Patch Tuesday September 2025 - Critical Microsoft Security Patches Released for Privilege Escalation and Remote Code Vulnerabilities


CVE-2025-54918 - 8.8 - Windows NTLM Elevation of Privilege Vulnerability
Kev Breen, Senior Director Threat Research, Immersive
While no CVEs in this release are marked as actively exploited in the wild, that does not mean security teams can sit back and rest on their laurels. There are still a number of potentially high-impact vulnerabilities that should be patched quickly. Threat actors are known to reverse engineer security patches to produce working exploits before organizations have finished rolling them out, so-called n-day exploits.
High on the list of patches to apply is a vulnerability in Windows NTLM (NT LAN Manager), the legacy suite of challenge-response protocols that provides authentication in a Windows network. Tracked as CVE-2025-54918 and marked by Microsoft as “Exploitation More Likely,” this vulnerability is titled a privilege escalation vulnerability but is reachable over the network rather than only from the local host. From Microsoft’s limited description, it appears that an attacker able to send specially crafted packets to the target device could gain SYSTEM-level privileges on that machine. The patch notes state that “Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network”, so the attacker likely needs some existing foothold first, such as valid credentials or the NTLM hash of a user.
CVE-2025-54916 - 7.8 - Windows NTFS Remote Code Execution Vulnerability
Also high on the list of patches to apply is a stack-based buffer overflow in NTFS, tracked as CVE-2025-54916 and flagged by Microsoft as “Exploitation More Likely”. NTFS is the default filesystem for all modern versions of Windows, which makes for a very large installed base. Although the CVE is titled “Remote Code Execution,” the vulnerability is not exploitable over the network: an attacker either needs to already be able to run code on the host or must convince a user to open a file that triggers the bug. This is the pattern commonly seen in social engineering attacks, where the user is sent a malicious attachment or a link to a file to download and open.
CVE-2025-55234 - 8.8 - Windows SMB Elevation of Privilege Vulnerability
September's patch also includes a notable vulnerability in Windows SMB Server. Listed as a Privilege Escalation Vulnerability, this is actually remotely exploitable. Microsoft says that an attacker with network access could perform a relay attack (forwarding a victim's authentication to the target host) and thereby gain additional privileges, which could in turn lead to code execution.
Microsoft notes that SMB Server can already be hardened against relay attacks by enabling SMB Server Signing and Extended Protection for Authentication (EPA); signing binds each message to the authenticated session, and EPA binds the authentication to the channel, which is what defeats relaying.
Before turning on these additional security features, organizations should check the potential impact, as enforcing them may break some third-party integrations, older clients, or network configurations that do not support them.
To support this, alongside the patch, Microsoft has provided audit capabilities so that administrators can assess their networks and identify clients that would fail once the controls are enforced, before actually turning them on. More detail can be found here: https://support.microsoft.com/help/5066913
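The following PowerShell script is an added example and not part of the original article or of Microsoft's KB: it reports the current SMB signing and server-name-hardening (EPA) posture of a host, lists the clients currently holding sessions so their compatibility can be checked, pulls recent entries from the SMB Server audit channel, and only changes settings when run with `-Enforce`. The cmdlets used ship with Windows; the `SmbServerNameHardeningLevel` setting exists only on Windows 11 24H2 / Windows Server 2025 and later, and treating it as the EPA control for SMB is an assumption noted in the comments. The audit event IDs introduced by KB5066913 are not named here; take them from the KB.

```powershell
# Added example (not the article's or Microsoft's own code): audit, and
# optionally enforce, SMB signing and server name hardening (EPA) on a host.
# Run elevated. Default mode is read-only; pass -Enforce to change settings.
#Requires -RunAsAdministrator
param(
    [switch]$Enforce,
    # 1 = accept SPN validation if the client provides it, 2 = require it.
    # Assumption: this "server name hardening" level is the SMB EPA control.
    [ValidateSet(1, 2)][int]$EpaLevel = 1
)

function Get-SmbHardeningReport {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    # Older builds do not expose the EPA/server name hardening property at all.
    $hasEpa = $srv.PSObject.Properties.Name -contains 'SmbServerNameHardeningLevel'
    [pscustomobject]@{
        ServerSigningEnabled    = $srv.EnableSecuritySignature
        ServerSigningRequired   = $srv.RequireSecuritySignature
        ServerEncryptData       = $srv.EncryptData
        ServerRejectUnencrypted = $srv.RejectUnencryptedAccess
        ServerNameHardening     = if ($hasEpa) { $srv.SmbServerNameHardeningLevel } else { 'unsupported' }
        ClientSigningRequired   = $cli.RequireSecuritySignature
        Smb1Enabled             = $srv.EnableSMB1Protocol
    }
}

function Get-SmbActiveClients {
    # Clients with open sessions right now are the ones to test against
    # signing/EPA enforcement before it is switched on. (Point-in-time only;
    # leave auditing running for a full business cycle for real coverage.)
    Get-SmbSession -ErrorAction SilentlyContinue |
        Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens
}

function Get-SmbAuditEvents {
    param([int]$Max = 50)
    # The SMBServer/Audit channel is where SMB auditing lands. Filter on the
    # signing/EPA event IDs documented in KB5066913 once they are known to you.
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

'== Current SMB posture =='
Get-SmbHardeningReport | Format-List
'== Clients with active sessions =='
Get-SmbActiveClients | Format-Table -AutoSize
'== Recent SMB audit events =='
Get-SmbAuditEvents | Format-Table -AutoSize -Wrap

if ($Enforce) {
    # Require signing on both the server and client side of this host.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    if ((Get-SmbServerConfiguration).PSObject.Properties.Name -contains 'SmbServerNameHardeningLevel') {
        Set-SmbServerConfiguration -SmbServerNameHardeningLevel $EpaLevel -Force
    } else {
        Write-Warning 'SmbServerNameHardeningLevel is not available on this OS build; EPA was not changed.'
    }
    '== Posture after enforcement =='
    Get-SmbHardeningReport | Format-List
}
```

Run it once without `-Enforce` on each file server, keep the audit channel under review while the real client population connects, and only then re-run with `-Enforce` (starting at level 1, where SPN validation is accepted but not yet required, before moving to 2). Client-side signing is set as well because relay attacks are blocked most reliably when both ends refuse unsigned sessions.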
Windows Elevation of Privilege Vulnerabilities
This patch cycle also includes a number of Privilege Escalation vulnerabilities, several of which are flagged as “Exploitation More Likely.” Local privilege escalation vulnerabilities rarely receive high CVSS scores, but that does not make them any less important. Once a threat actor gains initial code execution, whether through a Remote Code Execution vulnerability, stolen credentials, or a phishing attack, the next step is to escalate privileges, first locally on the host and then, where possible, across the domain.
With SYSTEM or Administrator level permissions, threat actors are able to disable security tooling and logging as well as deploy additional malware or tools in order to move laterally across the network.
Key CVEs in this category include CVE-2025-54110, which impacts the Windows Kernel and potentially allows attackers to escape from the “Contained execution environment,” a security layer that is supposed to limit the impact of exploiting applications; CVE-2025-54093 in the Windows TCP/IP Driver; and CVE-2025-54098 in the Windows Hyper-V system.
CVE-2025-54912 – Windows BitLocker Elevation of Privilege Vulnerability
Microsoft’s September 2025 Patch Tuesday also addresses a newly patched vulnerability in Windows BitLocker, the operating system’s built-in full-disk encryption. Tracked as CVE-2025-54912, this vulnerability is rated Important and could allow an attacker with physical access to a device to bypass BitLocker protections.
The flaw allows such an attacker to gain unauthorized access to encrypted data on the system drive, with no user interaction and no prior privileges required. Microsoft rates the attack complexity as low, although no public exploit code is known to exist at the time of writing.
If exploited, the flaw could expose sensitive files and credentials or allow tampering with system integrity. This is a particular risk for organizations whose devices may be lost or stolen, since an attacker with hands-on access could potentially bypass the encryption and extract data from the disk.
Organizations with remote employees, or employees who travel frequently, are strongly urged to update immediately to reduce the risk of a data breach or unauthorized system access. This is the threat model behind “Evil Maid”-style attacks, in which a laptop left unattended (in a hotel room, for example) is tampered with and returned in a compromised state, or simply stolen and worked on at leisure.
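As an added inventory check (not code from the article), the PowerShell below lists every BitLocker volume on a host with its protection status and key protector types, and flags OS volumes whose only pre-boot protector is the TPM. That flag is a general prioritisation aid for the physical-access threat model described above: a TPM-only volume unlocks at boot with no user secret, so the machine is the most exposed when it is in someone else's hands. Whether CVE-2025-54912 depends on the protector configuration is not stated by the page, and this script does not claim it does. `Get-BitLockerVolume` ships with the BitLocker PowerShell module on Windows 8 / Server 2012 and later and must be run elevated.

```powershell
# Added example (not from the article): BitLocker posture inventory.
#Requires -RunAsAdministrator

function Get-BitLockerPostureReport {
    Get-BitLockerVolume | ForEach-Object {
        $vol = $_
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, RecoveryPassword, ExternalKey, Password.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $userSecretAtBoot = ($types -contains 'TpmPin') -or
                            ($types -contains 'TpmPinStartupKey') -or
                            ($types -contains 'TpmStartupKey')
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType          # OperatingSystem / Data
            ProtectionStatus  = $vol.ProtectionStatus    # On / Off (Off = keys exposed)
            EncryptionMethod  = $vol.EncryptionMethod
            Protectors        = ($types -join ',')
            HasRecoveryKey    = ($types -contains 'RecoveryPassword')
            # Flag: OS volume that auto-unlocks with the TPM alone at boot.
            TpmOnlyUnlock     = ($vol.VolumeType -eq 'OperatingSystem') -and
                                ($types -contains 'Tpm') -and -not $userSecretAtBoot
        }
    }
}

$report = Get-BitLockerPostureReport
$report | Format-Table -AutoSize

# Summary lines for a fleet-wide collection job.
$exposed = @($report | Where-Object { $_.ProtectionStatus -ne 'On' })
$tpmOnly = @($report | Where-Object { $_.TpmOnlyUnlock })
"Volumes not protected: $($exposed.Count); OS volumes unlocking with TPM only: $($tpmOnly.Count)"
```

Collect the output from laptops first, since those are the devices most likely to be lost or left unattended, and use `ProtectionStatus` of Off (protection suspended, keys stored in the clear) as the highest-priority finding regardless of this CVE.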
CVE-2025-53803, CVE-2025-53804 – Windows Kernel Memory Information Disclosure Vulnerability & Windows Kernel-Mode Driver Information Disclosure Vulnerability
Microsoft’s September 2025 Patch Tuesday also addresses two related Windows kernel information disclosure vulnerabilities, tracked as CVE-2025-53803 and CVE-2025-53804. Both are rated Important with a CVSS score of 5.5 and stem from improper handling of error messages and sensitive memory addresses in the Windows kernel and kernel-mode drivers.
Neither issue provides code execution on its own, but successful exploitation allows a local attacker with low privileges to learn kernel memory addresses. That information defeats address-space layout randomisation for the kernel, which is exactly what a memory-corruption exploit needs to go from a crash to reliable control; it therefore makes such bugs significantly easier to chain with a privilege escalation or remote code execution vulnerability.
Microsoft assesses exploitation as “more likely,” and organizations should patch promptly. Left unaddressed, these vulnerabilities are valuable building blocks in exploit chains, particularly for attackers seeking to escalate privileges or establish persistence on compromised systems.