September 2025: [Hyper-V on the Hot Seat, Phone Link Priv-Esc, and NTFS RCE]

September 2025 Patch Tuesday includes a heavy run of buffer and memory overflow vulnerabilities, with six rated exploitation more likely and use-after-free appearing roughly 12 times across the month's CVEs.

CVE-2025-54098 is a Windows Hyper-V elevation of privilege from improper access control that escalates a local user straight to SYSTEM. It is one of five Hyper-V CVEs this month and one of roughly 11 Hyper-V flaws tracked this year, about seven of them privilege escalation.

CVE-2025-54111 and CVE-2025-54913 are Windows UI XAML use-after-free flaws tied to the DatePickerFlyout; a standard user can chain them to local privilege escalation, and Ryan ties the risk to Phone Link adding iPhone support alongside Android on Windows 10 and 11.

CVE-2025-54916 is a stack-based buffer overflow in NTFS request handling that gives even a low-privilege account remote code execution once an attacker has a foothold, with hospitals, government agencies, and corporate networks as prime targets. Seth advises patching immediately, segmenting networks, limiting file sharing, shutting off SMB where possible, and enforcing least privilege.

Ryan ties initial access back to credential exposure from the Drift breach, urging teams to rotate any service-account or Intune-linked credentials even when they were not directly affected.