Microsoft’s September 2025 Patch Tuesday brings security fixes for 81 vulnerabilities, including two zero-day flaws that could directly impact healthcare organizations running Windows-based systems and SQL Server. With nine critical issues also resolved, healthcare IT teams are being urged to treat this update cycle as high priority to protect sensitive systems that store or process patient data.
The most concerning issue, CVE-2025-55234, is an elevation of privilege vulnerability in the Windows SMB Server. If left unpatched, attackers could exploit it through relay attacks, gaining elevated privileges and potentially moving laterally across hospital networks. SMB is widely used for file sharing in healthcare environments, including diagnostic imaging and electronic health records, making this a serious risk for service disruption and unauthorized access to protected health information (PHI).
The second zero-day, CVE-2024-21907, affects Microsoft SQL Server through its use of the Newtonsoft.Json library. Improper handling of data could allow attackers to cause denial-of-service conditions. For hospitals that rely on SQL Server databases to run clinical applications, a targeted attack could temporarily disrupt scheduling, patient record access, or medication systems.
Microsoft has also fixed a broad set of other flaws: 41 privilege escalation bugs, 22 remote code execution vulnerabilities, and 16 information disclosure issues. These categories represent some of the most common vectors used by ransomware groups targeting healthcare, who exploit unpatched systems to gain initial access and then move quickly to lock critical services.
As part of the SMB fix, Microsoft recommends enabling SMB Server Signing and Extended Protection for Authentication (EPA). However, these may cause compatibility issues with legacy medical devices and software. To reduce disruption, Microsoft has introduced new auditing tools so healthcare IT teams can test compatibility before enabling enforcement.
For healthcare and medical organizations, applying these patches is urgent to prevent downtime in critical care systems and to safeguard PHI. Administrators should prioritize updating Windows servers and SQL Server deployments, enable auditing for SMB hardening, and closely monitor for signs of relay or DoS attacks. In an environment where delayed patching can directly affect patient safety, proactive action is the best defense.
