
Eight critical RCE flaws make Microsoft’s latest Patch Tuesday list
Microsoft rolls out fixes for over 100 CVEs in its August Patch Tuesday update
No fewer than eight critical flaws that could allow a threat actor to achieve remote code execution (RCE) on a targeted system are listed in Microsoft’s August Patch Tuesday update, which once again tops out at over 100 common vulnerabilities and exposures (CVEs).
Alongside the critical RCE bugs, which occur in a variety of Microsoft products and services including DirectX Graphics Kernel, GDI+, Hyper-V, Message Queuing, Office and Word, are a solitary elevation of privilege (EoP) flaw in Windows NTLM, two information disclosure vulnerabilities in Hyper-V and Azure Stack Hub, and a spoofing vulnerability in Hyper-V.
The latest monthly drop contains no zero-days known to be exploited in the wild. The closest is an EoP vulnerability in Windows Kerberos, CVE-2025-53779: exploit code has been made public, but there is no evidence that any threat actor has yet taken advantage of it, so it does not fully meet the definition.
This stems from a path traversal flaw in which Kerberos improperly validates path inputs when handling the relatively new delegated Managed Service Account (dMSA) feature in Windows Server 2025. This in turn enables an attacker to create improper delegation relationships, impersonate privileged accounts, escalate to domain admin privileges, and potentially gain control of the Active Directory domain.
However, to do so an attacker would already need elevated access to certain attributes of the dMSA, which is why Microsoft rates exploitation as less likely.
This said, Mike Walters, president and co-founder of Action1, said the danger from CVE-2025-53779 grows when combined with other techniques and as such, large organisations with complex Active Directory environments, those that lean into dMSAs for service account management, and high-risk targets like banks, government agencies or hospitals, should take heed.
“The combination of a path traversal issue in a core authentication component like Kerberos and its potential high impact is concerning,” said Walters.
“The need for high privileges may create a false sense of security, as accounts with these rights are common in decentralised IT environments. Once compromised, they can quickly lead to full domain takeover.
“The presence of functional exploit code means attackers may pursue this flaw despite Microsoft’s assessment. Vulnerabilities in core authentication mechanisms are attractive additions to advanced attack chains, especially in targeting high-value environments,” he warned.
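As an added check, not code from the article or from Microsoft, the following PowerShell script audits an Active Directory domain for the delegation relationship described above: it lists every dMSA, reports which account it claims to succeed (the msDS-ManagedAccountPrecededByLink attribute) and flags any whose predecessor is a member of a privileged group, together with non-admin principals holding write rights over the dMSA object, since that write access is the precondition Microsoft describes. The class and attribute names are those of the Windows Server 2025 dMSA schema, which the article itself does not list; the set of groups treated as privileged is an assumption to adjust to your own tiering model. It needs the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added audit example (not from the article or Microsoft): enumerate dMSAs and flag
# suspicious predecessor links and loosely delegated write access.
Import-Module ActiveDirectory

# Assumption: these groups define "privileged" here; extend to match your environment.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
$privilegedSids = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $_.SID.Value }
}

# msDS-DelegatedManagedServiceAccount is the object class for dMSAs (Windows Server 2025 schema).
$dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
    -Properties msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState, whenCreated, whenChanged

foreach ($d in $dmsas) {
    $link = $d.'msDS-ManagedAccountPrecededByLink'
    $predecessorDn = $null
    $flag = 'no predecessor link'

    if ($link) {
        # The link is a DN; resolve it and compare the predecessor's SID to the privileged set.
        $pred = Get-ADObject -Identity $link -Properties objectSid -ErrorAction SilentlyContinue
        if ($pred) {
            $predecessorDn = $pred.DistinguishedName
            $flag = if ($privilegedSids -contains $pred.objectSid.Value) { 'PRIVILEGED PREDECESSOR' } else { 'ok' }
        } else {
            $flag = 'dangling predecessor link'
        }
    }

    # Non-admin identities with write-class rights on the dMSA object itself can set the
    # attributes above; the identity filter is an assumption and should mirror your admin groups.
    $acl = Get-Acl -Path "AD:\$($d.DistinguishedName)"
    $writers = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner') -and
            ($_.IdentityReference.Value -notmatch 'Domain Admins|Enterprise Admins|Administrators|SYSTEM')
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        dMSA           = $d.DistinguishedName
        Predecessor    = $predecessorDn
        MigrationState = $d.'msDS-DelegatedMSAState'   # 2 indicates a completed migration
        Created        = $d.whenCreated
        Changed        = $d.whenChanged
        Flag           = $flag
        NonAdminWriters = ($writers -join '; ')
    }
}
```

Run it from a management host as a domain user; pipe the output to Format-Table or Export-Csv. Any row flagged PRIVILEGED PREDECESSOR, any dMSA with a non-empty NonAdminWriters column, or a dMSA created or changed outside a known migration window is worth investigating before or after applying the patch.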
SharePoint flaws should be addressed
Although less immediately dangerous in their scope, defenders may also wish to pay attention to a pair of vulnerabilities in SharePoint, CVE-2025-53760, which enables EoP, and CVE-2025-49712, which enables RCE.
These come hot on the heels of the so-called ToolShell vulnerabilities in SharePoint, which were serious enough to receive an out-of-band patch in July and were exploited in short order by China-linked threat actors against government targets.
Qualys Threat Unit senior manager for security research, Saeed Abbasi, said CVE-2025-49712 in particular warranted some concern.
“This RCE demands authentication but pairs dangerously with known auth bypasses,” explained Abbasi.
“Attackers chaining this with prior flaws could achieve full server compromise and data exfiltration. It’s not yet exploited in the wild, but history shows these evolve fast. Exposed SharePoint instances are prime footholds for lateral movement.
“Prioritise and patch all SharePoint updates, rotate keys, and eliminate internet exposure. Delaying invites regulatory scrutiny and breaches since SharePoint’s exploit streak isn’t over,” added Abbasi.
Read more about Patch Tuesday
- July 2025: Microsoft patched well over 100 new common vulnerabilities and exposures on the second Tuesday of the month, but its latest update is mercifully light on zero-days.
- June 2025: Barely 70 vulnerabilities make the cut for Microsoft’s monthly security update, but an RCE flaw in WebDAV and an EoP issue in Windows SMB Client still warrant close attention.
- May 2025: Microsoft fixes five exploited, and two publicly disclosed, zero-days in the fifth Patch Tuesday update of 2025.
- April 2025: Microsoft is correcting 124 vulnerabilities in its April Patch Tuesday, one of which is being actively exploited in the wild, and 11 of which are ‘critical’.
- March 2025: The third Patch Tuesday of 2025 brought fixes for 57 flaws and a hefty number of zero-days.
- February 2025: Microsoft corrected 57 vulnerabilities, two of which are being actively exploited in the wild, and three of which are ‘critical’.
- January 2025: The largest Patch Tuesday of the 2020s so far brings fixes for more than 150 CVEs ranging widely in their scope and severity – including eight zero-day flaws.
- December 2024: Microsoft has fixed over 70 CVEs in its final Patch Tuesday update of the year, and defenders should prioritise a zero-day in the Common Log File System Driver, and another impactful flaw in the Lightweight Directory Access Protocol.
- November 2024: High-profile vulns in NTLM, Windows Task Scheduler, Active Directory Certificate Services and Microsoft Exchange Server should be prioritised from November’s Patch Tuesday update.
- October 2024: Stand-out vulnerabilities in Microsoft’s latest Patch Tuesday drop include problems in Microsoft Management Console and the Windows MSHTML Platform.
- September 2024: Four critical remote code execution bugs in Windows and three critical elevation of privilege vulnerabilities will keep admins busy.
- August 2024: Microsoft patches six actively exploited zero-days among over 100 issues during its regular monthly update.