Today marks Microsoft’s August 2025 Patch Tuesday, a significant day for cybersecurity as it brings essential security updates addressing a total of 107 vulnerabilities. Among these updates is a critical fix for a publicly disclosed zero-day vulnerability in Windows Kerberos, emphasizing the importance of timely patching for system security.
This month’s Patch Tuesday resolves thirteen Critical vulnerabilities, which pose severe risks to users. Notably, nine of these vulnerabilities are categorized as remote code execution vulnerabilities, while others include three cases of information disclosure and one instance of elevation of privileges. Below is a breakdown of vulnerabilities by category:
44 Elevation of Privilege Vulnerabilities 35 Remote Code Execution Vulnerabilities 18 Information Disclosure Vulnerabilities 4 Denial of Service Vulnerabilities 9 Spoofing VulnerabilitiesIt is crucial to note that the figures reported pertain exclusively to the vulnerabilities addressed on Patch Tuesday. For a comprehensive understanding, previous fixes for platforms like Mariner, Azure, and Microsoft Edge released earlier this month are not included in this count.
This month, Microsoft has fixed one publicly disclosed zero-day vulnerability, specifically identified as CVE-2025-53779, which is an Elevation of Privilege Vulnerability in Windows Kerberos. This flaw enables an authenticated attacker to potentially gain domain administrator privileges.
The vulnerability arises from a relative path traversal issue in Windows Kerberos, permitting an authorized attacker to elevate their privileges over a network. According to Microsoft, exploitation of this flaw necessitates elevated access to specific dMSA attributes:
msds-groupMSAMembership: This attribute enables the user to utilize the dMSA. msds-ManagedAccountPrecededByLink: The attacker must have write access to this attribute to specify a user that the dMSA can act on behalf of.This serious vulnerability was discovered and reported by Yuval Gordon of Akamai, who published a technical analysis of the flaw in May.
In addition to Microsoft's updates, various other vendors have also released security advisories or patches throughout July 2025. Notable updates include:
7-Zip: Released a security update addressing a path traversal flaw that could lead to remote code execution. Adobe: Issued emergency updates for AEM Forms to mitigate zero-days after proof-of-concept exploits were made public. Cisco: Provided patches for vulnerabilities in WebEx and Identity Services Engine. Fortinet: Released security updates for multiple products, including FortiOS and FortiManager. Google: Addressed two actively exploited vulnerabilities in Qualcomm affecting Android devices. Microsoft Exchange: Warned about a flaw tracked as CVE-2025-53786, which could be leveraged to hijack cloud environments. Proton: Fixed a bug in its new Authenticator app for iOS that stored users' sensitive TOTP secrets in plaintext. SAP: Released July security updates addressing numerous vulnerabilities rated at 9.9. Trend Micro: Introduced a fix tool for an actively exploited remote code execution vulnerability in Apex One. WinRAR: Released a security update for a path traversal bug that could lead to remote code execution.The August 2025 Patch Tuesday underscores the critical nature of cybersecurity updates in protecting systems from vulnerabilities. Users are strongly advised to install these updates promptly to safeguard against potential exploits. For further insights and details on the non-security updates released today, additional articles are available focusing on the cumulative updates for Windows 11 and Windows 10.
