Tenable Patch Tuesday Commentary
Posted: Wednesday, Sep 10

This month’s Patch Tuesday release highlights an emerging trend. For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws. Nearly 50% (47.5%) of all bugs this month are privilege escalation vulnerabilities.

One of the more interesting vulnerabilities patched this month is CVE-2025-55234, a zero-day privilege escalation flaw in Windows Server Message Block (SMB) that was publicly disclosed before this month. Many elevation of privilege flaws patched each Patch Tuesday often require an attacker to have gained access to a target system first (post-compromise) before attempting to elevate privileges. This case appears to be part of an SMB relay attack. While unclear if they are related, Microsoft patched another SMB relay attack, identified as CVE-2025-33073, in June. CVE-2025-55234 appears to have been released to help customers audit and assess their environment and identify incompatibility issues prior to utilizing some of the hardening capabilities for SMB Servers.

Since 2022, Microsoft has patched a number of New Technology File System (NTFS) vulnerabilities in Windows, with the majority of these flaws resulting in information disclosure or privilege escalation. However, this month, Microsoft patched its second remote code execution vulnerability in NTFS in 2025. The first, CVE-2025-24993, was patched in March and was exploited in the wild as a zero-day. While this one does not appear to have been exploited, it is still certainly worth keeping an eye on since NTFS is the primary file system used by Windows.

It wouldn’t be a Patch Tuesday without another SharePoint vulnerability, would it? Microsoft patched CVE-2025-54897 this month, another remote code execution flaw in SharePoint Server. However, it’s assessed as being less likely to be exploited. Nonetheless, we continue to monitor for new SharePoint bugs in the wake of the ToolShell vulnerabilities.

Microsoft patched five bugs in its virtualization platform, Hyper-V. Local attackers could exploit four of these vulnerabilities to elevate their privileges, but only one (CVE-2025-54098) was assessed to be more likely to be exploited, while the other three (CVE-2025-54091, CVE-2025-54092, CVE-2025-54115) were assessed as less likely. Microsoft also patched a remote code execution vulnerability in Hyper-V (CVE-2025-55224), but it is also less likely to be exploited. – Satnam Narang, sr. staff research engineer at Tenable
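The commentary above notes that CVE-2025-55234 is tied to SMB relay and that Microsoft's release is meant to let customers audit their environment for incompatibilities before turning on SMB server hardening. SMB signing is the server-side control that blocks relayed authentication, so the natural first step for a defender is to inventory the signing posture of each file server and, where the build supports it, switch on audit mode to log clients that cannot sign before signing is made mandatory. The script below is an added example written for this page; it is not Tenable's or Microsoft's code. It uses the long-standing `Get-SmbServerConfiguration` / `Set-SmbServerConfiguration` cmdlets; the `AuditClientDoesNotSupportSigning` and `AuditClientDoesNotSupportEncryption` parameters and the `Microsoft-Windows-SMBServer/Audit` event channel are assumed to be present only on current Windows builds (Windows 11 24H2 / Windows Server 2025 and later), which is why their availability is checked at runtime rather than assumed.

```powershell
# Added example (not from the Tenable commentary): inventory SMB server signing
# posture on this host and, optionally, enable signing/encryption client auditing
# so non-compliant clients are logged before RequireSecuritySignature is enforced.
#
# Assumptions: run from an elevated PowerShell session on Windows. The Audit*
# parameters of Set-SmbServerConfiguration are assumed to exist only on recent
# builds (Windows 11 24H2 / Server 2025+), hence the capability check below.

param(
    [switch]$EnableAudit   # pass -EnableAudit to turn on audit mode; default is report-only
)

$cfg = Get-SmbServerConfiguration

# Signing defeats relay of authentication to this server: a relayed session
# cannot produce a valid signature without the negotiated session key.
$report = [ordered]@{
    EnableSecuritySignature  = $cfg.EnableSecuritySignature   # signing offered
    RequireSecuritySignature = $cfg.RequireSecuritySignature  # signing mandatory
    EncryptData              = $cfg.EncryptData               # SMB3 encryption
    EnableSMB1Protocol       = $cfg.EnableSMB1Protocol        # legacy dialect still on?
}
[pscustomobject]$report | Format-List

if (-not $cfg.RequireSecuritySignature) {
    Write-Warning 'SMB server signing is not required on this host; relayed authentication is not blocked by signing.'
}
if ($cfg.EnableSMB1Protocol) {
    Write-Warning 'SMB1 is enabled; it cannot meet modern signing/encryption requirements.'
}

# Check whether this build exposes the audit parameters before using them.
$setCmd   = Get-Command Set-SmbServerConfiguration
$hasAudit = $setCmd.Parameters.ContainsKey('AuditClientDoesNotSupportSigning') -and
            $setCmd.Parameters.ContainsKey('AuditClientDoesNotSupportEncryption')

if ($EnableAudit) {
    if ($hasAudit) {
        # Audit mode records clients that cannot sign or encrypt without breaking
        # them: this is the "assess before hardening" step the commentary describes.
        Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning $true `
                                   -AuditClientDoesNotSupportEncryption $true `
                                   -Force
        Write-Output 'SMB signing/encryption client audit enabled.'
    } else {
        Write-Warning 'This build does not expose SMB client signing/encryption audit parameters.'
    }
}

# Summarise whatever the audit channel has already recorded, grouped by event ID.
# IDs are deliberately not hard-coded; review the grouped output against the
# channel's own event descriptions for the build in use.
$events = Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 500 `
                       -ErrorAction SilentlyContinue
if ($events) {
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{Name = 'EventId'; Expression = { $_.Name }}, Count |
        Format-Table -AutoSize
} else {
    Write-Output 'No SMB audit events recorded (or the audit channel is not present on this build).'
}
```

Run it once without `-EnableAudit` to get a read-only snapshot of each file server, then with `-EnableAudit` on the servers you intend to harden; after a representative period of normal use, the grouped audit events identify the clients that would break when `RequireSecuritySignature` is set to `$true`, so they can be fixed or replaced before enforcement.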
