Microsoft’s September 2025 Patch Tuesday shipped a wide-ranging set of fixes addressing 80 CVEs across Windows, Office, virtualization, and platform components — with eight rated Critical and 72 rated Important — and included several high-profile fixes for SMB, NTLM, NTFS, Office, SharePoint, and Hyper‑V that require rapid attention from administrators and security teams.

Background

Microsoft’s monthly security cadence continues to be the primary mechanism for shipping fixes for vulnerabilities in Windows and Microsoft products. The September 2025 cycle is notable for both the volume of fixes and the operational nature of some advisories — particularly the SMB advisory (CVE‑2025‑55234) which adds audit tooling and hardening controls rather than only a single code fix. This Patch Tuesday mixes traditional memory‑safety RCEs and kernel/driver elevation‑of‑privilege (EoP) bugs with strategic hardening guidance that aims to change attacker surface area over time. (msrc.microsoft.com)
The cadence also produced additional detection guidance and IDS/IPS rules from industry players. Cisco Talos and Snort rule updates were coordinated with this month’s release to detect attempts at exploiting some of the more dangerous issues. These detection packs help SOCs prioritize hunts and cover some of the RCE/EoP vectors called out by defenders. (snort.org)

Overview: what changed this month

This update set affects a broad set of components and product families:
  • Core Windows components and kernel subsystems (NTFS, Win32K, graphics stack, TCP/IP, LSASS).
  • Authentication subsystems (NTLM, SPNEGO, SMB).
  • Virtualization and cloud‑oriented components (Hyper‑V, Azure Arc, Windows Virtual Machine Agent).
  • File format and productivity software (Microsoft Office, Excel, PowerPoint, SharePoint, Visio, Word).
  • Platform services (BitLocker, Defender Firewall Service, DWM, SMBv3 client, MapUrlToZone and more).
Operationally, the distribution of vulnerability types this month shows a heavy skew toward Elevation of Privilege (EoP) — nearly half of the patched issues — with Remote Code Execution (RCE) accounting for a significant minority. For many organizations the EoP cluster is as important as RCEs because it reduces the cost of lateral movement after an initial foothold.

Key takeaways — what admins must know now

  • Patch priority: fix internet‑facing RCEs and authentication‑related bugs first (NTLM, SMB, SharePoint, Office preview‑pane vectors). These present the highest immediate risk.
  • SMB hardening is operational: CVE‑2025‑55234 provides audit events and policy toggles to help teams find incompatible devices before enforcing stronger SMB defaults. Treat this as an operational change rather than a simple code patch.
  • NTLM remains a recurring problem: another critical NTLM EoP (CVE‑2025‑54918) was patched, underscoring the persistence of authentication‑relay and protocol weaknesses.
  • Virtualization risk: Hyper‑V received multiple fixes, including an RCE (CVE‑2025‑55224) that could allow a guest to traverse to host code execution with a race‑win. Mitigate and patch hypervisor hosts quickly, particularly in multi‑tenant or cloud environments.
  • Defensive tuning: SOCs should ingest vendor detection guidance (Snort/Talos) and update IDS/IPS signatures to improve short‑term detection coverage. (snort.org)

Deep dive: the most significant CVEs

CVE‑2025‑55234 (Windows SMB — EoP; publicly disclosed / operational audit)

CVE‑2025‑55234 is unusual: rather than being a classical bug that attackers exploit immediately, Microsoft used the CVE as the vehicle to publish SMB audit events and hardening controls — tools that let administrators discover devices that do not support SMB signing, Extended Protection for Authentication (EPA), or SMB encryption/dialect controls. The advisory aims to allow a phased rollout from audit to enforcement, reducing the risk of accidentally breaking legacy devices when hardening is turned on. This is an operationally significant step toward reducing NTLM relay/SMB relay abuse across environments.
Why this matters:
  • SMB is pervasive across servers, NAS appliances, backup units and virtual appliances; incompatible endpoints are the reason SMB hardening often breaks production systems.
  • The audit‑first approach is practical: it enables discovery, remediation and vendor coordination before enforcement.
Operational guidance:
  • Enable the new SMB audit events in a limited scope (test/staging) and collect telemetry centrally.
  • Identify and inventory endpoints that fail signing / EPA checks.
  • Remediate or create exception lists for legacy devices before switching enforcement on.
Note: the Security Boulevard coverage emphasized the audit/enforcement model as the central purpose of CVE‑2025‑55234 rather than a single security bug; this framing should inform how teams approach deployment.
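As an added illustration of the audit‑first rollout described above (this is not code from the Security Boulevard article or from Microsoft), the following PowerShell turns on the SMB server audit settings, shows the audit flags beside the enforcement flags they precede, and builds a per‑client inventory from the SMB server audit log so the incompatible endpoints can be remediated before enforcement. It assumes a Windows Server 2025 / Windows 11 24H2 host with the September 2025 update, run elevated; the audit parameter names, the audit log channel and the way the client address is pulled from the event text are assumptions to verify against Get-Command and the advisory before relying on them.

```powershell
# Added example, not from the article. Assumes the SMB audit parameters shipped with the
# CVE-2025-55234 guidance; confirm names with:  Get-Command Set-SmbServerConfiguration -Syntax
# Run elevated on the SMB file server you are baselining.

function Enable-SmbSigningAudit {
    # Audit mode only: log clients that lack signing/encryption, do not reject them yet.
    Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning    $true -Force
    Set-SmbServerConfiguration -AuditClientDoesNotSupportEncryption $true -Force
}

function Get-SmbHardeningPosture {
    # Audit flags (discovery) next to the enforcement flags you flip later.
    Get-SmbServerConfiguration | Select-Object `
        AuditClientDoesNotSupportSigning, AuditClientDoesNotSupportEncryption, `
        RequireSecuritySignature, EncryptData, RejectUnencryptedAccess
}

function Get-SmbIncompatibleClientInventory([int]$Days = 14) {
    # Reads the SMB server audit channel for the baseline window (the article suggests 7-14 days).
    # Assumption: channel name 'Microsoft-Windows-SMBServer/Audit'; the signing/encryption audit
    # events are expected there. The client address is extracted from the message text with a
    # regex because the event data field names are not documented on the page (heuristic).
    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $ipv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
    $ipv6 = '\b(?:[0-9A-Fa-f]{1,4}:){2,7}[0-9A-Fa-f]{1,4}\b'
    $rows = foreach ($e in $events) {
        $client = 'unknown'
        if     ($e.Message -match $ipv4) { $client = $matches[0] }
        elseif ($e.Message -match $ipv6) { $client = $matches[0] }
        [pscustomobject]@{ Client = $client; EventId = $e.Id; LastSeen = $e.TimeCreated }
    }
    # One line per (client, event type): this is the exception/remediation list for vendors.
    $rows | Group-Object Client, EventId | ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Group[0].Client
            EventId  = $_.Group[0].EventId
            Count    = $_.Count
            LastSeen = ($_.Group | Measure-Object LastSeen -Maximum).Maximum
        }
    } | Sort-Object Count -Descending
}

Enable-SmbSigningAudit
Get-SmbHardeningPosture
Get-SmbIncompatibleClientInventory -Days 14 |
    Export-Csv -Path .\smb-audit-inventory.csv -NoTypeInformation
```

Ship the CSV to whoever owns the NAS, backup and appliance estate, and only after it stops growing move to enforcement (RequireSecuritySignature, and EncryptData with RejectUnencryptedAccess where the inventory shows every remaining client can negotiate it). Forward the same audit channel to the SIEM so that enforcement day does not produce surprises the baseline missed.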

CVE‑2025‑54918 (Windows NTLM — Critical EoP)

CVE‑2025‑54918 is a critical elevation‑of‑privilege issue in the NTLM authentication stack and was rated with a high CVSS score. Microsoft assessed the exploitability as “Exploitation More Likely”, indicating a stronger chance that attackers will turn this into active exploit chains. This continues a worrying pattern of multiple NTLM EoP bugs in 2025. Patching and reviewing NTLM usage policies (including outbound NTLM blocking and Kerberos migration) remains top priority.
Mitigations and recommendations:
  • Apply the update immediately on domain controllers and systems that process authentication.
  • Evaluate and plan for NTLM blocking where Kerberos can be used instead; leverage Microsoft guidance around LmCompatibilityLevel and NTLM auditing.
  • Use network segmentation and enforce least privilege around authentication‑handling systems.
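To make the NTLM review concrete, here is an added PowerShell example (not from the article or from Microsoft) that reads the LmCompatibilityLevel and NTLM audit/restriction settings the guidance refers to, switches NTLM into audit mode without blocking anything, and summarizes what the NTLM operational log has seen. The registry paths, value names and the Microsoft-Windows-NTLM/Operational channel are standard Windows; the interpretation comments are from Microsoft's documented value meanings. In a domain these values are normally set by Group Policy, so the Set-* function is for a standalone or lab host, and the event-ID mapping in the comment is an assumption to confirm against your own log.

```powershell
# Added example, not from the article. Run elevated. In domain-joined environments set these
# via Group Policy (Security Options -> "Network security: Restrict NTLM: ...") instead of
# editing the registry directly, or the policy refresh will overwrite local changes.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$MsvKey = "$LsaKey\MSV1_0"

function Get-NtlmPosture {
    $lsa = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path $MsvKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 0-2 still allow LM/NTLMv1 responses; 3-5 send NTLMv2 only; 5 also refuses LM/NTLM on DCs.
        LmCompatibilityLevel         = if ($null -eq $lsa.LmCompatibilityLevel) { 'not set (OS default)' } else { $lsa.LmCompatibilityLevel }
        # 0 = off, 1 = audit domain accounts, 2 = audit all incoming NTLM
        AuditReceivingNTLMTraffic    = $msv.AuditReceivingNTLMTraffic
        # 0 = allow, 1 = audit outgoing NTLM, 2 = deny (use exception list RestrictSendingNTLMTraffic exceptions)
        RestrictSendingNTLMTraffic   = $msv.RestrictSendingNTLMTraffic
        # 0 = allow all, 1 = deny domain accounts, 2 = deny all incoming NTLM
        RestrictReceivingNTLMTraffic = $msv.RestrictReceivingNTLMTraffic
    }
}

function Enable-NtlmAuditOnly {
    # Audit first, exactly as the SMB guidance does: record NTLM use, block nothing yet.
    Set-ItemProperty -Path $MsvKey -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord
    Set-ItemProperty -Path $MsvKey -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
}

function Get-NtlmTrafficSummary([int]$Days = 7) {
    # Assumption: audit events land in the NTLM operational channel as 8001 (outgoing),
    # 8002 (incoming), 8003 (domain NTLM) and 8004 (DC). Verify IDs on your own hosts.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

Get-NtlmPosture
Enable-NtlmAuditOnly
Get-NtlmTrafficSummary -Days 7 | Format-Table -AutoSize
```

The 8001/8002 events name the target server and the calling application, which is what you need to decide whether a given NTLM flow can move to Kerberos (an SPN and a DNS name instead of an IP address usually suffice) or must go on an exception list before RestrictSendingNTLMTraffic is raised to deny.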

CVE‑2025‑54916 (Windows NTFS — RCE)

CVE‑2025‑54916 is a remote code execution vulnerability in NTFS — a rare RCE in the file system since most NTFS issues historically have been EoP or information disclosure. Microsoft rated it as “Exploitation More Likely” and the advisory indicated an authenticated attacker could trigger RCE. Given past history (a prior NTFS RCE in March 2025 was exploited in the wild), treat this as high priority for systems that accept authenticated file operations.
Operational notes:
  • Patch file servers and hosts that mount or process untrusted NTFS volumes.
  • Monitor file I/O and unusual process creation from services that handle file parsing or sharing.

CVE‑2025‑54910 (Microsoft Office — RCE via crafted documents / Preview Pane)

This Office bug is a heap‑based buffer overflow that can be triggered by specially crafted Office documents, and potentially via Outlook’s Preview Pane. Microsoft assigned a critical rating with “Exploitation Less Likely” but the attack vector (document preview) historically reduces user interaction requirements and thus raises risk. Office LTSC for Mac updates were pending at the advisory time; Mac admins should watch for the follow‑up patches.
Mitigation steps:
  • Patch Office clients and servers.
  • Disable or harden Preview Pane functionality where possible in high‑risk environments.
  • Block or sandbox untrusted Office documents using email gateway scanning and attachment policies.

CVE‑2025‑54897 (SharePoint — RCE requiring authentication)

A SharePoint RCE (CVE‑2025‑54897) allows authenticated attackers — any user — to execute arbitrary code on vulnerable SharePoint servers. Because privileged accounts are not required to exploit the flaw, any authenticated user is dangerous; internet‑facing SharePoint instances are especially high risk. Microsoft’s historical guidance for SharePoint vulnerabilities (rotate ASP.NET machine keys, enable AMSI, etc.) remains relevant. (msrc.microsoft.com)
Hardening advice:
  • Apply patches immediately on on‑prem SharePoint servers.
  • Restrict authentication surface for external access; place application gateways or authentication proxies in front of SharePoint.
  • Ensure AMSI is active and Defender for Endpoint or equivalent EDR solutions are deployed for detection and post‑exploit blocking.

CVE‑2025‑55224 and CVE‑2025‑5409x series (Hyper‑V — RCE + EoP)

Hyper‑V received multiple fixes, including a race‑condition RCE (CVE‑2025‑55224) that lets an attacker, with a race win, escalate from guest to host. Several EoP issues (CVE‑2025‑54091, CVE‑2025‑54092, CVE‑2025‑54098, CVE‑2025‑54115) allow local authenticated attackers to reach SYSTEM on hosts. For cloud providers, hosting providers, and organizations running multi‑tenant infrastructures, these are urgent patches because hypervisor integrity is central to isolation guarantees.
Mitigation checklist:
  • Schedule coordinated hypervisor updates with minimal disruption, patch hosts first.
  • Reduce exposure: limit untrusted guest execution, and lock down management interfaces.
  • Use strong host monitoring to detect suspicious VM‑to‑host interaction patterns.

Detection and monitoring: what defenders should deploy now

Industry IDS/IPS and threat research teams released detection updates aligned with this Patch Tuesday. Cisco Talos and Snort posted updates and new signatures that map to many of the RCE/EoP vectors patched this month. SOC teams should quickly evaluate and deploy these rule updates to gain immediate detection benefits while patches are rolled out. (snort.org)
Operational detection playbook:
  • Ingest vendor signature updates (Snort/Talos) and enable the relevant rules covering SMB, Office file parsing, SharePoint, Win32K/graphics, and NTLM anomalies.
  • Hunt for post‑exploit indicators: suspicious rundll32/PowerShell child processes spawned by Office or SharePoint services; unusual SMB session activity without signing; anomalous NTLM authentication patterns.
  • Use Windows Event logs added by the SMB hardening advisory to flag legacy or incompatible clients during audit mode; integrate those events into SIEM alerts.
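The post‑exploit hunt in the playbook above (Office or SharePoint processes spawning rundll32 or PowerShell) can be run from the Security log directly. The following is an added example, not the article's or any vendor's detection content: it parses event 4688 (process creation), pairs each child with its parent, and reports the pairings the playbook describes, extending the article's rundll32/PowerShell list with a few other script hosts. It assumes "Audit Process Creation" is enabled (command‑line logging is optional but makes the output far more useful) and that the ParentProcessName field is populated, as it is on Windows 10 / Server 2016 and later; w3wp.exe is included because it is the IIS worker process hosting on‑prem SharePoint.

```powershell
# Added example, not from the article. Run elevated on the host being hunted; for fleet-wide
# use, wrap in Invoke-Command or point it at forwarded events in your SIEM instead.

# Parents that should rarely spawn script hosts: Office clients plus the SharePoint worker process.
$SuspectParents  = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'visio.exe', 'w3wp.exe'
# Children worth an alert when started by one of the above (article lists rundll32/PowerShell;
# the remaining entries are common script hosts added here for coverage).
$SuspectChildren = 'powershell.exe', 'pwsh.exe', 'rundll32.exe', 'cmd.exe', 'mshta.exe',
                   'wscript.exe', 'cscript.exe', 'regsvr32.exe'

function ConvertFrom-ProcessCreationEvent {
    # Turns one 4688 event into a flat object; EventData field names are the documented 4688 names.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        Host    = $Event.MachineName
        User    = $data['SubjectUserName']
        Parent  = [IO.Path]::GetFileName([string]$data['ParentProcessName']).ToLower()
        Child   = [IO.Path]::GetFileName([string]$data['NewProcessName']).ToLower()
        CmdLine = $data['CommandLine']   # empty unless command-line auditing is enabled
    }
}

function Find-OfficeSpawnedScriptHosts([int]$Hours = 24) {
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-ProcessCreationEvent -Event $_ } |
        Where-Object { $SuspectParents -contains $_.Parent -and $SuspectChildren -contains $_.Child }
}

# Daily hunt: anything returned here deserves a look at the document or request that triggered it.
Find-OfficeSpawnedScriptHosts -Hours 24 |
    Sort-Object Time |
    Format-Table Time, Host, User, Parent, Child, CmdLine -AutoSize -Wrap
```

Expect some benign noise from add‑ins and deployment tooling; tune by excluding known command lines rather than by dropping a parent/child pair entirely, since the pair itself is the signal the playbook calls out.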

Patch management: prioritized steps for IT teams

  • Inventory and map exposure:
    • Identify internet‑facing servers (SharePoint, SMB file servers, RRAS, Edge/Outlook gateways).
    • Inventory virtualization hosts (Hyper‑V) and sensitive domain controllers.
  • Prioritize patches by exposure and exploitability:
    • Internet‑facing RCEs and authentication subsystems first (Office preview RCE, SharePoint RCE, NTLM EoP).
    • Hypervisor patches next for hosts and management consoles.
    • Desktop and less exposed systems last, after testing.
  • Use staged rollouts:
    • Test patches in staging with representative workloads to detect compatibility issues, especially for SMB hardening changes.
    • For SMB hardening, operate in audit mode to find incompatible endpoints before turning enforcement on — use the audit events CVE‑2025‑55234 enables.
  • Monitor vendor detection guidance and community rulesets (Snort/Talos) as interim safeguards. (snort.org)
  • Communicate with application and hardware vendors where third‑party devices (NAS, printers, appliances) may not support SMB signing or EPA — coordinate firmware or software updates.

Risk analysis: strengths and remaining concerns

Strengths of this release:
  • Microsoft’s operational transparency on SMB hardening (audit events, staged enforcement) helps enterprises adopt stronger defaults without risking mass breakage. The audit approach is a pragmatic way to reduce attack surface gradually.
  • Coordinated industry detection (Talos/Snort) provides defenders with short‑term visibility while patches are applied. (snort.org)
Risks and caveats:
  • Several vulnerabilities were assessed as “Exploitation More Likely” by Microsoft; when public exploitability is high, the window for attackers to weaponize disclosed bugs is short. Prioritization must reflect that urgency.
  • Operational hardening (SMB) relies on accurate inventory and vendor cooperation; legacy appliances and embedded NAS devices frequently lack timely updates, increasing the administrative burden to create exceptions or replace devices.
  • A subset of the advisory language and reporting in community writeups referenced a vulnerability reported by third‑party services (VulnCheck) that some feeds omitted; that particular omission could be a benign indexing gap, but any such discrepancy should be treated as a potential blind spot until verified with the vendor advisory. Flagging such claims for verification is prudent.
Unverifiable or ambiguous elements:
  • The Security Boulevard note that “Our counts omitted one vulnerability reported by VulnCheck” appears to be an editorial detail about tallying; this should be verified against Microsoft’s Security Update Guide data or the official CSAF/CVRF feed before being used as an authoritative metric for vulnerable counts. Treat this specific counting discrepancy as unverified until cross‑checked with Microsoft’s published advisory index.

Practical hardening recommendations (short checklist)

  • Enable SMB audit events and run a baseline for at least 7–14 days to find incompatible endpoints. Use centralized logging and correlate with access patterns.
  • Block or limit NTLM where feasible; maintain exception lists and monitor NTLM auth attempts.
  • Apply Office and SharePoint patches promptly; consider disabling Preview Pane or tightening mailbox attachment policies where previews are a threat vector.
  • Patch Hyper‑V hosts and restrict guest access to management networks; consider suspending untrusted guest deployments temporarily if patches cannot be applied immediately.
  • Update IDS/IPS signatures (Snort/Talos) and enable rules that map to patched issues to gain detection while remediation is underway. (snort.org)

Communications and compliance

  • For regulated environments, document patching schedules and detection actions; the SMB audit events provide a useful paper trail when moving from audit to enforcement.
  • Notify third‑party vendors and SaaS providers that rely on SMB or NTLM to plan upgrades or provide exception pathways.
  • Use Microsoft’s Security Update Guide and the CSAF/CVRF feeds for authoritative patch lists and to reconcile CVE tallies during compliance reporting. (msrc.microsoft.com)

Conclusion

September 2025’s Patch Tuesday is both a conventional security rollup and a signal of shifting Microsoft strategy: the platform vendor is coupling low‑level fixes (RCEs, EoP) with operational tools — notably for SMB — that make systemic hardening realistic at enterprise scale. That audit‑first approach is welcome, but it places the onus on IT teams to invest in inventory, telemetry and vendor coordination.
Immediate action items are clear: prioritize patches for NTLM, SMB, SharePoint, and Office preview vectors; update hypervisor hosts; and deploy IDS/IPS detection updates from trusted threat researchers. Use the SMB audit controls to discover and remediate incompatible devices before turning on enforcement, and treat any community‑reported discrepancies in CVE counts as items to validate against Microsoft’s official feeds.
The security posture improvement from this update depends on a coordinated operational response: patch quickly, monitor aggressively, and use the new audit telemetry to reduce reliance on legacy authentication and protocol behaviors that continue to empower modern relay and lateral‑movement techniques. (snort.org)

Source: Security Boulevard Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234)