Here are some of the more interesting Patch Tuesday vulns we found this month, and what to monitor for!

Vulnerabilities in Windows UI XAML 

CVE-2025-54111 and CVE-2025-54913 (CVSS 7.8) Use-after-free in DatePickerFlyout & MapControlSettings → local priv-esc. Affects Microsoft Phone Link.What to monitor for: XAML-related crashes (Windows.UI.Xaml.dll, ShellExperienceHost.exe) and rapid UWP flyout abuse.

Windows Hyper-V Elevation of Privilege Vulnerability  

CVE-2025-54098 (CVSS 7.8/10) Improper access control → SYSTEM on Hyper-V hosts/workstations. Patch or disable Hyper-V if not needed.What to monitor: Service creation, token manipulation, new virtual switches, or new Hyper-V enablement.

Windows NTFS Remote Code Execution Vulnerability

CVE-2025-54916 (CVSS 7.8/10) Stack overflow in NTFS request handling → potential RCE via crafted file ops/SMB.What to monitor for: NTFS-related crashes, SMB traffic spikes, unusual file activity or lateral movement after file ops.

Listen to Automox’s Patch Tuesday podcast for more or read our analysis here.