Top Highlights
- EoP Vulnerability Surge: For the second month in a row, elevation of privilege (EoP) vulnerabilities outnumber all others in Microsoft’s September 2025 security update, with 38 of 81 unique CVEs allowing attackers to escalate privileges after initial system access.
- Critical EoP Flaws Identified: Two high-priority EoP bugs, CVE-2025-55234 and CVE-2025-54918, each with CVSS scores of 8.8, have been flagged for urgent attention due to their potential for easy exploitation and significant impact.
- Noteworthy RCE Threats: Among remote code execution (RCE) vulnerabilities, CVE-2025-55232 (CVSS 9.8) in the HPC Pack must be monitored closely, despite Microsoft assessing its exploitation likelihood as low.
- Call to Action for Security Teams: Security researchers recommend prioritizing patching for several critical vulnerabilities, emphasizing the importance of preparedness for upcoming end-of-life dates in Windows 10 and the next phase of mandatory multifactor authentication in Azure.
For the second consecutive month, elevation of privilege (EoP) bugs outnumbered all other vulnerability categories in Microsoft’s monthly security update.
The company’s September 2025 security update included fixes for 81 unique CVEs across its product portfolio, with a plurality — 38 vulnerabilities — enabling attackers to escalate privileges after gaining initial access to a system. Though remote code execution (RCE) bugs often attract more attention, EoP bugs present as big a threat because they allow attackers to transform an initial foothold on a system or a network into full-fledged control.
The remaining flaws in Microsoft’s September update included the usual mix of RCE vulnerabilities, information disclosure issues, and denial-of-service threats.
This month, as with August, Microsoft reported no actively exploited vulnerabilities among the disclosed CVEs. But it did include one previously disclosed vulnerability — an EoP issue — which the company ranked among eight CVEs in this month’s set that attackers are more likely to exploit.
Microsoft assessed 11 of the bugs as being of critical severity and most of the others as being of important or moderate severity on the 10-point CVSS scale. As always, though, security researchers had their own takes on the severity of the risks some of the bugs pose and on which ones security teams need to prioritize now.
The EoP Bugs Parade
Among the bugs needing immediate attention is CVE-2025-55234 (CVSS Score: 8.8), a publicly disclosed (and therefore a zero-day) EoP bug in Windows Server Message Block (SMB) that an attacker can exploit to gain the privileges of the legitimate user. The flaw, according to Microsoft, gives attackers a way to perform so-called SMB relay attacks to escalate privileges.
Somewhat interestingly, Microsoft said its decision to release the CVE was to “provide customers with audit capabilities to help them to assess their environment and to identify any potential device or software incompatibility issues before deploying SMB Server hardening measures.” It’s a characterization that at least one security researcher found puzzling.
“CVEs mean that a vulnerability exists,” says Tyler Reguly, associate director, security R&D at Fortra, in comments to Dark Reading. In this case, Microsoft appears to be using a CVE identifier to indicate that a new configuration/audit capability is available. “That is a major expansion of the meaning of CVEs, and if this starts happening on a regular basis, it will greatly increase the already large number of CVEs issued each year,” he says, while calling on MITRE to reject the CVE. Microsoft did not immediately have a clarification on the issue.
Another EoP bug that security researchers said needed high-priority attention is CVE-2025-54918 (CVSS Score 8.8) in Windows NT LAN Manager (NTLM). It is the only CVE in the entire set that Microsoft marked as critical and is likely to draw lots of attacker interest. That’s because it is easy to exploit, requires little prior knowledge of the system, and enables attackers to have “repeatable success with the payload against the vulnerable component,” according to the company.
Kev Breen, senior director of threat research at Immersive, said that Microsoft’s limited description of the flaw makes it sound like something that allows attackers to gain system-level privileges by sending specially crafted packets to a vulnerable device. The patch notes indicate an attacker may already need to have access to the NTLM hash or the user’s credentials in order to exploit the flaw, Breen said in prepared comments.
Ryan Braunstein, security manager at Automox, pointed to two other EoP flaws as meriting urgent attention: CVE-2025-54111 (CVSS Score: 7.8) and CVE-2025-54913. The flaws affect different components of Windows UI XAML, the framework for building user interfaces for Windows applications, and allow an attacker with standard user privileges to escalate privileges locally. Attackers often exploit these vulnerabilities using phished credentials that grant initial access, or via malicious Microsoft Store apps and packaged apps that abuse XAML flyouts (popup UI components), Braunstein said in an emailed statement. “Patching these CVEs should be a priority for risk reduction,” he emphasized.
High Priority RCE Flaws
On the RCE side of things, one bug to pay attention to is CVE-2025-55232 (CVSS Score 9.8) in the Microsoft High Performance Compute (HPC) Pack. It is the only vulnerability in September’s update that Microsoft assigned a CVSS score higher than 9.0. “Microsoft has labeled this as exploitation less likely with a severity of important, but it is still something that you’ll want to pay attention to if you have the High Performance Compute Pack deployed in your environment,” Reguly noted.
Another RCE bug that Microsoft flagged this month as appealing to attackers is CVE-2025-54916 (CVSS Score: 7.8) in Windows NTFS. Any authenticated user can trigger the vulnerability from a local machine, Microsoft said in its patch advisory. “Attackers may use crafted file operations or malformed requests that target NTFS paths through SMB or local parsing routines,” to exploit the vulnerability, noted Seth Hoyt, senior security engineer at Automox. At-risk environments include file servers with broad or legacy shares, mixed-trust networks, and appliances still using older SMB dialects, Hoyt said in emailed comments.
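Both the SMB relay exposure behind CVE-2025-55234 (mitigated by requiring SMB signing, which Microsoft describes as the hardening its new audit capabilities are meant to precede) and the legacy-dialect file servers Hoyt lists as at risk come down to the SMB server's configuration and who is currently connecting to it. The following PowerShell is an added example, not code from Microsoft, Automox or the article; it uses the SmbShare module cmdlets Get-SmbServerConfiguration and Get-SmbSession, while the report layout, the OK/WARN/FAIL labels and the choice to treat dialects below 3.0 as legacy are this example's own assumptions.

```powershell
# Added example: audit a Windows SMB server's posture before hardening it.
# Run in an elevated PowerShell session on the file server. Cmdlets are from the
# built-in SmbShare module; the status labels and thresholds are this example's own.

function Get-SmbHardeningReport {
    [CmdletBinding()]
    param()

    $cfg = Get-SmbServerConfiguration
    $findings = [System.Collections.Generic.List[object]]::new()

    # SMB signing is the control that defeats SMB relay: a relayed NTLM
    # authentication cannot produce a valid session key, so a server that
    # requires signing rejects the relayed session.
    $findings.Add([pscustomobject]@{
        Check    = 'SMB signing required'
        Value    = $cfg.RequireSecuritySignature
        Status   = if ($cfg.RequireSecuritySignature) { 'OK' } else { 'FAIL' }
        Guidance = 'Set-SmbServerConfiguration -RequireSecuritySignature $true'
    })

    # Encryption implies signing and also protects share traffic on mixed-trust
    # networks, but it needs SMB 3.x clients, so it is reported as a warning.
    $findings.Add([pscustomobject]@{
        Check    = 'SMB encryption enabled'
        Value    = $cfg.EncryptData
        Status   = if ($cfg.EncryptData) { 'OK' } else { 'WARN' }
        Guidance = 'Set-SmbServerConfiguration -EncryptData $true (SMB 3.x clients only)'
    })

    # SMB1 is the oldest dialect and cannot be required to sign or encrypt
    # the way later dialects can; it should be off on any modern file server.
    $findings.Add([pscustomobject]@{
        Check    = 'SMB1 disabled'
        Value    = (-not $cfg.EnableSMB1Protocol)
        Status   = if ($cfg.EnableSMB1Protocol) { 'FAIL' } else { 'OK' }
        Guidance = 'Set-SmbServerConfiguration -EnableSMB1Protocol $false'
    })

    return $findings
}

function Get-SmbSessionsByDialect {
    # Inventory live client sessions by negotiated dialect, so the clients that
    # would break when signing is required or SMB1 is removed are visible first.
    # "Legacy" here is this example's own cutoff: anything below SMB 3.0.
    Get-SmbSession |
        Group-Object -Property Dialect |
        ForEach-Object {
            [pscustomobject]@{
                Dialect  = $_.Name
                Sessions = $_.Count
                Clients  = ($_.Group.ClientComputerName | Sort-Object -Unique) -join ', '
                Legacy   = ([version]$_.Name -lt [version]'3.0')
            }
        } |
        Sort-Object -Property Dialect
}

Get-SmbHardeningReport   | Format-Table -AutoSize
Get-SmbSessionsByDialect | Format-Table -AutoSize
```

Review the dialect inventory before flipping RequireSecuritySignature: any client listed under a legacy dialect, or a client that cannot sign at all, will fail to connect once signing is enforced, which is exactly the incompatibility Microsoft says its audit capabilities are meant to surface ahead of time.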
Nick Carroll, cyber incident response manager at Nightwing, advised that this month’s Microsoft patch update is a good time to keep in mind the upcoming end-of-life date for Windows 10 and the next phase of mandatory multifactor authentication (MFA) for Azure. Both of those are happening in October, and security teams should be prepping now, he said in prepared comments.
“Organizations that use Azure should check out Microsoft’s blog from Sept. 5 for guidance: ‘Azure mandatory multifactor authentication: Phase 2 starting in October 2025,’” he said. “And those organizations that aren’t going to make the October window for migrating away from Windows 10 should look into the Extended Security Updates program for Windows 10 that Microsoft is offering to see if it can spread that migration runway out as needed.”