Aggregator

You must login to view this content

We’ve made it through hacker summer camp and made our way to the second Tuesday of the month. Adobe and Microsoft seemed to have survived as well, as they released their latest security patches. Take a break from your scheduled activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for August 2025

For August, Adobe released 13 bulletins addressing 68 unique CVEs in Commerce, Substance 3D Viewer, Animate, Illustrator, Photoshop, Substance 3D Modeler, Substance 3D Painter, Substance 3D Sampler, InDesign, InCopy, Substance 3D Stager, FrameMaker, and Dimension. If you’re looking to prioritize, start with the update for Commerce, which fixes six bugs and is listed as Priority 2. There are eight bugs in the patch for InCopy and all are rated Critical and lead to code execution. The patch for InDesign is quite large with 14 different CVEs being addressed – 12 of which are Critical. The fix for Substance 3D Modeler is also quite large with 13 CVEs. However, most of these are rated Important. That’s a similar story for the fix in Substance 3D Painter. Of the nine CVEs fixed, only one is Critical. There’s also one Critical fix in the patch for Substance 3D Stager, which fixes two bugs in total. The patch for Substance 3D Sampler fixes a single, Important CVE. The Substance 3D family is rounded out with two Critical CVEs for Substance 3D Viewer.

The fix for Animate addresses two bugs, one of which is Critical. The patch for Illustrator contains four fixes. Two of those bugs lead to arbitrary code execution. The single fix for Photoshop also addresses a bug that could lead to code execution. Both of these are typical open-and-own exploits. The patch for FrameMaker contains fixes for five CVEs. The final patch from Adobe this month fixes a single Important-rated bug in Dimension.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Besides the patch for Commerce, all updates are listed as deployment priority 3.

Microsoft Patches for August 2025

This month, Microsoft released a whopping 107 new CVEs in Windows and Windows Components, Office and Office Components, Microsoft Edge (Chromium-based), Azure, GitHub Copilot, Dynamics 365, SQL Server, and Hyper-V Server. Seven of these bugs were submitted through the Trend ZDI program.

Of the patches released today, 12 are rated Critical, one is rated Moderate, one is rated Low, and the rest are rated Important in severity. This puts Microsoft slightly ahead of where they were last year in terms of volume. In fact, this year is the largest volume of fixes from Redmond since 2020, although it’s unlikely they will eclipse that total.

Microsoft lists one bug as being publicly known at the time of release, but nothing is noted as being under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug rated as a CVSS 9.8:

-   CVE-2025-53766 - GDI+ Remote Code Execution Vulnerability
As mentioned, this bug is a CVSS 9.8 as it allows for code execution just by browsing to a malicious webpage. An attacker could also embed a specially crafted metafile into a document and have the target open the file. A worst-case scenario would be an attacker uploading something through an ad network that is served up to users. Ad blockers aren’t just to remove annoyances; they also protect for malicious ads. They’re rare, but they have occurred in the past. Since GDI+ touches so many different components (and users tend to click on anything), test and deploy this one quickly.

-   CVE-2025-50165 - Windows Graphics Component Remote Code Execution Vulnerability
Speaking of browse-and-own, that's exactly what this bug allows as well. Rating a CVSS 9.8, this could lead to code execution by viewing a specially crafted image. Browse-and-own bugs always gain attention from researchers, so even though this is listed as “exploitation less likely”, I would treat this as a critical patch for deployment. 

-    CVE-2025-53731/ CVE-2025-53740 - Microsoft Office Remote Code Execution Vulnerability
This is the seventh month in a row where at least one Office component allowed code execution through the Preview Pane. With so many different components impacted, I doubt these are all patch bypasses. Instead, it appears attackers are mining code that hasn’t been looked at much and finding some gems. Perhaps it’s time to consider disabling the Preview Pane for a bit while the security gnomes in Redmond sort this out.

-    CVE-2025-49712 - Microsoft SharePoint Remote Code Execution Vulnerability
SharePoint has definitely been a hot topic over the last month, with exploits hitting several U.S. government targets. While this bug is not listed as under active attack, it is the same type of bug used in the second stage of existing exploits. The first stage is an authentication bypass, as this vulnerability does require authentication. However, several auth bypasses are publicly known (and patched). Be sure you are up-to-date with ALL of your SharePoint patches and reconsider having them be internet accessible.

Here’s the full list of CVEs released by Microsoft for August 2025:

† Indicates further administrative actions are required to fully address the vulnerability.

Looking at the remaining Critical patches, there are two for Word that also include the Preview Pane as an attack vector. There are three Critical bugs in Hyper-V. One could disclose the ever mysterious “sensitive information” while the other allows VM to spoof their identity in communications with external systems. The other allows code execution on the hypervisor from a guest. The bug in Azure Stack also allows an attacker to disclose information over a network. There’s a juicy code execution bug in the DirectX Graphics Kernel, but it does require authentication. The bug in NLTM is an interesting case. It allows an authenticated attacker to elevate privileges over the network. We’re used to seeing these as local exploits only. Lastly, there’s a Use-After-Free bug in the Windows Message Queuing (MSMQ) component. In this case, the attacker would need to series of specially crafted MSMQ packets in a rapid sequence over HTTP to an affected server. The attacker still needs to win a race condition, but we’ve seen plenty of race condition bugs win Pwn2Own, so don’t rely on that alone.

Including those already discussed, there are over 30 code execution bugs receiving fixes this month. The Important-rated Office components do not have Preview Pane as an attack vector and are the open-and-own variety. There’s also this month’s crop of RRAS fixes. I’m still waiting for any of these to be exploited in the wild, but I’m not holding my breath. There are three additional bugs in MSMQ. Their description seems identical to the Critical-rated bug already discuss, so it’s not clear why these are only listed as Important. If you’re running Web Deploy (msdeploy), you definitely want to test and deploy the patch quickly. An unauthenticated attacker could get code execution simply by sending specially crafted requests to an affected server. The SMB bug requires a user to initiate a connection to an SMB server – usually by clicking a link in email. The bug in Teams came through ZDI. The bug exists within the real time media manager. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. The bug in Desktop Windows Manager requires authentication and reads more like an LPE. The final code execution bug is an AI bug in GitHub Copilot and Visual Studio. It does require a user to trigger the payload, so some form of social engineering will be involved. Still – AI bug – woo hoo!

There are more than 40 elevation of privilege (EoP) bugs in the July release. Thankfully, most of these bugs lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. The bugs in SQL Server allow an attacker to gain sysadmin privileges. These bugs also require special attention when patching, so pay close attention to version numbers to ensure you are fully protected. There’s a bug in Hyper-V that could allow attackers to overwrite arbitrary file content in the security context of the local system. The SharePoint vulnerability would let attackers gain the privileges of the compromised user. The four bugs in Push Notifications allow for sandbox escapes. The vulnerability in the Connected Devices Platform Service allows someone to go from Medium Integrity Level to Local Service. The bug in Desktop Windows Manager just states that an attacker could gain access to “system resources” leading to further compromise. The EoP in StateRepository API Server file could lead to accessing the rights of the user that is running the affected application. Lastly, if you are an Exchange admin, you have some work ahead of you. Microsoft released a hot fix back in April and is making that change more official. You’ll need to apply the hot fix and implement changes in your Exchange Server and hybrid environment. Dominus tecum.

The August release contains more than a dozen information disclosure patches. As expected, most of these only result in info leaks consisting of unspecified memory contents or memory addresses. This is useful info to have when exploiting components on a system, but otherwise not quite riveting. There are a few exceptions. The info disclosure bug in Exchange allows attackers to determine if an email address is valid. The bugs in MSDTC and Dynamics 365 could leak the ephemeral “sensitive information”. One of the bugs in Azure is listed as public and could leak deployment API and system internal configurations. The bug in Azure Stack Hub is more serious as it could leak administrator account passwords in the logs.

There are only four patches for Denial-of-Service (DoS) bugs in this release. However, Microsoft provides no actionable information about these bugs. Instead, they simply state that an attacker could deny service over a network to that component. The only exception is the bug in Hyper-V. In this case, a low-privileged guest VM could deny service on the Hyper-V host environment.

Moving on to the spoofing bugs in this month’s release, the bug in Remote Desktop manifests as an authorization bypass. Not much is clear around the File Explorer bug other than that user interaction is required. There’s no clear info of the bug in the Security App either, but one could assume an attacker could bypass Security App protections. The spoofing bugs in Exchange are a bit clearer. These vulns allow an attacker to spoof the “5322.From” email address that is displayed to a user – a handy trick for social engineering. Finally, the spoofing bug in Edge would allow for a traffic redirect.

There’s a single tampering bug in Microsoft Exchange, but the only information Microsoft provides in that, “an authorized attacker to perform tampering over a network.” I would guess that means they could mess with people’s inboxes and/or calendars, but who knows. The August release is rounded out by a single cross-site scripting (XSS) bug in Dynamics 365.

No new advisories are being released this month.

Looking Ahead

The next Patch Tuesday of 2025 will be on September 9, and I’ll be back then with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

1. 13Critical
2. 91Important
3. 2Moderate
4. 1Low

Microsoft addresses 107 CVEs, including one zero-day vulnerability that was publicly disclosed.

Microsoft patched 107 CVEs in its August 2025 Patch Tuesday release, with 13 rated critical, 91 rated as important, one rated as moderate and one rated as low.

This month’s update includes patches for:

• Azure File Sync
• Azure OpenAI
• Azure Portal
• Azure Stack
• Azure Virtual Machines
• Desktop Windows Manager
• GitHub Copilot and Visual Studio
• Graphics Kernel
• Kernel Streaming WOW Thunk Service Driver
• Kernel Transaction Manager
• Microsoft 365 Copilot's Business Chat
• Microsoft Brokering File System
• Microsoft Dynamics 365 (on-premises)
• Microsoft Edge for Android
• Microsoft Exchange Server
• Microsoft Graphics Component
• Microsoft Office
• Microsoft Office Excel
• Microsoft Office PowerPoint
• Microsoft Office SharePoint
• Microsoft Office Visio
• Microsoft Office Word
• Microsoft Teams
• Remote Access Point-to-Point Protocol (PPP) EAP-TLS
• Remote Desktop Server
• Role: Windows Hyper-V
• SQL Server
• Storage Port Driver
• Web Deploy
• Windows Ancillary Function Driver for WinSock
• Windows Cloud Files Mini Filter Driver
• Windows Connected Devices Platform Service
• Windows DirectX
• Windows Distributed Transaction Coordinator
• Windows File Explorer
• Windows GDI+
• Windows Installer
• Windows Kerberos
• Windows Kernel
• Windows Local Security Authority Subsystem Service (LSASS)
• Windows Media
• Windows Message Queuing
• Windows NT OS Kernel
• Windows NTFS
• Windows NTLM
• Windows PrintWorkflowUserSvc
• Windows Push Notifications
• Windows Remote Desktop Services
• Windows Routing and Remote Access Service (RRAS)
• Windows SMB
• Windows Security App
• Windows StateRepository API
• Windows Subsystem for Linux
• Windows Win32K GRFX
• Windows Win32K ICOMP

Elevation of privilege (EoP) vulnerabilities accounted for 39.3% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 32.7%.

CVE-2025-53779 is an EoP vulnerability in Windows Kerberos. It was assigned a CVSSv3 score of 7.2 and is rated moderate. An authenticated attacker with access to a user account with specific permissions in active directory (AD) and at least one domain controller in the domain running Windows Server 2025 could exploit this vulnerability to achieve full domain, and then forest compromise in an AD environment.

This is a patch for a zero-day vulnerability dubbed BadSuccessor by Yuval Gordon, a security researcher at Akamai. It was disclosed on May 21. For more information on BadSuccessor, please review our FAQ blog, Frequently Asked Questions About BadSuccessor.

CVE-2025-49712 is a RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 8.8 and is rated important. An attacker would need to be authenticated with Site Owner privileges at minimum. Once authenticated, an attacker could either write arbitrary code or use code injection to execute code on a vulnerable SharePoint Server to gain RCE.

This RCE follows on the heels of the ToolShell vulnerabilities that were disclosed in the July 2025 Patch Tuesday release and exploited in the wild as zero-days.

CVE-2025-53778 is an EoP vulnerability affecting Windows New Technology LAN Manager (NTLM). It was assigned a CVSSv3 score of 8.8 and is rated as critical. According to the advisory, successful exploitation would allow an attacker to elevate their privileges to SYSTEM. This flaw was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

This marks the second critical EoP affecting Windows NTLM in 2025, following CVE-2025-21311 which was patched in the January 2025 Patch Tuesday release.

CVE-2025-50177, CVE-2025-53143, CVE-2025-53144 and CVE-2025-53145 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). While three of these four CVEs (CVE-2025-53143, CVE-2025-53144 and CVE-2025-53145) were assigned CVSSv3 scores of 8.8 and rated as important, CVE-2025-50177 was assigned a CVSSv3 score of 8.1 and rated as critical. Similarly, CVE-2025-50177 was assessed as “Exploitation More Likely,” while the other three were assessed as “Exploitation Less Likely.”

In order to exploit these CVEs, an attacker would need to send a crafted MSMQ packet to a vulnerable server in order to achieve code execution.

A list of all the plugins released for Microsoft’s August 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

• Microsoft's August 2025 Security Updates
• Tenable plugins for Microsoft August 2025 Patch Tuesday Security Updates

Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Electronic Arts’ SPEAR Anti-Cheat Team has released a noteworthy update, stating that since the Battlefield 6 Open Beta Early Access launch, the company’s Javelin anti-cheat technology has successfully prevented over 330,000 attempts to cheat or tamper with security controls. This announcement, delivered by team representative AC, underscores the ongoing battle against cheating in multiplayer gaming […]

The post Electronic Arts Blocks 300,000 Cheating Attempts After Battlefield 6 Beta Launch appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.