India’s national cybersecurity agency has issued a high‑severity warning about a broad set of vulnerabilities across Microsoft products — a multi‑component risk that demands immediate patching and tighter operational controls from both home users and enterprise IT teams. (cert-in.org.in)

Background / Overview

CERT‑In’s advisory is not an isolated alert about a single buggy component; it is a cross‑product alarm pointing to dozens of fixes that Microsoft included in recent security updates. The agency’s message is straightforward: the vulnerabilities range from remote‑code‑execution (RCE) and elevation‑of‑privilege (EoP) to cryptographic spoofing and security‑feature bypasses, and successful exploitation could result in system takeover, data theft, ransomware, or system outages. (cert-in.org.in)
Microsoft’s August 2025 Patch Tuesday and accompanying out‑of‑band guidance addressed more than a hundred flaws — including at least one publicly disclosed Kerberos elevation‑of‑privilege issue — which is the practical trigger for CERT‑In’s elevated severity rating and the flurry of national advisories. Independent trackers and incident responders counted between ~107 and ~111 CVEs in the August rollup; the exact tally varies by how fixes are grouped, but the security imperative is the same: patch quickly. (bleepingcomputer.com, thehackernews.com)

What CERT‑In actually said (and why it matters)

CERT‑In published multiple advisories in 2025 that highlight Microsoft vulnerabilities and repeatedly urged administrators and users to apply vendor updates and mitigations as a matter of urgency. The advisories point IT teams toward Microsoft’s Security Update Guide for the full CVE list and specific workarounds, reflecting the reality that vendor patches are the authoritative remediation path. (cert-in.org.in)
Key elements of the advisory:
  • Severity: CERT‑In labelled the situation “high severity” because the combined exploit surface spans consumer, enterprise, and cloud components.
  • Impact: A successful exploit chain could yield arbitrary code execution, privilege escalation, certificate/spoofing attacks, or denial‑of‑service.
  • Who should act: Everyone — from single desktop users to cloud‑native enterprises — but with priority on internet‑facing services, domain controllers, Exchange/SharePoint servers, and Azure workloads.
  • Action: Apply Microsoft’s security updates immediately; restrict and audit administrative accounts; enable multi‑factor authentication (MFA); and monitor telemetry for indicators of compromise.

Which Microsoft products are highlighted

CERT‑In and multiple vulnerability trackers point to a cross‑product problem rather than a single component. The items repeatedly mentioned in vendor advisories and national writeups include:
  • Microsoft Edge (Chromium‑based) — multiple Chromium CVEs remediated in Edge updates. (bleepingcomputer.com)
  • Windows Server (storage components and kernel‑level drivers) — fixes across Server cores and storage stacks. (petri.com)
  • Windows Certificates component — cryptographic signature verification / certificate spoofing issues. (cvedetails.com)
  • Windows MBT Transport driver (netbt.sys) — an integer underflow / privilege escalation class flaw. (cvedetails.com)
  • Microsoft PC Manager — local privilege escalation via insecure file/path handling and symlink issues. (zerodayinitiative.com, cvedetails.com)
  • Azure Databricks (and related Purview/Data Governance components) — improper access control permitting network‑level privilege escalation. (nvd.nist.gov, tenable.com)
Several of the above correspond to distinct CVE IDs that are tracked publicly (for example CVE‑2025‑47996 for the MBT driver, CVE‑2025‑47993/CVE‑2025‑29975 family for PC Manager issues, and CVE‑2025‑53763 for Azure Databricks). These CVEs appear in Microsoft’s Security Update Guide and in NVD/Tenable/industry trackers. (cvedetails.com, nvd.nist.gov)

Why this cluster of fixes increases risk

  • Cross‑product chaining: Many modern attacks chain a seemingly low‑privilege bug into an EoP flaw and then into an RCE on high‑value targets (domain controllers, databases, cloud APIs). When multiple products in the same ecosystem require fixes simultaneously, attackers can pivot across unpatched surfaces. (thehackernews.com)
  • Publicly disclosed zero‑day(s): Microsoft’s August rollup fixed at least one publicly disclosed Kerberos elevation‑of‑privilege (CVE‑2025‑53779 — “BadSuccessor”) that had technical writeups circulating prior to remediation. Public disclosure increases the chance of exploit development and opportunistic scanning. (bleepingcomputer.com, thehackernews.com)
  • Cloud and hybrid exposure: Cloud components (Azure OpenAI, Azure Portal, Azure Databricks) received high‑severity fixes. Cloud misconfigurations or stale service principals significantly amplify risk because exploitation can yield network‑level control of data stacks. (thehackernews.com, tenable.com)
  • Patch complexity and rollback risk: Large cumulative updates can introduce compatibility or recovery‑tool regressions (reported by multiple outlets for the August updates), which can make some administrators delay patching — a risky choice when active exploit windows are short. Administrators need to weigh the immediate patching imperative against potential service disruption and plan staged rollouts. (tomshardware.com, itpro.com)

Technical snapshot: notable CVEs and what they mean for defenders

  • CVE‑2025‑53779 (Windows Kerberos — “BadSuccessor”): A Kerberos relative‑path issue permitting privilege escalation in controlled precondition environments. Exploitation requires specific delegated Managed Service Account (dMSA) attribute access, so immediate risk is focused but serious when prerequisites exist. (bleepingcomputer.com, thehackernews.com)
  • CVE‑2025‑53763 (Azure Databricks): Improper access control (CWE‑284) allowing remote elevation of privileges; rated critical with a high CVSS and requires urgent mitigation in cloud workloads and controlled token lifecycles. (nvd.nist.gov, tenable.com)
  • CVE‑2025‑47996 (Windows MBT Transport driver): An integer‑underflow / out‑of‑bounds kernel vulnerability that can enable local privilege escalation on affected Windows versions; patching is required across a wide set of client and server SKUs. (cvedetails.com)
  • CVE‑2025‑47993 / CVE‑2025‑29975 and related (Microsoft PC Manager): Local escalation via uncontrolled search paths and link‑following; practical for post‑compromise escalation and lateral movement if allowed on endpoints. (zerodayinitiative.com, cvedetails.com)
  • CVE‑2025‑55229 (Windows Certificates component): Improper cryptographic signature verification that could allow spoofing; medium severity but security‑sensitive because certificates underpin trust in many protocols. (cvedetails.com)
  • Multiple Chromium CVEs affecting Microsoft Edge (Chromium): Typical of the browser supply chain — when Chromium OSS fixes are rolled into Edge, customers must update to avoid web‑driven RCE/DOM issues. (bleepingcomputer.com)
Each of these has an official Microsoft entry in the Security Update Guide; defenders should consult the vendor CVE pages for patch KB numbers and known‑issue notes before deployment. (petri.com, cvedetails.com)

Immediate, practical steps for administrators (a prioritized checklist)

The following is a practical 24–72 hour response playbook for IT teams managing Microsoft stacks.
  1. Identify exposed assets (inventory): Map internet‑facing endpoints, domain controllers, Exchange/SharePoint servers, Azure subscriptions, Databricks workspaces and any systems running Microsoft PC Manager. Use CMDB and cloud inventory tools.
  2. Apply vendor patches: Prioritise public‑facing services and domain controllers first. Use Microsoft’s Security Update Guide and the specific KBs listed on vendor CVE pages to stage updates. (bleepingcomputer.com, cvedetails.com)
  3. Staged deployment: Test updates on a representative pilot group before mass rollout. For critical cloud fixes that may require restarts (Databricks runtimes, Azure services), schedule maintenance windows.
  4. Enforce least privilege and MFA: Remove unnecessary administrative rights, strengthen conditional access policies, and ensure MFA on privileged accounts.
  5. Rotate and harden secrets: Rotate service principal credentials, short‑lived tokens and any long‑lived keys for Databricks, Azure, and on‑prem integrations.
  6. Network hardening: Apply segmentation to isolate management planes (DCs, databases) and use Private Link / IP restrictions for cloud control planes where possible.
  7. Threat hunting and monitoring: Search EDR/telemetry for suspicious symlink activity, abnormal Kerberos events, unexpected privilege escalations, odd scheduled tasks and unusual outbound data exfiltration patterns.
  8. Backups and recovery: Verify secure, immutable backups and recovery readiness before rolling updates in production, given reports of recovery‑tool regressions with recent updates. (tomshardware.com)
Numbered priorities make rollouts repeatable and auditable — treat public‑facing services and identity boundaries as the top two priorities.
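The checklist above says what to patch first but not how to turn an inventory into a repeatable, auditable order. The following is an added example, not code from CERT‑In, Microsoft or the article: it takes a constructed host inventory and a constructed list of required updates per platform and emits the non‑compliant hosts in the order the advisory recommends (internet‑facing services first, domain controllers second, then other servers and endpoints). The KB identifiers are labelled placeholders; in a real run the installed list would come from a Get‑HotFix, WSUS or Intune export and the required list from Microsoft’s Security Update Guide.

```python
"""Patch-compliance triage for a Microsoft estate (added example).

Given a host inventory and the set of updates each platform needs, list
hosts that still miss fixes, ordered by the priority tier the advisory
recommends. Hosts, roles and KB identifiers below are constructed
placeholders, not values from the advisory.
"""
from dataclasses import dataclass

# Priority tiers: lower number = patch first (public-facing, then identity).
TIER_BY_ROLE = {
    "internet-facing": 1,
    "domain-controller": 2,
    "exchange": 3,
    "sharepoint": 3,
    "server": 4,
    "workstation": 5,
}

@dataclass
class Host:
    name: str
    platform: str          # key into REQUIRED_UPDATES
    roles: set            # role labels from the CMDB
    installed: set        # KB ids the host reports as installed

# Constructed placeholder KB ids; real ones come from the vendor CVE pages.
REQUIRED_UPDATES = {
    "win-server-2022": {"KB-PLACEHOLDER-SRV-2022-AUG"},
    "win-11": {"KB-PLACEHOLDER-WIN11-AUG", "KB-PLACEHOLDER-EDGE-AUG"},
}

def tier_for(host: Host) -> int:
    """Most urgent tier among a host's roles; unknown roles fall to the last tier."""
    return min((TIER_BY_ROLE.get(r, 5) for r in host.roles), default=5)

def missing_updates(host: Host) -> set:
    """Required updates for the host's platform that it does not report as installed."""
    return REQUIRED_UPDATES.get(host.platform, set()) - host.installed

def triage(hosts):
    """Return (tier, hostname, sorted missing KBs) for every non-compliant host,
    ordered by tier, then by number of missing fixes (most first), then by name."""
    rows = []
    for h in hosts:
        missing = missing_updates(h)
        if missing:
            rows.append((tier_for(h), h.name, sorted(missing)))
    rows.sort(key=lambda r: (r[0], -len(r[2]), r[1]))
    return rows

# Constructed sample inventory.
SAMPLE_HOSTS = [
    Host("ws-042", "win-11", {"workstation"}, {"KB-PLACEHOLDER-WIN11-AUG"}),
    Host("dc01", "win-server-2022", {"domain-controller"}, set()),
    Host("web01", "win-server-2022", {"internet-facing", "server"}, set()),
    Host("file01", "win-server-2022", {"server"}, {"KB-PLACEHOLDER-SRV-2022-AUG"}),
]

if __name__ == "__main__":
    for tier, name, missing in triage(SAMPLE_HOSTS):
        print(f"tier {tier}  {name:<8} missing: {', '.join(missing)}")
```

The ordering key is what makes the rollout auditable: the same inventory always yields the same queue, and a host with several roles is ranked by its most exposed role rather than its platform.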

Recommendations for home users and small businesses

  • Update Windows, Edge, and installed Microsoft apps immediately via Windows Update and the Microsoft Store.
  • If you use third‑party recovery utilities, pause large resets or heavy file transfers until Microsoft’s hotfixes for reported recovery regressions are applied. If you rely on “Reset this PC” or vendor remote wipe features, verify post‑patch behavior. (tomshardware.com, itpro.com)
  • Remove unnecessary third‑party tools that run with elevated privileges (including outdated system utilities).
  • Maintain reliable, tested backups and keep restores offline or immutable where possible.

Strengths in the response — what went right

  • Vendor speed: Microsoft rolled out a large Patch Tuesday bundle and, when issues were reported (e.g., recovery tools and SSD regressions), followed up with out‑of‑band fixes. Rapid patching reduces the exploit window for many vulnerabilities. (bleepingcomputer.com, itpro.com)
  • Coordinated national advisories: CERT‑In and international incident responders (CERT‑EU, CISA, others) amplified urgency and provided consistent guidance to prioritize public‑facing and privileged assets. Cross‑agency messaging reduces confusion and helps organisations prioritize. (cert-in.org.in)
  • Public disclosure enables rapid defensive work: Public research (e.g., the Kerberos writeups) pushed both vendor fixes and defensive guidance into the hands of defenders quickly. While disclosure can accelerate exploit development, it also accelerates mitigation. (thehackernews.com)

Gaps and risks that remain

  • Patch adoption lag: Large environments with compatibility concerns may delay patching, which leaves a window for attackers to weaponize proof‑of‑concepts or scans. The reporting of recovery and SSD issues following an update illustrates the real tension between speed and safety. (tomshardware.com, itpro.com)
  • Attack surface complexity: The remediation spans endpoint, kernel, cloud, and developer tooling. Organizations that lack centralized asset inventories or cloud governance will struggle to remediate comprehensively.
  • Cloud identity hygiene: Azure Databricks and other cloud fixes underscore how service principal and role‑based misconfigurations can magnify the impact of a single vulnerability. Many organisations habitually over‑privilege cloud identities. (windowsforum.com)
  • Residual trust issues: Certificate and cryptographic signature checks are foundational. Any weakness in certificate verification (e.g., CVE‑2025‑55229) requires careful auditing of certificate authorities, certificate templates and certificate‑based authentication (CBA) policies. Until those are examined and tightened, residual spoofing risk persists. (cvedetails.com)
Where vendors and national teams have limited telemetry (for example, unknown exploitation prevalence), defenders must assume adversaries will probe aggressively.

Long‑term measures: beyond the immediate patch cycle

  • Adopt automated patch testing pipelines: Use blue/green or canary deployments for updates and a short rollback window to balance risk and continuity.
  • Zero Trust identity posture: Enforce least privilege, conditional access, just‑in‑time privileged access and continuous proofing of identity signals.
  • Harden cloud governance: Enforce subscription‑level role‑scoping, secrets rotation policies, and Private Link or service endpoints to reduce public exposure of cloud control planes.
  • Invest in detection engineering: Build specific hunts for symlink creation abuse, kernel exploit signatures, Kerberos anomalies, and abnormal Databricks workspace activity.
  • Periodic tabletop and incident response rehearsals: Practise rapid patch rollout and emergency rollback plans so operational teams can respond safely under time pressure.
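The threat‑hunting step in the checklist and the detection‑engineering item above both ask for hunts over Kerberos and privilege telemetry without saying what such a hunt looks like. The block below is an added example, not code from CERT‑In, Microsoft or the article. It runs three hunts over constructed records shaped like Windows Security log events: service‑ticket requests (Event ID 4769) negotiated with RC4 (TicketEncryptionType 0x17/0x18), a weak cipher that is a long‑standing indicator of ticket harvesting; one account requesting tickets for many distinct services inside a short window; and special‑privilege logons (Event ID 4672) by accounts outside an expected‑admin allowlist. The account names, addresses, thresholds and allowlist are constructed; in production the records would come from Get‑WinEvent or a SIEM export.

```python
"""Kerberos and privilege-anomaly hunts over Windows Security events (added example).

Sample events, thresholds and the admin allowlist are constructed for the
demonstration; field names follow the Security log schema for 4769/4672.
"""
from collections import defaultdict
from datetime import datetime, timedelta

def tgs(t, user, spn, etype, ip):
    """Build a constructed Event ID 4769 (service ticket requested) record."""
    return {"EventID": 4769, "TimeCreated": t, "TargetUserName": user,
            "ServiceName": spn, "TicketEncryptionType": etype, "IpAddress": ip}

def priv(t, user):
    """Build a constructed Event ID 4672 (special privileges assigned) record."""
    return {"EventID": 4672, "TimeCreated": t, "SubjectUserName": user}

# Constructed sample telemetry: one normal AES ticket, one account fanning out
# RC4 tickets to several services, one expected and one unexpected admin logon.
SAMPLE_EVENTS = [
    tgs("2025-08-13T09:00:01", "svc-backup@CORP", "MSSQLSvc/db01", "0x12", "10.0.5.21"),
    tgs("2025-08-13T09:00:03", "jdoe@CORP", "MSSQLSvc/db01", "0x17", "10.0.9.77"),
    tgs("2025-08-13T09:00:04", "jdoe@CORP", "HTTP/intranet", "0x17", "10.0.9.77"),
    tgs("2025-08-13T09:00:05", "jdoe@CORP", "cifs/file01", "0x17", "10.0.9.77"),
    tgs("2025-08-13T09:00:06", "jdoe@CORP", "ldap/dc01", "0x17", "10.0.9.77"),
    priv("2025-08-13T09:05:00", "admin-ops"),
    priv("2025-08-13T09:06:00", "jdoe"),
]

WEAK_ETYPES = {"0x17", "0x18"}          # RC4-HMAC and RC4-HMAC-EXP
EXPECTED_ADMINS = {"admin-ops", "SYSTEM"}  # constructed allowlist

def _ts(e):
    return datetime.fromisoformat(e["TimeCreated"])

def weak_cipher_tickets(events):
    """Findings for 4769 events whose ticket was issued with an RC4 etype."""
    return [{"rule": "rc4_service_ticket", "account": e["TargetUserName"],
             "service": e["ServiceName"], "src": e["IpAddress"]}
            for e in events
            if e["EventID"] == 4769 and e["TicketEncryptionType"] in WEAK_ETYPES]

def ticket_bursts(events, window=timedelta(minutes=5), min_services=3):
    """Accounts requesting tickets for >= min_services distinct SPNs within one window.
    Sliding window over each account's 4769 events, sorted by time."""
    by_account = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769:
            by_account[e["TargetUserName"]].append(e)
    findings = []
    for account, evs in by_account.items():
        evs.sort(key=_ts)
        start = 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            spns = {x["ServiceName"] for x in evs[start:end + 1]}
            if len(spns) >= min_services:
                findings.append({"rule": "service_ticket_burst", "account": account,
                                 "distinct_services": len(spns)})
                break  # one finding per account is enough for triage
    return findings

def unexpected_privileged_logons(events, allowlist=EXPECTED_ADMINS):
    """4672 events for accounts that are not expected to hold special privileges."""
    return [{"rule": "unexpected_special_privileges", "account": e["SubjectUserName"]}
            for e in events
            if e["EventID"] == 4672 and e["SubjectUserName"] not in allowlist]

def hunt(events):
    """Run all three hunts and return the combined findings."""
    return weak_cipher_tickets(events) + ticket_bursts(events) + unexpected_privileged_logons(events)

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the RC4 rule and the burst rule both point at the same account and source address, and the 4672 rule shows that account subsequently receiving special privileges; correlating the three on account name is the step a SIEM rule would add. Thresholds (window, minimum distinct services) and the allowlist must be tuned to the environment, and any non‑RC4 etype should be checked against the domain’s actual encryption policy before being treated as benign.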

Final assessment — how urgent is this?

The CERT‑In “high‑severity” label is warranted because the August patch set addressed multiple critical, network‑exploitable flaws and a publicly disclosed Kerberos issue that could be chained into domain compromise. For organizations running mixed on‑prem / cloud Microsoft stacks, the situation is high risk until key internet‑facing services and identity boundaries are patched and hardened. Even single desktops benefit from immediate updates, because browser‑ and Office‑based RCEs can serve as initial access vectors. (bleepingcomputer.com)
For defenders, the immediate operating goal is:
  • Patch public‑facing and identity services now.
  • Harden and monitor privileged accounts.
  • Perform targeted hunt activity for IoCs tied to the specific CVEs and any anomalous Kerberos activity.
  • Stage patches and fallbacks for systems where Microsoft updates may affect recovery functions — test restores before mass rollout. (tomshardware.com)

Closing summary

CERT‑In’s high‑severity advisory is a clear signal: this is not a narrow, easily-contained event — it is a broad, cross‑product patching imperative affecting browsers, kernel drivers, certificate processing, endpoint utilities, and cloud services. The most defensible posture is fast, prioritized patching (public‑facing and identity systems first), principle‑of‑least‑privilege, rotated secrets, and active monitoring for post‑patch exploitation attempts. National advisories and industry trackers confirm the scope and urgency; organizations that treat these alerts as optional risk expensive consequences. (bleepingcomputer.com, tenable.com)
Apply the vendor fixes now, test recovery procedures, and harden identities and telemetry — the next successful exploit will almost always find the slowest patch cadence in an environment.

Source: Mathrubhumi English CERT-In issues high-severity alert for Microsoft products
 
