Microsoft’s September Patch Tuesday delivers security fixes for 81 vulnerabilities across its product stack. The release includes nine critical issues, primarily remote code execution (RCE), and two zero‑day vulnerabilities that were publicly disclosed before patches were available. Microsoft reports no evidence of active exploitation at the time of release.
Zero‑day vulnerabilities: SMB relay and Newtonsoft.Json in SQL Server
CVE-2025-55234: SMB relay leading to elevation of privilege
CVE-2025-55234 (CVSS 8.8) affects Windows SMB Server and enables SMB relay scenarios. In a relay attack, an adversary intercepts and forwards NTLM authentication requests to another service, potentially achieving elevation of privilege using the victim’s identity. Microsoft advises enabling SMB Server Signing and Extended Protection for Authentication (EPA) to materially reduce risk.
The company cautions that enforcing SMB signing or EPA can introduce compatibility issues with legacy systems and devices. Organizations should audit SMB usage, validate client readiness, and roll out protections in phases starting with test or low‑risk network segments while monitoring for authentication failures.
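The audit-then-enforce rollout described above, and the SMB signing item in the mitigation list below, as an added example that is not part of the original article: a PowerShell script that reports the host's current signing posture, lists active SMB sessions by dialect so legacy clients are found before signing is required, counts recent logon failures for post-rollout monitoring, and only then offers an enforcement step. It assumes an elevated session on a Windows host with the built-in SmbShare module; EPA settings are not covered here.

```powershell
# Added example, not from the original article. Run elevated on the SMB server.
# Assumes the built-in SmbShare cmdlets (Get-/Set-SmbServerConfiguration,
# Get-SmbClientConfiguration, Get-SmbSession) and the Security event log.

# Step 1: where does this host stand today?
function Get-SmbSigningPosture {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerRequiresSigning = $srv.RequireSecuritySignature
        ServerEnablesSigning  = $srv.EnableSecuritySignature
        ClientRequiresSigning = $cli.RequireSecuritySignature
        SMB1Enabled           = $srv.EnableSMB1Protocol
    }
}

# Step 2: which clients are connected, and with which dialect? SMB1 (dialect < 2.0)
# clients will break once signing is required, so they are the compatibility risk.
function Get-SmbClientReadiness {
    Get-SmbSession -ErrorAction SilentlyContinue |
        Group-Object ClientComputerName, Dialect |
        ForEach-Object {
            $first = $_.Group | Select-Object -First 1
            [pscustomobject]@{
                Client   = $first.ClientComputerName
                Dialect  = $first.Dialect
                Sessions = $_.Count
                Legacy   = ([version]$first.Dialect -lt [version]'2.0')
            }
        }
}

# Step 3: monitoring hook. Security event 4625 = failed logon; a spike after
# enforcement usually points at a client that cannot sign. Grouped by target user.
function Get-RecentLogonFailures {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object { (([xml]$_.ToXml()).Event.EventData.Data |
                        Where-Object Name -eq 'TargetUserName').'#text' } |
        Sort-Object Count -Descending | Select-Object Name, Count
}

# Step 4: enforce, only once Step 2 shows no Legacy=True rows on this segment.
function Enable-SmbServerSigning {
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Get-SmbSigningPosture
}

Get-SmbSigningPosture
Get-SmbClientReadiness | Format-Table -AutoSize
Get-RecentLogonFailures | Select-Object -First 10
```

Run the first three calls on each segment during the pilot phase and compare the 4625 counts before and after calling Enable-SmbServerSigning; a new cluster of failures from one workstation name is the signal to pause the rollout there.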
CVE-2024-21907: Denial of service via Newtonsoft.Json in SQL Server
CVE-2024-21907 (CVSS 7.5) impacts the Newtonsoft.Json library bundled with certain Microsoft SQL Server builds. Passing crafted input to JsonConvert.DeserializeObject can trigger a StackOverflow exception, leading to unauthenticated denial of service in some configurations. The issue, previously disclosed publicly, is now remediated in this update cycle. Teams should confirm whether SQL Server components rely on the affected library and apply the patches without delay.
Critical fixes: Azure (CVSS 10.0), HPC Pack RCE, and Windows NTLM
CVE-2025-54914: Azure networking vulnerability rated CVSS 10.0
CVE-2025-54914 carries a maximum CVSS score of 10.0 and relates to Azure networking components, potentially enabling privilege escalation. Because this flaw resides in Microsoft’s cloud control plane, the mitigation is applied service‑side; no customer action is required beyond standard monitoring and compliance verification.
CVE-2025-55232: RCE in Microsoft HPC Pack
CVE-2025-55232 (CVSS 9.8) is a critical remote code execution issue in Microsoft High Performance Compute (HPC) Pack. Successful exploitation could allow arbitrary code execution across cluster nodes. Microsoft recommends placing HPC clusters in trusted network segments, restricting external exposure, and filtering TCP port 5999 at perimeter and internal firewalls.
CVE-2025-54918: Elevation of privilege in Windows NTLM
CVE-2025-54918 (CVSS 8.8) affects Windows NTLM and could allow privilege escalation up to SYSTEM. Prioritize patch deployment, review authentication policies, and harden or reduce NTLM usage where possible, favoring modern mechanisms that enforce mutual authentication (for example, hardened Kerberos configurations).
Risk‑based prioritization and practical mitigations
Prioritize updates based on CVSS scores, external exposure, and business criticality. Internet‑facing or cross‑boundary services (e.g., SMB, SQL components, HPC Pack endpoints) should be patched first. For SMB relay risk, combine the patch with SMB signing and EPA after compatibility testing.
- Accelerate deployment of the September Microsoft security updates across affected products.
- Limit access to administrative and service ports; block or tightly control TCP 5999 for HPC Pack.
- Enable SMB Server Signing and EPA where feasible; implement phased rollouts with monitoring.
- Verify SQL Server dependencies on Newtonsoft.Json and update vulnerable components.
- Strengthen authentication policies, reduce NTLM usage, and enhance logging to detect privilege escalation attempts.
The September release underscores persistent attacker focus on authentication paths (SMB, NTLM) and high‑value infrastructure (HPC clusters, cloud networking). Rapid patching, combined with principled security hygiene—network segmentation, least privilege, minimal exposure, and rigorous monitoring—significantly reduces the attack window and improves organizational resilience.