Microsoft’s September 2025 security update lands with 81 freshly patched vulnerabilities, and the mix is anything but quiet: a publicly disclosed Server Message Block (SMB) elevation-of-privilege flaw, a near-perfect 9.8 CVSS remote code execution bug in High Performance Compute (HPC) Pack, and a torrent of Office, graphics, and kernel-level fixes that will keep enterprise patch teams busy well into the month. Administrators who skim the headline numbers might miss the handful of issues that Microsoft itself flags as “Exploitation More Likely” within 30 days, making this release a test of how quickly organizations can translate triage guidance into actual deployment.
Sophos first reported the full breakdown on September 10, and the data paints a picture of a Patch Tuesday dominated by Elevation of Privilege (EoP) vulnerabilities—38 in total—while Remote Code Execution (RCE) fixes, though fewer in number, carry a disproportionate share of the Critical severity designations. Only one CVE (the SMB EoP) was publicly known before patches landed, and as of release time, Microsoft’s telemetry showed no active in-the-wild exploitation. But in the hours and days following a Patch Tuesday, that snapshot can shift quickly, especially when a public disclosure hands attackers a head start.
The September 2025 Patch Tuesday by the Numbers
The official count from Microsoft covers 15 product families, with Windows alone accounting for 58 of the 81 CVEs. Office, Excel, and the broader Microsoft 365 stack collectively add another 13, while SharePoint, Azure, SQL Server, and even Xbox make cameo appearances. Here’s the impact breakdown:
- Elevation of Privilege: 38 CVEs
- Remote Code Execution: 22 CVEs
- Information Disclosure: 15 CVEs
- Denial of Service: 3 CVEs
- Security Feature Bypass: 2 CVEs
- Spoofing: 1 CVE
Nine vulnerabilities wear the Critical badge, while the remaining 72 are rated Important. One quirk: the nine Critical issues aren’t the same as the nine CVEs with CVSS base scores of 8.0 or higher, a discrepancy that underscores the difference between Microsoft’s internal severity classification and the standardized scoring system. For example, CVE-2025-55232—the HPC Pack RCE—is rated Important by Microsoft but racks up a 9.8 CVSS base score, the kind of number that makes intrusion detection analysts sweat.
Eight CVEs made Microsoft’s “Exploitation More Likely” list, a curated set that includes three kernel-level EoPs, an NTFS RCE, the NTLM EoP (CVE-2025-54918), and the already-public SMB issue (CVE-2025-55234). Administrators who treat that list as a cheat sheet for prioritization will save themselves a lot of weekend work.
The Standout Vulnerabilities: SMB, HPC, and Identity
CVE-2025-55234 — Windows SMB Elevation of Privilege
This is the release’s only public disclosure, and that fact alone makes it the most urgent item on the board. The flaw resides in SMB’s authentication handling and could allow an attacker to mount relay attacks against exposed servers or file shares. While SMB has long supported hardening mechanisms—signing, NTLM restrictions, and extended protection—organizations with older configurations or legacy network topologies often leave these controls off, and a publicly documented vulnerability turns that oversight into a countdown.
Microsoft’s advisory points administrators toward existing SMB hardening documentation, and the Sophos analysis adds that the SMB server’s built-in relay protections can blunt the attack. Practically, this means turning on SMB signing where possible, restricting NTLM, and filtering SMB traffic at network boundaries. For any server that accepts SMB connections from untrusted networks, the patch should land yesterday.
CVE-2025-55232 — Microsoft HPC Pack Remote Code Execution (CVSS 9.8)
No user interaction. No authentication. Just a reachable TCP port 5999. That’s the nightmare scenario in CVE-2025-55232, which targets Microsoft’s High Performance Compute Pack. The product is niche, but for the research institutions, engineering firms, and government labs that run HPC clusters, this vulnerability is operationally critical. The fix requires patching HPC nodes and, critically, locking down port 5999 to trusted management networks. Microsoft’s official word is blunt: run HPC clusters behind firewalls and treat that port as hostile unless you know exactly what’s connecting to it.
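The SMB hardening the advisory points at (signing, NTLM restriction, boundary filtering) and the port 5999 lockdown for HPC Pack are both Windows administration tasks, so here is an added PowerShell example that is not code from the article, Sophos or Microsoft. It audits the current SMB and NTLM state, enforces signing on server and client, puts incoming NTLM into audit mode, and scopes inbound TCP/445 and TCP/5999 to a set of management ranges. It assumes an elevated session on Windows Server with the SmbShare and NetSecurity modules; the subnets in $ManagementSubnets are a constructed placeholder, and the registry value names come from the "Restrict NTLM: Incoming NTLM traffic" policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article, Sophos or Microsoft): audit and enforce
# SMB/NTLM hardening, then scope TCP/445 and TCP/5999 to management networks.
# Assumes Windows Server with the SmbShare and NetSecurity modules available.

$ManagementSubnets = @('10.10.0.0/16', '192.168.50.0/24')   # constructed placeholder ranges

function Get-SmbHardeningState {
    # Read-only snapshot of the settings that decide whether an SMB/NTLM relay succeeds.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerRequiresSigning = $srv.RequireSecuritySignature
        ServerEncryptsData    = $srv.EncryptData
        Smb1Enabled           = $srv.EnableSMB1Protocol
        ClientRequiresSigning = $cli.RequireSecuritySignature
        # Backing values of "Network security: Restrict NTLM: Incoming NTLM traffic" and
        # its audit twin: 0 = allow all, 1 = deny domain accounts, 2 = deny all; $null = not set
        RestrictIncomingNtlm  = $lsa.RestrictReceivingNTLMTraffic
        AuditIncomingNtlm     = $lsa.AuditReceivingNTLMTraffic
    }
}

function Set-SmbHardening {
    # Require signing on both sides and retire SMB1. A relayed session is useless once
    # signing is required, because the relaying host never learns the session key.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSMB1Protocol $false -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    # Audit incoming NTLM first; raise RestrictReceivingNTLMTraffic to 2 only after the
    # Microsoft-Windows-NTLM/Operational log shows no legitimate NTLM clients remain.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
        -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
}

function Get-WideOpenInboundRules {
    param([int]$Port)
    # Enabled inbound Allow rules that open exactly this TCP port to any remote address
    # (the built-in "File and Printer Sharing (SMB-In)" rule is the usual offender for 445).
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains "$Port") -and ($af.RemoteAddress -eq 'Any')
    }
}

function Set-BoundaryFilters {
    param([string[]]$AllowFrom)
    # Windows Firewall gives Block rules precedence over Allow rules, so a blanket Block
    # would also cut off management. Instead: keep the profile default at inbound Block,
    # disable the wide-open Allow rules, and add one Allow per port scoped to $AllowFrom.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    foreach ($port in 445, 5999) {
        $name = "Scoped TCP/$port from management"
        Get-WideOpenInboundRules -Port $port | Where-Object DisplayName -ne $name | Disable-NetFirewallRule
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -RemoteAddress $AllowFrom -Action Allow | Out-Null
        }
    }
}

# Usage: review first, change second, re-check.
Get-SmbHardeningState | Format-List
Set-SmbHardening
Set-BoundaryFilters -AllowFrom $ManagementSubnets
Get-SmbHardeningState | Format-List
```

Run the audit function alone on a representative server before enforcing anything: a fleet that still has clients unable to sign will surface in that output and in the NTLM audit log, and it is cheaper to learn that from a report than from a help desk queue.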
CVE-2025-54918 — Windows NTLM Elevation of Privilege
This is the month's headline identity issue. NTLM-based EoPs have been a recurring theme in 2025’s Patch Tuesdays, and CVE-2025-54918 keeps that streak alive. Domain controllers, Active Directory management servers, and any system that processes NTLM authentication requests are the obvious targets. The Sophos team notes that this CVE, along with earlier Kerberos-related disclosures, pushes identity hardening to the top of any Active Directory patching schedule. Monitoring for msds-* attribute changes and restricting admin access to domain controllers are minimum precautions while the patch cycle spins up.
The Document and Graphics Parsing Onslaught
Seven Excel RCEs, a PowerPoint RCE, a Word information disclosure, and a raft of graphics component fixes—September continues the pattern of treating Office and image-processing pipelines as a rich attack surface. CVE-2025-54910, a Critical Microsoft Office RCE, and CVE-2025-54897, an 8.8 CVSS SharePoint RCE caught (fittingly) by a researcher’s cat named Vanilla, are prime examples. Servers that preview, ingest, or render untrusted documents—mail gateways, SharePoint, document conversion services—should be sandboxed or patched immediately, because the payloads here don’t require much user cooperation beyond opening a file.
CVE-2025-53799 deserves special mention: it’s a Critical information disclosure in the Windows Imaging Component that also affects Office for Android. That cross-platform reach is a reminder that shared parsing libraries can create exposure outside the traditional Windows estate. An attacker could read small chunks of heap memory, the kind of leak that chains neatly into a larger exploit. Mobile endpoints that open unknown files should be considered part of the urgent patching wave.
Legacy Code Haunting: MapUrlToZone and Windows 10
Two identically named Security Feature Bypass CVEs—CVE-2025-54107 and CVE-2025-54917—both take aim at the MapUrlToZone function, a piece of legacy URL-zone logic inherited from Internet Explorer. With Windows 10 entering its final month of mainstream support, these fixes serve as a sharp reminder that deprecated browser components still lurk in the operating system’s DNA. Forty-four of this month’s patches apply to Windows 10, and any organization with a long-tail Windows 10 fleet needs to include those endpoints in the early rollout, not the “we’ll get to it” pile.
Community Perspectives: A Pragmatic Rollout Plan
The forum contribution attached to this release adds a layer of real-world deployment guidance that official advisories often skip. Drawing from the community’s insights, here’s a battle-tested sequencing model:
- First wave (immediate): Domain controllers, identity infrastructure, Exchange hybrid front ends, and document-ingestion servers. If it handles authentication or opens untrusted files, patch it now.
- Second wave (within 48 hours): Internet-facing SMB servers, file shares, Hyper-V hosts, and virtualization control planes. These are the machines that an attacker will probe once the public disclosure spawns proof-of-concept code.
- Third wave (within the week): User endpoints, application servers, and isolated HPC nodes. If the HPC management port is segmented, the urgency drops slightly; if it’s exposed, promote to first wave.
The combined servicing stack update (SSU) and latest cumulative update (LCU) packaging—standard for Windows this month—simplifies deployment for large fleets but introduces rollback complexity. Because the SSU component is effectively non-removable once installed, a severe regression requires using DISM /Remove-Package rather than the simpler wusa /uninstall. Test on representative images, consult Microsoft’s known-issue lists, and have a rollback plan that doesn’t assume you can just hit “uninstall.”
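Because the combined SSU+LCU package cannot be backed out with wusa /uninstall, the rollback the paragraph describes is a package-name removal. The following added PowerShell example is not from the article or Microsoft's documentation; it uses the DISM PowerShell module (Get-WindowsPackage and Remove-WindowsPackage, the cmdlet form of DISM /Remove-Package) and assumes that the LCU appears as a "Package_for_RollupFix" entry and the SSU as a "Package_for_ServicingStack" entry, which is how Windows names them.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): identify and roll back the
# latest cumulative update by package name, the only path once SSU+LCU are combined.
# Assumes the DISM PowerShell module; the LCU is a "Package_for_RollupFix" package.

function Get-InstalledCumulativeUpdates {
    # Installed LCU and SSU packages, newest first, so the rollback target is obvious.
    Get-WindowsPackage -Online |
        Where-Object { $_.PackageState -eq 'Installed' -and
                       $_.PackageName -match '^Package_for_(RollupFix|ServicingStack)' } |
        Sort-Object InstallTime -Descending |
        Select-Object PackageName, ReleaseType, InstallTime
}

function Remove-LatestCumulativeUpdate {
    param([switch]$WhatIf)
    # Remove only the newest RollupFix (the LCU). The SSU stays: it is permanent once
    # installed, which is why "wusa /uninstall" refuses the combined package.
    $lcu = Get-InstalledCumulativeUpdates |
        Where-Object PackageName -like 'Package_for_RollupFix*' |
        Select-Object -First 1
    if (-not $lcu) { Write-Warning 'No LCU package found'; return }
    if ($WhatIf) { "Would remove $($lcu.PackageName)"; return }
    # Equivalent command line: DISM /Online /Remove-Package /PackageName:<PackageName>
    Remove-WindowsPackage -Online -PackageName $lcu.PackageName -NoRestart
    # Removal completes on reboot; schedule it inside the maintenance window.
}

# Usage: list, dry-run, then remove once change control approves.
Get-InstalledCumulativeUpdates | Format-Table -AutoSize
Remove-LatestCumulativeUpdate -WhatIf
# Remove-LatestCumulativeUpdate
```

Keep the output of Get-InstalledCumulativeUpdates from a healthy reference image in the change record; when a regression report comes in, comparing package names is faster than reconstructing what was deployed from KB numbers alone.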
Detection, Mitigations, and Defender Controls
Sophos included specific IPS and Intercept X detection IDs for four CVEs (including the TCP/IP driver EoP and the NTLM EoP), and any security team running up-to-date feeds should immediately validate that those signatures are live. For other defenders, the checklist is straightforward:
- Block SMB across the internet and restrict lateral SMB to authenticated, segmented zones.
- Firewall TCP/5999 for HPC deployments or block it entirely if HPC Pack isn’t in use.
- Disable file preview panes in Outlook, File Explorer, and mail gateways until Office patches are rolled out enterprise-wide.
- Enforce NTLM/SMB signing and Kerberos hardening policies where supported; if legacy systems can’t support signing, segment them more aggressively.
- Update EDR/IPS/IDS signatures and run a verification scan to confirm that detections for September’s highlighted CVEs are present.
- Monitor directory changes: set up SIEM alerts for suspicious msds-* attribute modifications and unusual NTLM authentication sequences.
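The last checklist item (and the NTLM EoP section's call to monitor msds-* attribute changes) can be expressed as two small hunts. The following added PowerShell example is not from the article or Sophos. It flattens Security log records into plain objects, flags Event ID 5136 (directory object modified) entries that touch msDS-* attributes, and flags Event ID 4624 logons using the NTLM package where one source address authenticates as many distinct accounts in a short window. The field names (AttributeLDAPDisplayName, ObjectDN, SubjectUserName, AuthenticationPackageName, TargetUserName, IpAddress) are the EventData names those two events carry; the sample records, the threshold and the window are constructed for the demonstration.

```powershell
# Added example (not from the article or Sophos): two hunts over Security events,
# runnable on the constructed sample below and, on a DC, over Get-WinEvent output.

function ConvertFrom-SecurityEvent {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        # Flatten the EventData name/value pairs of a Get-WinEvent record into one object.
        $x = [xml]$Event.ToXml()
        $h = @{ Id = $Event.Id; Time = $Event.TimeCreated }
        foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        [pscustomobject]$h
    }
}

function Find-MsDsAttributeChanges {
    param([object[]]$Events)
    # 5136 records filtered to msDS-* attributes, the namespace the checklist asks to watch.
    $Events | Where-Object { $_.Id -eq 5136 -and $_.AttributeLDAPDisplayName -like 'msDS-*' } |
        Select-Object Time, SubjectUserName, ObjectDN, AttributeLDAPDisplayName
}

function Find-NtlmBursts {
    param([object[]]$Events, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    # 4624 records with the NTLM package, grouped by source IP; a source that logs on as
    # $Threshold or more distinct accounts inside $WindowMinutes is an unusual sequence.
    $Events | Where-Object { $_.Id -eq 4624 -and $_.AuthenticationPackageName -eq 'NTLM' } |
        Group-Object IpAddress | ForEach-Object {
            $times    = @($_.Group.Time | Sort-Object)
            $accounts = @($_.Group.TargetUserName | Sort-Object -Unique).Count
            if ($accounts -ge $Threshold -and ($times[-1] - $times[0]).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{ SourceIp = $_.Name; DistinctAccounts = $accounts; First = $times[0]; Last = $times[-1] }
            }
        }
}

# Constructed sample records (not real telemetry) that exercise both rules.
$t0 = Get-Date '2025-09-10T09:00:00'
$sample = @(
    [pscustomobject]@{ Id = 5136; Time = $t0; SubjectUserName = 'svc-backup'; ObjectDN = 'CN=FS01,OU=Servers,DC=corp,DC=example'; AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo' }
    [pscustomobject]@{ Id = 5136; Time = $t0; SubjectUserName = 'jdoe'; ObjectDN = 'CN=jdoe,OU=Users,DC=corp,DC=example'; AttributeLDAPDisplayName = 'telephoneNumber' }
)
foreach ($i in 1..6) {
    $sample += [pscustomobject]@{ Id = 4624; Time = $t0.AddMinutes($i); AuthenticationPackageName = 'NTLM'; TargetUserName = "user$i"; IpAddress = '10.10.5.23' }
}
$sample += [pscustomobject]@{ Id = 4624; Time = $t0; AuthenticationPackageName = 'Kerberos'; TargetUserName = 'user7'; IpAddress = '10.10.5.23' }

Find-MsDsAttributeChanges -Events $sample | Format-Table -AutoSize   # one row: the msDS-AllowedToDelegateTo change
Find-NtlmBursts -Events $sample | Format-Table -AutoSize             # one row: 10.10.5.23, 6 accounts in 6 minutes

# On a domain controller the same functions run over live data, e.g.:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 4624; StartTime = (Get-Date).AddHours(-1) } | ConvertFrom-SecurityEvent
```

Event 5136 only fires when "Audit Directory Service Changes" is enabled and the objects carry a SACL for write access, so the first thing the hunt tells you on a quiet DC may be that the audit policy itself is missing; that is worth knowing before the patch window, not after.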
Risk Analysis: Strengths and Exposures
Microsoft’s coordinated SSU+LCU delivery reduces the sequencing errors that plagued earlier patch models, and cloud-side mitigations for some tenant-facing issues mean that certain fixes are already applied server-side. But the exposures are equally real:
- Public disclosure gap: A publicly known vulnerability shortens the adversary’s research cycle. Even absent active exploitation, the window between disclosure and widespread patching is the riskiest period. Organizations that treat “not yet exploited” as “no urgency” are making a bet they can’t afford.
- Patch fatigue and complexity: 81 CVEs across 15 product families strain even mature patch management programs. Missed hotfixes and partial rollouts become more likely as the volume stays consistently high.
- Legacy surface area: Old browser components (MapUrlToZone), aging Windows 10 deployments, and unhardened SMB configurations are the persistent soft spots that turn a manageable Patch Tuesday into a breach. If your organization still relies on default configurations from a decade ago, this release is your wake-up call.
What Admins Should Do Right Now
- Run asset discovery: Use winver.exe to determine exact Windows builds and map every installed product against the Security Update Guide. Don’t guess—know which CVEs apply to your specific SKUs.
- Prioritize identity: Patch domain controllers and account-management servers before anything else, and turn on auditing for the msds-* attributes that get abused in relay attacks.
- Harden SMB and HPC immediately: Even before patching, apply network-level mitigations. An SMB relay attempt that never reaches a target is better than one that hits a patched but misconfigured server.
- Isolate document-processing servers: If a server ingests or previews untrusted Office documents, treat it as a high-priority target. Patch it, sandbox it, or both.
- Validate cloud mitigations: If Microsoft reports service-side mitigations for your tenant, confirm they’re actually in effect. Don’t assume “mitigated in cloud” means your on-premises hybrid is safe.
- Update detection tooling and hunt: Correlate EDR telemetry with the month’s high-risk CVEs, and look for post-patch anomalies that might indicate a late-stage exploit attempt.
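The asset-discovery step maps each machine's exact build and installed products against the Security Update Guide. The following added PowerShell example is not from the article; it reads the same build numbers winver.exe displays from the registry, lists the installed products from the families this release touches, and checks whether a given KB is present. The KB value is a constructed placeholder to be replaced with the LCU the guide lists for your build.

```powershell
# Added example (not from the article): build, product and hotfix inventory for
# matching a host against the Security Update Guide. KB number is a placeholder.

function Get-WindowsBuildInfo {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        # ProductName still reads "Windows 10 ..." on Windows 11 hosts; trust the build number.
        ProductName    = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion                   # e.g. 22H2; absent on very old builds
        Build          = "$($cv.CurrentBuild).$($cv.UBR)"     # what winver shows as "OS Build"
        IsWindows10    = [int]$cv.CurrentBuild -lt 22000      # Windows 11 builds start at 22000
    }
}

function Get-PatchRelevantProducts {
    # Installed products from the Uninstall keys, narrowed to families in this release.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Office|Microsoft 365|SharePoint|SQL Server|HPC Pack' } |
        Select-Object DisplayName, DisplayVersion |
        Sort-Object DisplayName -Unique
}

function Test-HotfixInstalled {
    param([Parameter(Mandatory)][string]$KB)
    # Get-HotFix lists cumulative updates by KB id; $true when the given one is present.
    [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

$build = Get-WindowsBuildInfo
$build | Format-List
Get-PatchRelevantProducts | Format-Table -AutoSize
$septemberLcu = 'KB0000000'   # placeholder: the LCU the Security Update Guide lists for $build.Build
"September LCU $septemberLcu installed: $(Test-HotfixInstalled -KB $septemberLcu)"
```

Export the three results per host to your CMDB or SIEM rather than reading them by hand; the IsWindows10 flag is the quick way to pull the long-tail Windows 10 fleet into the early rollout the article calls for.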
September 2025’s Patch Tuesday isn’t defined by a single show-stopping zero-day. It’s defined by a persistent drumbeat of EoP and RCE fixes that, taken together, form a mosaic of modern Windows risk: identity, parsing, kernel, and network services all under pressure. The difference between a smooth patch cycle and a security incident this month will come down to how quickly organizations translate the “Exploitation More Likely” list into concrete action—and whether they treat the public SMB disclosure as the closing of a window, not the opening of a debate.