Microsoft’s September Patch Tuesday delivers more than 80 security fixes — eight of them rated critical — and introduces new SMB audit tooling designed to let administrators discover and harden fragile file-sharing endpoints before enforcement becomes mandatory. The update cycle, which IT teams should treat as strategically urgent, patches multiple Hyper-V guest-to-host remote code execution (RCE) flaws, an SMB elevation-of-privilege vulnerability with public exploit details, and the notoriously widespread Newtonsoft.Json denial-of-service bug across affected Microsoft products.
Failing to prioritize these updates could give attackers a rapid path from a mundane foothold to domain domination, especially given that two of the addressed vulnerabilities were already publicly disclosed before Patch Tuesday, and exploit proofs-of-concept are circulating for several of the most dangerous flaws.
A Strategic, Not Routine, Release
September’s cumulative patches touch Windows client and server OSes, SQL Server, Office, SharePoint, and Azure-adjacent components. Combined Servicing Stack Updates (SSU) and Latest Cumulative Updates (LCU) are delivered as usual, and Microsoft provides hotpatches for eligible server SKUs to minimize reboot windows. But the headline isn’t just the volume; it’s the operational hardening controls baked in.
Administrators face a compressed timeline: Windows 10’s end of support lands on October 14, 2025, and an Azure identity enforcement milestone hits in early October. This calendar pressure, combined with the severity and public nature of several bugs, means patching cadence and staging discipline are more critical than ever.
Two Publicly Disclosed Flaws Demand Immediate Attention
SMB Elevation-of-Privilege (CVE-2025-55234)
This vulnerability in Server Message Block (SMB) protocol handling allows an attacker to elevate privileges on a target system. Technical details were made public before Microsoft shipped the fix, raising the odds of weaponization. While Microsoft has not confirmed active exploitation, the combination of a publicly documented exploit path and SMB’s ubiquity makes this a high-priority item.
Rather than a simple patch-and-forget approach, Microsoft paired the vulnerability fix with new audit capabilities. Administrators can now enable SMB audit events that log endpoints failing to use SMB signing or Extended Protection for Authentication (EPA). Ingesting these events into a SIEM provides immediate visibility into the very assets an attacker would target. The strategic move: discover and remediate incompatible legacy devices first, then flip the switch to require signing and EPA.
Newtonsoft.Json Denial-of-Service (CVE-2024-21907) Patched in Microsoft Products
Originally disclosed in 2018 and tracked as CVE-2024-21907, this flaw in the popular Json.NET library (Newtonsoft.Json) allows an attacker to crash any process that deserializes untrusted JSON: a payload of deeply nested arrays or objects drives the recursive parser until it throws a StackOverflowException, which terminates the process. Although the upstream library was fixed in version 13.0.1, many Microsoft products embedded vulnerable versions. September’s updates close that gap where Microsoft consumes the library.
All organizations must audit their own .NET applications and services: upgrade to Newtonsoft.Json 13.0.1 or newer, or explicitly set a conservative MaxDepth (e.g., 128) in the JsonSerializerSettings used for untrusted input so that nesting attacks are rejected before the stack is exhausted.
The Critical-Severity Cluster
Eight of the 80+ CVEs carry Microsoft’s “critical” rating, signifying that exploitation could lead to remote code execution or system-level compromise without user interaction — or with minimal interaction such as previewing a document. The most operationally impactful:
- Hyper-V Guest-to-Host RCEs (CVE-2025-53799, CVE-2025-53800, CVE-2025-55224): These break the fundamental isolation between virtual machines and the hypervisor host, enabling an attacker with control over a guest VM to execute code on the host. In multi-tenant environments, this could allow lateral movement across customer workloads. Hypervisor hosts must be patched immediately.
- Windows Graphics and Office RCEs (CVE-2025-55236, CVE-2025-54910): Document-parsing vulnerabilities that trigger when a user opens or previews a malicious file. The low user-interaction bar makes these a favorite for phishing campaigns.
- NTLM Elevation-of-Privilege (CVE-2025-54918): A flaw in NTLM handling could let attackers escalate to SYSTEM under certain conditions. Because NTLM remains deeply woven into enterprise authentication, exploitation risks are elevated.
- Internet Connection Sharing (ICS) RCE (CVE-2025-55228): On systems where ICS is enabled, crafted network packets can achieve remote code execution.
Security vendors and detection teams have already released Snort and Talos signatures to catch exploitation attempts. Defenders are urged to integrate those immediately to buy time while patches roll out.
SMB Audit: A Hardening Lifeline
The SMB audit tooling deserves its own spotlight because it illustrates a pragmatic shift by Microsoft. Rather than simply requiring SMB signing and EPA — which would suddenly break connectivity to legacy network-attached storage, printers, and appliances that don’t support these features — the September update adds comprehensive audit events. These logs reveal which endpoints would fail under enforcement, giving IT teams a safe, measured path to remediation.
Enable audit mode now, ship events to your SIEM, and create alerts for non-compliant devices. Then work through the inventory: update firmware, replace unsupported hardware, or isolate legacy devices before the inevitable day when Microsoft makes signing and EPA mandatory.
Newtonsoft.Json: The Lingering Ecosystem Risk
Beyond the Microsoft product patches, this vulnerability serves as a stern reminder of the dangers posed by deeply embedded open-source libraries. Countless line-of-business applications, web APIs, and background services use Newtonsoft.Json. An attacker only needs to find an endpoint that accepts and deserializes JSON to crash the process and potentially take down entire service tiers.
Mitigation is straightforward:
- Upgrade Newtonsoft.Json to version 13.0.1 or later.
- Where immediate upgrade isn’t possible, globally set JsonSerializerSettings.MaxDepth = 128 and enforce timeouts.
- Monitor for application pool recycles and unexpected process terminations in IIS and containerized environments.
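The nesting check that MaxDepth performs, shown as an added Python example (not code from Microsoft or the Json.NET project) covering both the vulnerability description above and the mitigation list: a single non-recursive pass measures the deepest bracket nesting, ignoring brackets inside string literals, and refuses the payload before any recursive parser touches it. The 128 limit mirrors the article's recommendation; the sample payloads are constructed. In Newtonsoft.Json the equivalent is `new JsonSerializerSettings { MaxDepth = 128 }` (13.0.1 defaults MaxDepth to 64).

```python
import json

# Limit assumed from the article's recommendation (Newtonsoft.Json 13.0.1 defaults to 64).
MAX_DEPTH = 128


def json_nesting_depth(payload: str) -> int:
    """Return the deepest object/array nesting level of a JSON text.

    Iterative, so the guard itself cannot be crashed by the payload it inspects.
    Brackets inside string literals (including escaped quotes) are ignored.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in payload:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def safe_loads(payload: str, max_depth: int = MAX_DEPTH):
    """Reject over-deep payloads before handing them to the recursive json parser."""
    depth = json_nesting_depth(payload)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(payload)


# Constructed samples: a benign document whose strings contain brackets, and the
# CVE-2024-21907 pattern (thousands of nested arrays) that exhausts a recursive parser.
BENIGN = '{"user": {"name": "a]b{c", "tags": ["x", "y"]}}'
NESTING_ATTACK = "[" * 5000 + "]" * 5000

if __name__ == "__main__":
    print("benign depth:", json_nesting_depth(BENIGN))        # 3
    print("attack depth:", json_nesting_depth(NESTING_ATTACK))  # 5000
    try:
        safe_loads(NESTING_ATTACK)
    except ValueError as err:
        print("rejected:", err)
```

Without the guard, `json.loads(NESTING_ATTACK)` raises RecursionError in CPython; in an unpatched Newtonsoft.Json consumer the same input takes the whole process down.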
Operational Realities That Elevate Risk
This patch cycle occurs against a backdrop of tightening deadlines and architectural vulnerabilities that criminals actively exploit:
- Public Proof-of-Concept Availability: PoCs for the SMB EoP and document-parsing flaws shorten the time from patch release to in-the-wild exploitation.
- Concentration on Authentication and Virtualization: The bugs target NTLM, Kerberos, SMB, and Hyper-V — all critical for lateral movement and domain privilege escalation. An initial foothold combined with an unpatched NTLM or SMB flaw can lead to full domain compromise.
- Calendar Pressures: With Windows 10 end-of-support on October 14, 2025, and Azure MFA enforcement right behind, many organizations face conflicting priorities. The risk is that patching is rushed without proper testing, leading to operational outages that could have been avoided.
Prioritized Remediation Roadmap
Immediate (Hours to 24 Hours)
- Patch internet-facing assets first: firewalls, VPN/RRAS gateways, web servers, SharePoint, and any endpoint that processes documents or preview panes.
- Apply hotpatches to critical Hyper-V hosts and eligible servers to reduce reboot windows.
- Enable SMB audit events and begin ingesting telemetry into your SIEM.
Short Term (24–72 Hours)
- Pilot updates on domain controllers, management VMs, and a representative sample of production servers.
- Validate authentication flows, application connectivity, and third-party storage appliance compatibility.
- Upgrade Newtonsoft.Json across custom and vendor applications; confirm SQL Server and other Microsoft stacks have received their updates.
Medium Term (One to Two Weeks)
- Complete staged rollout to all servers and endpoints, prioritizing remaining hypervisor hosts.
- Audit and reduce legacy NTLM usage; migrate service accounts to managed identities where possible.
- Apply SMB hardening enforcement after verifying that all audited endpoints comply.
Detection and Hunting Guidance
Beyond patching, defenders should actively hunt for exploitation activity:
- Create SIEM alerts for SMB audit failures. Correlate with anomalous outbound SMB traffic or NTLM authentication attempts to suspicious external addresses.
- Monitor Office process trees for unexpected child processes spawned by Word, Excel, or PowerPoint — a classic indicator of document-based RCE.
- Watch for AMSI telemetry errors and frequent application pool recycles, which may indicate crashing due to a JSON DoS attack.
- Deploy updated IDS/IPS signatures, such as the Snort rules published by Cisco Talos and the equivalent rule sets from other vendors aligned to this release.
A Word of Caution on CVE Mappings
Community trackers and early aggregation posts have occasionally reported CVE-to-KB mappings that don’t perfectly align with Microsoft’s Security Update Guide. Before mass deployment, verify every CVE against the official MSRC advisory for your specific OS build and edition. Relying solely on third-party lists without cross-referencing can lead to dangerous gaps.
The Bottom Line
Microsoft’s September 2025 Patch Tuesday is more than a monthly maintenance event; it’s a strategic inflection point. The inclusion of SMB audit tooling signals that enforcement of secure-by-default configurations is coming, and the window to prepare without breaking production systems is finite. Meanwhile, the critical nature of the Hyper-V escapes and the broad attack surface of document-parsing RCEs demand that patching be swift and methodical.
IT and security teams should inventory, patch, monitor, and harden — in that order. Enable the audit telemetry to expose risk, patch the most exposed systems first, and then systematically lock down what the telemetry reveals. The technical steps are well understood; the operational discipline to execute them under deadline pressure is what will separate resilient networks from compromised ones.