Microsoft’s August Patch Tuesday: Kerberos Drama and 110 Close Friends

Microsoft’s August 2025 Patch Tuesday fixes 111 vulnerabilities across Windows and wider Microsoft products. One flaw, CVE-2025-53779 in Windows Kerberos, was publicly disclosed and could help an attacker with certain delegated-account permissions pivot to full Active Directory compromise. In total there are 16 Critical, 92 Important, 2 Moderate and 1 Low issues, spanning privilege escalation, remote code execution, information disclosure, spoofing and DoS. Microsoft also notes 16 Chromium-Edge fixes released since last month. Notable items include a CVSS 10.0 Azure OpenAI elevation-of-privilege bug and high-severity graphics and MSMQ issues. Admins should prioritise the Kerberos and Azure/identity-related fixes, and should monitor for NTLM hash exposure bypasses. Patch promptly and review delegation settings for managed service accounts.

It’s that time again—Patch Tuesday—when we brew a strong tea and watch Windows shed vulnerabilities like a labrador in summer. This month, Microsoft ships fixes for 111 bugs, including a publicly disclosed Kerberos zero-day (CVE-2025-53779) that crafty attackers could chain to grab domain admin if your delegation settings are a bit too friendly.

What’s in the pile?
• Severity mix: 16 Critical, 92 Important, plus a few Moderate/Low for good measure. Categories range from privilege escalation (44) and RCE (35) to info disclosure (18), spoofing (8) and DoS (4). Translation: there’s something here for everyone—please patch.
• Edge extras: Another 16 Chromium-Edge fixes landed since last month.

Headliners you should actually care about
• Kerberos zero-day (CVE-2025-53779): a relative path traversal issue that can be the final hop to owning AD, especially where delegated Managed Service Accounts are in play. It needs specific attribute control to exploit, but once chained, it’s bad news. Check your dMSA permissions.
• Cloud & identity hot-spots: Azure OpenAI EoP (CVSS 10.0) and Azure Portal EoP (CVSS 9.1)—because the cloud deserves love too.
• Graphics & MSMQ RCEs: High-scoring bugs in GDI+/Windows Graphics and MSMQ that could bite via malicious files or crafted traffic.
• NTLM hash exposure bypass: A new spoofing flaw (CVE-2025-50154) sidesteps a March mitigation to tease out NTLM hashes—cue relay and offline-cracking worries.

What to do before the kettle boils
1. Prioritise: Kerberos/identity, Azure, graphics/MSMQ.
2. Review delegation on managed service accounts; lock down who can set msDS-GroupMSAMembership and related attributes.
3. Harden NTLM: enforce SMB signing/LDAP signing; monitor for suspicious NTLM auth.
4. Patch Edge alongside Windows so your browser doesn’t lag behind.
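One way to act on steps 2 and 3 above, as an added PowerShell example that is not part of the original article: it lists every principal, other than an assumed baseline, that can write msDS-GroupMSAMembership on dMSA/gMSA objects, then reports the local SMB signing setting and (on a domain controller) the LDAP signing registry value. It assumes a domain-joined host with the RSAT ActiveDirectory module; the baseline list of expected principals is an assumption you should adjust for your domain.

```powershell
# Added example, not from the original article: audit write access to
# msDS-GroupMSAMembership on managed service accounts and report signing posture.
Import-Module ActiveDirectory

# Assumed baseline of principals that are allowed to hold write rights; extend for your domain.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$rootDse  = Get-ADRootDSE

# Resolve the schema GUID of the attribute so object-specific ACEs can be matched.
$attrGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msDS-GroupMSAMembership)' -Properties schemaIDGUID).schemaIDGUID

# Any of these rights lets a principal change the attribute (directly or via the ACL/owner).
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll, WriteDacl, WriteOwner'

# Cover both delegated (dMSA) and group (gMSA) managed service accounts.
$filter = '(|(objectClass=msDS-DelegatedManagedServiceAccount)(objectClass=msDS-GroupManagedServiceAccount))'
$findings = foreach ($msa in Get-ADObject -LDAPFilter $filter) {
    $acl = Get-Acl -Path ("AD:\" + $msa.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
        # An all-zero ObjectType means "every property"; otherwise it must name our attribute.
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $attrGuid) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Account   = $msa.Name
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}
"Principals outside the baseline that can write msDS-GroupMSAMembership:"
$findings | Format-Table -AutoSize

# NTLM hardening posture on this host: SMB signing, plus LDAP signing if it is a DC.
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $ldap = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    "LDAPServerIntegrity = $ldap (2 = LDAP signing required)"
}
```

Inherited ACEs in the output usually point at an OU-level delegation rather than the account itself, so trace those back to the container before tightening them.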
Bottom line: Patch now, prod change control if you must, and schedule a quick permission tidy-up in AD. Your future self will thank you.