Microsoft released its August 2025 Patch Tuesday security updates on August 12, addressing a total of 107 vulnerabilities across its product portfolio. The update includes fixes for one publicly disclosed zero-day vulnerability and 13 classified as Critical, with the remainder spanning various severity levels. The most common vulnerability types this month are elevation of privilege, remote code execution (RCE), and information disclosure.
Why it matters
This month’s release targets several high-impact vulnerabilities that could enable attackers to escalate privileges or execute arbitrary code on affected systems. Notably, some vulnerabilities allow exploitation without user interaction, increasing the risk of successful attacks in enterprise environments. Organizations running Windows and Microsoft Office products are urged to apply these updates promptly to mitigate the risk of system compromise, data breaches, and unauthorized access.
Details
- Zero-day vulnerability (CVE-2025-53779): An Important-rated elevation of privilege flaw in Windows Kerberos (CVSS 7.2) that was publicly disclosed before the patch, with proof-of-concept code available. Microsoft assesses exploitation as less likely because the attacker must already hold elevated rights over the attributes that govern delegated Managed Service Accounts (msds-groupMSAMembership and msds-ManagedAccountPrecededByLink); with that foothold, a successful attack can yield domain administrator privileges.
- Critical RCE in Windows Graphics (CVE-2025-50165): This vulnerability (CVSS 9.8) allows unauthenticated remote attackers to execute arbitrary code by exploiting flaws in the Microsoft Graphics Component when processing JPEG images, potentially leading to full system compromise. The attack requires no user interaction and impacts confidentiality, integrity, and availability.
- Critical RCE in GDI+ (CVE-2025-53766): With a CVSS score of 9.8, this heap-based buffer overflow affects Windows GDI+. An attacker can trigger it either by convincing a user to open a document containing a crafted metafile or, with no user involvement at all, by uploading such a file to a web service that parses metafiles server-side. The second path is what makes the bug critical for externally reachable document and image processing services.
- Critical elevation of privilege in NTLM (CVE-2025-53778): Scoring 8.8 on the CVSS scale, this vulnerability enables authenticated attackers with low privileges to escalate to SYSTEM privileges via improper NTLM authentication, leading to full system takeover. Exploitation requires minimal privileges and no user interaction.
- Critical RCE in Microsoft Office (CVE-2025-53731, CVE-2025-53733): Both vulnerabilities (CVSS 8.4) let an attacker execute code locally when a victim handles a crafted file; the root causes are a use-after-free and a numeric conversion error, respectively. Because the Preview Pane is an attack vector, the victim does not have to open the file: previewing it in Outlook or Explorer is enough. Microsoft nonetheless rates exploitation as less likely.
In total, 42 vulnerabilities addressed this month relate to privilege escalation (39%), 35 to remote code execution (33%), and 16 to information disclosure (15%).
Background
Microsoft’s Patch Tuesday is a monthly event where the company releases security updates for its software products. The regular cadence aims to provide predictable and manageable updates for enterprise IT teams. Elevation of privilege vulnerabilities have consistently topped the list in recent months, reflecting attackers’ focus on gaining higher-level access within environments they have already entered. Remote code execution flaws remain the more dangerous class because some of them, such as this month’s Graphics and GDI+ bugs, can compromise a system with no user involvement.
What’s next
Organizations are strongly advised to review the August 2025 security updates and prioritize patching of the Critical vulnerabilities, especially those affecting Windows Kerberos (the fix must reach domain controllers), the Graphics Component, GDI+, NTLM authentication, and Office. IT administrators should assess their exposure, particularly in environments that use delegated Managed Service Accounts or that run externally accessible document or image processing services. Ongoing vigilance is required: exploit code for the Kerberos bug is public, and the risk of active exploitation of the others remains. Microsoft will continue to monitor for exploitation attempts and release further advisories as needed.
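As a starting point for that exposure assessment, the following PowerShell script is an added example written for this page; it is not from the original article or from Microsoft. It assumes a domain-joined host with the ActiveDirectory RSAT module, and the KB list is a placeholder because the page gives no KB numbers. The second check relates to CVE-2025-53779, whose advisory states that an attacker needs elevated access to the msds-groupMSAMembership and msds-ManagedAccountPrecededByLink attributes of delegated Managed Service Accounts (dMSA), so it lists which principals can write those attributes. The function names Get-PatchStatus and Get-DmsaWriters and the $ExpectedWriters list are the author's own choices.

```powershell
#Requires -Modules ActiveDirectory
<#
 Added triage script (not from the original article). Two checks:
   1. Is the August 2025 cumulative update present on this host? The KB
      identifiers are NOT stated on the page; fill $AugustKBs from Microsoft's
      release notes for each OS build you run (placeholder below).
   2. For CVE-2025-53779: which principals can write the two dMSA attributes the
      advisory names, msds-groupMSAMembership and msds-ManagedAccountPrecededByLink?
      Anything beyond the built-in admin groups deserves a look.
 Run on a domain-joined host as an account that can read AD security descriptors.
#>
param(
    [string[]] $AugustKBs = @('KB0000000')   # placeholder; replace with the real KB numbers
)

# --- Check 1: patch status of this host ---------------------------------------
function Get-PatchStatus {
    param([string[]] $RequiredKBs)
    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $installed = (Get-HotFix).HotFixID
    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        OS         = $os.Caption
        Build      = $os.BuildNumber
        MissingKBs = @($RequiredKBs | Where-Object { $_ -notin $installed })
    }
}

# --- Check 2: who can write the dMSA attributes CVE-2025-53779 depends on -------
# Principals expected to hold write rights; adjust to your own delegation model.
$ExpectedWriters = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
)
$WriteRights = 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner'

function Get-DmsaWriters {
    # Resolve the attribute schema GUIDs by name so nothing is hard-coded.
    $schemaPath = (Get-ADRootDSE).schemaNamingContext
    $guids = @{}
    foreach ($attr in 'msDS-GroupMSAMembership', 'msDS-ManagedAccountPrecededByLink') {
        $obj = Get-ADObject -SearchBase $schemaPath -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
        if ($obj) { $guids[[guid]$obj.schemaIDGUID] = $attr }
    }
    # Returns nothing in forests whose schema predates dMSA (Windows Server 2025).
    $dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
                          -Properties nTSecurityDescriptor
    foreach ($d in $dmsas) {
        foreach ($ace in $d.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.ActiveDirectoryRights -notmatch $WriteRights) { continue }
            # Empty ObjectType means the ACE covers every property; otherwise keep only
            # the two attributes of interest. ACEs granted via property sets are not
            # expanded here and would need a separate lookup.
            $allProps = ($ace.ObjectType -eq [guid]::Empty)
            if (-not $allProps -and -not $guids.ContainsKey($ace.ObjectType)) { continue }
            $attrName = if ($allProps) { '(all properties)' } else { $guids[$ace.ObjectType] }
            [pscustomobject]@{
                dMSA       = $d.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                Attribute  = $attrName
                Unexpected = ($ace.IdentityReference.Value -notin $ExpectedWriters)
            }
        }
    }
}

Get-PatchStatus -RequiredKBs $AugustKBs | Format-List
Get-DmsaWriters | Where-Object Unexpected | Format-Table -AutoSize
```

Run it on a domain controller or any host with RSAT; rows flagged Unexpected identify principals who could satisfy the precondition of CVE-2025-53779 and should be reviewed before and after the update is applied. The patch check is per host, so feed the same script to your fleet-management tooling rather than running it once.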