Microsoft Patch Tuesday, September 2025 Version – Krebs on Safety

Microsoft Corp. at this time issued safety updates to repair greater than 80 vulnerabilities in its Windows working techniques and software program. There are not any recognized “zero-day” or actively exploited vulnerabilities on this month’s bundle from Redmond, which however consists of patches for 13 flaws that earned Microsoft’s most-dire “critical” label. Meanwhile, each Apple and Google lately launched updates to repair zero-day bugs of their units.

Microsoft assigns safety flaws a “critical” score when malware or miscreants can exploit them to realize distant entry to a Windows system with little or no assist from customers. Among the extra regarding important bugs quashed this month is CVE-2025-54918. The drawback right here resides with Windows NTLM, or NT LAN Manager, a set of code for managing authentication in a Windows community atmosphere.

Redmond charges this flaw as “Exploitation More Likely,” and though it’s listed as a privilege escalation vulnerability, Kev Breen at Immersive says this one is definitely exploitable over the community or the Internet.

“From Microsoft’s limited description, it appears that if an attacker is able to send specially crafted packets over the network to the target device, they would have the ability to gain SYSTEM-level privileges on the target machine,” Breen mentioned. “The patch notes for this vulnerability state that ‘Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network,’ suggesting an attacker may already need to have access to the NTLM hash or the user’s credentials.”

Breen mentioned one other patch — CVE-2025-55234, a 8.8 CVSS-scored flaw affecting the Windows SMB consumer for sharing recordsdata throughout a community — is also listed as privilege escalation bug however is likewise remotely exploitable. This vulnerability was publicly disclosed previous to this month.

“Microsoft says that an attacker with network access would be able to perform a replay attack against a target host, which could result in the attacker gaining additional privileges, which could lead to code execution,” Breen famous.

CVE-2025-54916 is an “important” vulnerability in Windows NTFS — the default filesystem for all fashionable variations of Windows — that may result in distant code execution. Microsoft likewise thinks we’re greater than more likely to see exploitation of this bug quickly: The final time Microsoft patched an NTFS bug was in March 2025 and it was already being exploited within the wild as a zero-day.

“While the title of the CVE says ‘Remote Code Execution,’ this exploit is not remotely exploitable over the network, but instead needs an attacker to either have the ability to run code on the host or to convince a user to run a file that would trigger the exploit,” Breen mentioned. “This is commonly seen in social engineering attacks, where they send the user a file to open as an attachment or a link to a file to download and run.”

Critical and distant code execution bugs are inclined to steal all of the limelight, however Tenable Senior Staff Research Engineer Satnam Narang notes that almost half of all vulnerabilities mounted by Microsoft this month are privilege escalation flaws that require an attacker to have gained entry to a goal system first earlier than making an attempt to raise privileges.

“For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws,” Narang noticed.

On Sept. 3, Google fixed two flaws that have been detected as exploited in zero-day assaults, together with CVE-2025-38352, an elevation of privilege within the Android kernel, and CVE-2025-48543, additionally an elevation of privilege drawback within the Android Runtime part.

Also, Apple lately patched its seventh zero-day (CVE-2025-43300) of this 12 months. It was a part of an exploit chain used together with a vulnerability within the WhatsApp (CVE-2025-55177) instantaneous messenger to hack Apple units. Amnesty International reports that the 2 zero-days have been utilized in “an advanced spyware campaign” over the previous 90 days. The challenge is mounted in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.

The SANS Internet Storm Center has a clickable breakdown of every particular person repair from Microsoft, listed by severity and CVSS rating. Enterprise Windows admins concerned in testing patches earlier than rolling them out ought to keep watch over askwoody.com, which regularly has the thin on wonky updates.

AskWoody additionally reminds us that we’re now simply two months out from Microsoft discontinuing free safety updates for Windows 10 computer systems. For these occupied with safely extending the lifespan and usefulness of those older machines, try final month’s Patch Tuesday protection for a couple of pointers.

As ever, please don’t neglect to again up your knowledge (if not your complete system) at common intervals, and be at liberty to hold forth within the feedback should you expertise issues putting in any of those fixes.