Microsoft pushed its August Patch Tuesday cumulative updates on August 12–13, 2025, delivering the monthly security rollups that fix a broad range of vulnerabilities across Windows client and server platforms—most notably a publicly disclosed privilege‑escalation bug in Windows Kerberos (CVE‑2025‑53779) and several high‑severity remote code execution flaws that carry CVSS scores up to 9.8. The release is packaged as combined Servicing Stack Updates (SSU) plus Latest Cumulative Updates (LCU) for affected build families, and Microsoft urges administrators to prioritize deployment of the August updates to reduce exposure to active and high‑impact vulnerabilities. (msrc.microsoft.com) (support.microsoft.com)

Background / Overview

Microsoft delivered the August 2025 monthly security updates on the regular Patch Tuesday cadence (US time, second Tuesday of the month). The principal Windows 11 packages identify as KB5063878 (24H2, OS Build 26100.4946) and KB5063875 (22621/22631 families, OS Builds 22621.5768 / 22631.5768), with matching cumulative rollups for server SKUs and older client branches. These bundles are shipped as combined SSU+LCU packages to reduce installation failures and ensure the servicing stack itself is current. (support.microsoft.com) (support.microsoft.com)
Microsoft’s Security Response Center (MSRC) highlights that August’s set includes a publicly disclosed Kerberos elevation‑of‑privilege (EoP) vulnerability and multiple remote code execution (RCE) vulnerabilities—two of which (in GDI+ and the Windows graphics component) are scored at 9.8. The MSRC release notes explicitly call out CVE‑2025‑53779 (Kerberos) as being publicly disclosed prior to the availability of the patch, underscoring the urgency to apply fixes for domain controllers and other Kerberos‑dependent infrastructure. (msrc.microsoft.com)
Industry trackers and community reports differ on the raw CVE count for August; initial industry tallies reported between roughly 107 and 119 affected items depending on whether related non‑Windows components and separately published advisories are included. This variation reflects differences in how vendors and outlets aggregate Microsoft’s Security Update Guide entries. Treat numerical differences cautiously and rely on Microsoft’s Security Update Guide for authoritative filtering per product. (threatprotect.qualys.com)

What’s included: headline fixes and platform changes

Major Windows cumulative packages (what admins will see)

  • KB5063878 — Windows 11 version 24H2 cumulative update (LCU + SSU bundled). Installs as OS Build 26100.4946 and includes quality fixes plus targeted AI component refreshes for Copilot+ hardware. (support.microsoft.com)
  • KB5063875 — Windows 11 servicing branches on 22621/22631 (22H2/23H2) cumulative update with bundled SSU. Installs as OS Builds 22621.5768 / 22631.5768. (support.microsoft.com)
  • KB5063709 and corresponding server KBs — cumulative security rollups for Windows 10 and Windows Server branches, respectively, also shipped as combined SSU+LCU payloads in the same window. (support.microsoft.com)
These packages are distributed via Windows Update, Windows Update for Business, WSUS and Microsoft Update Catalog. The combined SSU+LCU model reduces sequencing issues, but note that SSUs cannot be removed once applied—the LCU can only be removed using DISM with the package name. (support.microsoft.com)
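The removal asymmetry described above (SSU permanent, LCU removable only by package identity) is easiest to see by listing the servicing packages a patched machine actually holds. The following script is an added example, not code from the KB articles or from Microsoft; it assumes an elevated session on a Windows 10/11 host with the built-in DISM PowerShell module, and it assumes the usual package naming pattern (`Package_for_RollupFix…` for the LCU, `Package_for_ServicingStack…` for the SSU). It only prints the rollback command; it does not execute it.

```powershell
# Added example (not from the KB article): enumerate the servicing packages that the
# combined SSU+LCU installed and show the only supported way to roll the LCU back.
# Requires an elevated PowerShell session; uses the built-in DISM module.
#Requires -RunAsAdministrator

# Every installed package, newest first. Package identities are assumed to follow the
# pattern Package_for_RollupFix~...~<build>.<rev> (LCU) and
# Package_for_ServicingStack~... (SSU), as on current Windows releases.
$packages = Get-WindowsPackage -Online |
    Where-Object { $_.PackageState -eq 'Installed' } |
    Sort-Object InstallTime -Descending

$lcu = $packages | Where-Object { $_.PackageName -like 'Package_for_RollupFix*' } | Select-Object -First 1
$ssu = $packages | Where-Object { $_.PackageName -like 'Package_for_ServicingStack*' } | Select-Object -First 1

"Current LCU : {0} (installed {1})" -f $lcu.PackageName, $lcu.InstallTime
"Current SSU : {0} (installed {1})" -f $ssu.PackageName, $ssu.InstallTime
"The SSU cannot be uninstalled once applied; only the LCU below is removable."

# Rollback path for the LCU only. DISM (or its PowerShell wrapper) must be given the
# exact package identity. Printed rather than executed so this stays an inventory step.
"To remove the LCU (a restart is required afterwards):"
"  Remove-WindowsPackage -Online -PackageName '{0}' -NoRestart" -f $lcu.PackageName
"  or: DISM /Online /Remove-Package /PackageName:{0}" -f $lcu.PackageName
```

Record the printed LCU identity in the change ticket for each pilot ring before deployment; if the pilot fails, that string is the argument the rollback needs, and it is far quicker to have it on file than to reconstruct it on a misbehaving host.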

Security highlights

  • CVE‑2025‑53779 — Windows Kerberos privilege escalation (publicly disclosed). Microsoft recommends rapid patching of domain controllers and systems that process Kerberos authentication. (msrc.microsoft.com)
  • Multiple RCE vulnerabilities with CVSS 9.8, including:
      • CVE‑2025‑53766 — GDI+ remote code execution.
      • CVE‑2025‑50165 — remote code execution in the Windows graphics component.
    These are prioritized because they can be exploited without authentication or user interaction under the right conditions. (msrc.microsoft.com, threatprotect.qualys.com)
  • Additional high‑impact fixes across Exchange Server, SQL Server, RRAS, Win32k and drivers—many of which are rated high or critical and require staged deployment in enterprise environments. (support.microsoft.com, threatprotect.qualys.com)

Notable non‑security content in the August packages

  • AI / Copilot+ component updates (conditional): KB5063878 carries AI component binaries for Copilot+ devices; these files update behavior of features such as Image Search and Semantic Analysis for compatible hardware. These AI binaries are conditionally installed. (support.microsoft.com)
  • Resiliency and UX improvements: August’s 24H2 build introduces features like Quick Machine Recovery and enhancements to Windows Recall and Settings (region/hardware gated). Independent reporting lists several user‑facing improvements now shipping in the cumulative build; administrators should treat these as optional feature rollouts where hardware and licensing permit. (pureinfotech.com, cybersecuritynews.com)
  • Secure Boot certificate rollout warning: Microsoft reiterated that several 2011‑era Secure Boot trust certificates are scheduled to begin expiring in mid‑2026; administrators must inventory firmware/UEFI trust stores and coordinate OEM firmware updates to avoid boot‑time trust problems later. August’s KBs call this out as an operational concern beyond OS patching. (support.microsoft.com)

What to prioritize now: triage and remediation guidance

Immediate priorities (apply within 24 hours for exposed systems)

  • Patch domain controllers and any system that acts as a Kerberos authority for your domain—CVE‑2025‑53779 is publicly disclosed and can lead to privilege escalation. Prioritize Windows Server domain controllers first. (msrc.microsoft.com)
  • Remediate remote code execution flaws that affect internet‑facing services (graphics stacks used by remote rendering services, RDP/Remote Desktop Server vulnerabilities) and services with network exposure. These are high‑risk because they can be chained into remote compromise. (threatprotect.qualys.com, splashtop.com)
  • Apply patches to any exposed Exchange Server and SQL Server instances where Microsoft listed high‑impact CVEs; Exchange cumulative SUs for August were published with specific guidance for hybrid deployments. (techcommunity.microsoft.com, support.microsoft.com)

High priority (apply within 72 hours)

  • Servers and endpoints that host sensitive workloads (domain controllers, certificate authorities, RDP gateways, VPN concentrators, RRAS) but are not internet‑exposed.
  • Systems with legacy or unsupported configurations that rely on NTLM or older authentication mappings—these should be hardened and patched in the immediate window. (threatprotect.qualys.com)

Routine deployment (next maintenance window)

  • Standard workstations and noncritical servers after verification in a pilot ring.
  • Conditional Copilot+ component installations for targeted hardware should be staged to devices within tested cohorts.

Recommended deployment checklist for IT teams

  • Inventory and map exposure: Identify domain controllers, RDP/RDS endpoints, Exchange and SQL servers, and any machines exposing Windows graphics services to the network.
  • Create a three‑tier rollout:
      • Pilot: 5–10% of systems including domain controllers in a controlled test domain or lab.
      • Targeted: Servers and infrastructure with high exposure (RDP, Exchange, VPN).
      • Broad: Endpoints and noncritical servers after pilot verification.
  • Validate backups and recovery plans before mass deployment.
  • Use staged WSUS/Intune rings for enterprise rollouts—prevent wide blast radius by delaying broad deployment until WU behavior is confirmed. (support.microsoft.com)
  • Monitor Windows Release Health and Microsoft’s KB pages for any emergent known issues after installation. Microsoft currently lists no known issues for the August 12 cumulative KBs at publication time, but this can change as telemetry arrives. (support.microsoft.com)

Technical notes and mitigations for critical CVEs

Kerberos: CVE‑2025‑53779 (privilege escalation, publicly disclosed)

  • Risk: An attacker who can interact with Kerberos‑processing components may leverage the flaw to elevate privileges. Because this is an authentication subsystem vulnerability, exploitation of Kerberos on domain controllers or systems that validate Kerberos tickets can enable broad lateral movement. (msrc.microsoft.com)
  • Mitigation: Apply the August cumulative updates to all domain controllers and Kerberos clients. Where immediate patching is impossible, harden Kerberos endpoints—reduce administrative access, monitor Kerberos audit events, and tighten logging of unusual ticket activity. Use Microsoft’s provided guidance to audit certificate mappings and unusual altSecID usages when certificate‑based auth is in use. (msrc.microsoft.com, support.microsoft.com)

Graphics and GDI+ RCEs (CVE‑2025‑50165, CVE‑2025‑53766)

  • Risk: Both CVEs are high‑severity RCEs (CVSS 9.8) and can be exploited without user interaction under certain conditions—this makes them a priority for systems that render untrusted graphics or process remote images. Attackers can chain these into kernel‑level compromise for full system control. (msrc.microsoft.com, threatprotect.qualys.com)
  • Mitigation: Patch immediately. Limit untrusted rendering on servers; in high‑risk environments, restrict the rendering engine by isolating services or using application control to restrict execution contexts.

Exchange and SQL Server patches

  • Risk: Several Exchange and SQL vulnerabilities in the August cycle affect privileged server components and may allow for privilege escalation or information disclosure.
  • Mitigation: Follow the Exchange Team’s deployment guidance for SUs, run Health Checker tools, and ensure updated management tools are deployed in step with server patches. SQL Server GDRs were published with specific CVE listings—apply the recommended GDRs and review any post‑install restart behaviors. (techcommunity.microsoft.com, support.microsoft.com)

Operational risks and known issues to watch

  • SSU combined with LCU means you cannot remove the servicing stack portion; rollback is more complex and typically requires full offline servicing images or restore from a pre‑patch backup. Plan for longer rollback windows if pilot testing fails. (support.microsoft.com)
  • Secure Boot certificate lifecycle: August notes repeat an earlier advisory that several CA certificates used by Secure Boot will begin expiring in June 2026, with additional expirations in October 2026. Firmware‑level trust anchors reside in OEM/UEFI variables; OS updates alone cannot fully remediate firmware that blocks new certificate trust. Organizations should inventory hardware, coordinate OEM firmware updates, and test certificate provisioning procedures now. This is an operational program, not a single KB fix. (support.microsoft.com)
  • Variant CVE counts in press reporting: Different outlets reported varying vulnerability totals (e.g., 107, 111, 119). This is not an error in reporting so much as a difference in inclusion criteria (whether non‑Windows product advisories and separately published items are tallied). Use the Security Update Guide to generate product‑filtered lists for precise patch planning. (threatprotect.qualys.com)
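The Secure Boot certificate item above, and the earlier note under "Notable non‑security content", both ask administrators to inventory the firmware trust store. The script below is an added example, not code from Microsoft or from the KB articles: it reads the UEFI `KEK` and `db` variables on the local machine, walks the EFI_SIGNATURE_LIST structures defined by the UEFI specification, decodes every X.509 entry, and flags certificates that expire before a chosen horizon. It assumes an elevated session on a UEFI system (the Secure Boot cmdlets throw on legacy BIOS), and the 18‑month horizon is an assumed planning window to adjust.

```powershell
# Added example (not from the article): inventory the X.509 certificates held in this
# machine's UEFI Secure Boot KEK and db variables and flag those that expire before a
# chosen horizon. Run elevated on a UEFI system. The EFI_SIGNATURE_LIST layout parsed
# below is the one defined by the UEFI specification.
#Requires -RunAsAdministrator

# Signature lists that hold X.509 DER certificates carry this SignatureType GUID.
$EfiCertX509 = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificates {
    param([Parameter(Mandatory)][byte[]]$Bytes, [string]$Store)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28) { break }     # malformed list: stop rather than loop forever
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            if ($type -eq $EfiCertX509) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER certificate
                $der  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Store      = $Store
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this system.' }

$horizon = (Get-Date).AddMonths(18)   # assumed planning window; adjust to your refresh cycle
$certs = foreach ($store in 'KEK', 'db') {
    Get-SecureBootCertificates -Bytes (Get-SecureBootUEFI -Name $store).Bytes -Store $store
}

$certs | Sort-Object NotAfter |
    Select-Object Store, Subject, NotAfter,
        @{ n = 'ExpiresBeforeHorizon'; e = { $_.NotAfter -lt $horizon } } |
    Format-Table -AutoSize
```

Hash-only entries in `db` (SHA‑256 allow‑list entries) are skipped because their SignatureType GUID differs; only certificate entries carry an expiry. Running this per hardware model and storing the output gives the OEM‑by‑OEM inventory the firmware coordination program needs, and re‑running it after a firmware or certificate update confirms the new trust anchors actually landed.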

Detection, logging and post‑patch validation

  • Enable and monitor Kerberos, NTLM and LSASS‑related audit events on domain controllers during and after the Kerberos patch deployment window. Watch for unusual TGT/TGS requests and unexpected PAC validation failures if PAC enforcement settings were changed in prior updates. (msrc.microsoft.com, support.microsoft.com)
  • Collect pre‑ and post‑deployment telemetry for critical services (RDP, Exchange, SQL). Run application and service sanity checks and user‑journey tests on representative devices.
  • Validate that Copilot+ optional AI components install only on eligible hardware if you do not intend to enable those features; review the AI component versions listed in the KB when auditing update payloads. (support.microsoft.com)
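One way to carry out the Kerberos/NTLM audit monitoring in the first item above, as an added example that is not part of the original post and not Microsoft code: it enables the relevant audit subcategories, pulls the standard Security log authentication events (4768 TGT request, 4769 service‑ticket request, 4771 pre‑authentication failure, 4776 NTLM credential validation), and summarises volume per event type, per‑account TGS volume and failure codes so that a before/after comparison around the patch ring is mechanical. It assumes an elevated session on a domain controller; the 24‑hour window and the 500‑ticket threshold are assumed starting points to tune against your own baseline.

```powershell
# Added example (not from the article): summarise Kerberos and NTLM authentication auditing
# on a domain controller around the patch window so that a post-patch change in ticket
# volume, NTLM fallback or failure codes stands out. Security event IDs used are the standard
# Windows ones: 4768 TGT request, 4769 service-ticket request, 4771 pre-auth failure,
# 4776 NTLM credential validation. Run elevated on the DC.
#Requires -RunAsAdministrator

# 1. Make sure the relevant audit subcategories record both success and failure.
foreach ($sub in 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations', 'Credential Validation') {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

function Get-EventField {
    # Pull a named EventData field out of a Security event's XML payload.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-KerberosAuthSummary {
    param([datetime]$Since = (Get-Date).AddHours(-24), [int]$TgsThreshold = 500)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769, 4771, 4776; StartTime = $Since } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Account = Get-EventField $e 'TargetUserName'
            Client  = Get-EventField $e 'IpAddress'   # absent on 4776, which reports Workstation instead
            Status  = Get-EventField $e 'Status'      # Kerberos failure code on 4768/4771; 0x0 on success
        }
    }

    # Volume by event type. Run once before the pilot ring and once after; a rise in 4776
    # relative to 4768/4769 means clients are falling back to NTLM.
    $rows | Group-Object Id | Select-Object @{n='EventId';e={$_.Name}}, Count | Format-Table -AutoSize

    # Accounts requesting an unusual number of service tickets in the window.
    $rows | Where-Object Id -eq 4769 | Group-Object Account |
        Where-Object Count -gt $TgsThreshold |
        Sort-Object Count -Descending |
        Select-Object @{n='Account';e={$_.Name}}, Count | Format-Table -AutoSize

    # TGT and pre-auth failures grouped by code and account, so that 0x18 (bad password)
    # noise can be separated from codes that point at revoked or misconfigured accounts.
    $rows | Where-Object { ($_.Id -in 4768, 4771) -and $_.Status -and $_.Status -ne '0x0' } |
        Group-Object Status, Account | Sort-Object Count -Descending |
        Select-Object @{n='Status, Account';e={$_.Name}}, Count | Format-Table -AutoSize
}

# 2. KDC-side PAC handling problems surface in the System log under the KDC provider. The
#    specific event IDs depend on which enforcement phase your updates put the DC in, so the
#    query filters by provider and level rather than by hard-coded ID.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; Level = 2, 3; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

Get-KerberosAuthSummary
```

Capture the three tables from a quiet pre‑patch day as the baseline; after the Kerberos update lands on the pilot DCs, the same three tables are what you compare, and any new failure code or a jump in 4776 volume is the signal to pause the ring rather than proceed.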

What the differences in CVE counts mean (and why the number you read matters less than what’s patched)

Public reporting sometimes emphasizes the total number of CVEs in a release. That metric is noisy: some tallies include CVEs fixed in non‑Windows components (Office, Edge engines, Azure companions) or include advisories published separately from the monthly rollup. For practical operations, the important data points are:
  • Which CVEs affect your environment (product + build).
  • Which CVEs are publicly disclosed or known to be exploited.
  • The CVSS/severity and exploitability context for each CVE.
Use Microsoft’s Security Update Guide to filter by product and date to generate an actionable list for patching rather than relying on headline CVE counts. The MSRC monthly blog and the KB articles together provide the authoritative guidance on which components were fixed and which items are public disclosure priorities. (msrc.microsoft.com, support.microsoft.com)

Community testing and early field reports

Independent reporting and community patch‑analysis firms quickly surfaced the same core priorities (Kerberos, GDI+/graphics RCEs and Exchange/SQL fixes) and recommended the same triage order used above. Several community threads and WindowsForum analyses published deployment notes and checklists for KB5063878/5063875 as the patches rolled, echoing Microsoft’s advice on staged rollouts and the Secure Boot certificate program. These community signals align with vendor guidance and help shape practical rollout steps for heterogeneous environments. (pureinfotech.com)

Practical checklist — step‑by‑step (for administrators)

  • Confirm inventory: list domain controllers, Exchange servers, SQL servers, RDP gateways, VPN/RRAS appliances.
  • Download applicable KBs and patch catalogs for each product family (use Microsoft Update Catalog for offline/air‑gapped images).
  • Create a pilot ring (domain controllers and a few production servers in a controlled subgroup).
  • Snapshot/backup and verify restoration for critical systems before applying patches.
  • Apply patches to pilot, monitor for 24–48 hours; validate authentication flows, RDP sessions, Exchange mail flow, SQL services.
  • If pilot is clean, proceed to targeted rollout for exposed servers, then broader rollout to endpoints.
  • Monitor Windows Release Health, MSRC advisories and community reports for emergent known issues and mitigations post‑deployment. (support.microsoft.com, techcommunity.microsoft.com)
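Both checklists on this page (the "Recommended deployment checklist" and the step‑by‑step list just above) end with verifying that pilot and then production rings actually reached the August builds. The script below is an added example, not code from Microsoft or from the KB articles: it reads the build number and UBR each target reports and compares them with the OS builds quoted earlier for KB5063878 (26100.4946) and KB5063875 (22621.5768 / 22631.5768), using `Get-HotFix` as a second signal. The computer names are constructed placeholders, WinRM access to the targets is assumed, and the Windows 10 row for KB5063709 is deliberately absent because that build number is not given above.

```powershell
# Added example (not from the article): verify that pilot or production hosts are on the
# August 2025 builds quoted in the KB articles, using only the build number and UBR the
# machine itself reports. Computer names are constructed placeholders; run from a host
# with WinRM access to the targets. KB5063709 (Windows 10) is not listed because its
# build number is not quoted on this page; add it from the KB before relying on that row.
$Expected = @{
    '26100' = @{ KB = 'KB5063878'; Ubr = 4946 }   # Windows 11 24H2
    '22621' = @{ KB = 'KB5063875'; Ubr = 5768 }   # Windows 11 22H2
    '22631' = @{ KB = 'KB5063875'; Ubr = 5768 }   # Windows 11 23H2
}

function Test-AugustPatchLevel {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        # CurrentBuildNumber is the build family; UBR is the revision the LCU advances.
        $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Build    = $ver.CurrentBuildNumber
            Ubr      = [int]$ver.UBR
            Release  = $ver.DisplayVersion
            # Get-HotFix lists installed updates by KB id; absence here is a second signal.
            HotFixes = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
        }
    } | ForEach-Object {
        $want = $Expected[$_.Build]
        [pscustomobject]@{
            Computer  = $_.Computer
            Release   = $_.Release
            OsBuild   = "$($_.Build).$($_.Ubr)"
            TargetKB  = if ($want) { $want.KB } else { 'unknown build family' }
            Compliant = if ($want) { $_.Ubr -ge $want.Ubr } else { $null }   # a later LCU also passes
            KbListed  = if ($want) { $_.HotFixes -contains $want.KB } else { $null }
        }
    }
}

# Unreachable hosts produce no row; report them explicitly so that a silent WinRM failure
# is not mistaken for compliance.
$targets = 'DC01', 'DC02', 'EXCH01', 'RDGW01'     # constructed sample names
$results = Test-AugustPatchLevel -ComputerName $targets
$results | Format-Table -AutoSize
$targets | Where-Object { $_ -notin $results.Computer } |
    ForEach-Object { Write-Warning "No result from $_ (offline or WinRM blocked)" }
```

A host that shows `Compliant = True` but `KbListed = False` has usually received a later cumulative that superseded the August KB, which is fine; the reverse (KB listed but UBR too low) indicates an update that installed but has not yet taken effect pending restart, and that host should not count as patched for the pilot sign‑off.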

Final analysis: strengths, risks and takeaways

  • Strengths
      • Microsoft’s combined SSU+LCU packaging reduces update sequencing errors and simplifies enterprise deployment pipelines; included servicing‑stack refreshes help ensure future patchability. (support.microsoft.com)
      • The August cycle addresses several high‑impact vulnerabilities and explicitly flags a Kerberos zero‑day—Microsoft’s prompt publication and coordinated advisories help administrators triage and respond. (msrc.microsoft.com)
      • Conditional AI/capability updates are gated by hardware and licensing, reducing unwanted feature rollouts to incompatible fleets. (support.microsoft.com)
  • Risks and caveats
      • Publicly disclosed Kerberos EoP raises the stakes for domain controllers; delayed remediation can enable attackers to escalate privileges and move laterally.
      • The Secure Boot certificate transition (mid‑2026 expirations) is a cross‑vendor firmware readiness program; failure to coordinate OEM firmware updates and OS certificate management can lead to boot or update trust failures long after this KB cycle. Treat it as an operational program, not a one‑time patch. (support.microsoft.com)
      • Combined SSU packages complicate rollback strategy; ensure backups and offline images are tested for recovery if a roll‑forward causes unforeseen issues. (support.microsoft.com)
  • Bottom line
      • Deploy August 2025 fixes according to risk: domain controllers and internet‑exposed services first, then targeted server workloads, and finally broad endpoint coverage. Use Microsoft’s Security Update Guide to generate precise, product‑filtered CVE lists and follow KB guidance for server‑specific mitigations and hotpatches. Community coverage and independent security vendors reinforce Microsoft’s triage but always validate behavior in a pilot before broad rollout. (msrc.microsoft.com, threatprotect.qualys.com)

The next scheduled monthly update window is the second Tuesday of September (Microsoft’s published schedule), which corresponds to September 9–10, 2025 depending on time zone; monitor Microsoft’s release channels for any out‑of‑band advisories or emergency updates that affect your environment before then. (msrc.microsoft.com)
(WindowsForum’s internal patch guidance threads and community notes provide step‑by‑step deployment checklists, troubleshooting tips, and early telemetry from the field that complement Microsoft’s KB documentation and the MSRC blog. Administrators should combine official Microsoft guidance with tested, staged rollouts in their own environment to minimize operational impact while closing high‑risk exposure quickly.)

Source: GIGAZINE, "Today is the monthly 'Windows Update' day."