Eight critical RCE flaws make Microsoft’s latest Patch Tuesday list | Computer Weekly

News Room
Last updated: 2025/08/12 at 9:11 PM
News Room Published 12 August 2025

No fewer than eight critical flaws that could allow a threat actor to achieve remote code execution (RCE) on a targeted system are listed in Microsoft’s August Patch Tuesday update, which once again tops out at over 100 common vulnerabilities and exposures (CVEs).

Alongside the critical RCE bugs, which occur in a variety of Microsoft products and services including DirectX Graphics Kernel, GDI+, Hyper-V, Message Queuing, Office and Word, are a solitary elevation of privilege (EoP) flaw in Windows NTLM, two information disclosure vulnerabilities in Hyper-V and Azure Stack Hub, and a spoofing vulnerability in Hyper-V.

The latest monthly drop contains no full zero-day exploits, bar one EoP vulnerability in Windows Kerberos, CVE-2025-53779, which by itself does not quite meet all the criteria: while exploit code has been made public, there is no evidence that any threat actor has yet taken advantage of it.

This stems from a path traversal flaw in which Kerberos improperly validates path inputs when handling the relatively new delegated Managed Service Account (dMSA) feature in Windows Server 2025. This in turn enables an attacker to create improper delegation relationships, impersonate privileged accounts, escalate to domain admin privileges, and potentially gain control of the Active Directory domain.

However, in order to do so, an attacker would need to already have elevated access to certain attributes of the dMSA, so exploitation is supposedly less likely, according to Microsoft.

This said, Mike Walters, president and co-founder of Action1, said the danger from CVE-2025-53779 grows when combined with other techniques and as such, large organisations with complex Active Directory environments, those that lean into dMSAs for service account management, and high-risk targets like banks, government agencies or hospitals, should take heed.

“The combination of a path traversal issue in a core authentication component like Kerberos and its potential high impact is concerning,” said Walters.

“The need for high privileges may create a false sense of security, as accounts with these rights are common in decentralised IT environments. Once compromised, they can quickly lead to full domain takeover. 

“The presence of functional exploit code means attackers may pursue this flaw despite Microsoft’s assessment. Vulnerabilities in core authentication mechanisms are attractive additions to advanced attack chains, especially in targeting high-value environments,” he warned.

SharePoint flaws should be addressed

Although less immediately dangerous in their scope, defenders may also wish to pay attention to a pair of vulnerabilities in SharePoint, CVE-2025-53760, which enables EoP, and CVE-2025-49712, which enables RCE.

These come hot on the heels of the so-called ToolShell vulnerabilities in SharePoint, which were so serious they received an out-of-synch patch in July and were exploited in short order by China-linked threat actors against government targets.

Qualys Threat Unit senior manager for security research, Saeed Abbasi, said CVE-2025-49712 in particular warranted some concern.

“This RCE demands authentication but pairs dangerously with known auth bypasses,” explained Abbasi.

“Attackers chaining this with prior flaws could achieve full server compromise, and data exfiltration. It’s not yet exploited in the wild, but history shows these evolve fast. Exposed SharePoint instances are prime footholds for lateral movement.

“Prioritise and patch all SharePoint updates, rotate keys, and eliminate internet exposure. Delaying invites regulatory scrutiny and breaches since SharePoint’s exploit streak isn’t over,” added Abbasi.
