121
Microsoft has launched the scheduled Patch Tuesday updates for August 2025. This month’s replace bundle holds utmost significance because it addresses over 100 vulnerabilities, together with a zero-day.
A Publicly Disclosed Zero-Day Flaw Addressed
Crucial safety repair within the August Patch Tuesday updates addressed a zero-day vulnerability in Microsoft Home windows Kerberos. Whereas Microsoft confirmed no lively exploitation of this flaw, they confirmed public disclosure of this vulnerability earlier than a repair.
Recognized as CVE-2025-53779, Microsoft described this vulnerability as a privilege escalation difficulty in Home windows Kerberos, the authentication protocol in Home windows Server 2025. Of their advisory, Microsoft described the flaw as,
Relative path traversal in Home windows Kerberos permits a licensed attacker to raise privileges over a community.
This vulnerability achieved a average severity score with a CVSS rating of seven.2. Microsoft acknowledged the safety researcher Yuval Gordon of Akamai for reporting this vulnerability.
The researcher has already shared particulars about this flaw, dubbed “BadSuccessor,” in a separate weblog publish, the place he confirmed reporting the vulnerability to Microsoft in April 2025. Nevertheless, the tech big seemingly downplayed the severity of the matter, deferring a right away repair.
Fortuitously, regardless of being recognized for months, the vulnerability escaped lively exploitation makes an attempt. Now that the repair is obtainable, customers should guarantee updating their methods to obtain the patch.
Different Essential Fixes From Microsoft With August Patch Tuesday
Aside from the zero-day vulnerability, Microsoft addressed 107 different vulnerabilities this month. These embody 12 essential severity vulnerabilities and 92 essential severity flaws. Furthermore, it additionally mounted a average severity (CVE-2025-49736) and a low severity difficulty (CVE-2025-49755) within the Microsoft Edge browser.
Concerning the kind of these vulnerabilities, the replace addressed 4 denial of service vulnerabilities, 41 privilege escalation points, 16 data disclosure flaws, 35 distant code execution vulnerabilities, 8 spoofing points, 1 tampering, and 1 cross-site scripting vulnerability.
Some noteworthy vulnerabilities from these embody the next.
- CVE-2025-53766 (essential; CVSS 9.8): A heap-buffer overflow in Home windows GDI+ that would enable distant code execution over a community. An unauthenticated adversary might exploit the flaw by tricking the goal person into opening a maliciously crafted file.
- CVE-2025-50165 (essential; CVSS 9.8): A distant code execution vulnerability in Home windows Graphics Element that existed attributable to untrusted pointer dereference. An unauthenticated attacker might exploit the flaw even with out person interplay.
- CVE-2025-50171 (essential; CVSS 9.1): As a consequence of lacking authorization in Distant Desktop Server, a licensed attacker might carry out spoofing over the goal community.
Microsoft implements automated roll-out of these scheduled updates to all eligible units. But, customers ought to nonetheless guarantee updating their methods in time through handbook evaluation to obtain all safety fixes and keep away from potential assaults through unpatched vulnerabilities.
Tell us your ideas within the feedback.
Get actual time replace about this publish class immediately in your machine, subscribe now.
