
Microsoft released its newest monthly security patch on Sept. 9, addressing roughly 80 CVEs. September was a relatively quiet month, with none of the vulnerabilities known to be actively exploited. Of these vulnerabilities, 13 were rated critical.
Two notable vulnerabilities Microsoft patched in September were CVE-2025-54918, an elevation of privilege vulnerability in the Windows NTLM authentication protocol on Windows Server, and CVE-2025-54916, a remote code execution bug in Windows NTLM.
CVE-2025-54918 lets attackers bypass security controls
CVE-2025-54918 could allow attackers to infiltrate organizations that rely on Windows-based authentication.
“The core issue appears to be a flaw in how the NTLM authentication protocol validates credentials or manages authentication sessions, allowing attackers to bypass security controls and elevate their privileges over a network connection,” said Alex Vovk, chief executive officer and co-founder of Action1, in an email to TechRepublic.
CVE-2025-54918 “is titled a privilege escalation vulnerability, but is actually exploitable over the network or the internet,” said Kev Breen, senior director of threat research at Immersive, in an email to TechRepublic.
Breen warned that organizations should prioritize patching this vulnerability.
CVE-2025-54916 opens up a flaw for all modern versions of Windows
Another major flaw is CVE-2025-54916, which targets the New Technology File System.
“NTFS is the default filesystem for all modern versions of the Windows operating system, making for a large attack surface,” Breen said.
If exploited, CVE-2025-54916 could trigger a stack-based buffer overflow.
However, CVE-2025-54916 is not easily triggered.
“While the title of the CVE says ‘Remote Code Execution,’ this exploit is not remotely exploitable over the network, but instead needs an attacker to either have the ability to run code on the host or to convince a user to run a file that can trigger the exploit,” Breen said.
Other notable vulnerabilities patched in September
CVE-2025-55234 is notable because attackers can chain it with other attack techniques.
“At its core, the vulnerability exists because SMB sessions can be established without properly validating the authentication context when key hardening measures, such as SMB signing and Extended Protection for Authentication, are not in place,” said Mike Walters, president and co-founder of Action1.
Attackers could piggyback off CVE-2025-55234 to move laterally across a network, gain control over Active Directory, or strengthen NTLM relay attacks.
“The 8.8 CVSS score reflects the potential impact, though exploitation does require user interaction and network access, which somewhat limits the attack surface,” Walters said.
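As an added example, not code from the article or from Action1, the following PowerShell audit checks the SMB signing hardening Walters refers to, showing the weak negotiable setting beside the enforced one. It assumes an elevated session on Windows 8 / Server 2012 or later with the built-in SmbShare module, and it does not cover Extended Protection for Authentication.

```powershell
# Added example (not from the article): audit, and optionally enforce, SMB signing.
# Assumes an elevated PowerShell session and the SmbShare module (Windows 8 / Server 2012+).

function Get-SmbSigningPosture {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    [pscustomobject]@{
        # "Enabled" only offers signing during negotiation; an unsigned session can
        # still be established. "Required" is the hardened setting.
        ServerSigningEnabled  = $server.EnableSecuritySignature
        ServerSigningRequired = $server.RequireSecuritySignature
        ServerEncryptData     = $server.EncryptData
        ClientSigningEnabled  = $client.EnableSecuritySignature
        ClientSigningRequired = $client.RequireSecuritySignature
    }
}

function Test-SmbSigningPosture {
    param([switch]$Enforce)   # -Enforce switches both sides to "required"

    $posture = Get-SmbSigningPosture
    $posture | Format-List

    $weak = @()
    if (-not $posture.ServerSigningRequired) { $weak += 'server' }
    if (-not $posture.ClientSigningRequired) { $weak += 'client' }

    if ($weak.Count -eq 0) {
        Write-Host 'SMB signing is required on both server and client.'
        return
    }
    Write-Warning ("SMB signing is negotiable, not required, on: " + ($weak -join ', '))

    if ($Enforce) {
        # Corrected setting: require signing on both sides (-Force skips the prompt).
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        Write-Host 'SMB signing is now required on server and client.'
    }
}

# Report only; add -Enforce to apply the hardened setting.
Test-SmbSigningPosture

# Live outbound SMB connections, with whether each one is actually signed/encrypted.
Get-SmbConnection | Select-Object ServerName, ShareName, Signed, Encrypted
```

Requiring signing on every host can break legacy clients that cannot sign, so confirm the live-connection output on a pilot group before rolling the setting out fleet-wide.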
In Microsoft Office, a vulnerability addressed by the security patches could have allowed attackers to execute arbitrary code. CVE-2025-54910 came about because of memory corruption that can occur when data is written beyond an allocated heap buffer, Walters said.
“With Microsoft Office installed on billions of devices worldwide, the attack surface is huge,” he said. “The Preview Pane attack vector is particularly concerning for organizations that rely on Outlook, as it allows code execution without any user interaction, bypassing the usual ‘don’t open suspicious attachments’ advice.”
Until patches are applied, organizations can mitigate some of the risk by disabling Preview Pane.
Refer to Microsoft’s September 2025 security updates for the full list.
As TechRepublic reported last month, Microsoft will discontinue free security updates for Windows 10. Users should take action by Oct. 14 if they want to continue to receive security patches. They can either install Windows 11 or enroll in the Extended Security Updates program for Windows 10.
Apple and Google released significant security updates
Apple and Google both released some security patches in early September. Apple patched a zero-click bug used as part of the WhatsApp exploit used to spy on targeted users. Google patched a critical security vulnerability in the System component and other vulnerabilities.
Attackers hid cryptocurrency stealers inside a series of npm (Node Package Manager) packages that get more than two billion downloads a week.