Microsoft Patch Tuesday, August 2025 Edition

What’s new

Microsoft released updates addressing over 100 security vulnerabilities in its software, including 13 rated as “critical.” Notable vulnerabilities include CVE-2025-53786, which allows attackers to pivot from a compromised Microsoft Exchange Server to the cloud environment, and CVE-2025-53779, a weakness in the Windows Kerberos authentication system that can grant domain administrator privileges. Other critical flaws involve remote code execution in Windows GDI+ (CVE-2025-53766), vulnerabilities in Microsoft Word (CVE-2025-53733), and a bug in Windows NTLM (CVE-2025-53778) that could allow elevation to SYSTEM-level access.

Who’s affected

Organizations using Microsoft Exchange Server 2016, 2019, and Subscription Edition, as well as those utilizing Windows operating systems with the affected components, are at risk. Approximately 29,000 Exchange servers are publicly exposed and vulnerable to CVE-2025-53786.

What to do

  • Apply the latest Microsoft security updates immediately to mitigate vulnerabilities.
  • For CVE-2025-53786, follow Microsoft’s manual instructions to create a dedicated service for securing the hybrid connection.
  • Monitor for any issues during the update process and consult resources like the SANS Internet Storm Center for further guidance.

Sources