{"id":6786,"date":"2025-09-10T03:06:42","date_gmt":"2025-09-10T03:06:42","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/09\/10\/microsoft-patch-tuesday-september-2025-edition\/"},"modified":"2025-09-10T03:06:42","modified_gmt":"2025-09-10T03:06:42","slug":"microsoft-patch-tuesday-september-2025-edition","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/09\/10\/microsoft-patch-tuesday-september-2025-edition\/","title":{"rendered":"Microsoft Patch Tuesday, September 2025 Edition"},"content":{"rendered":"<p>Microsoft Patch Tuesday, September 2025 Edition<\/p>\n<div>\n<p><strong>Microsoft Corp.<\/strong> today issued security updates to fix more than 80 vulnerabilities in its <strong>Windows<\/strong> operating systems and software. There are no known \u201czero-day\u201d or actively exploited vulnerabilities in this month\u2019s bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft\u2019s most-dire \u201ccritical\u201d label. 
Meanwhile, both <strong>Apple<\/strong> and <strong>Google<\/strong> recently released updates to fix zero-day bugs in their devices.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-60331\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2022\/07\/winupdatedate.png?resize=750%2C496&#038;ssl=1\" alt=\"\" width=\"750\" height=\"496\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/07\/winupdatedate.png 923w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/07\/winupdatedate-768x508.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/07\/winupdatedate-782x518.png 782w\" sizes=\"(max-width: 750px) 100vw, 750px\"><\/p>\n<p>Microsoft assigns security flaws a \u201ccritical\u201d rating when malware or miscreants can exploit them to gain remote access to a Windows system with little or no help from users. Among the more concerning critical bugs quashed this month is <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2025-54918\" target=\"_blank\" rel=\"noopener\">CVE-2025-54918<\/a>. The problem here resides with <strong>Windows NTLM<\/strong>, or NT LAN Manager, a suite of code for managing authentication in a Windows network environment.<\/p>\n<p>Redmond rates this flaw as \u201cExploitation More Likely,\u201d and although it is listed as a privilege escalation vulnerability, <strong>Kev Breen<\/strong> at <strong>Immersive<\/strong> says this one is actually exploitable over the network or the Internet.<\/p>\n<p>\u201cFrom Microsoft\u2019s limited description, it appears that if an attacker is able to send specially crafted packets over the network to the target device, they would have the ability to gain SYSTEM-level privileges on the target machine,\u201d Breen said. 
\u201cThe patch notes for this vulnerability state that \u2018Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network,\u2019 suggesting an attacker may already need to have access to the NTLM hash or the user\u2019s credentials.\u201d<\/p>\n<p>Breen said another patch \u2014 <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2025-55234\" target=\"_blank\" rel=\"noopener\">CVE-2025-55234<\/a>, an 8.8 CVSS-scored flaw affecting the <strong>Windows SMB<\/strong> client for sharing files across a network \u2014 also is listed as a privilege escalation bug but is likewise remotely exploitable. This vulnerability was publicly disclosed prior to this month.<\/p>\n<p>\u201cMicrosoft says that an attacker with network access would be able to perform a replay attack against a target host, which could result in the attacker gaining additional privileges, which could lead to code execution,\u201d Breen noted.<span id=\"more-72086\"><\/span><\/p>\n<p><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2025-54916\" target=\"_blank\" rel=\"noopener\">CVE-2025-54916<\/a> is an \u201cimportant\u201d vulnerability in <strong>Windows NTFS<\/strong> \u2014 the default filesystem for all modern versions of Windows \u2014 that can lead to remote code execution. Microsoft likewise thinks we are more than likely to see exploitation of this bug soon: The last time Microsoft patched an NTFS bug was in March 2025 and it was already being exploited in the wild as a zero-day.<\/p>\n<p>\u201cWhile the title of the CVE says \u2018Remote Code Execution,\u2019 this exploit is not remotely exploitable over the network, but instead needs an attacker to either have the ability to run code on the host or to convince a user to run a file that would trigger the exploit,\u201d Breen said. 
\u201cThis is commonly seen in social engineering attacks, where they send the user a file to open as an attachment or a link to a file to download and run.\u201d<\/p>\n<p>Critical and remote code execution bugs tend to steal all the limelight, but <strong>Tenable<\/strong> Senior Staff Research Engineer <strong>Satnam Narang<\/strong> notes that nearly half of all vulnerabilities fixed by Microsoft this month are privilege escalation flaws that require an attacker to have gained access to a target system first before attempting to elevate privileges.<\/p>\n<p>\u201cFor the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws,\u201d Narang observed.<\/p>\n<p>On Sept. 3, Google <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-fixes-actively-exploited-android-flaws-in-september-update\/\" target=\"_blank\" rel=\"noopener\">fixed two flaws<\/a> that were detected as exploited in zero-day attacks, including\u00a0CVE-2025-38352, an elevation of privilege in the Android kernel, and CVE-2025-48543, also an elevation of privilege problem in the Android Runtime component.<\/p>\n<p>Also, Apple recently patched its seventh zero-day (CVE-2025-43300) of this year. It was part of <a href=\"https:\/\/techcrunch.com\/2025\/08\/29\/whatsapp-fixes-zero-click-bug-used-to-hack-apple-users-with-spyware\/\" target=\"_blank\" rel=\"noopener\">an exploit chain<\/a> used along with a vulnerability in the <strong>WhatsApp <\/strong>(CVE-2025-55177) instant messenger to hack Apple devices. Amnesty International <a href=\"https:\/\/x.com\/DonnchaC\/status\/1961444710620303653\" target=\"_blank\" rel=\"noopener\">reports<\/a> that the two zero-days have been used in \u201can advanced spyware campaign\u201d over the past 90 days. 
The issue is fixed in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.<\/p>\n<p>The <strong>SANS Internet Storm Center<\/strong> has a <a href=\"https:\/\/isc.sans.edu\/forums\/diary\/Microsoft%20Patch%20Tuesday%20September%202025\/32270\/\" target=\"_blank\" rel=\"noopener\">clickable breakdown<\/a> of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on <a href=\"https:\/\/www.askwoody.com\/2025\/september-2025-updates-are-out\/\" target=\"_blank\" rel=\"noopener\">askwoody.com<\/a>, which often has the skinny on wonky updates.<\/p>\n<p>AskWoody also reminds us that we\u2019re now just two months out from Microsoft discontinuing free security updates for Windows 10 computers. For those interested in safely extending the lifespan and usefulness of these older machines, check out <a href=\"https:\/\/krebsonsecurity.com\/2025\/08\/microsoft-patch-tuesday-august-2025-edition\/\" target=\"_blank\" rel=\"noopener\">last month\u2019s Patch Tuesday coverage<\/a> for a few pointers.<\/p>\n<p>As ever, please don\u2019t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.<\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/09\/microsoft-patch-tuesday-september-2025-edition\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Patch Tuesday, September 2025 Edition Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. 
There are no known \u201czero-day\u201d or actively exploited vulnerabilities in this month\u2019s bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft\u2019s most-dire \u201ccritical\u201d label. Meanwhile, both [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[276,1814,1815,1816,1817,1818,1819,163,1695,545,55,206,158,1820,778,186,187,207,178,460,395,1821],"tags":[72],"class_list":["post-6786","post","type-post","status-publish","format-standard","hentry","category-apple","category-cve-2025-38352","category-cve-2025-48543","category-cve-2025-54916","category-cve-2025-54918","category-cve-2025-55177","category-cve-2025-55234","category-google","category-immersive","category-kev-breen","category-krebsonsecurity","category-latest-warnings","category-microsoft","category-nt-lan-manager","category-sans-internet-storm-center","category-satnam-narang","category-tenable","category-the-coming-storm","category-time-to-patch","category-whatsapp","category-windows","category-windows-ntlm","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6786"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=6786"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6786\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=6786"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/
v2\/categories?post=6786"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=6786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}