Microsoft’s September Patch Tuesday delivers a heavy, operationally urgent security package: more than 80 CVEs across Windows, Office, Hyper‑V, Azure components and developer libraries, including eight items Microsoft rates critical and two vulnerabilities that were publicly disclosed before the updates landed. Immediate attention is required for internet‑facing systems, hypervisors, and services that parse untrusted documents or JSON—particularly because public proof‑of‑concept details exist for several of these issues, increasing the risk window for organizations that delay remediation.

Background / Overview

Microsoft published the cumulative security updates for September as part of the regular Patch Tuesday cadence, delivering combined Servicing Stack Updates (SSU) and Latest Cumulative Updates (LCU), plus a set of hotpatches for eligible server SKUs. The release includes fixes for Windows client and server families, SQL Server, Office, SharePoint, and Azure‑adjacent components. Microsoft also used this cycle to ship operational hardening controls—most notably SMB audit and enforcement tooling—designed to let administrators discover legacy, unsigned SMB endpoints before switching on enforcement.
Administrators should treat September as strategic rather than routine: the update wave coincides with Windows 10 end‑of‑support on October 14, 2025, and an Azure identity enforcement milestone in early October, compressing migration and hardening timelines for many environments. These calendar pressures make triage, inventory and staged rollouts essential to avoid both security gaps and operational disruption. (microsoft.com)

What’s new and why it matters​

Two publicly disclosed items to prioritize​

  • SMB / NTLM related disclosure (reported as CVE‑2025‑55234): Community reporting highlights an SMB elevation‑of‑privilege issue that Microsoft addressed in the September updates and paired with audit‑first configuration options to discover endpoints that lack signing or Extended Protection for Authentication (EPA). Public technical details were published before the update, which raises the exploitation likelihood for unpatched networks; however, Microsoft had not confirmed active in‑the‑wild exploitation at release time. Treat this advisory as both a vulnerability fix and an operational telemetry program—enable the new SMB audit events, ingest them into SIEM, and remediate endpoints that fail signing/EPA checks before turning on strict enforcement.
    Caution: at the time of writing, some specifics about CVE identifiers and exploitability reported in community outlets differ from Microsoft’s public pages; administrators should validate CVE ↔ KB mappings against Microsoft’s Security Update Guide prior to mass deployment.
  • Newtonsoft.Json (CVE‑2024‑21907) now patched where used by Microsoft products: This flaw in the widely used Json.NET (Newtonsoft.Json) library was originally disclosed in 2018 and tracked as CVE‑2024‑21907; it allows denial‑of‑service via deeply nested JSON input (a StackOverflowException) and can crash processes that deserialize untrusted content. Many server applications (including some Microsoft products that embed the library) remain vulnerable until they upgrade to 13.0.1 or set conservative MaxDepth values for deserialization. This month’s updates include remediation where Microsoft’s products consumed the vulnerable dependency. Independent vulnerability records and advisories corroborate both the technical details and the recommended mitigations: upgrade to 13.0.1+ or explicitly set JsonSerializer MaxDepth. (nvd.nist.gov, wiz.io)

The critical‑severity cluster (high operational impact)​

September’s batch includes eight critical fixes, primarily for remote code execution (RCE) and kernel or service‑level elevation‑of‑privilege (EoP) paths. Notable examples called out in vendor and community reporting include:
  • NTLM elevation (CVE‑2025‑54918) — a flaw in NTLM handling that could let attackers escalate to SYSTEM in certain circumstances; community trackers rate exploitation likelihood as elevated.
  • Hyper‑V guest‑to‑host RCEs (CVE‑2025‑53799, CVE‑2025‑53800, CVE‑2025‑55224) — multiple critical Hyper‑V items that threaten multi‑tenant host isolation and require urgent patching on hypervisor hosts.
  • Windows Graphics and Office RCEs (CVE‑2025‑55236, CVE‑2025‑54910) — document‑parsing vectors that can trigger code execution when a user opens or previews a malicious file, lowering user interaction requirements and demanding rapid remediation for endpoints that process untrusted documents.
  • Internet Connection Sharing (ICS) RCE (CVE‑2025‑55228) — exploitable via crafted network packets on systems where ICS is enabled.
Multiple vendors and detection teams published signatures and IDS rules to help defenders detect exploitation attempts: integrate Talos/Snort and other community detection packs where possible to shorten the detection gap while patches roll out.

Technical analysis and risk assessment​

Why now is more dangerous than a typical patch cycle​

Three operational realities raise risk in this cycle:
  • Public disclosure and PoC availability — several flaws had proof‑of‑concepts released or were otherwise publicly discussed before Patch Tuesday, increasing the chance of exploit development and scanning. When exploit code or detailed analysis is public, the time to weaponization compresses dramatically, especially for high‑value targets like document parsing, SMB/NTLM, and hypervisor flaws.
  • Concentration on authentication stacks and virtualization — the patch set heavily targets NTLM, Kerberos/SMB interactions, and Hyper‑V isolation. These subsystems are high‑value for lateral movement and domain compromise. An initial foothold plus an unpatched NTLM or SMB EoP can rapidly escalate to domain takeover in poorly segmented networks.
  • Calendar pressure — Windows 10 end‑of‑support (October 14, 2025) and Azure MFA enforcement deadlines compress the window for coordinated upgrades and identity hardening, which can lead organizations to rush patching without proper pilots—raising the risk of outages. Administrative teams must balance urgency with safe rollout practices. (support.microsoft.com)

Strengths in Microsoft’s approach — and where it creates operational risk​

Microsoft balanced immediate mitigations with operational continuity in several ways: delivering hotpatch options for eligible servers, combining SSU+LCU to reduce sequencing errors, and shipping audit‑first enforcement for SMB so organizations can discover incompatible appliances before hard enforcement breaks them. These are practical steps that reduce surprise outages when hardening is enforced broadly.
The tradeoffs: audit‑first approaches require disciplined remediation programs (inventorying, patching legacy appliances, and coordinating vendor upgrades). Moreover, allowlists and temporary exceptions (used to preserve functionality) introduce long‑term operational risk if not guarded by strict controls and auditing. Overuse of allowlist entries effectively reintroduces the legacy attack surface the hardening was designed to remove.

Practical, prioritized remediation plan​

Immediate (hours to 24 hours)​

  • Patch internet‑facing and externally reachable assets first: firewalls, VPN/RRAS gateways, web servers, SharePoint, and any nodes that accept documents or run preview panes. Many RCEs can be triggered with lower user interaction when previews are enabled.
  • Apply hotpatches where supported for critical server roles: check Microsoft’s KBs for hotpatch availability to reduce reboot windows for highly available workloads. Confirm KB ↔ CVE mappings before hotpatch application.
  • Enable SMB audit events and ingest them into SIEM: use the new telemetry to find endpoints lacking signing or EPA before enabling stricter SMB settings. Remediate or isolate devices that fail auditing.

Short term (24–72 hours)​

  • Pilot updates in a representative ring (domain controllers, management VMs, and a subset of production servers).
  • Validate authentication flows (Kerberos/NTLM), application connectivity, and third‑party storage appliance compatibility.
  • Upgrade Newtonsoft.Json instances in server applications and set JsonSerializer MaxDepth globally if urgent upgrades are not immediately possible. Confirm SQL Server and other Microsoft stacks that embed the library have received updates. (wiz.io)

Medium term (one to two weeks)​

  • Complete staged rollout to broader server and endpoint rings, prioritizing hypervisor hosts and domain controllers.
  • Audit and remove legacy NTLM usage where possible; migrate automation and service accounts to managed identities or service principals to prepare for Azure MFA enforcement.
  • Apply configuration hardening that reduces reliance on weak SMB dialects and ciphers; proactively migrate away from DES where Microsoft flags deprecation and provides detection scripts.

Operational hygiene that must accompany patching​

  • Snapshot or image critical VMs and export AD system state before broad rollouts.
  • Ensure rollback plans are tested and that WSUS/patch management repositories maintain offline installers and drop‑in fallbacks.
  • Maintain an auditable change log for any allowlist entries created to preserve compatibility after hardening. Limit allowlisted installers strictly and review and expire entries on a fixed schedule.

Detection and hunting guidance​

  • Ingest Microsoft’s SMB audit telemetry and create SIEM alerts for endpoints that fail signing/EPA checks. Hunt for anomalous SMB traffic, unexpected NTLM authentication to external addresses, and chained authentication requests originating from document preview actions.
  • Monitor for anomalous Office process trees (unexpected child processes spawned by Word/Excel/Winword.exe) and AMSI errors that correlate with document‑parsing crashes—these are common exploitation patterns for RCEs in the graphics and document stacks.
  • Deploy or update IDS/IPS signatures from major vendors (Talos, Snort) that have published rules aligned to this release to catch exploit attempts while patching progresses.

Special note on Newtonsoft.Json (CVE‑2024‑21907)​

This vulnerability deserves a focused callout because of its broad reach across the .NET ecosystem. The defect allows deeply nested JSON to trigger a StackOverflowException and crash the process; exploit simplicity is noteworthy—an attacker needs only to send a maliciously nested JSON payload to a service that deserializes untrusted input. The technical community and vulnerability trackers uniformly recommend:
  • Upgrading Newtonsoft.Json to 13.0.1 or later, which introduces sensible defaults such as MaxDepth limits.
  • Where upgrading is delayed, set JsonSerializerSettings.MaxDepth to a conservative value (for example, 128) and ensure deserialization occurs under resource constraints (timeouts, process monitoring, and isolated application pools). (nvd.nist.gov, wiz.io)
Applications hosted in IIS or similar environments should be monitored for process terminations and application pool recycles—these are the most visible failure modes when exploitation occurs.
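As an added example (not code from the original post or from the Newtonsoft.Json project) covering both the earlier Newtonsoft.Json bullet and this section: the unbounded deserialization pattern beside the MaxDepth‑capped form, fed a constructed deeply nested payload. It assumes the Newtonsoft.Json NuGet package is referenced; the class and method names are illustrative.

```csharp
using System;
using System.Text;
using Newtonsoft.Json;

// Added example, not from the original post. Assumes the Newtonsoft.Json package is referenced.
public static class NestedJsonDemo
{
    // Constructed hostile input: `depth` nested arrays, i.e. [[[[ ... ]]]].
    public static string BuildNestedPayload(int depth)
    {
        var sb = new StringBuilder(depth * 2);
        sb.Append('[', depth);
        sb.Append(']', depth);
        return sb.ToString();
    }
    // Vulnerable pattern (the pre-13.0.1 default): MaxDepth == null means no limit, so the
    // reader recurses once per nesting level until the thread stack is exhausted; the
    // resulting StackOverflowException cannot be caught and the worker process dies.
    public static object DeserializeUnbounded(string json)
    {
        var settings = new JsonSerializerSettings { MaxDepth = null };
        return JsonConvert.DeserializeObject(json, settings);
    }
    // Hardened pattern: cap nesting explicitly. 13.0.1+ defaults to 64, but an explicit
    // value also protects older versions and documents the intent.
    public static bool TryDeserializeBounded(string json, int maxDepth, out string error)
    {
        error = null;
        var settings = new JsonSerializerSettings { MaxDepth = maxDepth };
        try
        {
            JsonConvert.DeserializeObject(json, settings);
            return true;
        }
        catch (JsonReaderException ex)
        {
            // A depth violation surfaces as a catchable exception instead of a crash.
            error = ex.Message;
            return false;
        }
    }
    public static void Main()
    {
        // Process-wide default for code paths that call JsonConvert without explicit settings.
        JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };
        string hostile = BuildNestedPayload(100_000);
        bool ok = TryDeserializeBounded(hostile, 128, out string why);
        Console.WriteLine(ok ? "accepted" : "rejected: " + why);
        // DeserializeUnbounded(hostile) is deliberately not called: on a vulnerable build it crashes the process.
    }
}
```

The bounded call rejects the payload with a JsonReaderException naming the exceeded depth, which is the behaviour to confirm in a pilot before relying on the global default.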

What to watch for after deployment​

  • Exploit‑Wednesday activity: newly published fixes often trigger aggressive scanning and exploit attempts; prioritize monitoring of external‑facing assets for unusual connection attempts and failed authentications.
  • Compatibility regressions: despite Microsoft’s care (audit‑first enforcement, hotpatches, etc.), some legacy appliances and installers may break. Use pilots and the Known Issue Rollback (KIR) mechanisms where available, and coordinate with vendors for updated firmware or software.
  • Third‑party dependency lag: for embedded libraries such as Newtonsoft.Json, check vendor advisories and service dependencies; many apps will need rebuilds or explicit package updates to remove transitive references to vulnerable versions. Where possible, use SBOMs and dependency scanners to locate all instances quickly. (github.com, app.opencve.io)

Unverifiable claims and cautions​

Some early community reports and aggregated CVE tallies showed discrepancies in CVE ↔ KB mappings and described exploit conditions with higher certainty than vendor advisories. Where public proof‑of‑concepts are circulating, those claims are noted by the community but may not perfectly match Microsoft’s official advisory text or exploitation assessments. Administrators must verify the authoritative KB and MSRC advisory for each CVE and avoid relying solely on third‑party CVE lists when planning mass rollouts. Any claim not directly mirrored in Microsoft’s Security Update Guide should be treated with caution until corroborated.

Bottom line — recommended checklist​

  • Enable SMB audit events and ship telemetry to SIEM immediately. Use audit results to identify legacy endpoints before enabling enforcement.
  • Patch high‑risk, internet‑facing systems first (RCE exposures, Office preview pane vectors, SharePoint), then hypervisor hosts and domain controllers. Use hotpatches on eligible servers to shorten outages.
  • Upgrade Newtonsoft.Json instances to 13.0.1+ or enforce MaxDepth in deserialization settings for all .NET services that accept external JSON. (wiz.io, nvd.nist.gov)
  • Prepare for Windows 10 end‑of‑support and Azure identity enforcement deadlines by inventorying legacy devices, converting automation accounts to managed identities, and validating MFA‑protected flows. (support.microsoft.com)
  • Maintain conservative allowlisting and auditing for any compatibility exceptions introduced to preserve production workflows.

Microsoft’s September Patch Tuesday is both large in scale and operationally consequential. It includes the kinds of fixes that matter most in modern attacks—document parsing, authentication stacks and hypervisor isolation—while also nudging organizations toward a stronger posture via audit‑first hardening. The technical remediation is straightforward: patch quickly, prioritize internet‑facing and virtualization hosts, upgrade vulnerable libraries, and use the new telemetry to make enforcement safe. The operational challenge is harder: coordinate pilots, validate key application flows, and avoid over‑broad allowlists that reintroduce risk. For IT and security teams, the practical path is clear: inventory, patch, monitor and harden—now. (nvd.nist.gov, wiz.io)

Source: Redmondmag.com Microsoft September Security Patch -- Redmondmag.com