Source: www.techrepublic.com – Author: Megan Crouse

Microsoft released its latest monthly security patch on Sept. 9, addressing approximately 80 CVEs. September was a relatively quiet month, with none of the vulnerabilities known to be actively exploited. Of those vulnerabilities, 13 were rated critical.
Two notable vulnerabilities Microsoft patched in September were CVE-2025-54918, an elevation of privilege vulnerability in the Windows NTLM authentication protocol on Windows Server, and CVE-2025-54916, a remote code execution bug in Windows NTLM.
CVE-2025-54918 lets attackers bypass security controls
CVE-2025-54918 could allow attackers to infiltrate organizations that rely on Windows-based authentication.
“The core issue appears to be a flaw in how the NTLM authentication protocol validates credentials or manages authentication sessions, allowing attackers to bypass security controls and elevate their privileges over a network connection,” said Alex Vovk, chief executive officer and co-founder of Action1, in an email to TechRepublic.
CVE-2025-54918 “is titled a privilege escalation vulnerability, but is actually exploitable over the network or the internet,” said Kev Breen, senior director of threat research at Immersive, in an email to TechRepublic.
Breen warned that organizations should prioritize patching this vulnerability.
CVE-2025-54916 opens up a flaw for all modern versions of Windows
Another major flaw is CVE-2025-54916, which targets the New Technology File System.
“NTFS is the default filesystem for all modern versions of the Windows operating system, making for a large attack surface,” Breen said.
If exploited, CVE-2025-54916 could be used to trigger a stack-based buffer overflow.
However, CVE-2025-54916 is not easily triggered.
“While the title of the CVE says ‘Remote Code Execution,’ this exploit is not remotely exploitable over the network, but instead needs an attacker to either have the ability to run code on the host or to convince a user to run a file that would trigger the exploit,” Breen said.
Other notable vulnerabilities patched in September
CVE-2025-55234 is notable because attackers can chain it with other attack techniques.
“At its core, the vulnerability exists because SMB sessions can be established without properly validating the authentication context when key hardening measures, such as SMB signing and Extended Protection for Authentication, are not in place,” said Mike Walters, president and co-founder of Action1.
Attackers could piggyback off CVE-2025-55234 to move laterally across a network, gain control over Active Directory, or strengthen NTLM relay attacks.
“The 8.8 CVSS score reflects the potential impact, though exploitation does require user interaction and network access, which somewhat limits the attack surface,” Walters said.
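As an added example (not from the article, Action1, or Microsoft), the following PowerShell script audits the SMB signing hardening Walters refers to on the local host and can optionally enforce it. It assumes the SmbShare module cmdlets present on Windows 8 / Server 2012 and later, and an elevated session; Extended Protection for Authentication is not covered by it.

```powershell
# Added example: audit (and optionally enforce) SMB signing on the local host.
# Assumes the SmbShare module (Windows 8 / Server 2012 and later); run elevated.
# EPA for SMB is not checked here; review it separately per Microsoft's guidance.
param(
    [switch]$Enforce   # when set, require signing for both the SMB server and client
)

function Get-SmbSigningPosture {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerRequiresSigning = $server.RequireSecuritySignature
        ServerEnablesSigning  = $server.EnableSecuritySignature
        ClientRequiresSigning = $client.RequireSecuritySignature
        ClientEnablesSigning  = $client.EnableSecuritySignature
    }
}

$posture = Get-SmbSigningPosture
$posture | Format-List

$gaps = @()
if (-not $posture.ServerRequiresSigning) { $gaps += 'SMB server accepts unsigned sessions' }
if (-not $posture.ClientRequiresSigning) { $gaps += 'SMB client will connect to servers that do not sign' }

if ($gaps.Count -eq 0) {
    Write-Host 'SMB signing is required on both server and client.'
} else {
    Write-Warning ("Hardening gaps found:`n - " + ($gaps -join "`n - "))
    if ($Enforce) {
        # Requiring signing can break legacy clients and devices that cannot sign;
        # stage the change and watch for failed connections before a fleet-wide rollout.
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        Write-Host 'Signing is now required; re-run without -Enforce to confirm.'
    } else {
        Write-Host 'Re-run with -Enforce to require signing on this host.'
    }
}
```

Run it as a saved script (e.g. `.\Audit-SmbSigning.ps1`) on each server in scope and collect the warnings; the `-Enforce` path is deliberately opt-in.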
In Microsoft Office, a vulnerability addressed by the security patches could have allowed attackers to execute arbitrary code. CVE-2025-54910 came about because of memory corruption that may occur when data is written beyond an allocated heap buffer, Walters said.
“With Microsoft Office installed on billions of devices worldwide, the attack surface is enormous,” he said. “The Preview Pane attack vector is particularly concerning for organizations that rely on Outlook, as it allows code execution without any user interaction, bypassing the usual ‘don’t open suspicious attachments’ advice.”
Until patches are applied, organizations may mitigate some of the risk by disabling Preview Pane.
Refer to Microsoft’s September 2025 security updates for the complete list.
As TechRepublic reported last month, Microsoft will discontinue free security updates for Windows 10. Users should take action by Oct. 14 if they want to continue to receive security patches. They can either install Windows 11 or enroll in the Extended Security Updates program for Windows 10.
Apple and Google released significant security updates
Apple and Google both released security patches in early September. Apple patched a zero-click bug that was part of the WhatsApp exploit used to spy on targeted users. Google patched a critical security vulnerability in the System component, along with other vulnerabilities.
Attackers hid cryptocurrency stealers inside a series of npm (Node Package Manager) packages that get more than two billion downloads each week.
Original Post URL: https://www.techrepublic.com/article/news-microsoft-patch-tuesday-september-2025/