Microsoft’s August 2025 Patch Tuesday delivers fixes for 107 vulnerabilities, including one publicly disclosed zero-day in Windows Kerberos. Thirteen vulnerabilities are classified as critical, with nine involving remote code execution, three tied to information disclosure, and one elevation of privilege flaw.
Breakdown of Vulnerabilities
- 44 Elevation of Privilege vulnerabilities
- 35 Remote Code Execution vulnerabilities
- 18 Information Disclosure vulnerabilities
- 9 Spoofing vulnerabilities
- 4 Denial of Service vulnerabilities
These totals exclude security fixes for Mariner, Azure, and Microsoft Edge addressed earlier in the month. Non-security updates released include Windows 11 KB5063878 and KB5063875, and Windows 10 KB5063709.
Zero-Day Vulnerability
CVE-2025-53779 | Windows Kerberos Elevation of Privilege Vulnerability
This publicly disclosed flaw allows an authenticated attacker to escalate privileges to domain administrator over a network. The issue arises from relative path traversal in Kerberos, which can be abused if an attacker has elevated access to specific dMSA attributes:
- msds-groupMSAMembership: Enables the user to utilize the dMSA.
- msds-ManagedAccountPrecededByLink: Allows specifying a user the dMSA can act on behalf of.
The vulnerability was disclosed in a technical report by Yuval Gordon of Akamai in May 2025.
Other Critical Vulnerabilities
This month’s critical patches also address multiple remote code execution flaws in core Windows components and Microsoft Office, as well as high-impact information disclosure issues that could lead to data exposure in enterprise environments.
Adobe and Other Vendor Updates
Several major vendors released important updates alongside Microsoft’s August patches:
- 7-Zip: Patched a path traversal flaw leading to potential remote code execution.
- Adobe: Issued emergency updates for AEM Forms zero-days after public proof-of-concept code appeared.
- Cisco: Released patches for WebEx and Identity Services Engine vulnerabilities.
- Fortinet: Updated FortiOS, FortiManager, FortiSandbox, and FortiProxy to address multiple security issues.
- Google: Fixed two actively exploited Qualcomm vulnerabilities in Android.
- Microsoft: Issued a separate warning for CVE-2025-53786, a Microsoft Exchange flaw that could be used to hijack cloud environments.
- Proton: Patched its iOS Authenticator app to prevent plaintext logging of sensitive TOTP secrets.
- SAP: Released updates for multiple products, with some vulnerabilities rated at 9.9 severity.
- Trend Micro: Published a temporary fix tool for an actively exploited Apex One RCE flaw, with a full update to follow.
- WinRAR: Issued an update for an actively exploited path traversal vulnerability that could lead to RCE.
Recommendations for Users and Administrators
Given the public disclosure of CVE-2025-53779, organizations should prioritize patching Windows Kerberos services, especially in domain controller environments. Limiting access to sensitive dMSA attributes, monitoring for abnormal Kerberos activity, and applying the August updates across Windows systems is recommended.
Attention should also be given to third-party patches from vendors such as Adobe, Cisco, and Fortinet, particularly where vulnerabilities are actively exploited.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
