Microsoft Patch Tuesday (September 2025): 80 fixes, one very nosey SMB bug

Microsoft’s September 2025 Patch Tuesday fixes 80 vulnerabilities: 8 Critical and 72 Important. None are known to be exploited, but one flaw was publicly disclosed before patching: CVE-2025-55234 in Windows SMB, which can enable relay attacks leading to privilege escalation if SMB signing/EPA aren’t enforced. Microsoft added auditing to help admins check client compatibility before hardening. Other notable issues include CVE-2025-54914 (Azure Networking, CVSS 10.0; handled on Microsoft’s side), CVE-2025-55232 (HPC Pack RCE, CVSS 9.8), and an NTLM elevation (CVE-2025-54918, CVSS 8.8). Two additional BitLocker privilege-escalation bugs were patched, alongside previously disclosed BitLocker issues. Microsoft also rolled up a dozen Edge fixes since August. Guidance from researchers stresses that patching alone isn’t enough—enable SMB signing/EPA, audit compatibility, and retest.

Microsoft’s monthly patch drop has landed with 80 fixes—eight Critical, the rest Important—and, for once, no active zero-days. Still, there’s a headline act: an SMB flaw (CVE-2025-55234) that’s already public knowledge and can enable relay attacks if your environment isn’t using SMB signing and Extended Protection for Authentication (EPA). Translation: patch promptly, then switch on the proper safeguards.

What’s worth your tea break
• SMB elevation (CVE-2025-55234) — patch it, enable signing/EPA, and use the new auditing to spot incompatible clients before you harden.
• Azure Networking (CVE-2025-54914, CVSS 10.0) — Microsoft-side fix; customers don’t need to lift a finger.
• HPC Pack RCE (CVE-2025-55232, CVSS 9.8) — network-exploitable, so prioritise servers running HPC components.
• Windows NTLM EoP (CVE-2025-54918, CVSS 8.8) — could lead to SYSTEM privileges in the wrong hands.
• BitLocker EoP (two more fixes) — local privilege-escalation bugs, so pre-boot hardening matters: consider TPM+PIN and anti-downgrade controls to cut the attack surface.

What to do this week
1. Patch fleet-wide, starting with SMB servers, HPC Pack hosts and high-risk Windows systems.
2. Turn on the new SMB auditing first, fix or retire the clients it flags as unable to sign, and only then require SMB signing/EPA; enforcing blind is how you take out a legacy NAS or print server.
3. Review NTLM usage, and keep BitLocker on best practice (TPM+PIN; anti-downgrade).
4. Schedule validation: scan, test and verify the fixes actually stuck.
Patching is half the job; policy and auditing do the rest. Your future self (and your incident queue) will thank you.
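An added example, not from the original article or from Microsoft, of the audit-then-enforce workflow from steps 2 and 4 as a PowerShell script run elevated on a Windows file server. It assumes the SmbShare module is present (Windows Server 2016+/Windows 10+) and treats the `AuditClientDoesNotSupportSigning` switch as an assumption: it is probed at run time because it only exists on builds carrying the relevant update, and a missing switch produces a warning rather than a silent no-op. EPA (SPN target-name validation) has its own setting whose cmdlet surface differs by build, so it is reported on but not scripted here.

```powershell
# Added example (not the article's or Microsoft's code): audit SMB signing posture,
# enable the newer per-client signing audit where the build offers it, summarise
# what the audit log has caught, and enforce signing only when explicitly asked.
# Assumption: AuditClientDoesNotSupportSigning is the Set-SmbServerConfiguration
# switch on updated builds; it is probed rather than assumed to exist.
[CmdletBinding()]
param(
    [int]$Days = 7,     # how far back to read the SMB server audit log
    [switch]$Enforce    # flip RequireSecuritySignature only when asked
)

function Test-CmdletParam {
    param([string]$Cmdlet, [string]$Name)
    (Get-Command $Cmdlet -ErrorAction Stop).Parameters.ContainsKey($Name)
}

# 1. Current posture: server and client cmdlets, plus the GPO-backed registry value
#    ("Microsoft network server: Digitally sign communications (always)").
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
$reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
[pscustomobject]@{
    ServerRequireSigning   = $srv.RequireSecuritySignature
    ClientRequireSigning   = $cli.RequireSecuritySignature
    RegistryRequireSigning = $reg.RequireSecuritySignature
    ServerEncryptData      = $srv.EncryptData
} | Format-List

# 2. Enable auditing of clients that cannot sign, where this build supports it.
if (Test-CmdletParam -Cmdlet Set-SmbServerConfiguration -Name AuditClientDoesNotSupportSigning) {
    Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning $true -Force
    Write-Output 'Signing audit enabled; events are written to Microsoft-Windows-SMBServer/Audit.'
} else {
    Write-Warning 'AuditClientDoesNotSupportSigning is not available on this build; apply the current update and re-run.'
}

# 3. Who is connected right now, and with which dialect? SMB1 sessions are the
#    first candidates for retirement since they cannot be hardened meaningfully.
Get-SmbSession | Group-Object Dialect | Select-Object Name, Count | Sort-Object Name

# 4. Summarise audit events from the last $Days days by event ID, with one sample
#    message per ID so the reader can see which client names are involved.
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; StartTime = $since } -ErrorAction SilentlyContinue
if ($events) {
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            EventId = $_.Name
            Count   = $_.Count
            Sample  = ($_.Group[0].Message -split "`n")[0]
        }
    } | Format-Table -AutoSize
} else {
    Write-Output "No SMB audit events in the last $Days days (nothing unsigned seen, or auditing only just started)."
}

# 5. Enforce only on request, and only after the audit window above is clean.
if ($Enforce) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Write-Output 'SMB signing is now required on server and client; re-run without -Enforce to verify.'
}
```

Run it without `-Enforce` for a week, work through whatever the audit log and the dialect breakdown surface, then run it once with `-Enforce` and a final time without to confirm the settings stuck. Managed estates should push the same RequireSecuritySignature value through Group Policy rather than per-host cmdlets so it survives rebuilds.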