Microsoft’s Patch Tuesday gives sys admins a baker’s dozen • The Register

Microsoft’s August Patch Tuesday flaw-fixing festival addresses 111 problems in its products, a dozen of which are deemed critical, and one moderate-severity flaw that is listed as being publicly known.

The good news is that Microsoft says none of the August security holes are under active exploitation. But before you put your feet up and relax, or pop some champagne, remember that the software giant said July’s patches didn’t address any active exploits…and we all know how that turned out (cough) SharePoint (cough).

Let’s start with the known bug, an elevation of privilege flaw in the Windows Kerberos network authentication protocol. It’s tracked as CVE-2025-53779. Microsoft rates it 7.2 on the ten-point CVSS scale, and the software giant deems “exploitation less likely,” probably because to abuse this vulnerability an attacker would first need to be authenticated with explicit permissions to two attributes of the delegated Managed Service Account (dMSA):

  • msds-groupMSAMembership: This attribute allows the user to utilize the dMSA.
  • msds-ManagedAccountPrecededByLink: The attacker needs write access to this attribute, which allows them to specify a user that the dMSA can act on behalf of.

Assuming the stars aligned, someone who “successfully exploited this vulnerability could gain domain administrator privileges,” Redmond warned.
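
A defender-side check for the precondition described above, as an added example that is not from the article or from Microsoft: it lists which principals hold write access to msds-ManagedAccountPrecededByLink on each dMSA. It assumes the ActiveDirectory (RSAT) PowerShell module and the object class name msDS-DelegatedManagedServiceAccount, which the article does not give.

```powershell
# Added example: list principals that can write msDS-ManagedAccountPrecededByLink on dMSA objects.
# Assumes the ActiveDirectory (RSAT) module and a forest whose schema includes dMSA.
Import-Module ActiveDirectory

$schemaNc = (Get-ADRootDSE).schemaNamingContext

# Look up the attribute's GUIDs in the schema rather than hard-coding them.
$attr = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=msDS-ManagedAccountPrecededByLink)' `
    -Properties schemaIDGUID, attributeSecurityGUID
if (-not $attr) { throw 'msDS-ManagedAccountPrecededByLink is not in this schema.' }

# An ACE covers the attribute if its ObjectType is the attribute itself,
# the property set containing it (if any), or empty (all properties).
$targets = @([guid]::Empty, [guid]$attr.schemaIDGUID)
if ($attr.attributeSecurityGUID) { $targets += [guid]$attr.attributeSecurityGUID }

# The WriteProperty bit is also set inside GenericWrite and GenericAll;
# WriteDacl and WriteOwner let a principal grant itself the write later.
$ADR  = [System.DirectoryServices.ActiveDirectoryRights]
$mask = $ADR::WriteProperty -bor $ADR::WriteDacl -bor $ADR::WriteOwner
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
    -Properties nTSecurityDescriptor |
ForEach-Object {
    $dmsa = $_
    $dmsa.nTSecurityDescriptor.GetAccessRules($true, $true,
        [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $mask) -and
        ($targets -contains $_.ObjectType) -and
        -not ($_.PropagationFlags -band $inheritOnly)   # skip ACEs that only apply to children
    } |
    ForEach-Object {
        [pscustomobject]@{
            dMSA      = $dmsa.DistinguishedName
            Principal = $_.IdentityReference.Value
            Rights    = $_.ActiveDirectoryRights
            Inherited = $_.IsInherited
        }
    }
} | Sort-Object dMSA, Principal | Format-Table -AutoSize
```

Built-in administrative groups will appear in the output; the entries to review are any others. The object owner, who can rewrite the DACL implicitly, is not listed by this check.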

Microsoft credited Akamai researcher Yuval Gordon with disclosing this bug.

Microsoft critical flaws

Moving on to the critical flaws: CVE-2025-50165 and CVE-2025-53766 both can lead to remote code execution (RCE) and scored 9.8/10.

CVE-2025-53766 is due to a heap-based buffer overflow in Windows Graphics Device Interface (GDI+), which could allow an unauthorized attacker to execute code over a network. Thank Check Point Research’s Gábor Selján for finding and reporting this one to Microsoft.

While it’s deemed “exploitation less likely,” an attacker doesn’t require any privileges on the systems hosting the flawed web services. As Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI) noted: “it allows for code execution just by browsing to a malicious webpage.”

“A worst-case scenario would be an attacker uploading something through an ad network that is served up to users,” he added.

While that’s the worst-case scenario, an attacker could also exploit this bug by embedding a specially crafted metafile into a document and tricking the victim into downloading and opening the document.

Either way, this one clearly deserves attention.

CVE-2025-50165 is an RCE flaw in the Windows Graphics Component and it can also be exploited without any user intervention – simply by viewing a specially crafted JPEG image that’s embedded in Office and third-party files. While Redmond also states “exploitation less likely” for this CVE, disclosure of the flaw means that advice could be wishful thinking. Zscaler’s Arjun G U gets credit for finding this bug.

Remember SharePoint?

And speaking of SharePoint, it has an RCE bug tracked as CVE-2025-49712. It’s critical, with an 8.8 severity score, and allows any authenticated user to trigger the vulnerability. It’s also remotely exploitable.

“While this bug is not listed as under active attack, it is the same type of bug used in the second stage of existing exploits,” Trend Micro’s Childs wrote. “The first stage is an authentication bypass, as this vulnerability does require authentication. However, several auth bypasses are publicly known (and patched).”

Childs suggests ensuring all your SharePoint patches are up to date, and considering whether you need the app to be accessible from the public internet. Hint: You don’t!

Here’s a quick look at the other critical flaws fixed this month:

CVE-2025-50177 – A Microsoft Message Queuing RCE

CVE-2025-53731 and CVE-2025-53740 – A pair of Office RCEs

CVE-2025-53733 and CVE-2025-53784 – Windows RCEs

CVE-2025-53781 – A Hyper-V information disclosure vulnerability

CVE-2025-49707 – A Hyper-V spoofing flaw

CVE-2025-48807 – A Hyper-V RCE

CVE-2025-53778 – A Windows New Technology LAN Manager (NTLM) elevation of privilege vulnerability

CVE-2025-53793 – An Azure Stack Hub information disclosure bug

Adobe fixes 68 CVEs

In other patching news, Adobe published fixes for 68 CVEs this month.

The patches for InCopy seem a good place to start as they address eight bugs, all deemed critical and all allowing RCE. There are also six critical and important bug fixes in the Commerce patch collection. Adobe considers 12 of the 14 patches for InDesign to be critical.

Meanwhile, updates to Substance 3D Modeler fix 13 critical and important CVEs and the Substance 3D Painter update addresses nine critical and important flaws. The Substance 3D Stager update fixes two bugs, one of which is critical, and the Substance 3D Sampler fix addresses one important-rated flaw. Finally, there are two critical CVEs in the Substance 3D Viewer update.

Adobe also patched two bugs in Animate, one of which is critical, and four in Illustrator, two of which are critical RCEs.

The Photoshop update fixes one critical flaw, and the updates for FrameMaker contain fixes for five critical and important bugs.

And a single, important-rated flaw gets a fix in this month’s Dimension update.

Patching SIG

No, The Register has not formed a patching Special Interest Group. Instead, we’re now going to cover patches from SAP, Intel, and Google.

SAP, the ERP giant, released 15 new security notes today plus four updates to previously released notes.

Three of these are critical, 9.9-rated flaws, so start with those. CVE-2025-42957 is a new code injection vulnerability in SAP S/4HANA that affects both private cloud and on-premises versions. CVE-2025-42950 is another new code injection vulnerability in SAP’s Landscape Transformation analysis platform. The third critical issue is an update to a security note released in April related to CVE-2025-27429. It addresses a code injection vulnerability in SAP S/4HANA.

Intel joined the patch party this month with 34 advisories addressing 66 vulnerabilities across its firmware, hardware, and software products. Among the most serious: the chipmaker addressed high-severity vulnerabilities for some Xeon 6 processors that may allow escalation of privilege, and high-severity bugs in some Intel Ethernet Drivers for Linux that may allow escalation of privilege, information disclosure, or denial of service.

Google delivered no patches in July but this month pushed security updates for Android that, among other flaws, fix two actively exploited Qualcomm vulnerabilities: CVE-2025-27038 and CVE-2025-21479. Qualcomm disclosed the bugs in June, warning that they “may be under limited, targeted exploitation.” ®

