With 82 new vulnerabilities released, September’s Patch Tuesday includes a mix of privilege escalation and remote code execution flaws.
See what Automox’s cybersecurity experts are tracking this month, and be sure to tune in to the Patch [FIX] Tuesday podcast for deeper analysis.
Before diving into this month’s details, let’s look at how September compares to the past year.
CVE-2025-54111 and CVE-2025-54913 [Important]
Vulnerabilities in Windows UI XAML
CVE-2025-54111 and CVE-2025-54913 (both rated at CVSS 7.8/10) are vulnerabilities in Windows UI XAML, a framework that supports many common user-facing controls; the two components specifically called out are DatePickerFlyout and MapControlSettings.
Under crafted conditions, these components can trigger use-after-free vulnerabilities. An attacker with standard user privileges could exploit these flaws to gain local privilege escalation.
How attackers may exploit XAML vulnerabilities
Attackers often begin with common entry points such as:
Phished credentials that grant initial user access
Malicious or rogue Microsoft Store apps
Packaged apps that abuse XAML flyouts in rapid, repeated loops
What to look out for
You can recognize suspicious activity by monitoring for system crashes followed by unexpected privilege changes. Watch for:
Application Error events citing Windows.UI.Xaml.dll, DatePickerFlyoutPresenter, ShellExperienceHost.exe, or PhoneExperienceHost.exe
Event ID 1000/1001 pairs and clusters of Windows Error Reporting (WER) buckets
Unusual UWP or packaged apps invoking flyouts rapidly, followed by suspicious activity such as new service installs or token elevation attempts
Mitigation guidance
Patching these CVEs should be a priority for risk reduction. In addition, you can reduce short-term exposure with:
Application controls: Use Windows Defender Application Control (WDAC) or AppLocker to limit execution of untrusted packaged apps.
Attack surface reduction: Disable sideloading where not required, and evaluate whether services like Phone Link or PhoneExperienceHost are necessary.
Detection and monitoring: Collect and forward crash-related telemetry (for example, XAML-related Application Error events) to your SIEM for correlation. Spikes in these logs may be early indicators of exploitation attempts.
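As an added example that is not part of the Automox post, the following PowerShell script implements the crash-telemetry check described above: it pulls Application Error (1000) and Windows Error Reporting (1001) events that name the XAML components listed, pairs them, flags per-hour crash clusters, and then looks for the post's follow-on indicator, new service installs (System log Event ID 7045), after each cluster. The 5-crash threshold and the 60-second pairing window are assumed tuning values.

```powershell
# Added example, not code from the Automox post. Runs on a Windows host with
# rights to read the Application and System logs. $Threshold and the 60 s
# pairing window are assumed tuning values, not figures from the article.
$Lookback    = (Get-Date).AddHours(-24)
$Threshold   = 5   # assumed: same faulting app crashing this often in one hour = cluster
$XamlPattern = 'Windows\.UI\.Xaml\.dll|DatePickerFlyoutPresenter|ShellExperienceHost\.exe|PhoneExperienceHost\.exe'

# Application Error (1000) and WER (1001) events whose text names a XAML component
$events  = Get-WinEvent -FilterHashtable @{ LogName='Application'; Id=1000,1001; StartTime=$Lookback } -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -match $XamlPattern } | Sort-Object TimeCreated
$crashes = @($events | Where-Object Id -eq 1000)
$reports = @($events | Where-Object Id -eq 1001)

# Pair each 1000 with a 1001 logged within 60 s of it. The first line of a 1000
# event reads "Faulting application name: <exe>, version: ..., time stamp: ..."
$paired = foreach ($c in $crashes) {
    $wer = $reports | Where-Object { $d = ($_.TimeCreated - $c.TimeCreated).TotalSeconds; $d -ge 0 -and $d -le 60 } | Select-Object -First 1
    [pscustomobject]@{
        TimeCreated  = $c.TimeCreated
        FaultingApp  = ((($c.Message -split "`n")[0] -replace '^Faulting application name:\s*','') -split ',')[0].Trim()
        HasWerReport = [bool]$wer
        HourBucket   = $c.TimeCreated.ToString('yyyy-MM-dd HH:00')
    }
}

# Clusters: repeated crashes of one faulting app inside a single hour
$clusters = $paired | Group-Object FaultingApp, HourBucket | Where-Object Count -ge $Threshold

# Follow-on indicator from the post: new service installs after the crash burst.
# Event ID 7045 in the System log is written by Service Control Manager on install.
$alerts = foreach ($g in $clusters) {
    $first = @($g.Group | Sort-Object TimeCreated)[0].TimeCreated
    $svc   = @(Get-WinEvent -FilterHashtable @{ LogName='System'; Id=7045; StartTime=$first; EndTime=$first.AddHours(2) } -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Alert                  = 'XAML crash cluster'
        Host                   = $env:COMPUTERNAME
        FaultingApp            = $g.Group[0].FaultingApp
        Hour                   = $g.Group[0].HourBucket
        Crashes                = $g.Count
        WithWerReport          = @($g.Group | Where-Object HasWerReport).Count
        ServicesInstalledAfter = $svc.Count
        Severity               = $(if ($svc.Count -gt 0) { 'High' } else { 'Medium' })
    }
}

$alerts | ConvertTo-Json -Depth 3   # forward to the SIEM alongside the raw events
```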
– Ryan Braunstein, Security Manager, Automox
CVE-2025-54098 [Important]
Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2025-54098 (CVSS 7.8/10) is an improper access control flaw that allows a local user to escalate privileges to SYSTEM on hosts with Hyper-V enabled. While the exact call path isn’t public, past flaws in this category often stem from weak boundary checks between management components and worker processes. If Hyper-V is present on workstations, the potential impact expands quickly.
How attackers may exploit Hyper-V vulnerabilities
Attackers are likely to pair initial access with local exploitation on any device running Hyper-V. Common entry points include:
Browser plug-ins
Malicious installers
Living-off-the-land scripts
Pro and Enterprise workstations with optional virtualization features should be considered high-value targets.
What to look out for
Look for signs of local privilege escalation activity, especially following user-mode anomalies. Key indicators include:
Service creation, token manipulation, or suspicious writes under C:\ProgramData\Microsoft\Windows\Hyper-V
Unexpected enablement of the Hyper-V feature
Creation of new virtual switches outside approved change windows
Mitigation guidance
Patch all Hyper-V hosts and any workstations with the role enabled. On systems where virtualization is not required, disable Hyper-V to reduce the attack surface and remove these privilege escalation paths.
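The audit below is an added example, not code from the Automox post. It compares a host's Hyper-V state with an approved baseline so that the indicators listed above (unexpected feature enablement, new virtual switches) stand out, flags workstation SKUs with the role enabled, and optionally disables the feature where it is not approved. The baseline file path and its JSON layout are assumptions; the script needs elevation because Get-WindowsOptionalFeature and Get-VMSwitch require it.

```powershell
# Added example, not code from the Automox post. Run elevated. The baseline
# path and format below are assumptions for this example.
param([switch]$Remediate)   # read-only audit unless -Remediate is passed

$BaselinePath = 'C:\ProgramData\SecOps\hyperv-baseline.json'   # assumed location
# Assumed format: { "HyperVApproved": false, "ApprovedSwitches": ["External-Prod"] }
$baseline = [pscustomobject]@{ HyperVApproved = $false; ApprovedSwitches = @() }
if (Test-Path $BaselinePath) { $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json }

$os = Get-CimInstance Win32_OperatingSystem
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$isWorkstation = $os.ProductType -eq 1

$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
$enabled = $feature.State -eq 'Enabled'

# Enumerate virtual switches only when the Hyper-V module is actually present
$switches = @()
if ($enabled -and (Get-Command Get-VMSwitch -ErrorAction SilentlyContinue)) {
    $switches = @(Get-VMSwitch | Select-Object -ExpandProperty Name)
}
$unapproved = @($switches | Where-Object { $_ -notin $baseline.ApprovedSwitches })

$findings = @()
if ($enabled -and -not $baseline.HyperVApproved) {
    $findings += 'Hyper-V is enabled but not approved for this host'
}
if ($enabled -and $isWorkstation) {
    $findings += 'Hyper-V enabled on a workstation SKU: high-value target, prioritize the CVE-2025-54098 patch'
}
foreach ($s in $unapproved) { $findings += "Virtual switch '$s' is not in the approved baseline" }

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    Edition       = $os.Caption
    HyperVEnabled = $enabled
    Switches      = $switches
    Findings      = $findings
} | ConvertTo-Json -Depth 3   # forward to the SIEM; alert on any non-empty Findings

# Remediation for hosts where virtualization is not required (takes effect after a reboot)
if ($Remediate -and $enabled -and -not $baseline.HyperVApproved) {
    Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart
}
```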
– Henry Smith, Senior Security Engineer, Automox
CVE-2025-54916 [Important]
Windows NTFS Remote Code Execution Vulnerability
NTFS (New Technology File System) governs how Windows stores and retrieves files. CVE-2025-54916 (CVSS 7.8/10) is a stack-based buffer overflow in NTFS request handling. When an attacker feeds more data than a routine can safely process, the overflow can overwrite adjacent memory and allow injected instructions to run. Even a low-privilege account can use this flaw for code execution.
How attackers may exploit NTFS vulnerabilities
Attackers may use crafted file operations or malformed requests that target NTFS paths through SMB or local parsing routines. High-risk environments include:
File servers with broad or legacy shares
Mixed-trust networks
Appliances still using older SMB dialects
Indicators of exploitation attempts
Watch for system instability and file activity anomalies, such as:
NTFS-related crashes
Spikes in SMB traffic volume or error rates
Lateral movement after file activity, including new services, scheduled tasks, or ransomware precursors like mass file handle enumeration
Mitigation guidance
Patch affected systems immediately. To reduce exposure, it is best practice to:
Limit unnecessary file sharing
Restrict write access on high-value shares
Segment networks so user subnets cannot reach sensitive file servers
Collect and forward file server logs and Windows Error Reporting data to your SIEM, alerting on unusual SMB requests, rapid file opens, or NTFS parser crashes
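The following PowerShell audit is an added example, not code from the Automox post. It checks a file server for the exposures the mitigation list targets: SMB1 left enabled, shares that grant Change or Full access to broad principals, and client sessions still negotiated at legacy dialects. The list of broad principals and the SMB 3.0 dialect floor are assumed policy values; the SmbShare cmdlets require an elevated session.

```powershell
# Added example, not code from the Automox post. Run elevated on a file server
# with the SmbShare module (Windows 8 / Server 2012 and later).
# $BroadPrincipals and $MinDialect are assumed policy values for this example.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')
$MinDialect      = [version]'3.0'   # assumed floor; SMB 2.0.2 / 2.1 sessions are reported as legacy

$findings = @()

# Server-side SMB1 support is the clearest legacy-dialect exposure
$cfg = Get-SmbServerConfiguration
if ($cfg.EnableSMB1Protocol) {
    $findings += [pscustomobject]@{ Type='Config'; Object='Server'; Detail='SMB1 protocol enabled' }
}

# Non-administrative shares whose ACL grants write (Change/Full) to a broad principal
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    $broadWrite = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        "$($_.AccessRight)" -in 'Change','Full' -and
        (($_.AccountName -split '\\')[-1]) -in $BroadPrincipals   # strip DOMAIN\ or BUILTIN\
    }
    foreach ($ace in $broadWrite) {
        $findings += [pscustomobject]@{
            Type   = 'Share'
            Object = $share.Name
            Detail = "$($ace.AccountName) has $($ace.AccessRight) on $($share.Path)"
        }
    }
}

# Active sessions negotiated below the dialect floor (Dialect is a string such as "3.1.1")
foreach ($s in Get-SmbSession) {
    if ([version]$s.Dialect -lt $MinDialect) {
        $findings += [pscustomobject]@{
            Type   = 'Session'
            Object = $s.ClientComputerName
            Detail = "SMB $($s.Dialect) session as $($s.ClientUserName)"
        }
    }
}

$findings | Sort-Object Type, Object | Format-Table -AutoSize
# Persist a JSON copy for collection by the SIEM forwarder
$findings | ConvertTo-Json -Depth 3 | Out-File "$env:ProgramData\smb-audit-$(Get-Date -Format yyyyMMdd).json"
```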
– Seth Hoyt, Senior Security Engineer, Automox
Patch regularly, patch often
Attackers act fast when privilege boundaries break. Close the cracks with timely updates, strong application controls, and least-privilege defaults.
Patching goes beyond routine maintenance — it blocks opportunistic moves and cuts off attacker momentum.
Until next time: patch regularly, patch often.