Microsoft September 2025 Patch Tuesday: 80 Vulnerabilities Resolved with Critical NTLM and NTFS Flaws
Microsoft’s September 2025 Patch Tuesday addressed 80 unique vulnerabilities across a broad array of services and operating system components. Eight of these vulnerabilities were rated critical, indicating high risk for organizations that do not quickly patch affected systems. The update is notable for repeated critical issues within core Windows authentication and file system components, underscoring the continuing threat posed by privilege escalation and remote code execution flaws.
Overview of Patched Components
The scope of this month’s patches was wide, including updates for Azure Arc, Windows Hyper-V, Microsoft Office components (Excel, PowerPoint, SharePoint, Visio, Word), Windows Virtual Hard Drive, SQL Server, Windows Defender Firewall Service, and Xbox. The vulnerabilities spanned across system utilities, security mechanisms, file systems, networking components, and developer platforms, demonstrating both the complexity and interconnectivity of modern enterprise environments.
Critical NTLM Privilege Escalation (CVE-2025-54918)
A particularly critical elevation of privilege vulnerability was resolved in the Windows New Technology LAN Manager (NTLM) protocol. Designated CVE-2025-54918 and rated with a CVSSv3 score of 8.8, the flaw allows attackers to escalate privileges to SYSTEM level, the highest available authorization for Windows processes. Microsoft’s own Exploitability Index classifies exploitation as more likely, signaling risk to unpatched systems. This is the third such critical NTLM escalation vulnerability patched by Microsoft in the 2025 calendar year, highlighting a recurring target for attackers.
NTFS Remote Code Execution (CVE-2025-54916)
Another significant flaw, CVE-2025-54916, concerns the Windows New Technology File System (NTFS). This vulnerability is a remote code execution (RCE) vector with a CVSSv3 score of 7.8, categorized as important, and is considered more likely to be exploited in the wild. Any authenticated user could potentially leverage this flaw to execute arbitrary code on a target system. Only a handful of NTFS vulnerabilities have allowed RCE in recent years, with most previously focused on privilege escalation or information disclosure, making this patch particularly noteworthy.
Vulnerability Breakdown
The majority of the vulnerabilities addressed this month were elevation of privilege flaws (47.5%), followed by remote code execution vulnerabilities (27.5%). The rest included information disclosure, denial-of-service, and security bypass issues. One of the critical flaws had already been publicly disclosed prior to the official patch release.
Recommendations and Best Practices
Security professionals are advised to promptly apply all relevant patches, given the criticality and likelihood of exploitation for several vulnerabilities disclosed in the September 2025 Patch Tuesday. Continuous vulnerability assessment and prioritized patching of core system services and authentication protocols are essential, as exploitation could facilitate lateral movement and complete compromise of enterprise environments. For the NTFS and NTLM vulnerabilities in particular, active monitoring for out-of-band access or privilege manipulation may offer early warning of attempted exploitation.
Google September 2025 Android Security Bulletin: Zero-Day Exploits Under Active Attack
Google’s Android security team disclosed two significant vulnerabilities in its September 2025 bulletin, both of which are being actively exploited in the wild. These zero-day vulnerabilities highlight ongoing risks to Android device users, particularly as attackers refine techniques to bypass existing mitigations in the mobile operating system ecosystem.
CVE-2025-38352 and Companion Vulnerability Details
The first vulnerability, designated CVE-2025-38352, is being actively leveraged by attackers. Its technical details have not been fully published to protect at-risk users, but early analysis indicates it enables privilege escalation or code execution through targeted manipulation of core Android services. Techniques observed include the use of malicious applications crafted to escalate privileges beyond normal app sandbox restrictions.
The second flaw, which has not yet been named publicly but is confirmed to be under active attack, further increases the urgency for users and device vendors to apply relevant security updates as soon as feasible. Both flaws affect a wide range of devices running up-to-date Android builds, emphasizing the importance of timely device patching and ongoing collaboration between Google, device manufacturers, and mobile carriers.
Ecosystem Response and Risk Mitigation
Google has coordinated security patches with original equipment manufacturers (OEMs) and has begun deploying over-the-air (OTA) updates to address the vulnerabilities. Users are strongly encouraged to update their devices as soon as patches become available, to avoid exposure. Enterprises managing Android fleets should enforce mobile device management policies that mandate prompt OS updates and use application whitelisting when possible to block installation of untrusted apps.
Infosec Product Launches: Smishing AI, Agentic Threat Detection, and Automated Vendor Risk Management
The week saw a suite of notable information security product launches aimed at addressing emergent threats and operational challenges. These releases include innovations in smishing attack prevention, generative AI-powered threat detection, vendor risk management, endpoint encryption, and AI-moderated data defense.
Smishing AI – Next Generation SMS Phishing Defense
Lookout’s new Smishing AI platform leverages large language models (LLMs) to assess the intent and context of incoming SMS messages. Unlike legacy solutions that primarily filter known malicious URLs or spoofed sender signatures, the solution evaluates nuanced text communications, enabling detection of sophisticated social engineering campaigns that evade conventional filters.
Agentic AI for Threat Detection, Compliance, and Analysis
Gigamon unveiled a threat detection platform that uses agentic AI capabilities for real-time root-cause analysis and compliance validation. Deep integration into major SIEM and observability platforms (including Elastic and Splunk) enables security analysts to interactively query and retrieve actionable context, accelerating investigations and incident response without manual deep-dives through dashboard data.
Automated Vendor Risk Management with Cynomi TPRM
Cynomi’s Third-Party Risk Management (TPRM) solution now enables managed service and security providers to cut vendor assessment times by up to 79%, increasing operational efficiency and service delivery margins. Driven by automation, the platform streamlines vendor review workflows, performing both preliminary and ongoing risk analyses across complex supply chains.
Advanced Data Security and Endpoint Management
DataLocker’s DL GO product introduces hardware-enforced AES-256 XTS encryption, with biometric authentication support for both Windows and macOS platforms. The solution does not require drivers and can function in both online and offline modes, and features centralized management integration for enterprise credentials and policy enforcement.
24/7 AI-Native Data Defense Engineering
Relyance AI’s new Data Defense Engineer module autonomously learns, monitors, and protects data flows across enterprise environments, enforcing security policies at machine speed and adapting to emerging threats using continuous learning models.
Artificial Intelligence Drives New Wave of Cyber-Attacks and Social Engineering Campaigns
The adoption of generative artificial intelligence (genAI) by cyber-attackers is fueling a new era of credibility and complexity in threat campaigns. During the latest semester at higher education institutions, security teams reported a marked rise in AI-generated malicious emails, including multi-message threads designed to manipulate users into revealing sensitive information or sending payments. These campaigns can be indistinguishable from legitimate correspondence, with language and style dynamically adapted to the target.
Implications for Security Awareness and Technical Controls
AI-generated attacks challenge traditional user awareness campaigns and anti-phishing defenses, forcing organizations to leverage advanced detection algorithms and update employee training to account for highly personalized and persistent social engineering tactics. Solutions capable of analyzing thread context, message intent, and behavioral anomalies are now critical components of the modern cybersecurity arsenal.
Active Exploitation and Abuse of Security Tools, Supply Chain Attack Highlights
Recent incident reports detail malicious abuse of popular security tools and another supply chain compromise. Attackers have exploited features in the open-source Velociraptor incident response (IR) platform to gain persistence and evade detection, weaponizing a defensive toolkit against its own community. In a separate event, a supply-chain attack leveraging the npm package ‘Nx’ resulted in the leak of approximately 20,000 sensitive files, affecting developers and organizations relying on the compromised package.
Incident Response Challenges and Developer Ecosystem Impact
The abuse of legitimate security tools by adversaries complicates threat hunting and response, requiring defenders to scrutinize both authorized and anomalous activity within established IR workflows. The latest npm supply-chain attack reinforces the persistent risk posed by compromised dependencies, and highlights the need for thorough dependency management, code audit processes, and validation of third-party sources in developer environments.
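One concrete form of the dependency validation called for above is auditing the npm lockfile before installation. The script below is an added example, not code from the article or from any of the projects it mentions, and it does not model the actual ‘Nx’ compromise; it assumes the npm lockfileVersion 2/3 layout (a top-level "packages" map whose entries carry "resolved" and "integrity" fields) and uses a constructed sample lockfile with placeholder hashes. It flags packages that resolve outside a trusted registry host, use a non-HTTPS source, or lack an integrity hash, all of which deserve a closer look during a dependency review.

```python
import json
from urllib.parse import urlparse

# Constructed sample lockfile in the npm lockfileVersion 3 layout.
# Package names, URLs and integrity values are placeholders, not real artifacts.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTEDPLACEHOLDER1==",
        },
        "node_modules/mystery-helper": {
            "version": "0.0.1",
            "resolved": "https://example.invalid/tarballs/mystery-helper-0.0.1.tgz",
            "integrity": "sha512-CONSTRUCTEDPLACEHOLDER2==",
        },
        "node_modules/no-hash": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/no-hash/-/no-hash-2.1.0.tgz",
        },
        "node_modules/git-dep": {
            "version": "1.0.0",
            "resolved": "git+ssh://git@example.invalid/org/git-dep.git#abc123",
        },
    },
})

# Hosts from which dependencies are allowed to be fetched (assumption: a
# single public registry; an internal mirror would be added here).
TRUSTED_HOSTS = {"registry.npmjs.org"}


def audit_lockfile(lock_text, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of (package_path, finding) tuples for dependencies that
    resolve outside the trusted hosts, use a non-HTTPS source, or carry no
    integrity hash. An empty list means every dependency passed the checks."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2 or "packages" not in lock:
        raise ValueError("expected an npm lockfile with lockfileVersion >= 2")

    findings = []
    for path, meta in lock["packages"].items():
        if path == "":  # the root project entry, not a dependency
            continue
        resolved = meta.get("resolved")
        if not resolved:
            findings.append((path, "no resolved URL recorded"))
            continue
        parsed = urlparse(resolved)
        # Anything not fetched over HTTPS from a trusted registry host
        # (e.g. git+ssh sources or arbitrary tarball URLs) is flagged.
        if parsed.scheme != "https" or parsed.hostname not in trusted_hosts:
            findings.append((path, f"resolved outside trusted registry: {resolved}"))
        # Without an integrity hash npm cannot verify the downloaded tarball.
        if not meta.get("integrity"):
            findings.append((path, "missing integrity hash"))
    return findings


if __name__ == "__main__":
    for package_path, finding in audit_lockfile(SAMPLE_LOCK):
        print(f"{package_path}: {finding}")
```

Run against a real project, the script would be pointed at its package-lock.json instead of SAMPLE_LOCK; a non-empty result is a review queue, not proof of compromise, since internal mirrors and intentional git dependencies also trip the host check until they are added to the trusted set.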
TransUnion Data Breach: 4.4 Million Affected
Credit bureau TransUnion experienced a data breach impacting 4.4 million individuals. Initial investigations suggest attackers may have accessed a broad range of personal information. The breach once again puts the spotlight on data aggregation firms as high-value targets and raises renewed calls for improved data protection and incident transparency in the financial sector.
Exposure Mitigation Steps
Impacted individuals are being notified with recommendations for credit monitoring and identity protection. Security analysts urge organizations with similar data holdings to strengthen access controls, monitor for unauthorized data flows, and implement rapid breach notification protocols to minimize downstream impact.