August 2025 Patch Tuesday: Kerberos EoP, Graphics RCEs, and Urgent Windows Fixes

Microsoft’s August Patch Tuesday closed a dangerous mix of high‑impact remote code execution (RCE) flaws and a publicly disclosed Kerberos elevation‑of‑privilege (EoP) vulnerability that together raise the operational urgency for domain controllers, document‑processing servers, and any service that decodes images or metafiles. (support.microsoft.com)

Background​

Patch Tuesday remains the single most important predictable security event for Windows administrators; Microsoft’s August 12, 2025 monthly rollup shipped combined Servicing Stack Updates (SSU) plus Latest Cumulative Updates (LCU) for client and server branches (notably KB5063878 for 24H2 and KB5063875 for the 22H2/23H2 families). These packages include both security fixes and a handful of conditional AI component updates for Copilot+ hardware, but the security headlines are dominated by a cluster of critical RCEs in the graphics and document‑parsing stacks and a publicly disclosed Kerberos flaw that can enable full domain compromise under constrained conditions. (support.microsoft.com)
This analysis summarizes the most consequential vulnerabilities, verifies key technical claims against independent sources, highlights the operational impact for enterprises and service providers, and offers a prioritized remediation and mitigation playbook security teams can use during the August rollout.

---

Overview of the headline vulnerabilities​

• Publicly disclosed Kerberos elevation‑of‑privilege — CVE‑2025‑53779 (Moderate, CVSS 7.2). This is a relative path‑traversal style issue in Windows Kerberos that specifically interacts with delegated Managed Service Accounts (dMSAs). Exploitation requires write access to particular dMSA attributes and an attacker with certain preexisting privileges; if the preconditions are met, successful exploitation can yield domain administrator-level compromise. (thehackernews.com)
• Graphics component RCE — CVE‑2025‑50165 (Critical, CVSS 9.8). An untrusted pointer dereference and use of uninitialized resources in the Microsoft Graphics Component can be triggered by specially crafted JPEG images embedded in Office or other supported file types, enabling unauthenticated remote code execution. The NVD and Microsoft update guide list this CVE and its memory‑safety weaknesses. (nvd.nist.gov)
• GDI+ RCE — CVE‑2025‑53766 (Critical, CVSS 9.8). A heap‑based buffer overflow in GDI+ that can be triggered by malformed metafiles and exploited without user interaction; web and document processing services are particularly at risk because the Preview Pane is not the only vector—server-side document parsing can be abused to achieve RCE. (nvd.nist.gov)
• NTLM elevation‑of‑privilege — CVE‑2025‑53778 (Critical, CVSS 8.8). An improper authentication issue in NTLM that allows a low‑privileged authenticated actor to escalate to SYSTEM privileges over the network; Microsoft’s advisory flags the attack as network‑triggerable without user interaction.
• Additional critical fixes across Microsoft Office, MSMQ, DirectX Graphics Kernel, Hyper‑V, and Azure components. Several Office and Word CVEs enable remote code execution via the Explorer/Preview Pane, while MSMQ and Hyper‑V patches address race conditions and isolation failures that can be weaponized to escalate privileges or achieve code execution in multi‑tenant or hosted environments.

Each of the above items is accompanied by vendor fixes in the August cumulative packages; organizations should consult their Microsoft update catalog entries and the Security Update Guide to confirm KB mapping to each CVE and affected builds. (support.microsoft.com)

---

Deep dive: CVE‑2025‑53779 — Kerberos “BadSuccessor” and dMSA abuse​

What the vulnerability is and why it matters​

CVE‑2025‑53779 is a relative path traversal / dMSA processing vulnerability in Windows Kerberos that was publicly disclosed prior to the August patch. The underlying research—often referenced under the name “BadSuccessor”—shows how delegated Managed Service Accounts (dMSAs), introduced in modern Windows Server releases to improve service account hygiene, can be misused when specific directory attributes are writable or otherwise misconfigured. An attacker who controls the required attributes (for example, msds‑groupMSAMembership and msds‑ManagedAccountPrecededByLink) can manipulate delegation semantics and obtain tickets that allow impersonation of privileged accounts, enabling a domain‑level takeover in worst cases. (specterops.io, thehackernews.com)
Microsoft rates the CVE as Moderate (CVSS 7.2) and describes the exploitation prerequisites that limit broad, opportunistic abuse, but the consequence when prerequisites are met is severe: domain administrator privileges and full forest compromise are realistic outcomes for targeted attacks. Because Kerberos lives at the heart of Windows authentication, even a narrowly exploitable Kerberos flaw is operationally critical for enterprise AD environments.

Verified technical specifics​

Independent technical writeups from multiple practitioners and research groups confirm the core mechanics reported by the initial researcher: the attack leverages writable or misconfigured dMSA attributes and abuses the KDC/PAC handling to include attacker‑controlled principals in PAC/authorization data. SpecterOps’ deep technical analysis and other community writeups corroborate the required preconditions and the enumerated mitigations (attribute ACLs, restricted dMSA creation controls, and monitoring for unusual TGS/TGS‑REQUEST patterns). This cross‑validation reduces the chance that vendor messaging underreports exploitability while confirming that the attack is not trivially exploitable in every AD environment. (specterops.io, blog.quest.com)

Practical exposure model​

• Required privileges: Exploitation requires an attacker to already hold higher than normal privileges (the blog analyses stress “authorized attackers with high privileges”) and write capability to particular dMSA attributes. That means the bug is not a blind remote takeover for unprivileged attackers, but it is a one‑way escalator when combined with an existing foothold in an Active Directory domain.
• Affected assets: Domain controllers and any host that processes Kerberos delegation flags or dMSA objects. In multi‑forest or hybrid topologies the risk amplifies if dMSAs and cross‑forest trusts exist.
• Real‑world likelihood: Security vendors and researchers estimate limited immediate exposure (a minority of domains met the exact prerequisites at initial disclosure), but warn that the weakness is an attractive final step in multi‑stage intrusions and should be treated as high priority for identity owners. (csoonline.com, thehackernews.com)

Mitigations and hardening (immediate and short term)​

• Apply the Microsoft security update that addresses CVE‑2025‑53779 to domain controllers and Kerberos‑handling servers as a priority. The vendor patch is the primary remediation.
• Restrict and audit dMSA creation and write permissions. Tighten ACLs on msds‑groupMSAMembership, msds‑ManagedAccountPrecededByLink, and other dMSA‑related attributes so only trusted identity admins can modify them. Community guidance and vendor mitigations both call this out as an immediate, effective control. (blog.quest.com, specterops.io)
• Monitor Kerberos telemetry for anomalies: TGS/TGS‑REQUEST spikes, unusual use of service accounts, and Ticket‑Granting Service failure patterns (Event IDs related to Kerberos authentication) are early indicators of abuse. Implement SIEM rules for anomalous dMSA ticket operations and unexpected service ticket requests originating from non‑standard hosts. (blog.quest.com)
• Isolate and patch jump hosts and administrative workstations first; these devices are both high‑value and common staging grounds for the privilege chain that would exploit this vulnerability.

---

Graphics stack and document parsing RCEs: why they matter now​

CVE‑2025‑50165 and CVE‑2025‑53766 (Graphics Component & GDI+)​

Two of the highest‑scoring CVEs this month hit the Windows graphics and imaging stacks with CVSS ratings near 9.8. These flaws share common operational risk factors:

• They can be triggered by processing image or metafile data—a ubiquitous server and client workload (web browsing, email previews, document previews, image catalogs). (nvd.nist.gov)
• Exploits require little or no user interaction in many scenarios; server‑side document processing or web services that automatically parse user uploads are particularly exposed. Microsoft’s advisories explicitly note that document processing on web services can be an attack conduit for GDI+ issues.
• These primitives are frequently weaponized as initial access vectors, or as wormable components when combined with network vectors, because they can be delivered via common content vectors—email attachments, web ads, file sharing portals, and cloud storage.

Spectators should note that both the NVD and vendor advisories list memory‑safety weaknesses such as untrusted pointer dereference, use of uninitialized resources, and heap overflows—classic triggers for RCE in unmanaged C/C++ codebases. These bugs are attractive to exploit developers because they often lead to reliable code execution when successfully triggered. (nvd.nist.gov)

Operational priorities for these RCEs​

• Patch immediately any systems that ingest untrusted graphics or document content: mail servers (preview processing), web services that accept user uploads, document conversion services, and endpoints that display untrusted content. Apply the August cumulative updates and ensure server‑side processing stacks are updated.
• For services that cannot be patched instantly, implement compensating controls: disable automated preview/thumbnail generation where feasible, restrict file types accepted, deploy content‑sanitization proxies, and ensure EDR/AV engines are tuned to detect malformed image/metafile exploitation indicators. (blog.quest.com)
• Review exposure of document ingestion endpoints that process Office or image content in cloud or third‑party services—these are prime exploitation targets because they often run headless parsers with elevated privileges.

---

NTLM elevation, Office preview‑pane RCEs, MSMQ race conditions, and other critical fixes​

NTLM — CVE‑2025‑53778​

NTLM-related improper authentication can let low‑privileged authenticated actors escalate to SYSTEM. Microsoft ranks this as critical (CVSS 8.8), and while it requires authentication, the low prerequisite makes it an attractive lateral movement primitive for attackers who already gained a foothold. Prioritize patching systems that still accept NTLM authentication or are in mixed‑mode environments, and where possible move away from legacy NTLM usage.

Office and Word RCEs (CVE‑2025‑53731, CVE‑2025‑53733, CVE‑2025‑53740, CVE‑2025‑53784)​

Multiple Office and Word vulnerabilities allow RCE via the Preview Pane or by processing crafted documents. The Preview Pane remains a recurring attack vector that bypasses macro restrictions; organizations should enforce stricter preview controls on mail and file servers and ensure on‑device scanning is operational. Apply patches to mail servers, desktop fleets, and content ingestion services as part of the prioritized rollout.

MSMQ — CVE‑2025‑50177​

A use‑after‑free and race condition in Microsoft Message Queuing (MSMQ) can result in remote code execution on a server receiving maliciously crafted MSMQ HTTP traffic; successful exploitation requires winning a timing/race condition and thus has higher complexity but remains dangerous for MSMQ‑exposed servers. If MSMQ is not required, consider disabling the service or restricting access until patched.

---

Patch prioritization and rollout playbook​

Immediate (apply within 24 hours to exposed systems)​

• Domain controllers, KDC proxies, and any server that processes Kerberos or hosts Active Directory services — to remediate CVE‑2025‑53779 and related identity fixes.
• Internet‑facing services that parse images, documents, or metafiles (mail servers with preview, web document conversion services, file upload endpoints) — to remediate CVE‑2025‑50165, CVE‑2025‑53766, and Office RCEs. (nvd.nist.gov)
• Exchange and SharePoint servers with hybrid configurations — because unpatched on‑prem components can enable tenant‑level compromises in hybrid topologies.

High priority (apply within 72 hours)​

• Administrative jump hosts, domain‑joined management workstations, and certificate authorities.
• Servers with MSMQ, RDP gateways, RRAS, and virtualization hosts (Hyper‑V), especially when nested guests or local management interfaces are in use.

Routine rollout (next maintenance window)​

• Standard user endpoints and non‑critical servers after pilot validation.
• Conditional Copilot+ component installations for eligible hardware can be staged to minimize driver/firmware variability during patching. (support.microsoft.com)

Deployment checklist for IT teams​

• Inventory affected SKUs and map KBs to systems using Microsoft’s Security Update Guide and the KB pages (KB5063878, KB5063875). (support.microsoft.com)
• Create a three‑tier rollout: Pilot (small test group), Targeted (infrastructure and exposed services), Broad (remaining fleet).
• Prepare rollback and recovery plans for SSU‑and‑LCU combined packages (note: SSUs cannot be removed once applied; care with rollback). (support.microsoft.com)

---

Detection, telemetry, and post‑patch verification​

• Tune SIEM to watch Kerberos and dMSA activity (e.g., anomalous TGS requests, unusual PAC content), and deploy detections for suspicious service account ticket requests and msDS‑related attribute changes. Industry analysis points to Event ID patterns and TGS anomalies as early indicators. (blog.quest.com)
• Validate successful patch application by checking OS builds after the cumulative rollups (Windows 11 24H2 moves to OS Build 26100.4946 after KB5063878; other branches have equivalent build numbers). Confirm OS build and KB‑level on domain controllers first. (support.microsoft.com)
• For services that cannot be immediately patched, apply network segmentation, restrict inbound Kerberos/KDC proxy exposure at the perimeter, and consider disabling non‑essential features like automated preview generation.

---

CrowdStrike Falcon exposure management and operational considerations​

CrowdStrike’s August analysis highlights that vulnerability management is only one piece of the posture puzzle — their Falcon Exposure Management and Patch Tuesday Dashboard provide automated asset classification, attack‑path visualization (including client‑side exploitation chains), and prioritized remediation guidance to help teams focus on the highest business‑impact fixes first. These platform capabilities can be useful to identify where dMSA or Kerberos handling services reside and to visualize likely lateral‑movement paths so responders can reduce blast radius while patching. Integrating vulnerability telemetry with SIEM/EDR significantly reduces mean time to detect and remediate high‑risk CVEs.

---

Strengths in vendor response — and the gaps defenders must mind​

Strengths​

• Microsoft shipped coordinated cumulative packages (SSU+LCU) and published KB pages mapping to the August fixes, allowing operational teams to locate vendor patches and build numbers quickly. (support.microsoft.com)
• The security community quickly produced technical writeups and detection guidance for the Kerberos dMSA issue (BadSuccessor), enabling defenders to apply targeted hardening even before broad fleet patching completes. (specterops.io, blog.quest.com)

Gaps and risks​

• Public disclosure of CVE‑2025‑53779 and PoC material increases the risk of follow‑on exploitation in environments that haven’t yet applied patches or tightened dMSA ACLs. Even when a vulnerability requires prior privileges, attackers commonly chain multiple flaws to escalate from low privileges to the high‑privileged state needed to abuse Kerberos. (thehackernews.com)
• Some CVEs affect server‑side parsing and document ingestion pipelines where patching is operationally complex (third‑party stacks, hosted services, or appliances). Organizations that rely on third‑party SaaS or legacy software for document processing must coordinate patching and mitigation with vendors or apply network‑level compensations.
• The combined SSU+LCU model simplifies rollout but reduces rollback flexibility (SSUs are effectively permanent once installed). This calls for stricter pilot testing and careful rollback planning when deploying the August packages at scale. (support.microsoft.com)

---

Special operational notes​

• Exchange and SharePoint hybrid configurations present extra risk: on‑prem Exchange fixes are necessary to prevent hybrid trust bridging to cloud tenants, and SharePoint servers that process HTTP body content require AMSI and updated machine keys to mitigate some attack vectors described by the vendor advisories. Follow Microsoft’s targeted guidance for SharePoint and Exchange while applying these patches. (msrc.microsoft.com)
• Microsoft has reiterated an operational program for Secure Boot certificate replacement tied to 2011 CA expirations (first expirations scheduled mid‑2026). August’s KBs remind administrators to inventory firmware/UEFI stores and coordinate OEM updates to avoid unanticipated boot‑time trust failures later. This is an important maintenance item that is separate from the immediate security patches but has long‑term operational impact. (support.microsoft.com)
• Windows 10 end of support (October 2025) is an operational deadline that will affect the long‑term exposure profile of many organizations; plan migrations so older systems do not linger as unpatchable islands. CrowdStrike and several community advisories emphasize this planning as part of a robust security posture.

---

Final verdict and guidance​

Microsoft’s August 2025 Patch Tuesday is a consequential release: while not every CVE is trivially exploitable in every environment, the set includes multiple high‑impact RCEs and a publicly disclosed Kerberos EoP that together can enable rapid escalation and domain takeover in targeted attacks. The combination of high CVSS scores for graphics/Office parsing bugs and the identity‑centric risk of CVE‑2025‑53779 means defenders should treat this cycle as a high‑urgency operational window.
Actionable priorities:

• Patch domain controllers and Kerberos‑processing hosts first, then servers that process untrusted documents or images.
• Harden dMSA attribute ACLs and restrict creation/modification privileges. (blog.quest.com)
• Disable or restrict automated preview/thumbnail generation for untrusted content until patched.
• Deploy or tune detections for Kerberos ticket anomalies and suspicious TGS/TGS‑REQUEST activity. (blog.quest.com)
• Stage updates carefully (pilot → targeted → broad) and validate build numbers and SSU/LCU status after deployment. (support.microsoft.com)

The August patches restore critical memory‑safety and authentication correctness guarantees and should be deployed with priority, but defenders must not rely on patching alone: layered mitigations, access reduction for identity artifacts, telemetry-driven detection, and well‑drilled incident response playbooks remain essential to contain attackers who exploit multi‑stage chains that culminate in Kerberos or graphics stack abuse. (specterops.io)
Conclusion: apply the August updates, harden dMSA and Kerberos controls, and treat graphics/document ingest surfaces as first‑class attack vectors — doing so will materially reduce the most significant attack paths exposed in this month’s release.

---

Source: CrowdStrike August 2025 Patch Tuesday: Updates and Analysis | CrowdStrike