Microsoft's August security rollup is one of those months that makes system administrators stop what they're doing and triage: this Patch Tuesday delivered fixes for a broad sweep of vulnerabilities across Windows, Exchange, Azure and related services — including a publicly disclosed Kerberos bug dubbed "BadSuccessor," a dangerous Exchange hybrid escalation, a post-patch NTLM bypass capable of leaking hashed credentials, and a set of remote code execution and kernel-impacting flaws that together make rapid, prioritized patching essential. (support.microsoft.com, thehackernews.com)

Microsoft August 2025 Patch Tuesday: Exchange Hybrid Escalation, BadSuccessor Kerberos, NTLM Bypass

Overview

Microsoft released its monthly security updates on August 12, 2025, distributing cumulative fixes and product-specific hotfixes that address roughly 100–111 vulnerabilities across Microsoft Windows, Office, Exchange, SQL Server, Azure services and AI components. Public reporting by several vulnerability teams and security vendors highlights a concentration of elevation-of-privilege (EoP) issues, remote code execution (RCE) bugs, and several high-severity cloud vulnerabilities that Microsoft says have been remediated on the service side. Multiple security advisories singled out two issues as particularly urgent: CVE-2025-53786, a hybrid Exchange privilege escalation, and CVE-2025-53779, a Windows Kerberos privilege escalation that was publicly disclosed prior to the patch. (blog.talosintelligence.com, thehackernews.com)
Note: public coverage shows small differences in reported totals (some vendors reporting 107 vs. 111 CVEs). That variance stems from different counting methods (e.g., counting Edge/Chromium vulnerabilities separately, or bundling per-product advisories differently). Administrators should rely on Microsoft's Security Update Guide and per-product KB articles for authoritative listings. (support.microsoft.com, blog.talosintelligence.com)

Background: why this month matters

Patch aggregations that include both on-premises server components (Exchange, SQL Server, Windows Server domain controllers) and cloud-managed services (Azure OpenAI, Azure Portal, Microsoft 365 Copilot BizChat) raise two operational realities at once: the need to patch endpoint and server images under IT control, and the relief that some cloud-side fixes are already applied and require no customer intervention. The mix of high-severity RCEs and EoP bugs — plus a publicly disclosed Kerberos chain — multiplies the urgency for firms that run hybrid environments or host public-facing Exchange/Remote Desktop services. (support.microsoft.com, cyberinsider.com)
Security teams should treat this release as a coordinated response event: identify internet-exposed services first, then critical identity assets (domain controllers, AD FS, Exchange servers), and schedule validated patch deployments that minimize business disruption while accelerating coverage for high-risk systems. The later sections explain how to triage and mitigate effectively.

The headline vulnerabilities — what you need to know

CVE-2025-53786 — Exchange hybrid privilege escalation (high severity)

This flaw affects hybrid Exchange deployments configured to share a service principal between on-premises Exchange and Exchange Online. An attacker who first gains administrative control of an on‑prem Exchange server could abuse the shared service principal/trust path to escalate privileges into the tenant’s Exchange Online environment, potentially enabling a hybrid cloud and on-premises domain compromise. Microsoft and CISA issued explicit guidance to apply the April 2025 hotfix or later, deploy a dedicated Exchange hybrid app, and reset the shared service principal credentials where applicable. The urgency is real for organizations still using the legacy shared service principal configuration. (cisa.gov, techcommunity.microsoft.com)
Why this is dangerous in practice:
  • Hybrid configurations often blur audit boundaries; malicious activity on-prem can be less visible in cloud audit logs.
  • The exploit requires admin access on an on-prem Exchange server — a high bar — but attackers already target Exchange servers, so this can be an end-stage escalation in multi-step attacks.
  • CISA issued emergency guidance and, for federal agencies, a hard remediation timeline, underscoring the threat to critical infrastructure. (cisa.gov, tenable.com)
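As an added example (not code from the original post or from Microsoft), the following PowerShell performs the read-only half of the remediation described above: it inspects the tenant's Exchange Online service principal for leftover keyCredentials, which is the key material the legacy shared service principal configuration relies on. It assumes the Microsoft Graph PowerShell SDK, an account with Application.Read.All consent, and the well-known first-party "Office 365 Exchange Online" appId.

```powershell
# Added example, not from the original post or Microsoft's own scripts.
# Read-only: lists keyCredentials on the Exchange Online first-party service principal.
# Assumes Microsoft.Graph SDK and Application.Read.All (or Directory.Read.All) consent.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All'

# Well-known appId of the "Office 365 Exchange Online" first-party application.
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'
$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'" -Property 'id,displayName,keyCredentials'

if (-not $sp) { throw 'Exchange Online service principal not found in this tenant.' }

$keys = @($sp.KeyCredentials)
if ($keys.Count -eq 0) {
    Write-Host "OK: no keyCredentials on '$($sp.DisplayName)' ($($sp.Id))"
} else {
    Write-Warning "$($keys.Count) keyCredential(s) present on '$($sp.DisplayName)'; legacy shared hybrid key material may remain."
    # Expired entries still deserve a look: they show the legacy configuration was once in use.
    $keys | Select-Object KeyId, DisplayName, Type, Usage, StartDateTime, EndDateTime |
        Sort-Object EndDateTime | Format-Table -AutoSize
}
```

Run this before and after the reset step: a non-empty list before and an empty one after is the evidence trail auditors will ask for. The reset itself (clearing that collection) belongs after the dedicated hybrid app is in place, otherwise hybrid free/busy and mailbox-migration flows that still depend on the shared principal break.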

CVE-2025-53779 — Kerberos "BadSuccessor" (publicly disclosed zero‑day)

CVE-2025-53779 is a Windows Kerberos elevation-of-privilege vulnerability tied to a technique publicly described as BadSuccessor. The exploit abuses delegated Managed Service Account (dMSA) attributes (notably msDS-GroupMSAMembership and msDS-ManagedAccountPrecededByLink) to create improper delegation relationships that allow an attacker with specific preexisting privileges to impersonate high‑privilege identities and escalate to domain administrator. The technique was publicly detailed before Microsoft shipped a patch, which raises its profile for defenders. (thehackernews.com, tenable.com)
Key mitigation facts:
  • Exploitation requires specific preconditions: access to particular dMSA attributes and at least one domain controller running Windows Server 2025 in the victim domain.
  • Published telemetry indicates limited prevalence (estimates around 0.7% of AD domains had the precondition at disclosure), but the impact of a successful exploit is catastrophic — domain and forest compromise. (thehackernews.com, tenable.com)

CVE-2025-50154 — NTLM hash extraction / patch bypass (zero‑click possibilities)

Researchers demonstrated a bypass of earlier NTLM mitigation work (originally fixed in March 2025 as CVE‑2025‑24054) that allows an attacker to coerce a system into sending NTLM hashes automatically — no user interaction required in some variants. The bypass hinges on subtle file-handling behaviors (e.g., icon/resource retrieval, UNC path handling or rendering of remote binary icon data) that still trigger SMB/NTLM authentication in Windows Explorer and related components. The practical outcome: attackers can extract NTLMv2 hashes silently, enabling offline cracking or NTLM relay attacks. (cymulate.com, research.checkpoint.com)
Operational consequences:
  • NTLM relays remain a live, high-impact method for lateral movement and privilege escalation; a zero‑click hash leak amplifies that risk.
  • Microsoft’s earlier mitigation reduced exposure, but the bypass shows patch verification and defense-in-depth are essential.
  • Mitigations such as blocking outbound NTLM, strict SMB and firewall rules, and using Protected Users or disabling NTLM where feasible remain critical controls pending full fixes. (bleepingcomputer.com, research.checkpoint.com)
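The outbound-NTLM control above is the one most teams hesitate over because a blanket deny can break legitimate internal authentication. As an added example (not from the original post or from any vendor), this PowerShell puts a single host into NTLM audit mode and summarises which remote targets would have been blocked, separating internal from external destinations so the "deny" setting can be rolled out with evidence. It assumes local administrator rights, that the internal DNS suffixes in $internalSuffixes are replaced with your own, and the event-data field names of NTLM Operational event 8001 (TargetName, ProcessName, UserName), which are taken from that event's schema and not from the post.

```powershell
# Added example, not from the original post. Audit outgoing NTLM on one host and
# report the remote targets that a deny policy would block.
# The registry value below backs the GPO "Network security: Restrict NTLM:
# Outgoing NTLM traffic to remote servers": 0 = allow all, 1 = audit all, 2 = deny all.
# At scale set it through Group Policy; a GPO will overwrite this local change.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# Constructed placeholder suffixes; replace with your own internal DNS zones.
$internalSuffixes = @('corp.example.com', 'example.local')

# Event 8001 in the NTLM Operational log is written for every outgoing NTLM
# authentication that audit mode would have blocked.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Field names assumed from the 8001 event schema; TargetName is the remote server.
    $target = [string]$data['TargetName']
    # Bare NetBIOS names (no dot) and our own suffixes count as internal.
    $isInternal = ($target -notmatch '\.')
    foreach ($s in $internalSuffixes) { if ($target -like "*.$s") { $isInternal = $true } }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Target   = $target
        Internal = $isInternal
        Process  = $data['ProcessName']
        User     = $data['UserName']
    }
}

# External targets are the ones the silent hash-leak scenario depends on;
# internal ones tell you what a deny policy would break.
"Outgoing NTLM to external targets (last 7 days):"
$rows | Where-Object { -not $_.Internal } |
    Group-Object Target | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Outgoing NTLM to internal targets (review before switching to deny):"
$rows | Where-Object { $_.Internal } |
    Group-Object Target | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Leave the host in audit mode for at least one full business cycle before moving the value to 2: the internal list is the exception set you will need (legacy NAS appliances and older print servers are the usual entries), and the external list, when non-empty, is itself a detection worth forwarding to the SIEM.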

Check Point findings and Rust-based kernel component crashes

Security teams should pay attention to vendor research that uncovered vulnerabilities in memory- and kernel-level components, including a rare finding implicating a Rust-based kernel component in Windows that could cause system-wide crashes and hard reboots. The discovery is notable because Rust was introduced to reduce memory safety issues; a vulnerability that causes crashes demonstrates that language-level safety reduces but does not eliminate systemic risk. Check Point also reported multiple memory corruption issues that enable remote code execution when users process crafted files — adding further impetus to patch image-handling and graphics components quickly. (thehackernews.com, itvoice.in)

How to prioritize and triage this release

Security teams should adopt a risk-first triage: prioritize identity, internet-facing services, and payload vectors that require minimal attacker effort.
  • Patch domain controllers and identity-critical servers (AD DCs, Kerberos-related infrastructure) first.
  • Patch Exchange servers in hybrid environments immediately; implement Microsoft’s guidance for deploying a dedicated Exchange hybrid app and resetting service principal keyCredentials.
  • Prioritize Windows servers and endpoints exposed to users who may be targeted by NTLM relay or zero-click file attacks (file servers, mail clients, RDP hosts).
  • Apply fixes for high‑CVSS RCE bugs (graphics, GDI+, MSMQ, DirectX Graphics Kernel) on exposed systems where exploitation could lead to remote code execution.
  • For Azure and Microsoft 365 tenants: verify that cloud-side CVEs (e.g., Azure OpenAI, Azure Portal, Copilot BizChat) are listed as remediated by the provider; Microsoft states some cloud CVEs were fixed on the service side with no customer action required, but tenants should confirm service health pages and internal logs to validate. (thehackernews.com, support.microsoft.com)
Why this order:
  • Domain controllers and Exchange servers unlock the highest post‑exploit value for attackers: credential theft, mailbox access, and persistent control.
  • NTLM bypasses and zero-click RCEs have low user-interaction requirements and often get weaponized quickly once published.
  • Cloud-side remediations reduce immediate exposure, but hybrid linkages (like Exchange hybrid flaws) can convert an on-prem foothold into tenant compromise.

Step-by-step mitigation checklist (immediate actions)

  • Inventory and identify systems:
      • Run domain-wide inventories to locate domain controllers, Exchange hybrid servers, and Windows Server 2025 instances.
      • Use enterprise patch-management and vulnerability tools to map which endpoints need the August updates.
  • Apply patches in a staged but fast manner:
      • Stage updates in a controlled window, prioritizing domain controllers and Exchange servers.
      • Validate backups and rollback plans before mass rollout.
      • If patching domain controllers requires reboots, schedule during low-impact windows and stagger to avoid directory availability issues.
  • Exchange hybrid-specific steps:
      • Ensure the April 2025 hotfix or later is applied to on-prem Exchange servers, or apply the August SU if required.
      • Deploy the dedicated Exchange hybrid application in Entra ID where recommended.
      • Reset the shared service principal's keyCredentials where hybrid OAuth secrets/key material remains from legacy config. Follow Microsoft's Exchange health-check guidance and MDVM recommendations. (techcommunity.microsoft.com, cisa.gov)
  • Harden NTLM and SMB exposure:
      • Block outbound NTLM authentication to internet hosts via firewall policies where feasible.
      • Apply the "Restrict NTLM: Outgoing NTLM traffic to remote servers" group policy in audit or block mode as appropriate.
      • Move critical accounts into Protected Users and consider adopting Kerberos-only or modern auth strategies.
      • Monitor for anomalous SMB/NTLM traffic patterns and authentication attempts to attacker-controlled endpoints. (bleepingcomputer.com, research.checkpoint.com)
  • Audit and lock down dMSA creation and attributes:
      • Review who can create or modify delegated Managed Service Accounts (dMSA) and enforce least privilege.
      • Audit msDS-GroupMSAMembership and msDS-ManagedAccountPrecededByLink writes; restrict edit rights to a limited admin group.
      • Implement monitoring for changes to these attributes and alert on unexpected writes. (thehackernews.com, tenable.com)
  • Compensating controls:
      • Increase logging and SIEM rules for suspicious authentication, Exchange admin activity, and AD attribute edits.
      • Use network segmentation to isolate management interfaces and reduce lateral movement potential.
      • For organizations that cannot patch immediately, apply isolation or temporary disconnect for high-risk servers (e.g., take vulnerable Exchange servers offline from internet-facing channels). (socradar.io)
  • Validate cloud service remediation:
      • Check Azure, Microsoft 365 and Copilot tenant status pages and security advisories to confirm Microsoft’s service-side remediations for the noted cloud CVEs; document and retain evidence that tenant configurations remain safe. (thehackernews.com)
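The "inventory" and "audit and lock down dMSA" items in the checklist above are the two that can be scripted directly against the directory. As an added example (not code from the original post, from Microsoft, or from the BadSuccessor researchers), the following PowerShell checks the preconditions the post lists (a Windows Server 2025 domain controller, dMSA objects with the two link attributes) and then enumerates which identities hold create rights for dMSA objects on each OU. It assumes the RSAT ActiveDirectory module, read access to the directory and its ACLs, the dMSA object class name msDS-DelegatedManagedServiceAccount from the Windows Server 2025 schema, and that $expected is adjusted to your own tier-0 principals.

```powershell
# Added example, not from the original post. Audits BadSuccessor preconditions
# and dMSA creation rights. Assumes RSAT ActiveDirectory and read access to ACLs.
Import-Module ActiveDirectory

# 1. Precondition from the post: at least one DC running Windows Server 2025.
$dc2025 = @(Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -like '*2025*' })
"Windows Server 2025 domain controllers: $($dc2025.Count)"

# 2. Existing dMSA objects and the two link attributes named in the post.
$dmsaClass = 'msDS-DelegatedManagedServiceAccount'   # dMSA object class (Server 2025 schema)
$attrs = 'msDS-ManagedAccountPrecededByLink', 'msDS-GroupMSAMembership', 'whenCreated'
"Existing dMSA objects:"
Get-ADObject -LDAPFilter "(objectClass=$dmsaClass)" -Properties $attrs |
    Select-Object DistinguishedName, whenCreated, 'msDS-ManagedAccountPrecededByLink' |
    Format-Table -AutoSize

# 3. Who may create dMSA objects in each OU. CreateChild scoped to the dMSA class,
#    unscoped CreateChild, or GenericAll is what least privilege needs to rein in.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$classObj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(ldapDisplayName=$dmsaClass)" -Properties schemaIDGUID
if (-not $classObj) {
    "Schema does not define $dmsaClass; forest schema has not been extended for Server 2025."
    return
}
$classGuid = [guid]::new([byte[]]$classObj.schemaIDGUID)

# Principals expected to hold these rights; adjust to your tier-0 set.
$expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'Administrators')

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $scopedToClass = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $classGuid)
        $canCreate = ($rights -match 'GenericAll') -or (($rights -match 'CreateChild') -and $scopedToClass)
        if (-not $canCreate) { continue }

        $who = $ace.IdentityReference.Value            # e.g. CONTOSO\Domain Admins
        if ($expected | Where-Object { $who -like "*\$_" }) { continue }

        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Identity  = $who
            Rights    = $rights
            Inherited = $ace.IsInherited
        }
    }
}
"Non-tier-0 identities able to create dMSA objects:"
$findings | Format-Table -AutoSize
```

Anything in the last table is a candidate for removal or for an explicit exception record: an OU where a helpdesk group holds unscoped CreateChild is exactly the "specific preexisting privileges" the post describes. The script only walks OUs; extend the loop with the default containers (Get-ADObject -LDAPFilter "(objectClass=container)") if your delegation model grants rights there too.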

Detection and response — what to watch for

  • Unexpected changes to service principal keyCredentials in Entra ID or OAuth configurations linked to Exchange.
  • New or unusual writes to dMSA attributes (msDS-GroupMSAMembership, msDS-ManagedAccountPrecededByLink).
  • Outbound SMB/NTLM authentication attempts from endpoint populations to external IPs — particularly repeated NTLMv2 handshakes that could indicate hash-leak attempts or relay staging.
  • Large-scale Explorer.exe or graphics-process crashes across endpoints that coincide with kernel-level crash signatures (possible indicator for the Rust-related kernel crash behavior).
  • Suspicious mailbox-access patterns, mail-forwarding rules being created, or admin role assignments altered — classic signs that hybrid escalation was used. (cisa.gov, research.checkpoint.com)
Forensics note: if an Exchange hybrid escalation or Kerberos privilege abuse is suspected, assume potential tenant-wide compromise and preserve logs across both on‑prem and Microsoft 365 audit records, then engage an incident response process that can validate lateral movement, persistence, and exfiltration. (cisa.gov)
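The second watch item above (writes to the two dMSA attributes) maps onto Directory Service Changes auditing. As an added example (not from the original post), this PowerShell pulls Security event 5136 from a domain controller and turns any write to those attributes into an alert record with the acting account, the object and the value written. It assumes "Audit Directory Service Changes" is enabled, that a SACL for property writes exists on the OUs you care about (without it 5136 is never generated), that the DC name is a constructed placeholder, and that the event-data field names (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType) follow the 5136 schema rather than anything on the page.

```powershell
# Added example, not from the original post. Detects writes to the dMSA link
# attributes via Security event 5136 (Directory Service Changes).
# Requires: "Audit Directory Service Changes" subcategory enabled on DCs and an
# audit ACE for property writes on the monitored OUs.
$watched = @('msDS-ManagedAccountPrecededByLink', 'msDS-GroupMSAMembership')
$dc      = 'dc01.corp.example.com'      # constructed placeholder; one DC per query
$since   = (Get-Date).AddHours(-24)

$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5136
    StartTime = $since
} -ErrorAction SilentlyContinue

$alerts = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d   = @{}
    foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }

    $attr = [string]$d['AttributeLDAPDisplayName']
    if ($watched -notcontains $attr) { continue }

    # OperationType is a resource string id: %%14674 = Value Added, %%14675 = Value Deleted.
    $op = switch ($d['OperationType']) {
        '%%14674' { 'Value Added' }
        '%%14675' { 'Value Deleted' }
        default   { [string]$d['OperationType'] }
    }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        DC        = $e.MachineName
        Subject   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object    = $d['ObjectDN']
        Class     = $d['ObjectClass']
        Attribute = $attr
        Operation = $op
        Value     = $d['AttributeValue']   # for PrecededByLink this is the DN being "succeeded"
    }
}

if ($alerts) {
    Write-Warning "$(@($alerts).Count) write(s) to dMSA link attributes since $since"
    $alerts | Format-Table -AutoSize     # in production: forward to the SIEM instead
} else {
    "No writes to $($watched -join ', ') on $dc since $since"
}
```

The same predicate (EventID 5136 and AttributeLDAPDisplayName in the watched set) is what you would encode as a SIEM rule; baseline it against your own provisioning automation first so that legitimate dMSA migrations are an allow-listed subject rather than a daily page. A "Value Added" on msDS-ManagedAccountPrecededByLink pointing at a privileged account, written by anything other than that automation, is the specific signal to escalate on.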

Why some of these bugs are deceptively dangerous

  • Attackers can chain these issues: a low-scope foothold becomes a high-impact compromise when combined with Kerberos dMSA abuse or an Exchange hybrid escalation.
  • High-severity RCEs in graphics or file-parsing components are routinely used as initial code-execution vectors (phishing-delivered documents, malicious images) and are often weaponized quickly.
  • Public disclosure before patching (as with BadSuccessor/CVE-2025-53779) raises the probability of exploit development by third parties or opportunistic attackers.
  • Cloud-side remediations reduce customer workload, but hybrid dependencies (service principals, OAuth) can create asymmetric attack surfaces where on-prem misconfigurations enable cloud takeover. (thehackernews.com, blog.talosintelligence.com)

Risk tradeoffs and patching pitfalls

Applying security updates at speed is essential, but organizations must plan for:
  • Reboots and service interruptions (domain controllers, Exchange servers).
  • Potential compatibility issues with third-party drivers or security agents; test patch bundles in representative lab groups.
  • The risk of incomplete mitigation: as research on NTLM bypasses shows, earlier fixes can leave subtle gaps. Patch validation, layered controls, and careful monitoring are required beyond simply applying the KB. (cymulate.com, research.checkpoint.com)
If immediate patching is impossible, rely on compensating controls (network isolation, outbound NTLM blocking, monitoring) and document the residual risk and compensations for audit purposes.

Long-term lessons for enterprise defenders

  • Identity-first security posture: attackers leverage identity abuses to maximize blast radius. Harden identity stores, limit dMSA privileges, and treat any privileged account changes as high‑priority alerts.
  • Validate patches beyond their release notes: vendors can release fixes that change behavior in edge cases; independent testing and telemetry help catch bypasses quickly.
  • Defense-in-depth still wins: blocking NTLM, enabling SMB hardening, segmenting management planes, and applying rigorous least-privilege reduce the odds of single-point failures.
  • Hybrid architectures need explicit security reviews: hybrid service principals, OAuth flows, and admin tooling must be reviewed on a schedule — these are recurring high-risk surfaces. (techcommunity.microsoft.com, research.checkpoint.com)

What to tell executives and boards (concise briefing)

  • The August security release patches up to ~111 vulnerabilities across the Microsoft stack; of these, multiple flaws allow privilege escalation to domain admin or remote code execution with minimal interaction, and one Kerberos issue (BadSuccessor/CVE‑2025‑53779) was publicly disclosed before a patch. Our priority is identity and Exchange/hybrid patching and confirming cloud-side remediations. (blog.talosintelligence.com, thehackernews.com)
  • Expected near-term actions: emergency patching for DCs and Exchange, targeted validation for NTLM mitigations, and tightened monitoring for dMSA attribute changes and suspicious outbound SMB. We are executing changes in a staged maintenance window to balance security and availability.

Final assessment and recommended next steps

This month’s updates are a timely reminder that hybrid complexity and legacy authentication protocols remain primary exploitation enablers. The release addresses critical RCE and EoP bugs — and while some cloud services were remediated on Microsoft’s side, the hybrid and identity-focused issues require immediate on‑prem attention.
Recommended next steps (executive summary):
  • Immediately assess and patch domain controllers and Exchange hybrid servers. (cisa.gov)
  • Implement Microsoft’s Exchange hybrid remediation guidance (dedicated hybrid app and service principal key reset). (techcommunity.microsoft.com)
  • Harden and audit dMSA permissions and NTLM/SMB outbound behavior; apply compensating controls if you cannot patch immediately. (research.checkpoint.com, thehackernews.com)
  • Validate cloud remediations and preserve telemetry for any suspicious activity tied to the August updates. (thehackernews.com)
Cautionary note: public research shows that not all mitigations are final — some fixes have required follow-up once researchers attempted exploitation. Treat the August updates as a high-priority patch cycle combined with a verification and monitoring campaign. (cymulate.com, thehackernews.com)
Apply the fixes, test broadly, and assume that attackers will scan for unpatched hybrid identity surfaces. The practical security gains will come from rapid patching combined with tighter identity hygiene and targeted network controls.

Source: Softonic, "Microsoft fixes 111 vulnerabilities that exposed your computer to all kinds of threats"