Microsoft’s September 2025 Patch Tuesday delivers a heavy, operationally important security payload: this cycle addresses roughly 80 CVEs across Windows, Office, Azure, Hyper‑V and related components, including several critical remote‑code‑execution (RCE) and elevation‑of‑privilege (EoP) flaws that should move immediately to the top of enterprise patch lists. The release also comes with two calendar items that change risk calculations for IT teams: Windows 10 reaches end of support in mid‑October, and Microsoft is enforcing the next phase of mandatory multifactor authentication (MFA) for Azure resource management tools starting October 1. These simultaneous events turn September into a strategic month — not just another Patch Tuesday. (microsoft.com) (learn.microsoft.com)
Source: Petri IT Knowledgebase Microsoft Releases September 2025 Patch Tuesday Updates
Background / Overview
Microsoft’s monthly security cadence remains the cornerstone of the Windows ecosystem’s risk management model. The September 2025 cycle is notable for its mix of memory‑safety RCEs, kernel and driver EoP issues, and a handful of advisories that shift the emphasis from single‑system code fixes to operational hardening — most prominently the new SMB audit and enforcement tooling. Multiple security teams and vendors released detection content and analysis alongside the vendor advisories, giving defenders immediate telemetry and signatures to ingest. (microsoft.com)

This article summarizes what changed, explains which updates matter most to Windows admins and SOC teams, evaluates Microsoft’s hardening moves and the broader risks they create, and lays out a practical, prioritized remediation and detection plan.
What Microsoft patched in September 2025
Headline numbers and distribution
- Total CVEs fixed this month: ~80 across Windows, Office, Azure agents and platform components.
- Critical vs Important: multiple items received Critical ratings (several RCEs), with the bulk rated Important (EoP and other high‑impact issues).
- No widespread, confirmed “in‑the‑wild” exploitation was publicly reported at release time, but several advisories represent high‑value targets (document parsing, SMB/NTLM, Hyper‑V) and will attract adversary attention quickly.
Notable vulnerabilities to prioritize now
The following are short summaries of the most operationally important issues from the September slate. Each item below is drawn from the vendor and community reporting bundled with Patch Tuesday and should be validated against your inventory before rollout.

- CVE‑2025‑55234 — SMB hardening / EoP (audit first): This advisory is unusual because Microsoft used the CVE vehicle to ship audit events and configuration toggles that let administrators discover SMB endpoints that do not support signing, Extended Protection for Authentication (EPA), or required dialects before turning on enforcement. The rollout is deliberately audit‑first to reduce the chance of breaking legacy storage appliances or backup appliances. Treat this as a process and telemetry change as much as a vulnerability fix.
- CVE‑2025‑54916 — NTFS RCE: A remote code‑execution flaw in Windows NTFS that, according to community analysis, can be triggered by an unauthenticated local actor or via crafted network file interactions in specific contexts. Microsoft rated this as high‑impact and defenders should prioritize hosts that process untrusted files and network shares.
- CVE‑2025‑54910 — Microsoft Office RCE via crafted documents / Preview Pane: A heap‑based overflow in Microsoft Office that can be triggered by malicious documents (and may be exploited through Explorer/Outlook preview panes). Historically, preview‑pane bugs lower the user‑interaction bar, so patch Office endpoints and consider reducing preview functionality for high‑risk groups until mitigated.
- CVE‑2025‑55232 — Microsoft High Performance Compute (HPC) Pack — RCE: Rated extremely high by community trackers. Any organizations running HPC pack components should treat this as a near‑term priority for patching.
- NTLM and Kerberos EoP cluster (multiple CVEs including CVE‑2025‑54918 and CVE‑2025‑53779): A recurring theme this year has been authentication‑stack issues that enable relay or elevation attacks. Microsoft’s advisory set this month continues that trend and the vendor bundled guidance for auditing and migration away from NTLM where possible.
- Hyper‑V guest‑to‑host and host EoP issues (multiple CVEs): Hyper‑V received several fixes including a race‑condition RCE that could allow a guest VM to influence host code execution with a “race win.” Multi‑tenant hosts and cloud providers are highest risk. Patch hypervisor hosts early and reduce management plane exposure.
- Third‑party or widely used library follow‑ups (Newtonsoft.Json CVE‑2024‑21907): Not part of the same monthly release but worth flagging: the Newtonsoft.Json (Json.NET) CVE‑2024‑21907 (affecting versions prior to 13.0.1) remains an important DoS/resource‑exhaustion vector for server‑side code that deserializes untrusted JSON. Applications that embed vulnerable Newtonsoft versions should upgrade to 13.0.1 or set MaxDepth limits in JsonSerializer settings. (wiz.io, nvd.nist.gov)
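The audit‑first model for CVE‑2025‑55234 only pays off if the audit events are turned into an exception list before enforcement. The script below is an added example (not code from the article, Petri, or Microsoft) that aggregates exported SMB audit events per client, triages each endpoint, and reports which clients still block enforcement once documented exceptions are removed. It assumes the events have been exported as JSON lines with the field names shown (`client_ip`, `client_name`, `check`, `dialect`, `time`); those names and the sample records are constructed, so map them onto the real schema of your export.

```python
"""Turn exported SMB audit events into a remediation / exception list.

Added example, not from the article or Microsoft. Field names in the export
and the sample records are constructed assumptions for the demonstration.
"""
import json
from dataclasses import dataclass, field

# Constructed sample export (one audit event per line). Each event records a
# client that connected without meeting a check that enforcement will require.
SAMPLE_EXPORT = """\
{"time": "2025-09-10T08:01:12Z", "client_ip": "10.20.1.15", "client_name": "NAS-OLD-01", "check": "signing", "dialect": "2.0.2"}
{"time": "2025-09-10T08:03:40Z", "client_ip": "10.20.1.15", "client_name": "NAS-OLD-01", "check": "epa", "dialect": "2.0.2"}
{"time": "2025-09-10T09:15:02Z", "client_ip": "10.20.4.7", "client_name": "BACKUP-APPL-2", "check": "signing", "dialect": "3.0.2"}
{"time": "2025-09-11T01:22:19Z", "client_ip": "10.20.1.15", "client_name": "NAS-OLD-01", "check": "signing", "dialect": "2.0.2"}
{"time": "2025-09-11T10:45:00Z", "client_ip": "10.30.0.9", "client_name": "", "check": "epa", "dialect": "3.1.1"}
"""


@dataclass
class Endpoint:
    """Aggregated view of one client that would break under enforcement."""
    client_ip: str
    names: set = field(default_factory=set)
    dialects: set = field(default_factory=set)
    failed_checks: set = field(default_factory=set)
    events: int = 0
    first_seen: str = ""
    last_seen: str = ""


def parse_export(text):
    """Parse a JSON-lines export, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def aggregate(events):
    """Collapse per-event records into one Endpoint per client address."""
    endpoints = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ep = endpoints.setdefault(ev["client_ip"], Endpoint(ev["client_ip"]))
        if ev.get("client_name"):
            ep.names.add(ev["client_name"])
        ep.dialects.add(ev["dialect"])
        ep.failed_checks.add(ev["check"])
        ep.events += 1
        ep.first_seen = ep.first_seen or ev["time"]
        ep.last_seen = ev["time"]
    return endpoints


def classify(ep):
    """Triage label: what has to happen with this endpoint before enforcement."""
    if "signing" in ep.failed_checks and "epa" in ep.failed_checks:
        return "remediate-or-replace"   # fails both checks, typically legacy firmware
    if not ep.names:
        return "identify"               # unnamed client: find the owner first
    return "reconfigure"                # one check failing, usually a client setting


def enforcement_blockers(endpoints, approved_exceptions=()):
    """Client addresses that still block turning enforcement on.

    approved_exceptions: addresses reviewed and placed on a documented
    exception (for example, segmented onto an isolated VLAN).
    """
    return sorted(ip for ip in endpoints if ip not in approved_exceptions)


def report(endpoints):
    """One line per endpoint, busiest first, for the remediation runbook."""
    rows = []
    for ep in sorted(endpoints.values(), key=lambda e: -e.events):
        rows.append(f"{ep.client_ip:<12} {','.join(sorted(ep.names)) or '?':<15} "
                    f"{','.join(sorted(ep.failed_checks)):<12} {','.join(sorted(ep.dialects)):<8} "
                    f"events={ep.events} last={ep.last_seen} action={classify(ep)}")
    return "\n".join(rows)


if __name__ == "__main__":
    eps = aggregate(parse_export(SAMPLE_EXPORT))
    print(report(eps))
    print("blockers:", enforcement_blockers(eps, approved_exceptions={"10.20.4.7"}))
```

Run it in audit mode for a full business cycle (month‑end backups included) before trusting an empty `enforcement_blockers` result; an endpoint that only talks to the file server during a weekly job will not show up in a two‑day sample.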
Quality and experience changes included in the updates
Beyond security fixes, Microsoft shipped quality updates for Windows 11 and Windows 10 with features and fixes that affect enterprise deployments:

- Windows 11 (23H2, 24H2) updates add Copilot+ PC enhancements (Windows Recall, Click to Do improvements) and auditing capabilities for SMB/EPA compatibility.
- Windows 10 KB updates include stability and accessibility fixes plus two enterprise features: a networking control to block outbound traffic for the keyless Commercial ESU solution, and a cloud‑based Windows Backup for Organizations. These enterprise features will interact with migration planning for Windows 10 EoS.
Why this month’s release matters — strengths and strategic value
- Operational hardening with telemetry: The SMB audit approach is a pragmatic, risk‑aware path to hardening. Instead of flipping enforcement and breaking production appliances, administrators get actionable events to build an exception list and remediate incompatible devices first. That is a positive change in vendor posture.
- Comprehensive coverage across attack surface: The mix of RCEs (document parsing, graphics/codec, NTFS), EoPs (kernel, NTLM), and virtualization fixes addresses both initial access vectors and post‑compromise lateral movement. The release therefore raises the cost for attackers across multiple stages of an intrusion. Community detection content (Cisco Talos / Snort rules) was coordinated with this cycle, which shortens SOC time to detection.
- Calendar alignment that forces action: With Windows 10 end of support and Azure MFA enforcement dates looming, organizations have to fold patching, authentication hardening, and platform migration into the same operational window. That alignment can accelerate otherwise slow upgrades. (microsoft.com, learn.microsoft.com)
Risks, caveats, and things that look concerning
- NTLM remains a recurring problem. Multiple high‑impact NTLM‑related EoP CVEs continue to appear through 2025. The protocol’s persistence in legacy apps and appliances means that technical debt will keep producing security incidents until it is retired or blocked at the network perimeter.
- Patch‑induced outages remain a practical risk. Every month some customers report update problems — UAC prompts, boot failures, application incompatibilities, or driver regressions. Backups, staged testing and Known Issue Rollback (KIR) options are essential to avoid production impacts. Recent August/September updates produced non‑admin UAC prompt issues that required KIR or temporary workarounds. Treat patching as a change‑management project, not an automatic install. (tomshardware.com)
- SMB enforcement will break devices if mismanaged. The audit‑first design reduces the risk of surprise breakage, but organizations that flip enforcement without a remediation runbook will still face outages across NAS, backup appliances and IoT devices that ship with older SMB implementations. Use the new SMB audit telemetry widely and build an exception process.
- Timing pressure from Windows 10 EoS and Azure MFA enforcement. Many mid‑market organizations struggle with device refresh budgets and identity modernization efforts simultaneously. Trying to accomplish both in October, while rolling out critical patches, increases the chance of misconfiguration and service disruption. Plan calendar‑aware rollouts now. (microsoft.com, learn.microsoft.com)
- Some claims may not be fully verifiable from public advisories. Community writeups and CVE summaries are valuable, but if vendor advisories lack technical detail for a given CVE, treat some exploitability ratings and environment lists as provisional until you consult the Microsoft Security Update Guide for your exact builds. Flag any such gaps and validate before urgent remediation decisions. (microsoft.com)
Practical remediation and deployment playbook (prioritized)
Follow a risk‑driven, staged approach. The list below is ordered by immediate priority for most enterprise environments.

- Inventory and exposure mapping (first 24–48 hours)
  - Identify internet‑facing and externally accessible services (SharePoint, RRAS, SMB shares).
  - Map Hyper‑V hosts, virtualization cluster managers, domain controllers, Microsoft Office clients and file servers.
  - Search for obsolete NTLM‑dependent applications and unmanaged NAS or backup appliances. Use the SMB audit telemetry once enabled to feed this inventory.
- Rapid triage (48–72 hours)
  - Patch internet‑facing RCEs and authentication‑related issues first (Office preview‑pane RCEs, SharePoint RCEs, SMB/NTLM fixes).
  - Patch Hyper‑V hosts and virtualization management planes before patching guest VMs where feasible. Prioritize hosts in multi‑tenant or cloud provider contexts.
- Test and stage (parallel to triage)
  - Deploy patches to a staging cohort that represents each workload class (domain controllers, file servers, VDI, end‑user images).
  - Validate application behavior (backup, imaging, third‑party drivers). Use rollback or KIR where available for known problematic updates.
- Deployment and monitoring
  - Deploy broadly in waves, instrumenting telemetry and SIEM to detect abnormal reboots, service crashes, or authentication errors.
  - Ingest community IDS/IPS signatures (Talos/Snort) for immediate detection during rollout windows.
- Hardening and audit configuration changes
  - Enable SMB audit events in audit mode to discover incompatible devices. Remediate devices or create controlled exceptions before enforcement.
- Identity and resource management (MFA)
  - Ensure administrators and automation accounts that interact with Azure management APIs are set up for MFA or migrated to workload identities. The Phase 2 MFA enforcement date is October 1, 2025 — plan audits of scripts, IaC pipelines, and credential usage now. (learn.microsoft.com)
- Contingency and ESU planning (Windows 10)
  - For any Windows 10 estate that cannot migrate to Windows 11 by October 14, 2025, evaluate Extended Security Updates (ESU) enrollment and budgeting. Don’t assume indefinite support — ESU windows are finite and may have enrollment deadlines. (microsoft.com)
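The ordering rules in the playbook above (internet‑facing RCE and authentication fixes first, Hyper‑V hosts no later than the guests they run, a staging cohort that represents every workload class) can be turned into a wave plan mechanically from an asset inventory. The following is an added example, not code from the article or from Microsoft; the inventory records and the mapping of workload classes to fix categories are constructed simplifications of the article's summary, so confirm per‑build applicability in the Security Update Guide before using a plan like this.

```python
"""Order patch waves for the September 2025 slate from an asset inventory.

Added example, not from the article or Microsoft. The inventory and the
role-to-fix-class mapping are constructed simplifications.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    role: str
    internet_facing: bool = False
    staging: bool = False            # member of the representative test cohort
    host: Optional[str] = None       # for VMs: the Hyper-V host that runs them


# Kind of fix each workload class receives this month, per the article's
# summary (simplified; confirm per build in the Security Update Guide).
FIX_CLASS = {
    "sharepoint": {"rce"},
    "file-server": {"rce", "auth"},      # NTFS RCE, SMB signing/EPA hardening
    "office-client": {"rce"},            # Office preview-pane RCE
    "domain-controller": {"auth"},       # NTLM/Kerberos EoP cluster
    "hyperv-host": {"rce", "eop"},       # guest-to-host issues
    "hpc": {"rce"},                      # HPC Pack RCE
}


def tier(asset):
    """Lower tier = patched earlier. Staging assets are handled separately."""
    fixes = FIX_CLASS.get(asset.role, set())
    if asset.internet_facing and fixes & {"rce", "auth"}:
        return 1                         # externally reachable RCE/auth fixes first
    if asset.role in ("hyperv-host", "domain-controller", "hpc"):
        return 2                         # high-value infrastructure
    if asset.role in ("file-server", "office-client", "sharepoint"):
        return 3                         # hosts that process untrusted files
    return 4


def staging_gaps(assets):
    """Workload classes with no representative in the staging cohort."""
    roles = {a.role for a in assets}
    covered = {a.role for a in assets if a.staging}
    return sorted(roles - covered)


def plan_waves(assets):
    """Return waves (lists of asset names) in deployment order."""
    by_name = {a.name: a for a in assets}
    base = {a.name: (0 if a.staging else tier(a)) for a in assets}
    guests = defaultdict(list)
    for a in assets:
        if a.host and a.host in by_name:
            guests[a.host].append(a.name)
    wave = dict(base)
    # A host inherits the urgency of its most exposed production guest, so a
    # guest never waits on its host; staging guests do not pull hosts forward.
    for host, names in guests.items():
        prod = [base[n] for n in names if not by_name[n].staging]
        if prod:
            wave[host] = min(base[host], min(prod))
    # A guest is never scheduled before the host that runs it.
    for a in assets:
        if a.host and a.host in by_name:
            wave[a.name] = max(base[a.name], wave[a.host])
    grouped = defaultdict(list)
    for name, w in wave.items():
        grouped[w].append(name)
    for names in grouped.values():
        # Within a wave, hypervisor hosts go first, then alphabetical.
        names.sort(key=lambda n: (by_name[n].role != "hyperv-host", n))
    return [grouped[w] for w in sorted(grouped)]


# Constructed inventory for the demonstration.
INVENTORY = [
    Asset("DC-LAB-01", "domain-controller", staging=True),
    Asset("HV-HOST-02", "hyperv-host", staging=True),
    Asset("WS-GOLD-IMG", "office-client", staging=True),
    Asset("DC-01", "domain-controller"),
    Asset("HV-HOST-01", "hyperv-host"),
    Asset("SP-WEB-01", "sharepoint", internet_facing=True, host="HV-HOST-01"),
    Asset("FS-01", "file-server"),
    Asset("HPC-HEAD-01", "hpc"),
    Asset("APP-VM-07", "app-server", host="HV-HOST-01"),
    Asset("WS-FLEET", "office-client"),
]

if __name__ == "__main__":
    for i, names in enumerate(plan_waves(INVENTORY)):
        print(f"wave {i}: {', '.join(names)}")
    print("staging gaps:", staging_gaps(INVENTORY))
```

Note how the internet‑facing SharePoint VM pulls its Hyper‑V host into wave 1 rather than being delayed to the host's default tier: the host‑before‑guest rule is satisfied by moving the host forward, not the guest back. `staging_gaps` is the check to run before the first wave; any class it lists has no representative test system and will hit production untested.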
Detection and monitoring — immediate SOC actions
- Deploy updated Snort/Talos IDS rules and vendor EDR signatures that map to the September CVEs. These community rules were released to align with Microsoft’s advisories and significantly shorten the detection gap while patches roll out.
- Integrate the new SMB audit events into SIEM correlation rules and create alerts for endpoints that fail signing/EPA checks.
- Hunt for exploitation indicators typical of Office/Preview‑pane and graphics RCEs: Office spawning unusual child processes, AMSI errors, anomalous image‑file decodes, or sudden crashes in user sessions that open attachments.
- Prioritize telemetry from domain controllers and Hyper‑V hosts for signs of authentication lateral movement or unexpected elevation activity.
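For the "Office spawning unusual child processes" and "sudden crashes" hunts above, the logic is simple enough to run over an export of process‑creation events while EDR signatures are still being rolled out. The script below is an added example, not detection content from the article, Cisco Talos, or any vendor; it assumes process‑creation telemetry (Sysmon Event ID 1 or an EDR equivalent) exported as JSON lines with the field names shown, which is an assumption, and the sample events are constructed.

```python
"""Hunt for Office / preview-pane exploitation follow-on activity.

Added example, not from the article or any vendor. Input field names and the
sample events are constructed assumptions; adapt them to your telemetry.
"""
import json
from collections import Counter

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Children that Office rarely has a business reason to spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Launch locations that suggest a dropped payload rather than installed software.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample telemetry (raw string so the JSON backslash escapes survive).
SAMPLE_EVENTS = r"""
{"time":"2025-09-12T09:02:11Z","host":"WS-114","user":"CORP\\jdoe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c start inv.bat"}
{"time":"2025-09-12T09:05:47Z","host":"WS-208","user":"CORP\\asmith","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","image":"C:\\Users\\asmith\\AppData\\Local\\Temp\\update.exe","command_line":"update.exe"}
{"time":"2025-09-12T09:06:02Z","host":"WS-114","user":"CORP\\jdoe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","image":"C:\\Windows\\System32\\WerFault.exe","command_line":"WerFault.exe -u -p 4120"}
{"time":"2025-09-12T09:10:30Z","host":"WS-031","user":"CORP\\mlee","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\splwow64.exe","command_line":"splwow64.exe"}
{"time":"2025-09-12T09:11:00Z","host":"WS-031","user":"CORP\\mlee","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe"}
{"time":"2025-09-12T09:12:15Z","host":"WS-208","user":"CORP\\asmith","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSYNC.EXE","command_line":"MSOSYNC.EXE"}
"""


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return (severity, reason) for one process-creation event, or None."""
    parent = basename(ev["parent_image"])
    child = basename(ev["image"])
    if parent not in OFFICE_PARENTS:
        return None
    if child in SUSPICIOUS_CHILDREN:
        return ("high", f"{parent} spawned {child}")
    if any(marker in ev["image"].lower() for marker in USER_WRITABLE_MARKERS):
        return ("high", f"{parent} launched a binary from a user-writable path")
    if child == "werfault.exe":
        # A crash on its own is weak evidence; it matters when it clusters with
        # attachment opens or the high-severity signals above on the same host.
        return ("low", f"{parent} crashed (WerFault)")
    return None


def hunt(text):
    """Run evaluate() over a JSON-lines export and return the findings."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        verdict = evaluate(ev)
        if verdict:
            severity, reason = verdict
            findings.append({"time": ev["time"], "host": ev["host"], "user": ev["user"],
                             "severity": severity, "reason": reason,
                             "command_line": ev["command_line"]})
    return findings


def hosts_by_high_severity(findings):
    """Hosts ranked by number of high-severity findings, for triage order."""
    return Counter(f["host"] for f in findings if f["severity"] == "high")


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['host']:<7} {f['severity']:<4} {f['reason']}  [{f['command_line']}]")
    print("triage order:", hosts_by_high_severity(found).most_common())
```

Tune `SUSPICIOUS_CHILDREN` against a baseline from your own fleet before alerting on it: add‑ins and print drivers legitimately spawn a few helpers (the `splwow64.exe` event above is the usual example), and a month of rollout noise is the wrong time to learn that.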
Azure MFA enforcement — operational checklist
Microsoft’s Phase 2 MFA enforcement affects a broad set of resource‑management clients (Azure CLI, Azure PowerShell, IaC tools, REST control plane) starting October 1, 2025. Administrators must take concrete steps now:

- Inventory service and automation accounts that use user credentials for scripted automation. Migrate them to managed identities or service principals where possible. (learn.microsoft.com)
- Confirm tenant-level enforcement settings and, if necessary, apply for a postponement window (the documentation provides a tenant-level postponement flow).
- Ensure end users and admin accounts are registered for MFA and test common automation and CI/CD pipelines to avoid service interruptions.
- Upgrade Azure CLI and Azure PowerShell clients to the recommended versions to avoid compatibility errors during enforcement. (learn.microsoft.com)
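The first checklist item, finding automation that still runs under user credentials against the Azure control plane, is a sign‑in log question. The script below is an added example, not code from the article or Microsoft, that classifies exported sign‑in records into "migrate to a workload identity", "register for MFA", or "already fine". It assumes a JSON‑lines export in which user and service‑principal sign‑ins are merged and distinguished by a `principalType` field, and that control‑plane calls show the resource display name `Windows Azure Service Management API`; the field names, the application names and every record are constructed assumptions for the example, so confirm them against your tenant's export.

```python
"""Classify Azure control-plane sign-ins ahead of Phase 2 MFA enforcement.

Added example, not from the article or Microsoft. The export schema, the
resource/application names and all records are constructed assumptions.
"""
import json

# Resource name assumed for Azure Resource Manager control-plane calls.
ARM_RESOURCE = "Windows Azure Service Management API"

# Higher rank = more urgent; used when one principal shows several outcomes.
RANK = {"ok-workload-identity": 0, "ok": 1, "register-mfa": 2, "migrate-to-workload-identity": 3}

# Constructed sample export (one sign-in per line).
SAMPLE_SIGNINS = """\
{"time":"2025-09-15T02:10:03Z","principalType":"user","principal":"svc-deploy@contoso.example","appDisplayName":"Microsoft Azure CLI","resourceDisplayName":"Windows Azure Service Management API","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication"}
{"time":"2025-09-15T02:40:19Z","principalType":"user","principal":"svc-deploy@contoso.example","appDisplayName":"Microsoft Azure PowerShell","resourceDisplayName":"Windows Azure Service Management API","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication"}
{"time":"2025-09-15T08:12:44Z","principalType":"user","principal":"alice@contoso.example","appDisplayName":"Azure Portal","resourceDisplayName":"Windows Azure Service Management API","isInteractive":true,"authenticationRequirement":"multiFactorAuthentication"}
{"time":"2025-09-15T08:30:00Z","principalType":"user","principal":"alice@contoso.example","appDisplayName":"Microsoft Teams","resourceDisplayName":"Microsoft Graph","isInteractive":true,"authenticationRequirement":"multiFactorAuthentication"}
{"time":"2025-09-15T11:05:27Z","principalType":"user","principal":"bob@contoso.example","appDisplayName":"Microsoft Azure CLI","resourceDisplayName":"Windows Azure Service Management API","isInteractive":true,"authenticationRequirement":"singleFactorAuthentication"}
{"time":"2025-09-15T12:00:00Z","principalType":"servicePrincipal","principal":"github-oidc-deploy","appDisplayName":"github-oidc-deploy","resourceDisplayName":"Windows Azure Service Management API","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication"}
"""


def assess(rec):
    """Outcome for one sign-in, or None when it is outside the enforcement scope."""
    if rec["resourceDisplayName"] != ARM_RESOURCE:
        return None
    if rec["principalType"] == "servicePrincipal":
        return "ok-workload-identity"          # workload identities are the target state
    if not rec["isInteractive"]:
        # A user credential driving automation will break under enforcement.
        return "migrate-to-workload-identity"
    if rec["authenticationRequirement"] != "multiFactorAuthentication":
        return "register-mfa"                  # human sign-in without MFA
    return "ok"


def inventory(text):
    """Aggregate sign-ins per principal: worst outcome, apps used, count."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        status = assess(rec)
        if status is None:
            continue
        entry = result.setdefault(rec["principal"], {"status": status, "apps": set(), "sign_ins": 0})
        if RANK[status] > RANK[entry["status"]]:
            entry["status"] = status
        entry["apps"].add(rec["appDisplayName"])
        entry["sign_ins"] += 1
    return result


def action_items(inv):
    """(principal, status) pairs that need work before October 1, sorted by principal."""
    return sorted((p, e["status"]) for p, e in inv.items() if not e["status"].startswith("ok"))


if __name__ == "__main__":
    inv = inventory(SAMPLE_SIGNINS)
    for principal, entry in sorted(inv.items()):
        print(f"{principal:<28} {entry['status']:<30} sign-ins={entry['sign_ins']} apps={sorted(entry['apps'])}")
    print("to do:", action_items(inv))
```

The non‑interactive user sign‑in is the case that hurts most: it is usually a scheduled task or pipeline that someone set up with their own account, and it will fail silently at the first run after enforcement, which is why the classification ranks it above a human who merely has not registered yet.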
Windows 10 end of support — migration and ESU options
Microsoft’s Windows 10 support ends on October 14, 2025. After that date, Windows 10 no longer receives feature or security updates unless enrolled in an ESU program. Practical steps:

- Immediately inventory devices for Windows 11 compatibility; prioritize security‑sensitive assets (domain controllers, admin workstations, internet‑facing servers). (support.microsoft.com)
- For devices that cannot be upgraded, evaluate ESU enrollment or accelerated hardware refresh funding.
- Where migration is delayed, increase compensating controls: network segmentation, application isolation, strict outbound filtering and robust EDR coverage.
Final assessment — what IT teams should take away
September 2025’s Patch Tuesday is both routine and pivotal. It contains a familiar set of memory‑safety and EoP fixes that require standard rapid remediation, plus operational hardening controls (SMB audit/enforcement) that change the way teams must approach protocol hardening. At the same time, the calendar forces decisions: Windows 10 support sunsets October 14, 2025, and Azure’s MFA enforcement (Phase 2) begins October 1, 2025 — these deadlines compress migration, hardening, and patching into one operational window.

Strengths of this release include the audit‑first hardening model for SMB, coordinated detection content from vendors, and comprehensive coverage across platform components. The risks are real: NTLM legacy exposure persists, hypervisor and document‑parsing bugs remain high‑value targets, and rushed rollouts risk outages.
The practical imperative is straightforward: inventory now, patch high‑risk systems first, test in representative staging groups, enable SMB audits and SIEM rules, and finalize Azure MFA readiness by October 1. If migration timelines to Windows 11 can’t be met, plan for ESU enrollment or defend with layered mitigations.
Finally, treat Microsoft’s advisories and community reports as complementary inputs: consult the Security Update Guide for build‑specific details, ingest vendor IDS/EDR rules for quick detection, and use Microsoft’s SMB audit telemetry to avoid surprise breakage when hardening is enforced.
By aligning patching, identity hardening, and migration planning this month, security and IT teams can convert a potentially chaotic October into a managed program of risk reduction — but the clock is ticking.