Microsoft Patch Tuesday August 2025: Over 100 Flaws Addressed, Including Cloud Pivot and Kerberos Zero-Day Risks
Microsoft’s August 2025 Patch Tuesday delivers extensive remediation for critical vulnerabilities, including a high-impact Exchange Server flaw with cloud pivot risk and a newly discovered Kerberos zero-day threatening Active Directory domains. Organizations face urgent technical challenges to secure both legacy and hybrid cloud environments and adapt to evolving exploitation methods.
Critical Flaw in Exchange Server Allows Cloud Pivot Attacks
Microsoft addressed CVE-2025-53786, a vulnerability that facilitates privilege escalation from a compromised on-premises Microsoft Exchange Server directly into connected cloud services like Exchange Online and Microsoft Office 365. Security researchers observed roughly 29,000 exposed Exchange servers on the internet susceptible to this issue. The exploit chain leverages weaknesses in hybrid authentication pathways, enabling attackers to inherit administrative credentials and manipulate cloud resources once local privileges are gained.
Remediation guidance extends beyond default patch deployment; administrators must follow Microsoft’s manual procedures to establish a dedicated service for hybrid connections and explicitly restrict elevated rights associated with the vulnerable integration components. This approach is vital as many exposed servers likely carry legacy vulnerabilities exploitable in tandem with CVE-2025-53786 for lateral movement within hybrid networks and cloud infrastructures.
Kerberos “BadSuccessor” Zero-Day Enables Full Active Directory Compromise
The “BadSuccessor” flaw in Windows Kerberos (patched as of August 2025) enables complete compromise of Active Directory domains under specific conditions. Attackers require a domain running Windows Server 2025 with domain controllers exposed—a scenario that, while not widespread, presents potential for catastrophic privilege escalation. Exploitation could allow a hostile actor to gain full control over identity systems, manipulate authentication flows, and deploy persistent malware or ransomware throughout an enterprise.
The patch addresses code execution and privilege mismanagement in the Kerberos security protocol stack, as endpoint exposure can allow construction of counterfeit ticket-granting tickets via cryptographic attacks. Organizations with mixed Active Directory versions must assess and prioritize upgrades, as partial fixes may leave residual risk depending on domain topology and controller patching status.
Other Notable High-Risk Vulnerabilities Patched
The August 2025 update cycle also remedies several critical-rated bugs:
- Azure OpenAI Elevation of Privilege (CVE-2025-53767, CVSS 10.0): Improper access controls could grant unauthorized privilege escalation within AI resource management components.
- GDI+ Remote Code Execution (CVE-2025-53766, CVSS 9.8): Flaw in graphics processing library allows arbitrary code execution via malformed visual content.
- Windows Graphics Component Remote Code Execution (CVE-2025-50165, CVSS 9.8): Exploitable by rendering corrupted graphical data, potentially automating attacks via web or document vectors.
- Azure Portal and Microsoft 365 Copilot Privilege/Elevation Flaws: Exposes sensitive business logic and Chat AI integrations to data leakage and privilege manipulation.
- MSMQ Remote Code Execution: Messaging queue vulnerability could enable widespread malware propagation or unauthorized access to backend application workflows.
NTLM Authentication Flaw Permits SYSTEM-Level Access
Microsoft fixed a significant bug in the NTLM authentication stack used across networks. An attacker with basic user access and network presence could manipulate NTLM protocols to escalate to SYSTEM—the highest permission tier on Windows endpoints. Although exploitation has not yet been observed in the wild, threat researchers recommend immediate patching due to the fundamental nature of NTLM across enterprise authentication environments.
Fortinet and Ivanti Issue August 2025 Security Patches for Critical Infrastructure Vulnerabilities
In the August 2025 Patch Tuesday cycle, Fortinet and Ivanti released advisories for numerous vulnerabilities, many of which impact security appliances and access gateways deployed in highly sensitive network environments. These updates address technical weaknesses actively targeted by threat actors in both commercial and government networks.
Fortinet Fixes Affect Firewalls and Authentication Services
Several vulnerabilities were patched within Fortinet’s next-generation firewall platforms and VPN components. These issues included flaws enabling remote code execution, privilege escalation, and session manipulation under specific configurations. Some attacks leveraged logic errors in session management to bypass multi-factor authentication protections and gain administrative control.
Fortinet’s advisory instructs administrators to review custom policies, disable deprecated modules, and ensure all firmware is upgraded to the latest version. Strong emphasis is placed on monitoring external access attempts, particularly where legacy configurations may persist in production environments.
Ivanti Security Gateway and Remote Access Flaws Addressed
Ivanti issued updates for its enterprise access gateways and management consoles, mitigating vulnerabilities that could allow attackers to hijack remote sessions, inject unauthorized commands, or pivot laterally through “trusted” management networks. Certain bugs exploited weaknesses in input validation and session integrity, and some were observed being weaponized in recent criminal campaigns. The updates include hardening of authentication scenes and revision of output handling logic exposed to internet-facing endpoints.
Credential Theft Campaigns Using Fake Microsoft OAuth Applications Escalate
Cybersecurity researchers have detected a surge in attacks impersonating major brands via fake Microsoft OAuth applications, designed to circumvent multi-factor authentication and exfiltrate credentials from enterprise users. The threat landscape is evolving rapidly, leveraging highly convincing phishing and abuse of legacy authentication protocols.
Technical Anatomy of Fake OAuth Attacks
Threat actors distribute phishing emails containing links to OAuth consent screens that mimic brands such as RingCentral and SharePoint. Once a target grants consent, the malicious app inherits persistent access to cloud resources, including email, calendar, and file shares. Attackers obfuscate detection by leveraging application registration APIs and dynamically adjusting their consent scopes based on user response patterns.
The attack kit dubbed “Tycoon” streamlines this process, enabling organized groups to automate application creation and credential harvesting at scale. Defense strategies must now focus on application governance, conditional access policies, and revocation of suspicious OAuth tokens. Microsoft’s planned improvements—blocking legacy protocols—are expected to reduce exposure, yet enforcement gaps remain until organizations fully retire deprecated endpoints.
Ransomware Group INC Ransom Targets Discount Retail Chains in Data Theft Dispute
The INC Ransom group claims to have stolen 1.2 terabytes of sensitive information related to retail operations from Dollar Tree. However, analysis shows the compromised data originates from 99 Cents Only, whose assets were recently acquired by Dollar Tree following bankruptcy. This highlights supply chain complexities in data custodianship and target selection by cybercriminals.
Technical Implications and Data Ownership Challenges
The breach leverages legacy access and infrastructure left by the defunct 99 Cents Only chain, now partly integrated into Dollar Tree properties and systems. The retrospective attack raises questions around due diligence during asset acquisition, particularly concerning residual employee records, operational data, and authentication artifacts maintained post-bankruptcy. While current Dollar Tree employees are reportedly unaffected, former 99 Cents Only personnel face exposure of identity and HR details, underscoring the necessity for comprehensive data migration security assessments.
