Full Report
Despite serious alarm raised by officials, organizations have not applied the patch for Microsoft Exchange servers en masse. The post Microsoft Patch Tuesday follows SharePoint attacks, Exchange server warnings appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Microsoft Patch Tuesday Overview - August 2025
## CVE Details
- CVE ID: Multiple (Including CVE-2025-53786, CVE-2025-53770, CVE-2025-53771, CVE-2025-53779, CVE-2025-53767, CVE-2025-53766, CVE-2025-50165, CVE-2025-53792, CVE-2025-50171)
- CVSS Score: Not given for every CVE in the source. CVE-2025-53767 (Azure OpenAI) carries Microsoft's maximum severity rating; CVE-2025-53766 and CVE-2025-50165 (Windows graphics) are scored 9.8 (Critical). CVE-2025-53779 (Windows Kerberos) is rated 'moderate'.
- CWE: Not specified in the source. CVE-2025-53779 is described as a path traversal issue.
## Affected Systems
- Products: Microsoft Exchange Server (on-premises), Windows Kerberos, Azure OpenAI, Windows GDI+, Microsoft Graphics Component, Azure Portal, Remote Desktop Server, Microsoft Office.
- Versions: The source does not list specific builds. The Exchange concern is limited to *on-premises* servers that have not applied the hotfix Microsoft issued earlier for CVE-2025-53786.
- Configurations: CVE-2025-53767 is specific to the Azure OpenAI service. The Windows GDI+ and Graphics Component flaws are reached through image processing (specially crafted JPEG files), so any application that renders images on an unpatched host is in scope.
## Vulnerability Description
The advisory highlights several critical vulnerabilities patched in Microsoft's August Security Update, including:
1. **CVE-2025-53786 (Exchange Server):** A high-severity vulnerability in on-premises Exchange servers for which Microsoft had already issued a hotfix. The August update also covers it, and many organizations have still not applied the earlier hotfix.
2. **CVE-2025-53779 (Windows Kerberos):** An elevation of privilege (EoP) vulnerability rooted in a path traversal issue in a core authentication component. It is treated as a zero-day because functional exploit code already exists.
3. **CVE-2025-53767 (Azure OpenAI):** A maximum-severity defect in the cloud-hosted platform Microsoft offers for OpenAI large language models.
4. **CVE-2025-53766 and CVE-2025-50165 (Windows GDI+ / Graphics Component):** Critical remote code execution (RCE) vulnerabilities triggered by processing specially crafted JPEG images. Because any application that renders images can be the delivery path, the attack surface is broad.
5. **Related SharePoint flaws:** CVE-2025-53770 and CVE-2025-53771 are variants of the previously disclosed SharePoint vulnerabilities CVE-2025-49706 and CVE-2025-49704; they were exploited in active attacks against SharePoint servers before this update shipped.
## Exploitation
- Status: Microsoft states that none of the vulnerabilities in *this* update is under active exploitation. CVE-2025-53779 (Kerberos EoP) is nonetheless treated as a zero-day because functional exploit code exists. Previously disclosed Exchange vulnerabilities remain unpatched at scale, and the SharePoint zero-days (CVE-2025-53770/53771) were actively exploited against major agencies.
- Complexity: Low for the image-processing RCEs (CVE-2025-53766/50165), which need only a crafted JPEG to be rendered. Microsoft rates CVE-2025-53786 "exploitation more likely" and CVE-2025-53779 "exploitation less likely," though researchers note concern about the latter because the path traversal affects a core authentication component.
- Attack Vector: Varies by component. Network for the image-processing RCEs (a crafted JPEG delivered to any rendering application); Local or Adjacent for the Kerberos EoP, which requires an existing authenticated foothold.
## Impact
- Confidentiality: High potential due to RCE and EoP flaws.
- Integrity: High potential. CVE-2025-53779 in particular can lead to full domain takeover: an attacker who has already compromised an account holding the relevant privileges can escalate to full control of the domain.
- Availability: Impact varies; RCE flaws present high impact.
## Remediation
### Patches
- Microsoft's August security update addresses all of the disclosed vulnerabilities, including CVE-2025-53786 and the four new Exchange defects. Specific patch versions are listed in the MSRC release notes.
### Workarounds
- For **CVE-2025-53786 (Exchange)**: Organizations were previously urged to apply Microsoft's hotfix, which many have not done. CISA's Emergency Directive 25-02 (referenced below) directed federal agencies to disconnect outdated servers. Installing the August update closes the gap for servers that never received the hotfix.
- For **CVE-2025-53766/50165 (Graphics RCE)**: The source gives no configuration-level workaround. Mitigation consists of limiting the exposure of image-rendering applications to untrusted JPEG files until the patch is applied, which is the definitive fix.
## Detection
- Indicators of Compromise: The source provides no IOCs for the August CVEs. IOCs published for the actively exploited SharePoint zero-days (CVE-2025-53770/53771) remain relevant for organizations that were running unpatched SharePoint servers during those attacks.
- Detection methods and tools: Prioritize inventorying on-premises Exchange servers and confirming their build level, since over 28,000 were reported still vulnerable as of Monday. For the Kerberos EoP (CVE-2025-53779), monitor for unusual authentication attempts and for process activity consistent with path traversal exploitation; the source gives no specific signatures.
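As an added example (not code from the CyberScoop article, Microsoft, or CISA), the following Exchange Management Shell script produces the inventory the detection step calls for: it lists every on-premises Exchange server with its build and flags any that fall below a minimum build. The `$MinimumBuilds` table, its keys and its values are assumed placeholders for illustration; take the real patched build number for each Exchange release line from the MSRC release notes before relying on the output.

```powershell
# Added example, not from the source article or Microsoft. Inventory on-premises
# Exchange servers from the Exchange Management Shell and flag builds below a minimum.
param(
    # Assumed placeholder: keys are the "Major.Minor" release line reported by
    # AdminDisplayVersion, values the lowest acceptable build. Replace the values
    # with the patched builds from the MSRC release notes for the update you verify.
    [hashtable]$MinimumBuilds = @{
        '15.1' = [version]'15.1.0.0'   # Exchange 2016 line, placeholder value
        '15.2' = [version]'15.2.0.0'   # Exchange 2019 line, placeholder value
    }
)

function ConvertTo-ExchangeBuild {
    param([string]$AdminDisplayVersion)
    # AdminDisplayVersion renders as "Version 15.2 (Build 1544.14)"; normalize it
    # to a comparable [version] such as 15.2.1544.14.
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    }
    return $null
}

$report = foreach ($srv in Get-ExchangeServer) {
    $rawVersion = $srv.AdminDisplayVersion.ToString()
    $build = ConvertTo-ExchangeBuild -AdminDisplayVersion $rawVersion
    $line  = if ($build) { '{0}.{1}' -f $build.Major, $build.Minor } else { 'unknown' }
    $min   = $MinimumBuilds[$line]

    # A release line missing from the table is reported, not silently passed:
    # 15.0 (Exchange 2013) is out of support and has no patched build at all.
    if (-not $build)         { $status = 'UNPARSED' }
    elseif (-not $min)       { $status = 'UNSUPPORTED_LINE' }
    elseif ($build -lt $min) { $status = 'BELOW_MINIMUM' }
    else                     { $status = 'OK' }

    $buildText = if ($build) { $build.ToString() } else { $rawVersion }

    [pscustomobject]@{
        Server = $srv.Name
        Role   = $srv.ServerRole
        Build  = $buildText
        Status = $status
    }
}

# Console summary, then a CSV of everything that needs follow-up.
$report | Sort-Object Status | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'OK' } |
    Export-Csv -NoTypeInformation -Path .\exchange-patch-gap.csv
```

Run it from the Exchange Management Shell (or a session where the Exchange management tools are loaded, since `Get-ExchangeServer` comes from those tools). Every row that is not `OK` is written to `exchange-patch-gap.csv` so the servers can be worked through; servers whose version string does not parse are listed as `UNPARSED` rather than dropped, because a server you cannot classify is exactly the one to look at by hand.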
## References
- Vendor advisories: [msrc.microsoft.com/update-guide/releaseNote/2025-Aug](https://msrc.microsoft.com/update-guide/releaseNote/2025-Aug)
- Relevant links (defanged):
- [cyberscoop.com/cisa-microsoft-exchange-vulnerability/](cyberscoop.com/cisa-microsoft-exchange-vulnerability/)
- [nvd.nist.gov/vuln/detail/CVE-2025-53786](nvd.nist.gov/vuln/detail/CVE-2025-53786)
- [dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=exchange&source=exchange6&tag=cve-2025-53766%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on](dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=exchange&source=exchange6&tag=cve-2025-53766%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on) (Note: the date range in this URL was slightly modified from the original text, and the CVE tag is included as a reference example.)
- [cisa.gov/news-events/directives/ed-25-02-mitigate-microsoft-exchange-vulnerability](cisa.gov/news-events/directives/ed-25-02-mitigate-microsoft-exchange-vulnerability)