Microsoft’s August Patch Tuesday Fixes 111 Bugs — Including a Kerberos Zero-Day Tied to “BadSuccessor”


Microsoft’s August Patch Tuesday delivered fixes for 111 security flaws across Windows, Office, Azure services, Edge, and other components, including a publicly disclosed zero-day in Windows Kerberos that researchers say can help attackers seize control of Active Directory when certain conditions are met. Sixteen bugs are rated Critical, with the biggest clusters in elevation-of-privilege and remote-code-execution categories. 

The headline issues

  • Kerberos zero-day (CVE-2025-53779, “BadSuccessor”). Microsoft patched a relative path traversal weakness in Windows Kerberos linked to the BadSuccessor technique disclosed in May by Akamai’s Yuval Gordon. In environments using delegated Managed Service Accounts (dMSAs), a sufficiently positioned attacker could abuse delegation relationships and climb to domain admin. Microsoft says the bug was publicly known at release time.

    “Successful exploitation…requires an attacker to have pre-existing control of two [dMSA] attributes,” Rapid7’s Adam Barnett told The Hacker News. Those attributes govern who can use dMSA credentials and on whose behalf the dMSA may act.

  • High-impact graphics RCEs. Among the Critical fixes, CVE-2025-50165 in the Windows Graphics Component (CVSS 9.8) can be triggered by a malicious JPEG—potentially embedded in Office files—without user interaction. Microsoft also addressed CVE-2025-53766 in GDI+ (CVSS 9.8), a metafile-parsing flaw. Both offer attractive initial footholds for attackers.

  • Edge/Chromium updates. Microsoft notes 16 Edge vulnerabilities addressed since July’s Patch Tuesday, including two spoofing bugs affecting Edge for Android. If your organization allows Android devices, ensure mobile browsers are current. 

Overall, this month’s slate skews toward 44 elevation-of-privilege, 35 remote-code-execution, 18 information-disclosure, 8 spoofing, and 4 denial-of-service flaws, per Microsoft’s counts. 

 

Why it matters

Organizations running Windows Server 2025 and Windows 11 24H2 are directly in scope for several of the most severe graphics bugs; hybrid Exchange and Azure services also receive meaningful updates. For the Kerberos issue, Microsoft and independent researchers emphasize that attackers need specific dMSA attribute control—but in real intrusions, those privileges are often gained mid-kill-chain (e.g., via phishing, lateral movement, or other EoPs). In other words, BadSuccessor can be the final link to full domain compromise if earlier defenses fail.

Microsoft said it had no evidence of in-the-wild exploitation for the August set at release time. Even so, the mix of pre-auth RCEs and identity-infrastructure risk puts this month firmly in the “patch quickly” bucket. 

What to patch first (practical triage)

  1. Kerberos / AD hardening

    • Apply the CVE-2025-53779 update across supported domain controllers.

    • Audit dMSA objects: review msDS-GroupMSAMembership and msDS-ManagedAccountPrecededByLink for unexpected principals, and restrict who can modify them. Consider detections around abnormal dMSA delegation changes.

  2. Windows graphics stack

    • Prioritize CVE-2025-50165 and CVE-2025-53766 across Windows 11 24H2/Server 2025 fleets, especially VDI, RDS, file-processing servers, and high-risk user populations.

  3. Microsoft Office / SharePoint

    • Patch Office RCEs such as CVE-2025-53733 (Word) and SharePoint CVE-2025-49712, which can be abused via malicious files or deserialization paths. Tighten preview/Protected View policies.

  4. Edge (desktop and Android)

    • Roll out the latest Edge builds everywhere, including Android devices subject to MDM.
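As an added example (not code from the article, Microsoft or Akamai), this is the kind of detection the dMSA audit step suggests: a Python filter over constructed Security event 5136 ("A directory service object was modified") records that flags writes to the two dMSA attributes named above. The event field names are simplified, and the principal allowlist and sample events are assumptions.

```python
# Added example: flag abnormal dMSA delegation changes from Security event 5136
# ("A directory service object was modified"). Events are constructed; fields are simplified.

WATCHED = {"msds-groupmsamembership", "msds-managedaccountprecededbylink"}
# Hypothetical allowlist: principals you expect to be granted use of dMSA credentials.
EXPECTED_PRINCIPALS = {"CORP\\SQL-Servers", "CORP\\Web-Servers"}
DMSA = "msDS-DelegatedManagedServiceAccount"
OU = "CN=Managed Service Accounts,DC=corp,DC=example"

def event(subject, object_class, object_dn, attribute, value, operation="Value Added"):
    """Build a constructed event record carrying the 5136 fields this check uses."""
    return {"event_id": 5136, "subject": subject, "object_class": object_class,
            "object_dn": object_dn, "attribute": attribute, "value": value,
            "operation": operation}

SAMPLE_EVENTS = [
    # A user links a dMSA to the built-in Administrator as its predecessor account.
    event("CORP\\jdoe", DMSA, f"CN=svc-web$,{OU}", "msDS-ManagedAccountPrecededByLink",
          "CN=Administrator,CN=Users,DC=corp,DC=example"),
    # The same user grants themself the right to use that dMSA's credentials.
    event("CORP\\jdoe", DMSA, f"CN=svc-web$,{OU}", "msDS-GroupMSAMembership", "CORP\\jdoe"),
    # Routine change by an admin granting an expected principal: not a finding.
    event("CORP\\dmsa-admin", DMSA, f"CN=svc-sql$,{OU}", "msDS-GroupMSAMembership", "CORP\\SQL-Servers"),
    # Unrelated attribute on an unrelated object class: noise.
    event("CORP\\hr-ops", "user", "CN=Jane Doe,OU=Staff,DC=corp,DC=example", "description", "Payroll"),
]

def classify(event):
    """Return a finding dict for a suspicious dMSA write, else None."""
    attr = event.get("attribute", "").lower()
    if (event.get("event_id") != 5136
            or event.get("object_class", "").lower() != DMSA.lower()
            or attr not in WATCHED):
        return None
    value = event.get("value", "")
    if attr == "msds-managedaccountprecededbylink":
        # Any write to the predecessor link is high severity: it decides on whose
        # behalf the dMSA may act, which is the relationship BadSuccessor abuses.
        severity, reason = "high", f"predecessor link {event['operation']}: {value}"
    elif event.get("operation") == "Value Added" and value not in EXPECTED_PRINCIPALS:
        severity, reason = "medium", f"unexpected principal may use dMSA credentials: {value}"
    else:
        return None
    return {"severity": severity, "object": event["object_dn"],
            "changed_by": event["subject"], "reason": reason}

def scan(events):
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in map(classify, events) if f]
```

Run against the constructed batch, the two writes by CORP\jdoe are reported and the routine and unrelated events are dropped.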

What’s next / related risks to watch

  • OAuth scopes & OneDrive File Picker. In late May, Oasis Security highlighted that Microsoft’s OneDrive File Picker can grant third-party web apps (e.g., ChatGPT, Slack, Trello, Zoom) broad read access to a user’s entire OneDrive during uploads, raising privacy and data-exposure concerns. Review and prune OAuth consents, avoid long-lived refresh tokens, and apply least-privilege scopes where possible.

  • Post-patch regressions. Some admins report issues tied to August cumulative updates (e.g., OBS/NDI streaming performance and SSD behavior under certain conditions). If you manage sensitive production systems, validate in a staging ring before wide deployment. 

Reader intent: quick answers

  • What happened? Microsoft released 111 fixes on August 12, 2025, including a Kerberos zero-day rooted in the BadSuccessor technique and multiple critical graphics RCEs.

  • Who’s affected? Windows clients/servers (especially Windows 11 24H2/Server 2025), Office/SharePoint users, and Edge (desktop and Android) deployments.

  • Is it being exploited? Not at release, according to Microsoft reporting summarized by Rapid7.

  • What should I do now? Patch domain controllers and graphics-stack systems first; audit dMSA delegation; update Office/SharePoint and Edge; and review OAuth consents tied to OneDrive integrations. 
