Microsoft Patch Tuesday, August 2025: Kerberos Zero-Day (“BadSuccessor”) and Exchange Cloud Attack Vector Patched
In August 2025, Microsoft released security updates addressing over 100 vulnerabilities across its software ecosystem, including multiple critical flaws. This month’s patch batch is dominated by the discovery and mitigation of a Kerberos zero-day, nicknamed “BadSuccessor,” which presents the risk of total Active Directory compromise in certain environments, and a critical Exchange Server vulnerability that allows attackers to pivot from on-premises systems to organizational cloud assets.
Kerberos Zero-Day Exploitation and Remediation
The “BadSuccessor” vulnerability, addressed in this security release, abuses delegated Managed Service Accounts (dMSAs), a feature introduced in Windows Server 2025, and can therefore only be exploited in domains where at least one domain controller is running Windows Server 2025. An attacker who can create or modify a dMSA object in any organizational unit can point its predecessor link at a privileged account; the Kerberos tickets issued to the dMSA then carry that account's group memberships, so the attacker gains the target's privileges without ever touching the target account itself. Although the immediate risk is considered limited, since only a small fraction of domains met the conditions for exploitation at the time of disclosure, the impact in a vulnerable environment is full domain compromise through privilege escalation and lateral movement. All organizations with hybrid or mixed-version Active Directory deployments are strongly advised to patch immediately and to audit which principals hold create-child rights on organizational units, because that permission, not membership in an administrative group, is the attacker's entry point.
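The audit described above, as an added example that is not part of the original article and not code from Microsoft or the researchers who disclosed the issue. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the domain and its schema; the `$knownAdmins` pattern of principals treated as expected administrators is a placeholder to adjust for your environment.

```powershell
# Added example: audit an AD domain for the BadSuccessor prerequisites.
# Assumes the RSAT ActiveDirectory module; run as a user with read access.
Import-Module ActiveDirectory

# 1. A Windows Server 2025 DC is required for dMSA support, and therefore for the abuse.
$dcs2025 = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -like '*2025*' }
if ($dcs2025) {
    Write-Warning ("Windows Server 2025 DCs present: " + ($dcs2025.HostName -join ', '))
} else {
    Write-Output "No Windows Server 2025 DCs found: BadSuccessor prerequisite not met."
}

# 2. Existing dMSA objects with a predecessor link. A dMSA whose link points at a
#    privileged account receives that account's group SIDs in its tickets, and
#    msDS-DelegatedMSAState 2 (migration complete) is the value an attacker sets.
$dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
    -Properties 'msDS-ManagedAccountPrecededByLink','msDS-DelegatedMSAState','whenCreated'
foreach ($d in $dmsas) {
    $link = $d.'msDS-ManagedAccountPrecededByLink'
    if ($link) {
        Write-Warning ("dMSA {0} is linked to {1} (state {2}, created {3})" -f `
            $d.DistinguishedName, $link, $d.'msDS-DelegatedMSAState', $d.whenCreated)
    }
}

# 3. Who can create child objects in each OU? Creating a dMSA in any OU is the
#    attacker's entry point, so CreateChild (or GenericAll/WriteDacl/WriteOwner)
#    held by non-administrative principals is the exposure to review.
$rootDse   = Get-ADRootDSE
$dmsaClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
$dmsaGuid    = [guid]$dmsaClass.schemaIDGUID
$allGuid     = [guid]'00000000-0000-0000-0000-000000000000'
$riskyRights = 'CreateChild|GenericAll|WriteDacl|WriteOwner'
$knownAdmins = 'Domain Admins|Enterprise Admins|SYSTEM|Administrators'   # placeholder, adjust

foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights -notmatch $riskyRights) { continue }
        # CreateChild scoped to some other object class cannot create a dMSA.
        if ($ace.ActiveDirectoryRights -match 'CreateChild' -and
            $ace.ObjectType -ne $allGuid -and $ace.ObjectType -ne $dmsaGuid) { continue }
        if ($ace.IdentityReference.Value -match $knownAdmins) { continue }
        Write-Warning ("{0} has {1} on OU {2}" -f `
            $ace.IdentityReference, $ace.ActiveDirectoryRights, $ou.DistinguishedName)
    }
}
```

The third check is the one that matters after patching: the August update removes the abuse path, but unexpected create-child rights on OUs remain a privilege-escalation risk in their own right, and removing them also closes the door should a new dMSA weakness appear.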
Exchange Server to Cloud Pivot Attack (CVE-2025-53786)
Another high-profile update addressed CVE-2025-53786, affecting Microsoft Exchange Server 2016, 2019, and Subscription Edition in hybrid deployments. Because on-premises Exchange and Exchange Online historically authenticate to each other through a shared service principal, an attacker who has already gained administrative access to an on-premises Exchange server can escalate into Exchange Online and other Microsoft 365 connected services, and because the cloud side trusts that shared identity the activity leaves little trace in cloud audit logs. The attack vector enables a seamless transition for intruders from local systems to the organization's cloud infrastructure, amplifying the blast radius and making response efforts more complex. Microsoft's fix requires not only installing the hotfix update but also following manual remediation steps: deploying the dedicated Exchange hybrid application in Microsoft Entra ID in place of the shared service principal, and then cleaning the legacy service principal's credentials so the old trust path no longer works.
Other Critical and Noteworthy Vulnerabilities
This month’s release also includes fixes for several other critical vulnerabilities:
- CVE-2025-53767 (CVSS 10.0): Azure OpenAI Elevation of Privilege Vulnerability
- CVE-2025-53766 (CVSS 9.8): GDI+ Remote Code Execution Vulnerability
- CVE-2025-50165 (CVSS 9.8): Windows Graphics Component Remote Code Execution Vulnerability
- CVE-2025-53792 (CVSS 9.1): Azure Portal Elevation of Privilege Vulnerability
- CVE-2025-53787 (CVSS 8.2): Microsoft 365 Copilot BizChat Information Disclosure Vulnerability
- CVE-2025-50177 (CVSS 8.1): Microsoft Message Queuing Remote Code Execution Vulnerability
- CVE-2025-50176 (CVSS 7.8): DirectX Graphics Kernel Remote Code Execution Vulnerability
NTLM Elevation of Privilege Flaw
Among the authentication-related updates, a high-severity elevation of privilege bug in Windows NTLM (NT LAN Manager) authentication allows an attacker who already holds low-privileged credentials and network access to a target to escalate to SYSTEM, the highest local privilege, on that Windows host. Although no active exploitation has been observed yet, Microsoft assesses exploitation as “more likely” and urges immediate deployment of the patch. Environments that still rely on NTLM should treat this as a prompt to inventory where NTLM is used (the “Restrict NTLM” audit policies and logon event data show this) and to move remaining clients to Kerberos, since patching fixes this flaw but not the protocol's broader weaknesses.
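One way to take that NTLM inventory from the Security event log, added here as an example and not code from the original article or from Microsoft. It assumes a host (ideally a domain controller, where account logons are recorded) whose Security log retains enough 4624 logon events to be representative; the 5000-event cap is an arbitrary choice.

```powershell
# Added example: summarize NTLM logons from Security event 4624 on this host.
# Run elevated; on a DC this covers domain account logons, on a member only local ones.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
    -MaxEvents 5000 -ErrorAction Stop

$ntlmLogons = foreach ($e in $events) {
    # Each 4624 event carries its fields as <Data Name="...">value</Data> elements.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    if ($data.AuthenticationPackageName -eq 'NTLM') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $data.TargetUserName
            Domain    = $data.TargetDomainName
            LogonType = $data.LogonType          # 3 = network, 10 = RDP, 2 = interactive
            Package   = $data.LmPackageName      # NTLM V1 vs NTLM V2
            Source    = $data.IpAddress
        }
    }
}

# Where NTLM is still in use, by version and logon type, most common first.
$ntlmLogons | Group-Object Package, LogonType |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Source hosts and accounts still using NTLM V1, the first thing to retire.
$ntlmLogons | Where-Object { $_.Package -like 'NTLM V1*' } |
    Group-Object Source, User | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Any NTLM V1 entries are the highest-priority findings; the remaining NTLM V2 sources are the list to work through before restricting NTLM with the corresponding Group Policy settings.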
Exposure of Legacy Exchange Installations
Internet-wide scans reported after the release found roughly 29,000 Exchange servers exposed to the internet and still lacking the fix, leaving them susceptible both to the newly reported hybrid vulnerability and to older, already-exploited flaws. Many organizations lag in patching older systems, increasing the likelihood of chained exploits that begin with a known Exchange bug and end in a significant breach.
Fortinet and Ivanti Release Critical Security Patches for August 2025
Fortinet and Ivanti have both published significant security advisories as part of their August 2025 Patch Tuesday releases, addressing multiple vulnerabilities across their leading network and endpoint security products. These updates respond to newly discovered weaknesses that could have material impact if left unremediated, and organizations relying on these vendors are urged to assess, test, and deploy patches as quickly as possible.
Fortinet: Targeted Systems and Remediation Guidance
The latest patches from Fortinet resolve several vulnerabilities in FortiGate, FortiManager, and FortiAnalyzer systems. The advisories outline both remote code execution flaws and privilege escalation bugs, reflecting Fortinet’s continued position as a prime target for adversaries due to its widespread network integration. In multiple recent threat actor campaigns, attackers have leveraged unpatched Fortinet devices to obtain network footholds, launch lateral attacks, and exfiltrate sensitive internal data. Fortinet provides detailed remediation guidance, including disabling vulnerable services, applying firmware updates, and auditing device configuration for legacy exposure points.
Ivanti: Endpoint Security and Patch Management Concerns
Ivanti’s advisories address vulnerabilities across its endpoint management and patching solutions, closing holes that could facilitate arbitrary code execution, escalation of privilege, or unauthorized access to administrative management functions. Organizations should prioritize patching Ivanti platforms to prevent lateral movement into privileged IT infrastructure, especially given attackers’ increasing focus on exploiting vendor supply chain products as initial access vectors.
US Federal Cybersecurity Budget Cuts Creating Global Trust Erosion
A new report highlights the widespread impact of US government budget reductions on national and international cybersecurity collaboration, with pronounced spillover effects seen in both public and private sector threat response. Private companies are reporting increased anxiety regarding both the timeliness and reliability of federal cyber threat intelligence sharing, while international partners—particularly in the UK—are now more hesitant to maintain or initiate relationships with US-based vendors due to concerns about systemic stability and cyber risk.
Impact on Information Sharing and Private Sector Response
Budget cuts affecting agencies such as CISA (Cybersecurity and Infrastructure Security Agency) and associated joint defense initiatives have led to diminished analytic capacity and a drop in the volume and granularity of actionable threat intelligence disseminated to the private sector. This shift is prompting companies to seek alternative models for intelligence sharing, including more open and inclusive information sharing and analysis centers (ISACs) that remove traditional barriers to participation. Consequently, some organizations are reassessing vendor relationships, with a measurable share reporting delays, cancellations, or outright reconsideration of US supplier contracts.
International Concerns and Reassessment of Partnerships
Internationally, nearly 80% of surveyed British organizations express caution when engaging US vendors in light of ongoing federal cyber instability, with a significant portion reassessing or delaying commercial partnerships. These trends underscore the ripple effect that domestic policy changes can have on the broader global cybersecurity landscape, elevating risk both at the commercial and geopolitical levels.