Microsoft’s September 2025 Patch Tuesday landed with 80 security fixes, including a novel SMB hardening advisory that provides audit capabilities rather than a traditional vulnerability patch, underscoring a strategic shift in how the company addresses systemic protocol weaknesses. The update addresses eight Critical and 72 Important CVEs across Windows, Office, virtualization, and authentication components, with an unusually high number of elevation-of-privilege bugs that demand immediate action from IT teams.
This month’s release is not just a collection of code fixes—it’s an operational blueprint. The standout advisory, CVE-2025-55234, introduces SMB audit events and policy toggles to help organizations discover incompatible devices before enforcing signing and encryption, directly tackling the long-standing problem of NTLM relay attacks. Meanwhile, critical remote code execution flaws in NTFS (CVE-2025-54916), Office (CVE-2025-54910), and SharePoint (CVE-2025-54897), along with a race-condition RCE in Hyper-V (CVE-2025-55224), make the case for aggressive patching of internet-facing systems and hypervisors.
Overview of the September 2025 Patch Tuesday
The 80 CVEs span a wide range of components:
- Core Windows and kernel subsystems (NTFS, Win32K, graphics stack, TCP/IP, LSASS)
- Authentication protocols (NTLM, SPNEGO, SMB)
- Virtualization (Hyper-V, Azure Arc, Windows Virtual Machine Agent)
- Productivity software (Office, Excel, PowerPoint, SharePoint, Visio, Word)
- Platform services (BitLocker, Defender Firewall Service, DWM, SMBv3 client)
Elevation of privilege (EoP) bugs represent nearly half of the patched issues, a persistent theme that reflects attacker focus on lateral movement after initial compromise. Remote code execution (RCE) follows closely, with eight critical-rated vulnerabilities that can lead to full system takeover. Microsoft assessed several of these as “Exploitation More Likely,” signaling a heightened risk of weaponization.
SMB Hardening Becomes Operational with CVE-2025-55234
The most unusual entry this month is CVE-2025-55234. Rather than a classic bug, it is a delivery vehicle for SMB auditing and hardening controls. Administrators can now enable granular audit events that log devices failing to support SMB signing, Extended Protection for Authentication (EPA), or encryption. This audit-first approach lets organizations inventory incompatible endpoints—NAS appliances, legacy printers, embedded systems—before flipping the enforcement switch.
“SMB hardening often breaks production because admins don’t know what’s out there,” said a senior security analyst familiar with the advisory. “This gives them a safe way to find the laggards.” The CVE is publicly disclosed and operationally focused; Microsoft’s guidance emphasizes a phased rollout from audit to enforcement, reducing the risk of accidental outages.
Practical steps:
- Enable the new SMB audit events in a test environment and collect telemetry for 7–14 days.
- Identify endpoints that fail signing or EPA checks and create exception lists.
- Coordinate with third-party vendors to update firmware or replace devices that cannot meet modern SMB security requirements.
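An added example (not Microsoft's tooling and not code from the advisory) of the audit-to-enforcement workflow in Python: it reads constructed audit records, whose field names are assumptions rather than the real SMB server audit schema, builds the per-client inventory of failed signing, EPA and encryption checks, and clears a capability for enforcement only when the collection window is long enough and every remaining blocker is already on the agreed exception list.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry; field names are assumptions, not the real
# SMB server audit event schema. "unsupported" = the client failed that check.
AUDIT_EVENTS = [
    {"ts": "2025-09-10T08:01:00", "client": "nas-01", "capability": "signing", "outcome": "unsupported"},
    {"ts": "2025-09-10T08:02:00", "client": "nas-01", "capability": "encryption", "outcome": "unsupported"},
    {"ts": "2025-09-10T08:03:00", "client": "ws-1042", "capability": "signing", "outcome": "ok"},
    {"ts": "2025-09-11T09:15:00", "client": "printer-lobby", "capability": "epa", "outcome": "unsupported"},
    {"ts": "2025-09-11T09:16:00", "client": "printer-lobby", "capability": "signing", "outcome": "unsupported"},
    {"ts": "2025-09-12T10:00:00", "client": "ws-1042", "capability": "encryption", "outcome": "ok"},
    {"ts": "2025-09-12T10:05:00", "client": "nas-01", "capability": "signing", "outcome": "unsupported"},
]
CAPABILITIES = ("signing", "epa", "encryption")

def build_inventory(events):
    """Map each client to the capabilities it failed and how often each failure was seen."""
    inventory = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["outcome"] == "unsupported":
            inventory[ev["client"]][ev["capability"]] += 1
    return {client: dict(fails) for client, fails in inventory.items()}

def audit_window_days(events):
    """Calendar days covered by the telemetry (inclusive), to check the 7-14 day collection period."""
    stamps = [datetime.fromisoformat(ev["ts"]) for ev in events]
    return (max(stamps).date() - min(stamps).date()).days + 1

def exception_list(inventory, capability):
    """Clients that still fail this capability, most frequent first."""
    blockers = [(c, f[capability]) for c, f in inventory.items() if capability in f]
    return sorted(blockers, key=lambda x: (-x[1], x[0]))

def enforcement_plan(inventory, window_days, excepted=frozenset(), min_days=7):
    """Per capability: 'enforce' only if the audit window is long enough and every
    remaining blocker is already on the agreed exception list; otherwise 'hold'."""
    plan = {}
    for cap in CAPABILITIES:
        blockers = [c for c, _ in exception_list(inventory, cap) if c not in excepted]
        if window_days < min_days:
            plan[cap] = ("hold", "audit window is %d days, need %d" % (window_days, min_days))
        elif blockers:
            plan[cap] = ("hold", "unhandled incompatible clients: " + ", ".join(blockers))
        else:
            plan[cap] = ("enforce", "no unhandled incompatible clients")
    return plan
```

Feeding real audit exports into `build_inventory` and re-running `enforcement_plan` after each vendor fix or approved exception gives a repeatable go/no-go check for each enforcement switch.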
Critical NTLM EoP (CVE-2025-54918): The Never-Ending Relay Threat
NTLM continues to haunt Windows environments. CVE-2025-54918 is a critical EoP in the NTLM authentication stack, rated “Exploitation More Likely” and carrying a high CVSS score. Attackers who trigger this flaw can escalate privileges on domain controllers and other authentication-handling systems, enabling full domain compromise.
This is the latest in a series of NTLM EoPs in 2025, reinforcing the need to accelerate Kerberos migration and block outbound NTLM traffic. Microsoft recommends immediately patching domain controllers, tuning LmCompatibilityLevel, and enabling NTLM auditing to detect anomalous authentication patterns. For many organizations, the ultimate defense lies in network segmentation and strict privilege management around authentication services.
NTFS RCE (CVE-2025-54916): A Rare File System Code Execution Flaw
Remote code execution in NTFS is uncommon. CVE-2025-54916 allows an authenticated attacker to execute arbitrary code by triggering a vulnerability in the file system driver. Microsoft rates it “Exploitation More Likely,” and history adds urgency: a similar NTFS RCE from March 2025 (CVE-2025-24993) was exploited in the wild.
Any system that mounts or processes untrusted NTFS volumes—file servers, backup targets, forensic workstations—is at risk. Administrators should prioritize patches on these systems and monitor for unusual file I/O or unexpected process creation from services like spoolsv.exe or dllhost.exe.
Office and SharePoint RCEs: The Preview Pane Attack Vector
Two critical RCEs in productivity software demand swift attention:
- CVE-2025-54910 (Microsoft Office): A heap-based buffer overflow that can be triggered by crafted documents, potentially via Outlook’s Preview Pane. While Microsoft rates exploitation “Less Likely,” the preview pane vector historically lowers the bar for attacks. Office LTSC for Mac patches were pending at release time; Mac admins should check for follow-up updates.
- CVE-2025-54897 (SharePoint): Any authenticated user can execute code on a vulnerable SharePoint server, making internet-facing instances prime targets. Previous SharePoint guidance—rotate ASP.NET machine keys, enable AMSI, deploy EDR—remains critical.
Mitigations include disabling the Preview Pane in high-risk environments, tightening email attachment policies, and applying patches immediately.
Hyper-V Guest-to-Host Escape (CVE-2025-55224 and EoPs)
Hyper-V received multiple fixes, the most severe being CVE-2025-55224, a race-condition RCE that allows a guest VM to execute code on the host. Combined with several EoPs (CVE-2025-54091, CVE-2025-54092, CVE-2025-54098, CVE-2025-54115), an attacker can go from unprivileged guest user to full host SYSTEM.
For cloud providers and multi-tenant environments, hypervisor integrity is non-negotiable. Patch hosts immediately, restrict management network access, and monitor for suspicious VM-to-host interactions.
Detection and Monitoring: Snort/Talos Rules Drop Alongside Patches
Industry defenders released coordinated detection guidance. Cisco Talos and Snort updated their rule sets to flag exploitation attempts for many of these CVEs. SOC teams should ingest these signatures and hunt for post-exploit indicators:
- Suspicious child processes (rundll32, PowerShell) spawned by Office or SharePoint services
- SMB sessions without signing
- Anomalous NTLM authentication patterns
The new SMB audit events from CVE-2025-55234 provide rich log data that can be integrated into SIEM alerts during the audit phase.
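As an added example (not Talos or Snort content, and not code from the article), two of the post-exploit hunts listed above written out in Python over constructed telemetry: Office or IIS worker processes spawning script hosts, and accounts fanning NTLM out across many servers. The record fields, the hostnames and the fan-out threshold are assumptions.

```python
from collections import defaultdict
# Constructed sample telemetry, not real logs. Record shapes loosely follow
# Sysmon process-creation (Image/ParentImage) and Windows 4624 logon events, but
# the field names used here are assumptions.
PROCESS_EVENTS = [
    {"host": "ws-07", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe"},
    {"host": "ws-07", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},                         # print helper: benign
    {"host": "sp-01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "sp-01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},  # ASP.NET compile: benign
    {"host": "ws-09", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # user-launched: not flagged
]
NTLM_LOGONS = [  # (account, target server, authentication package)
    ("svc-backup", "fs-01", "NTLM"), ("svc-backup", "fs-02", "NTLM"), ("svc-backup", "fs-03", "NTLM"),
    ("svc-backup", "dc-01", "NTLM"), ("jdoe", "fs-01", "Kerberos"), ("jdoe", "fs-02", "NTLM"),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "visio.exe"}
IIS_PARENTS = {"w3wp.exe"}   # SharePoint application pools run inside IIS worker processes
LOLBIN_CHILDREN = {"rundll32.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt_child_processes(events):
    """Flag script-host/LOLBin children whose parent is an Office app or an IIS worker."""
    findings = []
    for ev in events:
        parent, child = basename(ev["parent"]), basename(ev["image"])
        if child not in LOLBIN_CHILDREN:
            continue
        if parent in OFFICE_PARENTS:
            findings.append((ev["host"], "office->" + child))
        elif parent in IIS_PARENTS:
            findings.append((ev["host"], "iis->" + child))
    return findings

def hunt_ntlm_fanout(logons, threshold=3):
    """Accounts using NTLM against at least `threshold` distinct servers: a simple
    heuristic for the spread that reused or relayed credentials produce."""
    targets = defaultdict(set)
    for account, server, package in logons:
        if package == "NTLM":
            targets[account].add(server)
    return {a: sorted(s) for a, s in targets.items() if len(s) >= threshold}
```

Tune the parent and child sets to the applications actually deployed, and keep the NTLM threshold above the fan-out that legitimate service accounts show in the audit-phase baseline.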
Patch Management: A Prioritized Action Plan
Given the volume and severity, IT teams need a structured approach:
- Inventory and map exposure: Identify internet-facing servers (SharePoint, SMB file servers, gateways) and virtualization hosts.
- Patch in this order:
  - Internet-facing RCEs and authentication subsystems (Office, SharePoint, NTLM)
  - Hypervisor hosts
  - Desktops and less exposed systems (after testing)
- Stage rollouts: Test SMB hardening in audit mode first; use the audit events to discover incompatible devices before enforcing controls.
- Deploy IDS/IPS updates as a stopgap while patches are applied.
- Communicate with vendors about legacy appliances that may break with SMB hardening.
Risk Analysis: Strengths and Unresolved Concerns
Strengths:
- The SMB audit approach is a pragmatic win. It shifts the industry from “patch and pray” to data-driven hardening, allowing gradual adoption of secure defaults like signing and EPA.
- Coordinated detection updates from Talos/Snort give defenders immediate visibility, shortening the window of exposure.
Concerns:
- Several vulnerabilities carry “Exploitation More Likely” ratings; the time between public disclosure and active exploitation is shrinking.
- SMB hardening relies on accurate inventories and vendor cooperation. Embedded devices and outdated NAS appliances often lack update paths, forcing exceptions that leave gaps.
- A discrepancy in CVE counts was noted: Security Boulevard’s coverage omitted one vulnerability reported by VulnCheck. This counting gap should be verified against Microsoft’s official Security Update Guide to ensure no blind spots exist.
Practical Hardening Recommendations
- Run SMB audit mode for at least two weeks and build a comprehensive inventory of legacy endpoints.
- Block NTLM where possible, using Microsoft’s auditing tools to track remaining usage.
- Disable the Office Preview Pane via Group Policy where feasible.
- Patch Hyper-V hosts immediately and restrict guest access to management networks.
- Ingest Snort/Talos signature updates and tune SIEM rules to alert on anomalous SMB and NTLM activity.
The Bigger Picture
September 2025’s Patch Tuesday is more than a routine rollup—it marks a tactical shift. Microsoft is coupling traditional vulnerability fixes with operational hardening tools that empower IT teams to gradually eliminate protocol-level attack surfaces. The SMB advisory, in particular, could become a template for future security enhancements: audit first, enforce later.
But the burden remains on administrators. Patching must be swift, detection must be proactive, and inventory hygiene must be impeccable. The payoff is a network that is not just patched, but truly hardened against the relay and lateral-movement techniques that dominate today’s threat landscape.