The Indian Computer Emergency Response Team (CERT-In) on 18 August 2025 issued a high‑risk advisory warning that multiple critical vulnerabilities across Microsoft’s product portfolio place millions of Windows and Office users in India — from home desktops to enterprise Azure deployments — at elevated risk unless organisations and individuals apply patches and mitigations immediately. The advisory highlights a broad attack surface including Windows, Microsoft Office, SQL Server, Dynamics, System Center, Azure services and legacy products under Extended Security Updates (ESU), and comes on the heels of Microsoft’s August 2025 Patch Tuesday release that corrected scores of high‑severity flaws. (isc.sans.edu)

Background / Overview

India’s CERT‑In flagged the issue as “high risk” following Microsoft’s mid‑August security rollup, which addressed well over one hundred vulnerabilities — a batch that included multiple critical remote code execution and privilege‑escalation flaws as well as at least one publicly disclosed zero‑day. Security agencies in Europe and the U.S. echoed urgency: CERT‑EU and major incident responders recommended prioritising public‑facing and critical assets for immediate patching. These coordinated advisories reflect the reality that modern enterprise stacks — mixing on‑premises Windows servers, Microsoft 365 apps, and Azure cloud resources — create cross‑product exposure that attackers can chain together for maximum impact. (cert.europa.eu, bleepingcomputer.com)
Across vendor and independent reporting, the exact counts vary slightly (some outlets report 107 fixes, others 111), but the message from CERT‑In and international incident responders is consistent: apply Microsoft’s security updates without delay and treat affected services as high‑priority hardening targets. This article explains what was announced, which products carried the highest risk, how attackers might exploit the flaws, practical remediation steps for admins and home users, and a critical assessment of response options and residual risks.

What CERT‑In actually said

CERT‑In’s high‑risk advisory (CIAD‑2025‑0028 as referenced in Indian press coverage) summarised that a set of vulnerabilities encompassed a very broad range of Microsoft products — from desktop Windows and Office to enterprise systems such as SQL Server, Microsoft Dynamics, System Center, and Azure components — and warned that successful exploitation could allow attackers to gain elevated privileges, steal data, execute arbitrary code, or trigger denial‑of‑service conditions. Indian media reporting of the advisory emphasised the immediate need for patching and tighter access controls across both public and private networks. (freepressjournal.in)
Key points in the advisory:
  • The vulnerabilities include remote code execution, elevation of privilege, information disclosure, spoofing, and denial of service vectors.
  • Affected products include current Windows desktop/server builds, Office family applications, Microsoft Azure services, developer tools, and legacy products still under ESU.
  • CERT‑In urged administrators to prioritise patching of public‑facing systems and critical infrastructure, to restrict administrative privileges, and to enable continuous monitoring.

Which Microsoft products are affected — the scope

The advisory and complementary international notices indicate a cross‑product problem, not a single‑component failure. The most commonly referenced categories include:
  • Windows desktop and server (Windows 10/11, Windows Server 2016/2019/2022 and Server Core): kernel and graphics components, among others, received critical fixes. (isc.sans.edu, bleepingcomputer.com)
  • Microsoft Office and Office server components (Word, Excel, Outlook, SharePoint): multiple RCEs in Office components can be triggered via crafted documents or preview panes. (bleepingcomputer.com, cert.europa.eu)
  • Microsoft SQL Server and System Center: information‑disclosure and other high‑risk bugs that impact backend and management infrastructure. (qualys.com)
  • Dynamics 365 (on‑premises): cross‑site scripting and information‑disclosure bugs affecting CRM installations. (qualys.com)
  • Azure platform and Azure‑adjacent services: several Azure components and virtual machine interfaces were included in the patch set; cloud workloads must be treated as priority assets. (bleepingcomputer.com)
  • Developer and tooling ecosystems (Visual Studio, GitHub Copilot integrations, SDKs): vulnerabilities in developer tooling can be used to stage supply‑chain or developer workstation compromise. (bleepingcomputer.com)
  • Legacy ESU products: older Windows releases still receiving Extended Security Updates were flagged as vulnerable where applicable.
Multiple respected incident‑response summaries and vulnerability trackers emphasised that a number of these were critical severity, and at least one was a zero‑day disclosed prior to or during the patch cycle — raising the urgency level for remediation. (isc.sans.edu, techradar.com)

What attackers can do — realistic threat scenarios

CERT‑In and incident responders outlined concrete exploitation outcomes. The most consequential attacker capabilities include:
  • Remote code execution (RCE) enabling arbitrary code to run on vulnerable endpoints — a common precursor to ransomware or full system takeover. (bleepingcomputer.com)
  • Elevation of privilege, allowing an attacker who has a foothold to escalate to SYSTEM or administrator level and pivot laterally. (isc.sans.edu)
  • Information disclosure from database or backend services, creating direct exfiltration risk for sensitive data. (qualys.com)
  • Denial‑of‑service attacks that crash servers or client software, impacting availability of critical services.
  • Spoofing or certificate misuse leading to man‑in‑the‑middle (MITM) and credential theft.
Real‑world attack patterns to watch for:
  • Crafted Office documents (e‑mail attachments or Preview Pane) leading to RCE on desktop or server Outlook/Exchange contexts. (bleepingcomputer.com)
  • Chained exploits: use a low‑privilege RCE to drop a privilege‑escalation payload, then deploy ransomware or backdoors across the network. (isc.sans.edu)
  • Targeted attacks against on‑premises SharePoint or Exchange (already seen in July/August activity) where adversaries weaponise unpatched critical CVEs. (lifewire.com, cert.europa.eu)
These actions make the advisory particularly relevant for organisations processing sensitive personal or commercial data and for any entity running public‑facing Microsoft services.

Technical verification: what independent sources say

To validate and cross‑check the most load‑bearing claims:
  • CERT‑EU’s security advisory dated 18 August 2025 summarised Microsoft’s August 2025 patch cycle and identified noteworthy high‑severity CVEs in graphics and Office components. CERT‑EU explicitly recommended immediate patching for public‑facing and critical assets. (cert.europa.eu)
  • SANS Internet Storm Center and BleepingComputer documented the August 2025 Patch Tuesday release and enumerated the bulk of patched CVEs (SANS reported 111 vulnerabilities with 17 critical; BleepingComputer catalogued multiple Azure and Graphics kernel fixes). These independent trackers corroborate the severity and breadth of the August patches. (isc.sans.edu, bleepingcomputer.com)
  • U.S. and international incident responders (CISA, CERT‑EU) previously issued specific guidance for Exchange/SharePoint and hybrid deployments earlier in August, reinforcing that Microsoft product vulnerabilities were under active scrutiny by national responders. (cisa.gov)
Note on counts: different security outlets reported slightly different totals for the number of fixed flaws (reports list 107, 111, or other counts). This discrepancy arises because vendors and trackers sometimes differ in how they de‑duplicate bundled fixes, count vendor‑wide mitigations, or include related advisories. Treat the precise number as secondary to the severity profile — multiple critical CVEs affecting cross‑product components. When facts vary across reputable trackers, that variation is flagged as such and does not change the core remediation imperative. (techradar.com, bleepingcomputer.com)

Immediate actions: what CERT‑In, Microsoft and incident teams recommend

Both CERT‑In and international incident responders emphasised a short list of non‑optional actions. Organisations must treat these as the minimum baseline:
  • Apply security updates immediately: prioritise internet‑facing and domain‑controller systems, Exchange/SharePoint servers, Azure virtual machines, SQL servers and any system serving external traffic. If automatic updates are enabled, verify successful deployment. (cert.europa.eu, qualys.com)
  • Restrict administrative privileges: enforce the principle of least privilege, remove unnecessary local admin rights, and isolate service accounts.
  • Enable multi‑factor authentication (MFA) for all privileged accounts and admin portals. Protect remote management interfaces with MFA and conditional access.
  • Harden perimeter and network segmentation: isolate management interfaces, block unused ports, and segment critical infrastructure (databases, domain controllers) from user subnets. (qualys.com)
  • Monitor and hunt for indicators of compromise (IoCs): check for unusual processes, scheduled tasks, persistence mechanisms, and unexpected outbound traffic. Ensure EDR/antivirus signatures and telemetry are up to date.
  • Backups and disaster recovery: verify backups are complete, immutable where possible, and stored off‑network. Test restore procedures.
  • Apply vendor mitigations and recommended workarounds: where patches cannot be applied immediately, follow Microsoft’s published mitigations for specific CVEs (e.g., disabling vulnerable features, restricting protocol access). Cross‑check Microsoft’s MSRC advisories and apply vendor guidance. (cert.europa.eu, qualys.com)
These are stack‑agnostic controls: whether an organisation runs mainly on Azure, on‑prem Windows servers, or a hybrid model, these steps materially reduce the likelihood and impact of exploitation.

Practical patching checklist (for IT teams)

  • Inventory: compile a short, authoritative list of public‑facing endpoints, domain controllers, Exchange/SharePoint servers, SQL servers, and Azure subscriptions.
  • Prioritise: mark internet‑facing and domain controllers as highest priority, then production database and identity services.
  • Test: in small staging windows, validate patches on representative systems and check critical application compatibility.
  • Deploy: use patch management tooling (WSUS, SCCM/ConfigMgr, Intune, Azure Update Manager) for controlled rollouts.
  • Verify: confirm reboots and patch presence via automated reporting; monitor event logs for unusual entries.
  • Harden: apply access restrictions, MFA, and firewall rules as sweeps are completed.
  • Hunt: run EDR/IDS scans for known IoCs and watch for post‑patch anomalous activity.
  • Document: log patch windows, rollback plans, and incident contact lists.
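The "Verify" step above (and the "apply security updates" and "monitor" items in the previous section) can be automated per host. The PowerShell script below is an added example, not code from CERT‑In, Microsoft or the thread author; it reports which required KB ids are missing, whether a reboot is still owed, and how many Windows Update installs failed recently. The KB ids in the parameter block are placeholders: take the real August 2025 KB list for your builds from Microsoft’s MSRC release notes.

```powershell
# Added example: per-host patch verification report for the checklist above.
# Not from the advisory or the thread. KB ids below are PLACEHOLDERS.
[CmdletBinding()]
param(
    # PLACEHOLDER: replace with the August 2025 KB ids for the builds you run.
    [string[]]$RequiredKBs = @('KB<placeholder-1>', 'KB<placeholder-2>'),
    [int]$DaysBack = 30
)

function Get-PatchStatus {
    param([string[]]$KBs)
    # Get-HotFix lists installed updates; HotFixID is the "KBnnnnnnn" string.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        [pscustomobject]@{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Test-PendingReboot {
    # Either key is created by the servicing stack / WU agent when a
    # restart is still required to finish applying an update.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) { if (Test-Path $k) { return $true } }
    return $false
}

function Get-RecentUpdateEvents {
    param([int]$Days)
    # WindowsUpdateClient operational log: event 19 = install succeeded,
    # event 20 = install failed. Failures are what the patch sweep must chase.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
        Id        = 19, 20
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

$os = Get-CimInstance Win32_OperatingSystem
$events = @(Get-RecentUpdateEvents -Days $DaysBack)
[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    OSBuild       = $os.BuildNumber
    LastBoot      = $os.LastBootUpTime
    PendingReboot = Test-PendingReboot
    MissingKBs    = @(Get-PatchStatus -KBs $RequiredKBs | Where-Object { -not $_.Installed }).KB
    RecentFailed  = @($events | Where-Object Id -eq 20).Count
} | Format-List
```

Run it under an account with local administrator rights (needed to read the operational event log); feeding the output into your reporting tool gives the "automated reporting" the checklist asks for.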

Enterprise concerns: Azure, Dynamics, SQL Server, and legacy ESU workloads

Large organisations face a more complex remediation landscape:
  • Azure hosted workloads require coordinated patching across both guest OS and platform‑as‑a‑service components. Attackers may combine guest RCEs with misconfigured identity or role assignments to escalate through subscriptions; follow Azure security baseline guides and restrict contributor roles. (bleepingcomputer.com)
  • Dynamics 365 on‑premises and System Center are often tied to business workflows and may not live on the same patch cycle as servers; vendors’ CVE writeups sometimes require application‑specific updates or content changes. Validate vendor patches in non‑production before rolling to live systems. (qualys.com)
  • SQL Server vulnerabilities can disclose or corrupt data — particular care should be given to database backups, transaction logging and restricting SQL endpoints to known, internal IPs. (qualys.com)
  • Legacy ESU‑covered OSes: organisations still receiving ESU patches must adhere to vendor timelines; however, continuing to run legacy stacks carries growing operational risk and should be paired with aggressive compensating controls (network isolation, strict ACLs).
In short, cloud‑first and hybrid enterprises must treat patching as a cross‑discipline effort (security, platform, application teams) with clear rollback and verification plans.

Strengths and weaknesses of the vendor response — critical analysis

Strengths:
  • Microsoft’s monthly Patch Tuesday cadence remains a predictable mechanism to deliver fixes across a sprawling product portfolio. Independent advisories (CERT‑EU, SANS) indicate Microsoft addressed multiple high‑severity issues in the August release, showing coordinated remedial action. (cert.europa.eu, isc.sans.edu)
  • National CERTs and agencies (CISA, CERT‑EU, CERT‑In) quickly amplified the message, which helps reduce windows of exposure by encouraging rapid adoption of patches. (cisa.gov, cert.europa.eu)
Weaknesses and risks:
  • The breadth of affected products means patch testing and deployment take time in enterprise environments, and adversaries often exploit that window. Organisations with slow change control processes remain vulnerable. This operational friction is the single largest risk factor once a vulnerability is public.
  • Discrepancies in public reporting about the exact number of patched CVEs (e.g., 107 vs 111) create confusion for non‑technical stakeholders; transparency around bundled fixes and patch groupings could be improved. (techradar.com, bleepingcomputer.com)
  • Where Microsoft issues mitigations rather than full fixes, the burden falls on administrators to implement complex workarounds; this can create configuration drift and potential misconfigurations that attackers may exploit. (cert.europa.eu)
Overall, Microsoft’s response fixed the underlying code, but the reality of large organisations and mixed‑vendor ecosystems means residual risk persists until patches are universally applied and compensating controls are in place.

The India angle — why this matters nationally

India’s software and services sectors host millions of Windows endpoints across government, banking, education and small business sectors. That concentration makes India a high‑impact target: successful attacks can mean large‑scale data exfiltration, operational outages, and ransomware incidents that cascade through supply chains. The CERT‑In advisory rightly framed the issue as national risk management — urging both administrators and ordinary users to act swiftly. Local media coverage and community threads show rapid concern among administrators and individuals attempting to triage updates in small offices and educational institutions alike.
There is also policy and sovereignty concern: critical national infrastructure often runs a mix of legacy systems and cloud services, and outages or breaches have both economic and public‑safety implications. The India advisory’s public posture signals that governments will increasingly expect organisations to demonstrate timely patching and reasonable cyber hygiene as part of national risk posture.

Guidance for home users — practical and immediate

  • Check Windows Update and install all pending security updates now. Confirm updates completed and restart the machine.
  • Update Office and email clients (Outlook, Teams) to the latest builds available through Microsoft Update or Office Update channels.
  • Enable MFA on any Microsoft accounts and other critical online services.
  • Run a full antivirus/EDR scan and ensure definitions are current.
  • Back up important files to an external device or cloud backup that is not continuously writable from the endpoint (to reduce ransomware risk).
  • Be cautious with attachments and links — crafted Office documents remain a common exploitation vector. If you don’t recognise an attachment, do not open it.

Residual risks and what to watch next

  • Ongoing exploitation: some CVEs in the wild (e.g., prior SharePoint/Exchange incidents) continue to be weaponised; organisations must assume scanning and opportunistic exploitation will continue. (lifewire.com)
  • Supply‑chain attack vectors via developer tooling or compromised packages remain a concern; attacker groups often move from initial access to persistent backdoors via build systems and CI/CD. Monitor developer environments. (bleepingcomputer.com)
  • Patch rollback or compatibility failures can force delayed deployments; ensure rollback plans are tested and communication with business units is clear.
Where public reporting is inconsistent (e.g., differing totals of patched vulnerabilities), treat the technical details as evolving — verify MSRC published advisories directly for the most authoritative CVE lists and patch guidance.

Conclusion

The CERT‑In high‑risk advisory is not a theoretical alarm bell; it reflects a real, cross‑product set of vulnerabilities addressed in Microsoft’s August 2025 patch cycle that carry tangible exploitation risk. National and international incident responders — CERT‑EU, CISA, SANS and independent security trackers — corroborate the urgency. The correct response is operational and immediate: identify vulnerable assets, apply available patches, restrict administrative exposure, enable MFA, and verify backups and monitoring.
Organisations that use Microsoft technologies should treat this advisory as a programmatic lesson: security depends not only on vendor patches but on the speed and discipline of operational execution. For individuals, the practical steps are straightforward and lifesaving — keep systems updated, back up data, and harden accounts. The greatest remaining risk is the time it takes to reach full patch parity across thousands of endpoints; reduce that time and the attack surface shrinks accordingly. (cert.europa.eu, bleepingcomputer.com, qualys.com)

Source: Hindustan Times, "Microsoft Windows, Office users in India under high risk, government issues warning"