Microsoft's Largest 2025 Patch Update Fixes 111 Flaws Including Kerberos Zero-Day

Microsoft released its August 2025 Patch Tuesday update addressing a massive 111 security vulnerabilities across its software portfolio, including one zero-day flaw that was already publicly disclosed.

The security update includes 16 critical-severity bugs, 92 important flaws, and addresses issues ranging from privilege escalation to remote code execution.

Among the most significant patches is CVE-2025-53779, a Windows Kerberos privilege escalation vulnerability with a CVSS score of 7.2.

This zero-day, discovered by Akamai researcher Yuval Gordon, relates to the "BadSuccessor" attack technique that allows threat actors to compromise Active Directory domains by misusing delegated Managed Service Account objects.

The vulnerability requires attackers to have existing privileges but can lead to full domain control.

Key Critical Vulnerabilities Fixed:

• CVE-2025-53767 (CVSS 10.0): Azure OpenAI privilege escalation.
• CVE-2025-53766 (CVSS 9.8): GDI+ remote code execution.
• CVE-2025-50165 (CVSS 9.8): Windows Graphics component RCE.
• CVE-2025-53792 (CVSS 9.1): Azure Portal privilege escalation.

Microsoft noted that cloud service vulnerabilities affecting Azure OpenAI, Azure Portal, and Microsoft 365 Copilot have already been remediated automatically and require no customer action.

The update also includes 16 additional fixes for Microsoft Edge browser vulnerabilities.

Security researchers recommend immediate patching, particularly for organizations using Active Directory environments where the Kerberos flaw poses the greatest risk.