August 2025 Patch Tuesday: Critical fixes for Windows, Office, Hyper-V, RRAS, and Edge

Microsoft’s August security roll-up arrived with muscle: a broad set of fixes across Windows, Office, Hyper‑V, RRAS, and Edge that closes dozens of high‑risk holes — but the tally of affected CVEs, the presence of a publicly disclosed Kerberos issue, and multiple graphics‑parsing remote code execution bugs make this month’s Patch Tuesday a must‑action for both consumer and enterprise administrators. (support.microsoft.com, techtarget.com)

Background​

Microsoft published its August 2025 cumulative updates on August 12, distributing monthly security fixes via the usual channels: Windows Update, WSUS, and the Microsoft Update Catalog. The same release bundles include servicing‑stack updates and a set of AI component refreshes that ship with the Windows 11 servicing builds. Administrators should expect the usual combined servicing‑stack + LCU packages (for example, KB5063878 for certain Windows 11 builds). (support.microsoft.com)
There is, however, some variation in how outlets count the total number of CVEs in this release. Several reputable trackers reported 107 distinct vulnerabilities, while others counted 111 — differences that typically stem from whether cloud‑only, mitigated‑by‑service fixes, or third‑party library issues are grouped with the monthly Patch Tuesday totals. Those discrepancies matter when prioritizing patch windows but do not change the practical urgency posed by the high‑severity items described below. (cybersecuritynews.com, blog.talosintelligence.com)

---

What Microsoft patched this month — a high‑level inventory​

• Microsoft’s August update addresses a broad cross‑section of product families: Windows desktop and server, Microsoft Office, Hyper‑V / virtualization, Routing and Remote Access Service (RRAS), and the Edge browser (Chromium‑based). The most impactful items cluster in graphics processing, document parsing, remote code execution (RCE), and a publicly disclosed Kerberos elevation‑of‑privilege issue. (techtarget.com, blog.talosintelligence.com)
• Counts reported by security outlets vary: some tallies show 107 CVEs in the monthly release, others list 111. This is not unusual; the Microsoft Security Update Guide and vendor advisories sometimes categorize cloud‑side mitigations and service patches separately from the on‑premises patch bundles used by traditional Patch Tuesday summaries. Administrators should rely on Microsoft’s Security Update Guide filters for authoritative lists relevant to their product mix. (cybersecuritynews.com, blog.talosintelligence.com)
• Microsoft indicated that none of the vulnerabilities patched on Patch Tuesday were being observed as active exploitation in the wild at the time of the release. That said, one vulnerability had been publicly disclosed prior to the patch bundle (Windows Kerberos CVE‑2025‑53779), elevating the urgency for domain‑controller patching in susceptible environments. (techtarget.com, blog.talosintelligence.com)

---

Deep dive: the most consequential patches and why they matter​

CVE‑2025‑53766 — GDI+ (Graphics Device Interface Plus) remote code execution​

CVE‑2025‑53766 is a critical remote code execution (RCE) vulnerability in the Windows GDI+ component. Because GDI+ handles vector graphics and metafiles used widely by documents, emails, and web content, this class of vulnerability is particularly dangerous: an attacker could trigger code execution by getting a vulnerable system to parse a malicious metafile — potentially without additional privileges or user interaction depending on the attack context. Multiple security trackers flagged this as a 9.8 CVSS‑rated critical issue that should be prioritized. (techtarget.com, cybersecuritynews.com)
Why this is urgent: graphics parsing bugs are frequently weaponized as silent, low‑interaction vectors — especially when content previewers, web services, or automated document processors parse files server‑side. Organizations that host document viewers or ingest external content should treat this as a top remediation target.

CVE‑2025‑50165 — Windows Graphics Component RCE​

Similar in impact to the GDI+ issue, CVE‑2025‑50165 is another critical RCE in the Windows Graphics Component that can be triggered by crafted image data such as a malicious JPEG. Microsoft’s analysis indicates that this flaw affects specific modern Windows releases (for example, Windows 11 24H2 and certain Server SKUs), and the attacker’s path could be as simple as having a vulnerable component decode a crafted image embedded in a web page or document. Prioritize patches for Windows hosts that process untrusted image content. (blog.talosintelligence.com, cybersecuritynews.com)

The Kerberos disclosure — CVE‑2025‑53779​

One publicly disclosed vulnerability — CVE‑2025‑53779 — affects Windows Kerberos and was highlighted across multiple advisories. This is an elevation‑of‑privilege issue tied to delegated Managed Service Accounts (dMSA) attributes and could permit an authenticated attacker with the required write‑access to specific dMSA attributes to escalate to domain administrator in affected Active Directory environments. Microsoft marked the issue as publicly disclosed and recommended immediate remediation on domain controllers where the dMSA features are present. (techtarget.com, thehackernews.com)
Operational note: successful exploitation requires pre‑existing access to dMSA attributes, so this is not an unauthenticated internet worm; however, because the outcome is full domain compromise, the consequences are severe and patching domain controllers must be prioritized.

Hyper‑V: host escape and information‑disclosure risks​

Hyper‑V received multiple important and critical fixes this month. Notable entries include:

• CVE‑2025‑48807 — RCE that could allow code execution on the host from a guest VM.
• CVE‑2025‑53781 — information disclosure (data leak) in virtualization environments.
• CVE‑2025‑49707 — spoofing / identity impersonation in VM communication.

The possibility of a guest‑to‑host escape or of a VM impersonating another identity during external communications raises substantial risk for shared hosting, cloud providers, or multi‑tenant virtualization hosts. Hyper‑V hosts should be patched quickly and, where possible, access to management channels should be further restricted until host updates are applied. (redmondmag.com, blog.talosintelligence.com)

RRAS: a cluster of high‑risk remote issues​

Microsoft patched 12 vulnerabilities affecting the Routing and Remote Access Service (RRAS), with a mix of RCE and information‑disclosure problems. Any internet‑facing RRAS endpoints — or internal gateways that accept untrusted traffic — should be considered at higher risk until patched. Many of these RRAS issues can be leveraged for lateral movement or to expose confidential network details, so administrators should schedule RRAS updates early in their patch cycles. (cybersecuritynews.com, techtarget.com)

Microsoft Office: preview‑pane RCEs and document parsing​

Microsoft fixed numerous vulnerabilities in the Office family this month, including a cluster of critical RCEs that use the Preview Pane as an attack vector. Several Word vulnerabilities were specifically flagged: by exploiting the preview functionality, an attacker could cause code execution simply by having a malicious document displayed in Explorer’s preview panel — meaning no explicit user “open” action is required. The rest of the Office fixes are high severity and typically require an attacker to trick a user into opening a malicious document. Given the ubiquity of Office in business workflows, these are high‑priority patches. (redmondmag.com, blog.talosintelligence.com)

---

Edge browser updates: Chromium fixes and platform alignment​

Microsoft shipped Edge 139.0.3405.86 to the stable channel in early August 2025 (release window around August 7), built on Chromium 139.x. The Edge update includes multiple patches for CVEs in the Chromium base as well as Edge‑specific fixes. Mobile variants followed with coordinated builds for Android and iOS. Administrators managing Edge in enterprise fleets should validate the update roll‑out through their management tooling (Intune, AD‑group policies, or Edge Update Service) and confirm compatibility testing for web apps that rely on cutting‑edge platform features. (learn.microsoft.com, neowin.net)

---

Prioritization guidance — what to patch first​

With dozens of important and critical fixes, a structured remediation plan is essential. Prioritization should be risk‑driven and account for public disclosure, exploitability, exposure (internet‑facing services), and the potential blast radius.

• Patch domain controllers and Kerberos‑dependent infrastructure immediately where dMSA is in use (CVE‑2025‑53779). (techtarget.com)
• Remediate hosts and services that process untrusted images or documents next (CVE‑2025‑53766, CVE‑2025‑50165, Office preview‑pane RCEs). These are attractive to attackers because of low interaction requirements. (blog.talosintelligence.com, cybersecuritynews.com)
• Patch Hyper‑V hosts promptly: guest‑to‑host RCEs and VM spoofing issues threaten multi‑tenant integrity. (blog.talosintelligence.com)
• Update internet‑facing gateways and RRAS endpoints, and inspect firewall rules for any legacy exposures. (cybersecuritynews.com)
• Apply Edge updates to managed browsers and verify that Chromium‑level CVEs are addressed across desktop and mobile fleets. (learn.microsoft.com)

Additional tactical steps: disable document preview in file explorers where feasible, harden document‑processing services to reject untrusted files, and employ network segmentation to reduce potential lateral movement following a successful exploit.

---

Mitigations and compensating controls while patching​

Not every environment can patch immediately. When rapid patching is operationally infeasible, consider these compensating controls:

• Disable or limit preview panes for email clients and file explorers where exploits can be triggered by preview alone.
• Block file types commonly used in attacks (e.g., specific image formats, legacy metafiles, or Office macro‑enabled documents) at email gateways and perimeter proxies.
• Apply network‑level filtering to restrict inbound access to RRAS, RDP, Hyper‑V management interfaces, and any management interfaces to internal systems.
• For virtualization hosts, restrict inter‑VM communications, and enforce strict RBAC for VM management and certificate issuance workflows.
• Monitor and hunt for anomalous authentication and Kerberos changes (especially writes to dMSA attributes), as those could signal pre‑exploitation activity against the Kerberos issue. (techtarget.com, blog.talosintelligence.com)

---

Enterprise deployment checklist​

• Inventory: map which servers and workstations are affected by the August patches (filter Microsoft’s Security Update Guide by product family and CVE). (support.microsoft.com)
• Test: run targeted tests in staging for high‑impact patches (document rendering, graphics libraries, Office integrations, Hyper‑V workloads).
• Staggered rollout: apply to a pilot cohort first, monitor telemetry for stability, then expand to critical systems.
• Backup and rollback plan: ensure recent backups and a tested rollback process for critical services.
• Communication: inform help desks and incident response teams about the changes and expected user impact windows.
• Verify: after patching, validate the fixes via vulnerability scanners, endpoint telemetry, and EDR signals.

---

The “unsupported OS” problem: don’t forget older endpoints​

Windows 7 and Windows 8.1 stopped receiving regular security updates long ago; continuing to run those platforms exposes organizations to unpatched vulnerabilities that are not covered by the current Patch Tuesday releases. Microsoft’s lifecycle pages and support notes recommend upgrading unsupported devices to currently supported Windows releases or replacing hardware that cannot meet Windows 11 system requirements. Organizations with legacy fleets should accelerate migration planning before vendor support sunsets (for example, Windows 10 mainstream security updates are scheduled to end in October 2025). (support.microsoft.com, microsoft.com)
For eligible devices, upgrading to Windows 11 24H2 will restore access to current security updates and platform hardening; however, upgrade planning must account for hardware requirements and enterprise application compatibility. (windowscentral.com)

---

Risk analysis — strengths and remaining concerns​

Notable strengths of this release​

• Microsoft pushed fixes for numerous high‑severity graphics and document‑parsing RCEs that commonly underpin broad exploitation campaigns. Addressing these reduces the immediate risk of mass delivery vectors (malicious email attachments, drive‑by image decoding). (blog.talosintelligence.com)
• Hyper‑V and virtualization fixes close paths that could lead to severe multi‑tenant compromise in cloud or hosting environments. Those patches materially reduce guest‑to‑host attack surfaces. (blog.talosintelligence.com)
• Edge updates aligned with Chromium security fixes ensure browser surfaces are hardened across the Chromium stack, reducing exploit windows for web‑delivered attacks. (learn.microsoft.com)

Potential risks and open questions​

• The reporting discrepancy in the total CVE count (107 vs 111) highlights a practical challenge for operations: different trackers may include or omit cloud‑side mitigations or vendor‑managed fixes. Relying on a third‑party tally without filtering the Microsoft Security Update Guide can mislead prioritization. Administrators must use product‑filtered views to determine exactly which CVEs apply to their environment. (cybersecuritynews.com, blog.talosintelligence.com)
• Although Microsoft stated there were no observed active exploitations for the patched CVEs at release time, public disclosure of certain bugs (notably the Kerberos issue) increases the chance that weaponized exploits or proof‑of‑concepts will appear quickly. Public disclosure shortens the window for defensive patching. (techtarget.com)
• Some of the most severe bugs affect components that are difficult to update in isolation (for instance, graphics stacks used by server‑side document processors). Enterprises that run automated content‑ingestion or document‑conversion services may need to coordinate vendor updates or change processing architectures to mitigate exposure while patches are validated. (cybersecuritynews.com)

---

Practical advice for small businesses and consumers​

• Run Windows Update soon: for most users the simplest, fastest protection is to let Windows Update install the cumulative patches. Consumer Edge users should also accept Edge updates or allow their browsers to auto‑update. (support.microsoft.com, learn.microsoft.com)
• Disable previews temporarily if you cannot patch immediately, especially for email clients and File Explorer preview panes. This simple change reduces exposure to preview‑pane RCE vectors. (redmondmag.com)
• If you run older operating systems (Windows 7, Windows 8.1), plan an upgrade path. Unsupported systems will not receive these patches and remain exposed to new exploitation techniques. (support.microsoft.com)

---

Conclusion​

August’s Patch Tuesday is a heavy‑lift month: the updates neutralize multiple high‑risk remote code execution flaws in graphics and document parsing stacks, close virtualization host avenues, and remediate a publicly disclosed Kerberos elevation flaw. Whether your environment sees a count of 107 or 111 CVEs depends on how trackers tabulate cloud and service‑side fixes; that debate is largely academic compared with the operational reality: several critical, low‑interaction vulnerabilities were fixed and should be prioritized immediately. Use Microsoft’s Security Update Guide to filter the CVEs that apply to your assets, prioritize domain controllers and hosts that process untrusted content, and apply the Edge updates across managed fleets. Rapid, tested deployment — combined with temporary mitigations like disabling preview panes and restricting exposed services — will materially reduce the window for attackers to weaponize these issues. (support.microsoft.com, blog.talosintelligence.com, learn.microsoft.com)

---

Source: Dataconomy Microsoft August Patch Tuesday fixes 107 vulnerabilities