Getty Images

News

August Patch Tuesday addresses 107 vulnerabilities

Admins have no zero-days this month but organizations that still rely on Exchange Server or SharePoint Server will have several serious flaws to resolve.

Tom Walat
By
Published: 12 Aug 2025

Admins have no zero-days to handle this month, but attackers could exploit a public disclosure to take over an organization's domain.

Microsoft issued security updates for 107 CVEs with 13 rated critical that span the company's product portfolio, but admins will want to focus on deploying patches for high-impact systems, such as domain controllers, Exchange Server and SharePoint Server.

The one public disclosure was a Windows Kerberos elevation-of-privilege vulnerability (CVE-2025-53779) rated moderate that affects Windows Server 2025, including Server Core installations.

Organizations that use Microsoft's latest server OS and its delegated Managed Service Account (dMSA) feature are vulnerable to a flaw in Kerberos, the Windows network authentication protocol, that allows an attacker to exploit the authentication process to elevate their privileges to the domain administrator level, which could lead to full domain and forest compromise.

Five corrections delivered for Exchange Server

After relatively little security news related to the Exchange Server this year, Microsoft dropped five fixes for the on-premises enterprise messaging and collaboration platform on August Patch Tuesday.

The most dangerous of this group is CVE-2025-53786, an elevation-of-privilege vulnerability rated important, which has the highest CVSS score of 8.0 with an "exploitation more likely" assessment. This vulnerability affects all supported Exchange Server versions, including the recently released Exchange Server Subscription Edition (SE). An attacker with administrative access to the on-premises Exchange Server environment could escalate privileges in the cloud environment.

On Aug. 7, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive related to CVE-2025-53786.

"This vulnerability poses grave risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet followed the April 2025 patch guidance and immediate mitigation is critical. Although exploitation of this vulnerability is only possible after an attacker establishes administrative access on the on-premises Exchange server, CISA is deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim's [Microsoft 365] Exchange Online environment," the CISA wrote.

The CISA refers to an April Microsoft blog that detailed the steps Microsoft plans to tighten security for hybrid Exchange customers, starting with using a script to move from a shared service principal to a dedicated Exchange hybrid app before an October deadline.

This month, Microsoft began blocking Exchange Web Services (EWS) traffic for Exchange hybrid organizations still using the shared service principal. EWS is the API that provides access to calendars, messages and other items in an Exchange mailbox.

Microsoft will lift the block for customers who deploy the dedicated Exchange hybrid app, which the company says is more secure and reliable.

The other Exchange Server vulnerabilities for August Patch Tuesday are:

  • CVE-2025-33051, information disclosure, CVSS 7.5
  • CVE-2025-25005, tampering, CVSS 6.5
  • CVE-2025-25006, spoofing, CVSS 5.3
  • CVE-2025-25007, spoofing, CVSS 5.3

SharePoint picks up interest from attackers

Microsoft corrected issues with 17 products in its Microsoft Office suite with one of the more notable fixes coming for the SharePoint Server product.

A SharePoint remote-code execution vulnerability (CVE-2025-49712) is rated important with a CVSS score of 8.8. Organizations should prioritize this patch, particularly if they use internet-exposed SharePoint instances, due to the low technical barrier to exploit once an attacker gains authenticated access.

"In a network-based attack, an attacker authenticated as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server," Microsoft wrote in its CVE notes.

This is one of two SharePoint CVEs. The other is an elevation-of-privilege vulnerability (CVE-2025-53760) rated important with a CVSS rating of 7.1.

"The SharePoint CVEs are definitely getting a lot of attention from the wrong players. Multiple nations states are targeting these and will capitalize on any laggards who do not get these updates in place quickly," said Chris Goettl, vice president of product management for security products at Ivanti.

A recent Microsoft blog highlighted the recent threats to the popular document management and collaboration platform. The company offered recommendations for admins to protect their on-premises SharePoint environments to prevent attacks, including use of Microsoft Defender Antivirus, configuring automatic attack disruption in Microsoft Defender XDR and enabling Local Security Authority protection and Credential Guard.

Goettl said admins should have already addressed the original chain exploit of CVE-2025-49706 and CVE-2025-49704 called ToolShell as well as newer vulnerabilities -- CVE-2025-53770 and CVE-2025-53771 -- that could bypass each of those original CVEs.

Additional security updates of note for August Patch Tuesday

  • For admins of Windows Server and desktops, a Graphics Device Interface Plus (GDI+) remote-code execution vulnerability (CVE-2025-53766) rated critical with a 9.8 CVSS rating should make patching those systems a priority. This type of vulnerability is attractive for exploit chains. The attacker can trigger the flaw by convincing a user to download and open a specially crafted document.
  • Customers who use Hyper-V should prioritize patching hosts to eliminate five vulnerabilities this month, including an elevation-of-privilege vulnerability (CVE-2025-50167) rated important with a CVSS score of 7.0 and an assessment of "exploitation more likely." This vulnerability affects Windows Server and desktop systems. An attacker with low privileges can gain system-level access without needing user interaction. The other vulnerabilities on the virtualization platform are CVE-2025-48807, CVE-2025-49751, CVE-2025-53155 and CVE-2025-53723.
  • A Remote Desktop spoofing vulnerability (CVE-2025-50171) rated important with a 9.1 CVSS score. The flaw could let unauthorized threat actors perform spoofing attacks over the network. Any internet-facing gateways or jump servers could be at risk and should be patched quickly.

Other items that require administrative attention

Beyond the August Patch Tuesday security updates, admins should be mindful of the following upcoming changes:

  • Extended support arrives for older Exchange Server products. Starting this month, Microsoft offers a six-month Extended Security Updates (ESU) purchase option for organizations that use Exchange Server 2016 or 2019. This ESU gives customers facing the end-of-life deadline on Oct. 14 some breathing room to migrate to Exchange Server SE if they choose to keep an on-premises email platform.
  • AzureAD PowerShell module retirement on the horizon. Microsoft will prevent the AzureAD PowerShell module from functioning in mid-October and plans outage tests in September to forewarn customers of the impending shutdown. Microsoft wants admins to use its Microsoft Graph API or its Microsoft Entra PowerShell module to handle identity and access management work in the Microsoft Entra platform. The company expects enterprises to migrate scripts and other automation methods before the October deadline to avoid operational issues.

Tom Walat is the site editor for Informa TechTarget's Search Windows Server site.

Dig Deeper on IT operations and infrastructure management