The biggest concern for security teams in Microsoft’s August 2025 patch update, the second consecutive monthly release with no actively exploited bugs, is a cluster of elevation-of-privilege (EoP) vulnerabilities that let an attacker turn an initial foothold on a system into full compromise of it.
The August update contains fixes for 111 unique Common Vulnerabilities and Exposures (CVEs), 44 of which (nearly 40%) are EoP issues that an attacker who already has a foothold on a system can use, in many cases, to elevate to administrator-level privileges.
A Motley Collection of Flaws
Among them is a maximum-severity vulnerability in Azure OpenAI, CVE-2025-53767 (CVSS score: 10.0), which requires no customer action because Microsoft has already fully mitigated it on the cloud service side. Another is CVE-2025-53779 (CVSS score: 7.2), the publicly known Windows Kerberos EoP flaw dubbed BadSuccessor, which Akamai disclosed in May as a zero-day.
While EoP flaws dominated Microsoft’s latest patch update, they are not the only issues demanding priority attention. The August release also included fixes for 34 remote code execution (RCE) vulnerabilities, many of them critical, and 16 information disclosure flaws that could leak sensitive data. Significantly, the update includes patches for two vulnerabilities in Microsoft’s AI technologies: the previously mentioned CVE-2025-53767 and CVE-2025-53773 in GitHub Copilot and Visual Studio.
In all, Microsoft designated 13 of the 111 new CVEs as being of “Critical” severity and the vast majority of the remaining as “Important.”
Among the EoP bugs that security researchers described as needing priority attention are CVE-2025-53155 (CVSS score: 7.8) in Windows Hyper-V, and four in Microsoft SQL Server, each with a CVSS score of 8.8: CVE-2025-24999, CVE-2025-49759, CVE-2025-47954, and CVE-2025-53727.
Two of the SQL Server vulnerabilities enable SQL injection via unsanitized parameters, while the other two allow injection via specially crafted database names, noted Mat Lee, senior security engineer at Automox, in prepared comments. “The threat here is straightforward: unvalidated input can execute commands with high-level privileges, leading to data compromise or complete server takeover.” The best way to mitigate the threat from these vulnerabilities is to patch immediately. Organizations that cannot should consider Web application firewalls or query validation layers, and harden their SQL environment, for example by limiting admin access and segmenting the database servers, Lee advised.
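The two injection classes Lee describes, shown as an added illustration that is not part of the original article and is not Microsoft’s or Automox’s code: the vulnerable variants splice caller input into the statement text, the hardened variants bind values as parameters and allow-list plus quote identifiers such as database or table names, which no driver can bind. It runs against an in-memory SQLite database with constructed sample rows standing in for SQL Server; the table names, columns and payloads are all assumptions made for the demo.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory SQLite database standing in for a
# SQL Server instance. Table and column names are assumptions for the demo.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (name TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 'dba'), ('bob', 'reader');
        CREATE TABLE secrets (k TEXT, v TEXT);
        INSERT INTO secrets VALUES ('api_token', 'hunter2');
        """
    )
    return conn


# Class 1, VULNERABLE: a caller-supplied value is spliced into the statement text.
def find_role_unsafe(conn, name: str) -> list:
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


# Class 1, FIXED: the value is bound as a parameter, so the driver sends it
# separately from the query text and it can never change the query's structure.
def find_role_safe(conn, name: str) -> list:
    return [row[0] for row in conn.execute("SELECT role FROM users WHERE name = ?", (name,))]


# Class 2, VULNERABLE: a database/table name is spliced into dynamic SQL. Identifiers
# cannot be bound as parameters, which is why this pattern is so common.
def count_rows_unsafe(conn, table: str) -> list:
    sql = f"SELECT COUNT(*) FROM {table}"
    return [row[0] for row in conn.execute(sql)]


# Allow-list of plain identifiers (SQL Server regular identifiers are at most 128 chars).
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")


def quote_identifier(name: str) -> str:
    """Reject anything that is not a plain identifier, then quote it.

    Quoting is what stops a legal-looking name from being parsed as SQL; in T-SQL the
    equivalent is QUOTENAME(@name), which yields [name] with any embedded ] doubled.
    """
    if not IDENTIFIER.match(name):
        raise ValueError(f"rejected identifier: {name!r}")
    return f'"{name}"'


# Class 2, FIXED: only validated, quoted identifiers reach the statement text.
def count_rows_safe(conn, table: str) -> int:
    return conn.execute(f"SELECT COUNT(*) FROM {quote_identifier(table)}").fetchone()[0]


def demo() -> dict:
    """Run each constructed payload against the vulnerable and hardened variants."""
    conn = make_db()
    tautology = "' OR '1'='1"                            # makes the WHERE clause always true
    union = "' UNION SELECT v FROM secrets --"           # pulls rows out of another table
    crafted_name = "users UNION SELECT v FROM secrets"   # a "database name" carrying SQL
    results = {
        "unsafe_tautology": find_role_unsafe(conn, tautology),       # ['dba', 'reader']
        "unsafe_union": find_role_unsafe(conn, union),               # ['hunter2']
        "safe_same_input": find_role_safe(conn, tautology),          # [] (no such user)
        "unsafe_identifier": count_rows_unsafe(conn, crafted_name),  # contains 'hunter2'
        "safe_identifier_ok": count_rows_safe(conn, "users"),        # 2
    }
    try:
        count_rows_safe(conn, crafted_name)
        results["safe_identifier"] = "accepted"
    except ValueError:
        results["safe_identifier"] = "rejected"                      # allow-list blocks it
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The identifier step is the one that matters for the crafted-database-name class: a query validation layer that only checks bound parameters will miss it, because the name is concatenated into the statement before any parameter binding happens. On SQL Server the same structure is dynamic SQL built with QUOTENAME() for identifiers and executed through sp_executesql with bound parameters for values.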
In an analysis of this month’s update, Tenable senior staff researcher Satnam Narang recommended that organizations pay attention to CVE-2025-53779 (the BadSuccessor flaw), though the likelihood of attackers being able to exploit it remains low. “While patching BadSuccessor is critical, our analysis indicates that the immediate impact is limited, as only 0.7% of [Active Directory] domains had met the prerequisite at the time of disclosure,” he said. “To exploit BadSuccessor, an attacker must have at least one domain controller in a domain running Windows Server 2025 in order to achieve domain compromise.”
SharePoint Flaw Among High-Priority RCEs
After the scare caused by the so-called ToolShell vulnerabilities in Microsoft SharePoint in July, there is also some concern over a new SharePoint RCE vulnerability in Microsoft’s August security update. Like the ToolShell flaws, the new bug, CVE-2025-49712 (CVSS score: 8.8), enables RCE. Unlike ToolShell, it can only be exploited by an authenticated attacker; even so, it still merits priority attention, Saeed Abbasi, senior manager of security research at Qualys, tells Dark Reading. “This RCE demands authentication but pairs dangerously with known auth bypasses,” Abbasi says. “Attackers chaining this with prior flaws could achieve full server compromise and data exfiltration.” He recommends that organizations prioritize and patch all SharePoint instances, rotate keys, and avoid exposing the systems to the Internet.
Two of the remotely exploitable CVEs patched this month have near-maximum severity scores of 9.8 on the CVSS scale: CVE-2025-50165, an RCE flaw in the Windows Graphics Component, and CVE-2025-53766 in Microsoft’s GDI+ graphics programming interface. Attackers can exploit both vulnerabilities without any user interaction. “Both of these should be considered high-priority items this month,” said Tyler Reguly, associate director of security R&D at Fortra, via an emailed statement. “While they are rated as ‘exploitation less likely,’ they are critical issues should [exploits] be developed.”
In a similar statement, Alex Vovk, CEO and co-founder of Action1, described CVE-2025-50165 in particular as an extremely high-risk vulnerability because it exists at a core level of the operating system’s image processing pipeline. “According to Microsoft, exploitation can happen automatically when decoding a malicious JPEG image, often embedded in Office or third-party files,” Vovk said. “Attackers could deliver weaponized JPEGs via email, websites, network shares, or social media, potentially allowing them to execute code with the affected process’s privileges.”
Two other critical flaws in Microsoft’s August update require no customer action because Microsoft has already addressed them in its cloud services. One is CVE-2025-53792 (CVSS score: 9.1), an EoP flaw in the Azure Portal; the other is CVE-2025-49707 (CVSS score: 7.9), a spoofing flaw in Azure Virtual Machines.