August 2025 Patch Tuesday Fixes Critical Windows Kerberos Zero-Day
Microsoft's latest Patch Tuesday security update has addressed a total of 107 vulnerabilities in various Windows and Microsoft products, including a publicly disclosed Windows Kerberos zero-day. The critical fix is particularly noteworthy, as it can be exploited by an authenticated attacker to gain domain admin rights via relative path traversal.
A Publicly Disclosed Zero-Day Flaw
The publicly disclosed flaw, tracked as CVE-2025-53779 (CVSS score 7.2), is a Windows Kerberos zero-day that can be triggered by an attacker who already holds elevated access to a delegated Managed Service Account (dMSA). According to Microsoft's advisory, "An attacker who successfully exploited this vulnerability could gain domain administrator privileges." This underscores the severity of the flaw: the precondition is elevated access to a dMSA, and the outcome is full control of the domain.
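Since exploitation requires elevated access to a dMSA, a practical defensive check is to audit which principals hold write rights over dMSA objects. The following PowerShell snippet is an added example, not code from the article or from Microsoft; it assumes the RSAT ActiveDirectory module, a domain-joined session, and a domain that already contains dMSAs (objects of class `msDS-DelegatedManagedServiceAccount`).

```powershell
# Added example (not from the article): report non-default principals that hold
# write-type rights on delegated Managed Service Account (dMSA) objects.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Rights that allow changing a dMSA's attributes or its security descriptor.
$writeRights = 'GenericAll', 'GenericWrite', 'WriteProperty', 'WriteDacl', 'WriteOwner'

# Principals expected to hold these rights; anything else is reported.
# Adjust for your domain (Enterprise Admins lives in the forest root domain).
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

$dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)'

foreach ($dmsa in $dmsas) {
    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$($dmsa.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # ActiveDirectoryRights is a flags enum; split its string form into parts.
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        if (-not ($rights | Where-Object { $_ -in $writeRights })) { continue }
        if ($ace.IdentityReference.Value -in $expected) { continue }

        [PSCustomObject]@{
            dMSA      = $dmsa.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}
```

Each reported row is a principal whose compromise would satisfy the flaw's precondition; review whether that access is intended, and pipe the output to `Export-Csv` to keep a baseline for later comparison.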
A High-Risk Buffer Overflow Flaw
The most severe vulnerability addressed by Microsoft is a heap-based buffer overflow in Windows GDI+, tracked as CVE-2025-53766 (CVSS score of 9.8). It can be exploited via a crafted metafile embedded in a document, potentially through a web upload and without any user interaction. According to Microsoft's advisory, "An attacker doesn’t require any privileges on the systems hosting the web services. Successful exploitation of this vulnerability could cause Remote Code Execution or Information Disclosure on web services that are parsing documents that contain a specially crafted metafile, without the involvement of a victim user."
This flaw is particularly concerning because it requires neither privileges on the targeted system nor any action by a victim: any web service that parses uploaded documents containing a crafted metafile is exposed, which makes the attack surface broad and the attack easy to deliver.
Full List of Addressed Vulnerabilities
The full list of CVEs addressed by Microsoft with the release of Patch Tuesday security updates for August 2025 is available here. This includes a total of 107 vulnerabilities, 12 rated Critical, 93 rated Important, one rated Moderate, and one rated Low in severity.
Stay Safe Online
Cybersecurity threats are constantly evolving and increasingly sophisticated. Staying informed about the latest security patches and updates, and applying them promptly, is crucial to protecting your devices and data.