Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release.
Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month, 38 of the disclosed flaws are related to privilege escalation, followed by remote code execution (22), information disclosure (14), and denial-of-service (3).
“For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws,” Satnam Narang, senior staff research engineer at Tenable, said. “Nearly 50% (47.5%) of all bugs this month are privilege escalation vulnerabilities.”
The patches are in addition to 12 vulnerabilities addressed in Microsoft’s Chromium-based Edge browser since the release of August 2025’s Patch Tuesday update, including a security bypass bug (CVE-2025-53791, CVSS score: 4.7) that has been patched in version 140.0.3485.54 of the browser.
The vulnerability that has been flagged as publicly known is CVE-2025-55234 (CVSS score: 8.8), a case of privilege escalation in Windows SMB.
“SMB Server might be susceptible to relay attacks depending on the configuration,” Microsoft said. “An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks.”
The Windows maker said the update enables support for auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA, allowing customers to assess their environment and detect any potential device or software incompatibility issues before deploying appropriate hardening measures.
“The key takeaway from the CVE-2025-55234 advisory, other than the explanation of the well-known attack surface around SMB authentication, is that this is one of those times where simply patching isn’t enough; in fact, the patches provide administrators with more auditing options to determine whether their SMB Server is interacting with clients that won’t support the recommended hardening options,” Adam Barnett, lead software engineer at Rapid7, said.
Mike Walters, president and co-founder of Action, said the vulnerability stems from the fact that SMB sessions can be established without properly validating the authentication context when key hardening measures, such as SMB signing and Extended Protection for Authentication, are not in place.
“This gap opens the door to man-in-the-middle relay attacks, where attackers can capture and forward authentication material to gain unauthorized access,” Walters added. “It can easily become part of a larger campaign, moving from phishing to SMB relay, credential theft, lateral movement, and eventually data exfiltration.”
The CVE with the highest CVSS score for this month, but not listed in the Release Notes, is CVE-2025-54914 (CVSS score: 10.0), a critical flaw impacting Azure Networking that could result in privilege escalation. It requires no customer action, given that it’s a cloud-related vulnerability.
Two other shortcomings that merit attention include a remote code execution flaw in Microsoft High Performance Compute (HPC) Pack (CVE-2025-55232, CVSS score: 9.8) and an elevation of privilege issue affecting Windows NTLM (CVE-2025-54918, CVSS score: 8.8) that could allow an attacker to gain SYSTEM privileges.
“From Microsoft’s limited description, it appears that if an attacker is able to send specially crafted packets over the network to the target device, they would have the ability to gain SYSTEM-level privileges on the target machine,” Kev Breen, senior director of threat research at Immersive, said.
“The patch notes for this vulnerability state that ‘Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network,’ suggesting an attacker may already need to have access to the NTLM hash or the user’s credentials.”
Lastly, the update also remediates a security flaw (CVE-2024-21907, CVSS score: 7.5) in Newtonsoft.Json, a third-party component used in SQL Server, that could be exploited to trigger a denial-of-service condition, as well as two privilege escalation vulnerabilities in Windows BitLocker (CVE-2025-54911, CVSS score: 7.3, and CVE-2025-54912, CVSS score: 7.8).
Microsoft’s Hussein Alrubaye has been credited with discovering and reporting both the BitLocker flaws. The two defects add to four other vulnerabilities in the full-disk encryption feature (collectively called BitUnlocker) that were patched by Microsoft in July 2025 –
- CVE-2025-48003 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability via WinRE Apps Scheduled Operation
- CVE-2025-48800 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability by Targeting ReAgent.xml Parsing
- CVE-2025-48804 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability by Targeting Boot.sdi Parsing
- CVE-2025-48818 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability by Targeting Boot Configuration Data (BCD) Parsing
Successful exploitation of any of the above four flaws could allow an attacker with physical access to the target to bypass BitLocker protections and gain access to encrypted data.
“To further enhance the security of BitLocker, we recommend enabling TPM+PIN for pre-boot authentication,” Security Testing and Offensive Research at Microsoft (STORM) researchers Netanel Ben Simon and Alon Leviev said in a report last month. “This significantly reduces the BitLocker attack surfaces by limiting exposure to only the TPM.”
“To mitigate BitLocker downgrade attacks, we advise enabling the REVISE mitigation. This mechanism enforces secure versioning across critical boot components, preventing downgrades that could reintroduce known vulnerabilities in BitLocker and Secure Boot.”
The disclosure comes as Purple Team detailed a new lateral movement technique dubbed BitLockMove that involves the remote manipulation of BitLocker registry keys via Windows Management Instrumentation (WMI) to hijack specific COM objects of BitLocker.
BitLockMove, developed by security researcher Fabian Mosch, works by initiating a remote connection to the target host through WMI and copying a malicious DLL to the target over SMB. In the next phase, the attacker writes a new registry key that specifies the DLL path, ultimately causing BitLocker to load the copied DLL by hijacking its COM objects.
“The purpose of the BitLocker COM Hijacking is to execute code under the context of the interactive user on a target host,” Purple Team said. “In the event that the interactive user has excessive privileges (i.e., domain administrator), this could also lead to domain escalation.”
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —
- Adobe
- Arm
- Broadcom (including VMware)
- Cisco
- Commvault
- Dell
- Drupal
- F5
- Fortra
- FUJIFILM
- Gigabyte
- GitLab
- Google Android and Pixel
- Google Chrome
- Google Cloud
- Google Wear OS
- Fortinet
- Hikvision
- Hitachi Energy
- HP
- HP Enterprise (including Aruba Networking)
- IBM
- Ivanti
- Jenkins
- Juniper Networks
- Lenovo
- Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- Moxa
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NVIDIA
- QNAP
- Qualcomm
- Rockwell Automation
- Salesforce
- Samsung
- SAP
- Schneider Electric
- Siemens
- Sitecore
- Sophos
- Spring Framework
- Supermicro
- Synology
- TP-Link, and
- Zoom
