Microsoft’s August 2025 Patch Tuesday fixes 111 flaws, including Kerberos ‘BadSuccessor’ zero day

Overview

On 13 August 2025, Microsoft released its August 2025 Patch Tuesday update, fixing 111 security vulnerabilities across Windows, Office, Azure and other products. According to The Hacker News, the tally includes 16 critical, 92 important, two moderate and one low‑severity bug. In addition, Microsoft patched 16 vulnerabilities in its Chromium‑based Edge browser since July’s Patch Tuesday.

Key vulnerabilities

  • CVE‑2025‑53779 – Kerberos privilege escalation (‘BadSuccessor’): This zero‑day vulnerability stems from a relative path traversal issue in Windows Kerberos. It allows attackers with prior access to a domain controller to abuse delegated Managed Service Account (dMSA) attributes and pivot to a domain administrator account. Although exploitation requires the attacker to control certain dMSA attributes, researchers warn it could be the final step in a multi‑stage attack chain.
  • CVE‑2025‑53786 – Exchange Server hybrid deployment privilege escalation: Affects Microsoft Exchange hybrid setups and has a CVSS 8.0 score.
  • CVE‑2025‑53767 (Azure OpenAI), CVE‑2025‑53766 (GDI+), CVE‑2025‑50165 (Windows graphics component), CVE‑2025‑53792 (Azure Portal), CVE‑2025‑53787 (Microsoft 365 Copilot BizChat), CVE‑2025‑50177 (MSMQ) and CVE‑2025‑50176 (DirectX graphics): These critical vulnerabilities, with CVSS scores from 7.8 to 10.0, could enable elevation of privilege or remote code execution.
  • CVE‑2025‑50154 – NTLM hash disclosure spoofing: This flaw allows NTLM hashes to be extracted without user interaction, even on fully patched systems.

BadSuccessor explained

Researchers at Akamai and Rapid7 nicknamed CVE‑2025‑53779 BadSuccessor. The flaw allows an attacker who already has privileged access to abuse delegated Managed Service Account (dMSA) objects to impersonate higher‑privileged accounts and potentially take over an entire Active Directory domain. The attack could be chained with other techniques such as Kerberoasting or Silver Ticket attacks to maintain persistence. Rapid7 notes that only about 0.7% of domains met the prerequisites for exploitation at disclosure, but organizations should still patch quickly.

Recommendations

  1. Apply the August 2025 updates: Administrators should prioritize patching domain controllers, Exchange servers and endpoints. For Azure and cloud services, note that some vulnerabilities have already been remediated on Microsoft’s side.
  2. Audit privileged accounts: Review dMSA permissions and group memberships to ensure attackers cannot abuse BadSuccessor.
  3. Monitor for unusual authentication behavior: Watch for signs of lateral movement, privilege escalation and NTLM hash leaks.
  4. Educate users: Remind employees not to open or process unknown files, as some vulnerabilities require user interaction.
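
For recommendation 2, a read-only inventory of dMSA objects with their owners, linked predecessor accounts and write-capable principals. This is an added example, not code from the original article or from Microsoft; it assumes the RSAT ActiveDirectory module, a Windows Server 2025 schema, English built-in group names, and that the two groups listed are what counts as privileged in your domain.

```powershell
# Added example: read-only inventory of dMSA objects. Needs the RSAT ActiveDirectory
# module and a forest schema that defines dMSAs (Windows Server 2025).
Import-Module ActiveDirectory

# Assumption: these built-in groups define "privileged" here; extend for your domain.
$privilegedGroups = 'Domain Admins', 'Administrators'
$privilegedDNs = @(
    foreach ($group in $privilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Select-Object -ExpandProperty distinguishedName
    }
) | Sort-Object -Unique

# Rights that let a principal change attributes on, or take control of, the object.
$writeRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner'

$props = 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState',
         'whenCreated', 'nTSecurityDescriptor'
$dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' -Properties $props

$report = foreach ($dmsa in $dmsas) {
    $sd = $dmsa.nTSecurityDescriptor
    # Account(s) this dMSA is linked to as successor; empty when no link is set.
    $predecessors = @($dmsa.'msDS-ManagedAccountPrecededByLink' | Where-Object { $_ })
    # Principals holding an Allow ACE with write-level rights on the dMSA itself.
    $writers = $sd.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and "$($_.ActiveDirectoryRights)" -match $writeRights } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Name                  = $dmsa.Name
        Created               = $dmsa.whenCreated
        Owner                 = $sd.Owner
        State                 = $dmsa.'msDS-DelegatedMSAState'
        Predecessor           = $predecessors -join '; '
        PredecessorPrivileged = [bool]($predecessors | Where-Object { $privilegedDNs -contains $_ })
        Writers               = $writers -join '; '
    }
}

# Review first: dMSAs linked to a privileged predecessor, then unexpected owners or writers.
$report | Sort-Object PredecessorPrivileged -Descending | Format-List
```

An empty result on a domain that has not deployed dMSAs is expected; any row with `PredecessorPrivileged` set to `True` or an owner outside the directory administration team warrants follow-up.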

Conclusion

The August 2025 Patch Tuesday demonstrates the ongoing breadth of Microsoft’s vulnerability landscape, from Windows kernel flaws to cloud service elevation bugs. The Kerberos zero‑day dubbed BadSuccessor is the headline issue, but the cumulative total of 111 vulnerabilities highlights the need for regular patch management. Organizations should stay current with updates, harden Active Directory configurations and closely monitor privileged account activity.


