Home > Security > Security News

Microsoft August Patch Tuesday Fixes Critical Exchange, SharePoint, and Kerberos Flaws

Published
Written by:
Vishwa Pandagle
Vishwa Pandagle
Cybersecurity Staff Editor
microsoft windows

Microsoft’s Security Update Guide confirms the August 2025 Patch Tuesday release addresses 107 vulnerabilities across Windows, Exchange Server, SharePoint, and developer tools. Thirteen are rated critical, including remote code execution and elevation-of-privilege flaws. 

The update highlights CVE-2025-53786 in Exchange Server, which could allow lateral movement from compromised on-premises environments into Microsoft cloud platforms such as Exchange Online and Office 365. 

Microsoft urges administrators to prioritize identity-related and collaboration component patches, monitor for unusual authentication or privilege changes, and deploy updates promptly to limit attacker persistence.

Identity and Privilege Risks

Filipi Pires, Head of Identity Threat Labs at Segura, said the high number of elevation-of-privilege and RCE flaws could enable credential compromise and lateral movement. 

He recommended urgent Kerberos patching, multi-factor authentication enforcement, privileged access management, regular credential rotation, and monitoring for abnormal authentication activity.

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, said Patch Tuesday’s timing after Black Hat underscores the need for prompt action. He called out the Kerberos vulnerability from Yuval Gordon and noted it will be detailed at SecTor in September, highlighting the importance of rigorous testing in security feature design.

Saeed Abbasi, Senior Manager at Qualys Threat Research Unit, discussed CVE-2025-49712, a SharePoint remote code execution flaw that requires authentication but could be combined with known bypass methods. He said such chaining could result in full server compromise and data exfiltration, urging organizations to patch, rotate keys, and restrict internet exposure.

Satnam Narang, Senior Staff Research Engineer at Tenable, noted that for the second month in a row, elevation-of-privilege flaws outnumber code execution bugs, accounting for 39.3% of patches. 

He also referenced CVE-2025-53779, the BadSuccessor privilege escalation bug, which poses limited immediate risk due to specific prerequisites, such as a domain controller running Windows Server 2025.

Add a Comment
Related
NYT Report Links Federal Court Breach to Russia, Cites Unnamed Sources
Hacker in Interview
Six Months On: Manpower Confirms Data Breach After RansomHub’s December–January Access
ClickFix
ClickFix PowerShell Attack Chain Leverages Email Invite Lures, Spoofed MS Teams Login Pages
Hacker - Police - Laptop
BreachForums Takeover Allegedly Orchestrated by Law Enforcement, ShinyHunters Say
BlackSuit Ransomware Takedown Disables 9 Domains and 4 Servers, Seizes $1M
Apartment - Laptop - Hacker
Kimsuky APT Hackers Exposed in Alleged Breach Revealing Phishing Tools and Operational Data
Most Popular
NYT Report Links Federal Court Breach to Russia, Cites Unnamed Sources
Hacker in Interview
Six Months On: Manpower Confirms Data Breach After RansomHub’s December–January Access
Proton VPN Brings Split Tunneling Beta to Linux Users
Proton VPN Brings Split Tunneling Beta to Linux Users
ExpressVPN Named LinkedIn Premium Perk of the Month for August 2025
ExpressVPN Named LinkedIn Premium Perk of the Month for August 2025
Wikipedia Loses UK Online Safety Act Legal Challenge, but Age Checks May Not Apply Yet
Wikipedia Loses UK Online Safety Act Legal Challenge, but Age Checks May Not Apply Yet
ClickFix
ClickFix PowerShell Attack Chain Leverages Email Invite Lures, Spoofed MS Teams Login Pages
NYT Report Links Federal Court Breach to Russia, Cites Unnamed Sources
Six Months On: Manpower Confirms Data Breach After RansomHub’s December–January Access
Proton VPN Brings Split Tunneling Beta to Linux Users
ExpressVPN Named LinkedIn Premium Perk of the Month for August 2025
Wikipedia Loses UK Online Safety Act Legal Challenge, but Age Checks May Not Apply Yet
ClickFix PowerShell Attack Chain Leverages Email Invite Lures, Spoofed MS Teams Login Pages

Most Popular
NYT Report Links Federal Court Breach to Russia, Cites Unnamed Sources
Hacker in Interview
Six Months On: Manpower Confirms Data Breach After RansomHub’s December–January Access
Proton VPN Brings Split Tunneling Beta to Linux Users
Proton VPN Brings Split Tunneling Beta to Linux Users
ExpressVPN Named LinkedIn Premium Perk of the Month for August 2025
ExpressVPN Named LinkedIn Premium Perk of the Month for August 2025
Wikipedia Loses UK Online Safety Act Legal Challenge, but Age Checks May Not Apply Yet
Wikipedia Loses UK Online Safety Act Legal Challenge, but Age Checks May Not Apply Yet
ClickFix
ClickFix PowerShell Attack Chain Leverages Email Invite Lures, Spoofed MS Teams Login Pages
NYT Report Links Federal Court Breach to Russia, Cites Unnamed Sources
Six Months On: Manpower Confirms Data Breach After RansomHub’s December–January Access
Proton VPN Brings Split Tunneling Beta to Linux Users
ExpressVPN Named LinkedIn Premium Perk of the Month for August 2025
Wikipedia Loses UK Online Safety Act Legal Challenge, but Age Checks May Not Apply Yet
ClickFix PowerShell Attack Chain Leverages Email Invite Lures, Spoofed MS Teams Login Pages

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: