As part of the August Patch Tuesday, Microsoft fixed 107 vulnerabilities in its products. Among them was one zero-day vulnerability in Windows Kerberos.
This month, thirteen critical vulnerabilities were fixed, nine of which were remote code execution vulnerabilities, three were information disclosure vulnerabilities, and one was related to privilege escalation.
Recall that Microsoft classifies as zero-day any vulnerabilities whose details were publicly disclosed before patches were released, as well as issues that are being actively exploited in the wild.
The only zero-day vulnerability this month, CVE-2025-53779 (CVSS score 7.2), was not used in attacks; information about it surfaced before a fix was available. That’s because the zero-day bug was discovered by Akamai researchers, who published a report on the issue back in May 2025.
Microsoft reports that the vulnerability allowed an authenticated attacker to obtain domain administrator privileges.
“Relative path traversal in Windows Kerberos allows an authenticated attacker to elevate privileges on the network,” Microsoft explains.
It is noted that to exploit this vulnerability, an attacker would need elevated access to the following dMSA attributes:
- msds-groupMSAMembership (allows a user to use the dMSA);
- msds-ManagedAccountPrecededByLink (an attacker needs write access to this attribute, which would allow specifying the user on whose behalf the dMSA can act).
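Because both preconditions come down to who can write those two attributes, a defender's first check is an ACL audit of every dMSA object. The following PowerShell is an added example, not from the article or from Microsoft; it assumes the RSAT ActiveDirectory module (with its AD: drive) and an account that can read object ACLs, and it lists every principal allowed to write msDS-GroupMSAMembership or msDS-ManagedAccountPrecededByLink (or all properties) on any dMSA.

```powershell
# Added example: audit write access to the two dMSA attributes named in the article.
# Assumes the ActiveDirectory module; run from a domain-joined host with read rights.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$watched  = 'msDS-GroupMSAMembership', 'msDS-ManagedAccountPrecededByLink'

# Resolve each attribute's schemaIDGUID so attribute-scoped ACEs can be matched by ObjectType.
$guidToName = @{}
foreach ($name in $watched) {
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    $guidToName[[guid]::new([byte[]]$attr.schemaIDGUID)] = $name
}
$allProps = [guid]::Empty   # an ACE with an empty ObjectType covers every property

$writeRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite,
               [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Enumerate every delegated MSA in the domain and walk its (including inherited) ACEs.
$dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)'
foreach ($dmsa in $dmsas) {
    $acl = Get-Acl -Path "AD:\$($dmsa.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $canWrite = $false
        foreach ($r in $writeRights) { if ($ace.ActiveDirectoryRights.HasFlag($r)) { $canWrite = $true } }
        if (-not $canWrite) { continue }

        # Keep only ACEs that touch a watched attribute or apply to all properties.
        if ($guidToName.ContainsKey($ace.ObjectType)) { $attrName = $guidToName[$ace.ObjectType] }
        elseif ($ace.ObjectType -eq $allProps)         { $attrName = '(all properties)' }
        else { continue }

        [pscustomobject]@{
            dMSA      = $dmsa.Name
            Principal = $ace.IdentityReference
            Rights    = $ace.ActiveDirectoryRights
            Attribute = $attrName
            Inherited = $ace.IsInherited
        }
    }
}
```

Any principal in the output that is not an expected administrative group is a candidate for removal or investigation; inherited entries usually point at an over-permissive OU rather than the dMSA itself.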
Among other issues fixed this month, the following stand out:
- CVE-2025-53767 (CVSS score: 10) — an Azure OpenAI vulnerability resulting in privilege escalation;
- CVE-2025-53766 (CVSS score: 9.8) — a GDI+ vulnerability allowing remote code execution;
- CVE-2025-50165 (CVSS score: 9.8) — a Windows Graphics Component vulnerability that enables remote code execution;
- CVE-2025-53792 (CVSS score: 9.1) — an Azure Portal vulnerability resulting in privilege escalation;
- CVE-2025-53787 (CVSS score: 8.2) — an information disclosure vulnerability in Microsoft 365 Copilot BizChat.