SOCRadar® Cyber Intelligence Inc. | August 2025 Patch Tuesday: Microsoft Fixes 111 CVEs & Publicly Disclosed Kerberos Zero-Day (CVE-2025-53779) 
Aug 13, 2025
Sep 03, 2025

August 2025 Patch Tuesday: Microsoft Fixes 111 CVEs & Publicly Disclosed Kerberos Zero-Day (CVE-2025-53779)

[Update] “Post-Patch Findings on BadSuccessor (CVE-2025-53779)”

Microsoft has rolled out its August 2025 Patch Tuesday updates, tackling 111 security flaws, including 13 rated as critical and one publicly disclosed zero-day vulnerability.

The vulnerabilities span multiple categories:

While the update set is broad, a significant portion targets flaws that could allow attackers to escalate privileges or execute malicious code remotely, making timely patching a top priority.

Which vulnerabilities were addressed in the latest Patch Tuesday?


In this breakdown, we will examine the key updates from August 2025 Patch Tuesday, spotlight the zero-day flaw, and highlight the most critical vulnerabilities that organizations should address immediately.

Publicly Disclosed Zero-Day: CVE-2025-53779 “BadSuccessor”

Among the fixes in August’s Patch Tuesday is a Windows Kerberos vulnerability, tracked as CVE-2025-53779 (CVSS 7.2), which was publicly disclosed before a patch became available. While Microsoft has rated its exploitation as less likely, the flaw carries serious implications for organizations running Windows Server 2025 domain controllers.

CVE-2025-53779 (SOCRadar Vulnerability Intelligence)


Security researcher Yuval Gordon (@YuG0rd) first detailed the issue in May 2025, dubbing the technique “BadSuccessor”. The attack abuses delegated Managed Service Accounts (dMSA) in Active Directory to escalate privileges silently.

Tweet by the researcher – May 21, 2025 (X)


When the initial article was published, the researcher noted that Microsoft had confirmed the issue but decided it did not meet the criteria for an immediate out-of-band patch.

How CVE-2025-53779 Could Be Exploited

To exploit CVE-2025-53779, an attacker must have certain elevated permissions, specifically:

  • msds-groupMSAMembership – Grants the ability to use the dMSA.
  • msds-ManagedAccountPrecededByLink – Allows specifying another account that the dMSA can impersonate.

With these rights, an attacker can perform relative path traversal within Kerberos, ultimately granting themselves domain administrator privileges without directly compromising high-value accounts.

Security Risks of the BadSuccessor Kerberos Exploit

  • Full Domain Compromise – Attackers can steal any user’s Kerberos keys.
  • Broad Applicability – Impacts any organization with at least one Windows Server 2025 domain controller.
  • Common Permissions – The ability to create or control a dMSA is more widespread than many assume.
  • Stealth – The attack avoids common detection methods, bypassing typical SOC monitoring.
  • Inherited Privileges – Once compromised, the attacker gains the same rights as the impersonated account without altering the original account or group memberships.

As @YuG0rd put it, the dMSA becomes “the unintended heir to a high-privilege identity” – a fitting reason the technique was named BadSuccessor.

Even though Microsoft classified exploitation as less likely, the combination of high privilege gain, stealth, and ease of abuse in certain environments makes this vulnerability a notable risk. Organizations should apply the patch promptly and review their dMSA creation permissions.

Leverage SOCRadar’s Vulnerability Intelligence Capabilities for Faster Response

Reducing the risk from newly disclosed vulnerabilities takes more than timely patching; it requires continuous visibility into emerging threats across your entire technology ecosystem. SOCRadar’s Cyber Threat Intelligence module helps security teams do exactly that by delivering detailed, real-time insights into newly disclosed flaws.

SOCRadar’s Vulnerability Intelligence


The platform enables your security team to:

  • Filter vulnerabilities by vendor, product, and severity to focus on the issues most relevant to their environment.
  • Prioritize patching based on exploit likelihood and potential impact.
  • Track vulnerability timelines, from initial disclosure to exploitation trends, for proactive defense.

By integrating these capabilities into your security operations, your organization can respond quickly to high-priority threats, reduce exposure time, and maintain a stronger overall security posture.

Post-Patch Findings on BadSuccessor (CVE-2025-53779)

New analysis from Akamai highlights that while Microsoft’s patch for BadSuccessor (CVE-2025-53779) blocked the original privilege escalation path, the underlying technique still poses risks.

Before the fix, attackers could abuse delegated Managed Service Accounts (dMSAs) to inherit privileges and obtain Kerberos keys of high-value accounts by linking objects in Active Directory. Microsoft’s patch hardened the Key Distribution Center (KDC) validation process. A simple one-way link no longer works; attackers must now control both sides of the relationship to succeed.

Despite the fix, Akamai researchers show that the same concept can still enable attackers to:

  • Gain credentials and privileges by pairing a controlled dMSA with a target account (a stealthier alternative to shadow credentials).
  • Dump targeted credentials in already compromised domains, mimicking DCSync-like results but with different detection signals.

In response, defenders should:

  • Audit dMSA creation and link modifications via System Access Control Lists (SACLs).
  • Watch for unusual behaviors such as rapid dMSA password fetches or enabled accounts linked to dMSAs.
  • Patch domain controllers, limit OU/delegation rights, and restrict who can manage dMSAs.
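One way to turn the monitoring points above into detection logic, shown as an added example that is not code from SOCRadar, Akamai or Microsoft. It assumes SACL auditing already produces Security events 5137 (directory object created) and 5136 (directory object modified); the normalized "fetch" record, the thresholds, and every DN and user name are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
LINK_ATTR = "msds-managedaccountprecededbylink"  # compared case-insensitively
T0 = "CN=AdminA,CN=Users,DC=example,DC=test"     # constructed DNs throughout
OLD = "CN=OldSvc,CN=Users,DC=example,DC=test"
NEW = "CN=svc-new,OU=Lab,DC=example,DC=test"
APP = "CN=svc-app,OU=Apps,DC=example,DC=test"

def ev(time, eid, dn, user, **extra):
    return {"time": time, "id": eid, "ObjectDN": dn, "SubjectUserName": user, **extra}

# Constructed sample. 5137/5136 are the Security-log events for directory object
# creation/modification (written only where a SACL audits the object); "fetch" is
# a hypothetical normalized record for one dMSA password retrieval.
EVENTS = [
    ev("2025-09-01T09:00:00", 5136, APP, "tier0-admin",
       AttributeLDAPDisplayName="msDS-ManagedAccountPrecededByLink", AttributeValue=OLD),
    ev("2025-09-01T10:00:00", 5137, NEW, "helpdesk1", ObjectClass=DMSA_CLASS),
    ev("2025-09-01T10:00:20", 5136, NEW, "helpdesk1",
       AttributeLDAPDisplayName="msDS-ManagedAccountPrecededByLink", AttributeValue=T0),
] + [ev(f"2025-09-01T10:01:0{s}", "fetch", NEW, "helpdesk1") for s in (0, 2, 4, 6)]
ENABLED = {T0: True, OLD: False}  # constructed snapshot: is the linked account enabled?

def find_dmsa_alerts(events, enabled, max_fetches=3, window=timedelta(minutes=1)):
    """Return (kind, dMSA DN, detail) tuples for the signals in the list above."""
    alerts, fetches = [], defaultdict(list)
    for e in sorted(events, key=lambda x: x["time"]):
        dn, who = e["ObjectDN"], e["SubjectUserName"]
        attr = e.get("AttributeLDAPDisplayName", "").lower()
        if e["id"] == 5137 and e.get("ObjectClass") == DMSA_CLASS:
            alerts.append(("dmsa_created", dn, who))
        elif e["id"] == 5136 and attr == LINK_ATTR:
            alerts.append(("link_modified", dn, who))
            if enabled.get(e["AttributeValue"]):  # linked account is still enabled
                alerts.append(("linked_account_enabled", dn, e["AttributeValue"]))
        elif e["id"] == "fetch":
            now = datetime.fromisoformat(e["time"])
            fetches[dn] = [t for t in fetches[dn] if now - t <= window] + [now]
            if len(fetches[dn]) == max_fetches + 1:  # fire once on crossing the limit
                alerts.append(("rapid_password_fetch", dn, who))
    return alerts

if __name__ == "__main__":
    for alert in find_dmsa_alerts(EVENTS, ENABLED):
        print(alert)
```

The link change on `svc-app` points at a disabled account and so raises only `link_modified`, while the `svc-new` sequence raises all four alert kinds.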

Critical Microsoft Vulnerabilities Fixed in August 2025

This month’s Patch Tuesday addresses 13 security flaws rated as critical in Microsoft’s advisories. These vulnerabilities span multiple components, including Windows graphics, Office applications, Azure services, and core Windows subsystems. If left unpatched, many could allow Remote Code Execution (RCE) or privilege escalation with minimal user interaction.

Below is the list of critical CVEs:

  • CVE-2025-50165 (CVSS 9.8) – Windows Graphics Component Remote Code Execution Vulnerability
  • CVE-2025-53766 (CVSS 9.8) – GDI+ Remote Code Execution Vulnerability
  • CVE-2025-53778 (CVSS 8.8) – Windows NTLM Elevation of Privilege Vulnerability
  • CVE-2025-53740 (CVSS 8.4) – Microsoft Office Remote Code Execution Vulnerability
  • CVE-2025-53731 (CVSS 8.4) – Microsoft Office Remote Code Execution Vulnerability
  • CVE-2025-53784 (CVSS 8.4) – Microsoft Word Remote Code Execution Vulnerability
  • CVE-2025-53733 (CVSS 8.4) – Microsoft Word Remote Code Execution Vulnerability
  • CVE-2025-50177 (CVSS 8.1) – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
  • CVE-2025-53132 (CVSS 8.0) – Win32k Elevation of Privilege Vulnerability
  • CVE-2025-49707 (CVSS 7.9) – Azure Virtual Machines Spoofing Vulnerability
  • CVE-2025-50176 (CVSS 7.8) – DirectX Graphics Kernel Remote Code Execution Vulnerability
  • CVE-2025-53781 (CVSS 7.7) – Azure Virtual Machines Information Disclosure Vulnerability
  • CVE-2025-48807 (CVSS 7.5) – Windows Hyper-V Remote Code Execution Vulnerability

Because several of these flaws involve RCE in widely deployed components, Microsoft recommends applying these updates without delay, especially in internet-facing or mission-critical systems.

Vulnerabilities With High Exploitation Potential

Alongside the critical fixes, Microsoft has flagged several vulnerabilities in the August 2025 release as “more likely to be exploited.” These flaws have no official workarounds, making prompt patching essential to reduce exposure.

Some of the critical issues listed earlier, including CVE-2025-50177 (MSMQ RCE) and CVE-2025-53778 (Windows NTLM EoP), also appear in this high-risk category. Additional vulnerabilities with elevated exploitation likelihood are:

  • CVE-2025-53786 (CVSS 8.0) – Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability
  • CVE-2025-53132 (CVSS 8.0) – Win32k Elevation of Privilege Vulnerability
  • CVE-2025-50168 (CVSS 7.8) – Win32k Elevation of Privilege Vulnerability
  • CVE-2025-50167 (CVSS 7.0) – Windows Hyper-V Elevation of Privilege Vulnerability
  • CVE-2025-53147 (CVSS 7.0) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
  • CVE-2025-49743 (CVSS 6.7) – Windows Graphics Component Elevation of Privilege Vulnerability
  • CVE-2025-53156 (CVSS 5.5) – Windows Storage Port Driver Information Disclosure Vulnerability

Given the absence of mitigations and the potential for these flaws to be leveraged in active attacks, organizations should prioritize deploying patches for these vulnerabilities immediately after testing.

Apply the August 2025 Microsoft Security Updates

With multiple critical flaws and high-risk vulnerabilities addressed this month, rapid deployment of the August 2025 Patch Tuesday updates is essential to minimize the window of opportunity for attackers. You can review the full list of addressed CVEs in Microsoft’s official release notes.

SOCRadar’s Attack Surface Management (ASM): Monitor assets and company vulnerabilities.


To further strengthen your defenses, implement SOCRadar’s Attack Surface Management (ASM) module. ASM provides continuous, real-time monitoring of your organization’s digital assets, alerting you to exposed services, misconfigurations, and new vulnerabilities as they appear.

By combining timely patching with proactive attack surface monitoring, you can reduce risk and respond to threats before they escalate into incidents.