Another Patch Tuesday, another pile of vulnerabilities Microsoft expects you to patch without breaking production. September 2025 delivered 81 CVEs including two publicly disclosed zero-days that need immediate attention.
The not-so-fun part? CVE-2025-55234 is a Windows SMB elevation of privilege bug that's already being exploited through relay attacks. Because SMB vulnerabilities never get old, apparently.
CVE-2025-55234: SMB Relay Attacks Strike Again
CVE-2025-55234 is the publicly disclosed zero-day everyone's talking about - a Windows SMB Server elevation of privilege vulnerability that lets attackers perform relay attacks. Basically, if your SMB server isn't hardened, you're potentially fucked.
Microsoft's explanation: "SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks."
Translation: If you haven't enabled SMB Server Signing and SMB Server Extended Protection for Authentication (EPA), attackers can bounce authentication requests around your network to gain elevated privileges.
The official Microsoft advisory recommends enabling auditing first to see what breaks when you implement proper hardening. Microsoft's SMB security hardening guide has the full details on securing SMB traffic. Because nothing says "enterprise-ready" like crossing your fingers before applying security fixes.
CVE-2024-21907: The Newtonsoft.Json Denial of Service
The second publicly disclosed issue is CVE-2024-21907 - a vulnerability in Newtonsoft.Json that Microsoft SQL Server uses. Crafted data passed to JsonConvert.DeserializeObject can trigger a StackOverflow exception and cause denial of service.
This one's been publicly known since 2024 but Microsoft just got around to updating their SQL Server installations. Microsoft's KB5065226 finally upgrades the Newtonsoft.Json version to 13.0.1. The CVE details show it affects SQL Server 2016, 2017, and 2019. Better late than never, I guess.
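A quick way to verify that KB5065226 actually left a 13.0.1 Newtonsoft.Json behind, as an added PowerShell example that is not from the post or the KB. It assumes your SQL Server installs live under the $Root path (the default below is a placeholder, adjust it for your instances).

```powershell
# Added example (not from the original post or KB5065226): find every Newtonsoft.Json.dll
# under a SQL Server install root and flag copies older than the 13.0.1 the KB ships.
# Assumption: $Root is the parent directory of your SQL Server instances (placeholder).
param([string]$Root = 'C:\Program Files\Microsoft SQL Server')

$fixed = [version]'13.0.1'   # version the post says KB5065226 upgrades to

$results = Get-ChildItem -Path $Root -Recurse -Filter 'Newtonsoft.Json.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # FileVersion looks like "13.0.1.25517"; a parse failure is reported, not hidden.
        try   { $v = [version]$_.VersionInfo.FileVersion }
        catch { $v = $null }
        [pscustomobject]@{
            Path       = $_.FullName
            Version    = $v
            Vulnerable = if ($v) { $v -lt $fixed } else { 'unknown' }
        }
    }

if (-not $results) {
    Write-Host "No Newtonsoft.Json.dll found under $Root."
} else {
    # Vulnerable copies first so they are impossible to miss in the output.
    $results | Sort-Object Vulnerable -Descending | Format-Table -AutoSize
}
```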
The Patching Nightmare: Why Everything Breaks
Microsoft's official guidance says "deploy immediately" but here's what actually happens when you patch 81 vulnerabilities at once:
Day 1: Emergency change approval meetings. "Are we sure we need to patch today?" Yes, Karen, the SMB relay attacks are kind of urgent.
Day 2: Patches deployed to dev environment. Three applications immediately break, including the payroll system. KB5065426 for Windows 11 includes 14 changes that nobody tested with your legacy apps.
Day 3: Vendor says their software "isn't compatible with the latest security updates" and suggests we wait six months for their next release.
Day 4: Production deployment at 2am. Exchange stops accepting email, file shares go read-only, and printers forget how to print. The cumulative update breaks group policy processing on three domain controllers.
Day 5: Rollback procedures while attackers laugh at our unpatched systems.
The r/sysadmin community is already full of horror stories. My favorite: "Patch broke our building access cards. Security team is now manually escorting everyone."
What Actually Needs Emergency Patching
Ignore Microsoft's "critical/important/moderate" ratings. Here's the real priority list based on actual risk:
- CVE-2025-55234 - SMB relay attacks are being exploited now. Patch or harden SMB immediately.
- CVE-2025-54918 - Windows NTLM elevation of privilege with Critical rating means patch this shit.
- CVE-2025-55224 - Windows Hyper-V RCE if you're running virtualization hosts.
- CVE-2025-55228 - Windows Graphics Component RCE because graphics drivers are always broken.
Everything else can wait for proper testing unless you enjoy explaining to executives why the payroll system died during an emergency patch.
The Cynical Truth About Patch Tuesday
Microsoft releases monthly updates on the second Tuesday because it shifts responsibility to customers. Can't blame Microsoft for vulnerabilities if patches are available, right?
The Windows Update delivery optimization documentation reads like a joke. "Minimize downtime by using express updates!" Express updates that still require reboots and break applications. Microsoft's deployment ring strategy suggests testing on pilot groups, but who has time for that during zero-day emergencies?
Here's the real strategy:
- Patch the kernel RCEs immediately because those kill you fastest
- Test everything else in isolated environments for at least 72 hours
- Maintain current backups because something will break
- Have rollback procedures ready because something will definitely break
The uncomfortable reality: Sometimes the patch is more dangerous than the vulnerability. I've seen more production outages from bad patches than from actual attacks. But you still have to patch because not patching means audit failures and compliance violations.
Detection and Workarounds for the Paranoid
CVE-2025-55234 SMB hardening: Microsoft recommends enabling SMB auditing first to see what breaks when you enforce SMB Server Signing and Extended Protection for Authentication. The SMB security enhancements documentation explains the new signing algorithms and encryption features.
Temporary mitigations:
- Enable Windows Exploit Protection (won't stop SMB relay but helps with other shit)
- Segment network access to critical servers
- Monitor authentication logs for unusual relay attack patterns
SMB hardening checklist:
- Enable SMB Server Signing on all servers
- Configure SMB Server Extended Protection for Authentication (EPA)
- Test with legacy devices before full enforcement
- Monitor Event ID 3024 for SMB signing failures
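The audit-first approach from the checklist above, as an added PowerShell example that is not part of the original post or Microsoft's guidance: it snapshots the current SMB server settings, reports Event ID 3024 signing failures from the audit window, and only enforces signing when run with -Enforce. It assumes Windows Server with the SmbShare module, an elevated session, and that 3024 lands in one of the Microsoft-Windows-SMBServer/* logs listed in $logs.

```powershell
<#
  Added example (not from the original post or Microsoft's guidance): audit-first
  SMB signing hardening. Default is report-only; -Enforce flips the switch.
  Assumptions: Windows Server with the SmbShare module, run elevated, and Event ID 3024
  (the signing-failure event the post names) is written to one of the logs in $logs.
#>
param(
    [switch]$Enforce,          # omit for a report-only run
    [int]$LookbackHours = 72   # audit window; the post suggests 72 hours of testing
)

# 1. Snapshot the current state so rollback is a one-liner (see the end of the script).
$before = Get-SmbServerConfiguration |
    Select-Object EnableSecuritySignature, RequireSecuritySignature, EncryptData
Write-Host "Current SMB server settings:"
$before | Format-List | Out-String | Write-Host

# 2. Pull signing failures from the audit window. Each one is a client that will
#    lose its shares the moment RequireSecuritySignature becomes $true.
$since = (Get-Date).AddHours(-$LookbackHours)
$logs  = 'Microsoft-Windows-SMBServer/Security', 'Microsoft-Windows-SMBServer/Audit'
$failures = @(foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3024; StartTime = $since } `
                 -ErrorAction SilentlyContinue
})
if ($failures.Count -gt 0) {
    Write-Warning "$($failures.Count) SMB signing failures since $since. Fix these clients first:"
    $failures | Select-Object TimeCreated, Message | Format-Table -Wrap -AutoSize
} else {
    Write-Host "No Event ID 3024 entries in the last $LookbackHours hours."
}

# 3. Enforce only when asked. Signing first; EPA is a separate setting the post does
#    not name a cmdlet parameter for, so it is deliberately left to Microsoft's guide.
if (-not $Enforce) {
    Write-Host "Report-only run. Re-run with -Enforce once the audit window is clean."
    return
}
Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
Get-SmbServerConfiguration |
    Select-Object EnableSecuritySignature, RequireSecuritySignature | Format-List

# Rollback, if Day 4 happens anyway:
#   Set-SmbServerConfiguration -RequireSecuritySignature $before.RequireSecuritySignature -Force
```

Run it without -Enforce for the length of your test window, and only enforce once the failure list is empty or every client on it has been fixed.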
Bottom line: September 2025 Patch Tuesday requires emergency deployment planning. The SMB relay attacks alone make this critical for any domain environment. Test fast, patch faster, and keep your resume updated just in case.
The only thing worse than getting owned by a zero-day is getting owned by a zero-day that had patches available for weeks.