Today we’re covering a critical security update that Windows Server administrators need to implement immediately. Microsoft’s September 2025 Patch Tuesday release addressed CVE-2025-55234, a significant vulnerability in the Server Message Block (SMB) server that exposes systems to relay attacks.

This vulnerability carries a high CVSS score of 8.8 and has been publicly disclosed, making immediate response essential. Let’s dive into the details and explore how to properly secure your systems against this threat. For complete technical details, refer to the official Microsoft security advisory.

 

 

1. Understanding CVE-2025-55234 and Its Risk Profile

CVE-2025-55234 is an Elevation of Privilege vulnerability affecting Windows SMB servers. The core issue is that SMB servers may be susceptible to relay attacks depending on their configuration.

Key vulnerability characteristics:

• CVSS Score: 8.8 (High severity)
• Classification: Elevation of Privilege vulnerability
• Attack method: SMB relay attacks
• Authentication requirement: Unauthenticated attackers can exploit this

When successfully exploited, attackers can perform relay attacks to capture user authentication credentials and escalate privileges. This poses a serious security threat, particularly in enterprise environments with active file sharing.

 

 

2. Checking If Your Systems Are at Risk

This vulnerability affects the following Windows systems:

Windows Server versions:

• Windows Server 2025
• Windows Server 2022
• Windows Server 2019
• Windows Server 2016
• Windows Server 2012/2012 R2

Windows Client versions:

• Windows 11 (all versions)
• Windows 10 (all supported versions)

To check if your system is affected:

1. Verify system information
   • Go to Start > Settings > System > About to check your Windows version
   • Run winver command in Command Prompt
2. Check installed updates
   • Navigate to Settings > Windows Update > Update history

 

 

3. How Attackers Exploit This Vulnerability

SMB relay attacks work through the following process:

1. Man-in-the-middle setup: Attackers position themselves to intercept SMB traffic on the network
2. Authentication interception: SMB authentication exchanges between clients and servers are captured
3. Credential relay: Intercepted authentication information is forwarded to other servers
4. Privilege escalation: Relayed credentials enable unauthorized access and privilege escalation

These attacks are possible when SMB server signing or Extended Protection for Authentication (EPA) is not properly configured.

 

 

4. Critical Security Updates to Install Now

Microsoft released patches for this vulnerability on September 9, 2025, as part of Patch Tuesday.

Key patch KB numbers:

Windows Version	KB Number	Build Number	Download Link
Windows Server 2025	KB5065426	26100.6584	Download
Windows Server 2022	KB5065432	20348.4171	Download
Windows 11 24H2	KB5065426	26100.6584	Download
Windows 11 23H2/22H2	KB5065431	22631.5909	Download
Windows 10 22H2	KB5065429	–	Download

Installation Methods

Automatic update method:

1. Go to Settings > Windows Update
2. Click “Check for updates”
3. Install all available updates
4. Restart the system

Manual patch download:

• Microsoft Update Catalog – search by KB number
• Windows Server 2025 patch download
• Download and install the appropriate patch for your system

 

 

5. Enabling SMB Server Signing – Step by Step

Along with installing patches, you must enable SMB server signing.

Group Policy Configuration

1. Launch Group Policy Editor
   • Run gpedit.msc or search for “Group Policy Editor” from Start
2. Configure SMB server signing policies
   • Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
   • Set “Microsoft network server: Digitally sign communications (always)” to Enabled
   • Set “Microsoft network server: Digitally sign communications (if client agrees)” to Enabled

Registry Configuration

# Run in Administrator Command Prompt
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "EnableSecuritySignature" /t REG_DWORD /d 1 /f

Important: System restart is required after registry changes.

 

 

6. Implementing Extended Protection for Authentication (EPA)

EPA provides an additional security layer alongside SMB signing to prevent relay attacks. For detailed information about EPA, refer to the Extended Protection for Authentication official documentation.

PowerShell EPA Configuration

# Check EPA configuration
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "SuppressExtendedProtection"

# Enable EPA (value 0 = enabled)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "SuppressExtendedProtection" -Value 0

# Enable NTLMv2 (EPA prerequisite)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 3

Audit Functionality Guide

Microsoft provided audit capabilities alongside CVE-2025-55234 to safely evaluate SMB environments. For detailed configuration instructions, see the SMB Server Hardening Audit Events Support documentation.

1. Enable audit policies
   • Navigate to Computer Configuration > Administrative Templates > Network > Lanman Server
   • Set “Audit client does not support signing/encryption” to Enabled
2. Monitor event logs
   • Check Applications and Services Logs\Microsoft\Windows\SMBClient\Audit for Event IDs 31998, 31999
   • Check Applications and Services Logs\Microsoft\Windows\SMBServer\Audit for Event IDs 3021, 3024-3027

 

 

7. Environment-Specific Security Configuration

Domain Controller Environment

Domain controllers require additional security measures:

# Enforce SMB signing on DCs
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Secure SYSVOL and NETLOGON shares
Set-SmbShare -Name "SYSVOL" -EncryptData $true
Set-SmbShare -Name "NETLOGON" -EncryptData $true

File Server Environment

File servers require gradual implementation considering client compatibility:

1. Enable audit mode
   • First activate audit functionality to identify incompatible clients
2. Phased implementation
   • Enable SMB signing in test environment
   • Check event logs for compatibility issues
   • Apply to production after confirming compatibility

Small Business Environment

Recommended settings for resource-limited small business environments:

# Basic SMB security configuration
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 1 /f

 

 

8. Post-Patch Verification and Monitoring

Patch Installation Verification

# Verify installed patches
Get-HotFix | Where-Object {$_.HotFixID -eq "KB5065426"}

# Check SMB server configuration status
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature

Security Event Monitoring

Monitor these important event IDs:

SMB server related events:

• Event ID 3021: SMB signing compatibility issues
• Event ID 3024-3027: EPA related events

Security log events:

• Event ID 4625: Logon failures (possible relay attack indicators)
• Event ID 4648: Logon attempts with explicit credentials

PowerShell Automated Monitoring Script

# SMB security event monitoring script
$StartTime = (Get-Date).AddDays(-1)
$SMBEvents = Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-SMBClient/Audit"; StartTime=$StartTime; ID=31998,31999}

if ($SMBEvents) {
    Write-Host "SMB compatibility issues detected:" -ForegroundColor Yellow
    $SMBEvents | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize
}

 

 

9. Legacy System Compatibility Solutions

Legacy systems or third-party equipment may experience compatibility issues.

Compatibility Issue Resolution

1. Phased implementation strategy
   • First verify compatibility using audit mode
   • Identify problematic systems and develop alternatives
   • Gradually strengthen security policies
2. Exception handling

   # Temporary exceptions for specific clients (not recommended)
   # Instead, recommend network isolation or VPN usage
   

3. Alternative security measures
   • Network segmentation
   • Secure connections via VPN
   • Enhanced firewall rules

 

 

CVE-2025-55234 represents a critical security vulnerability in Windows environments. Given the nature of SMB relay attacks, this vulnerability can impact entire networks, making swift response essential.

Essential checklist:

• ✅ Install relevant patches (KB5065426 etc.)
• ✅ Enable SMB server signing
• ✅ Apply EPA configuration
• ✅ Enable audit functionality for compatibility verification
• ✅ Establish event log monitoring systems

This vulnerability should be viewed not just as a patching requirement, but as an opportunity to fundamentally strengthen SMB security configurations. We recommend thoroughly testing your environment using audit capabilities before gradually implementing security settings.

 

Useful additional resources:

• Windows Server 2025 Update History
• Windows Security Update Guide
• SMB Security Best Practices