Patch News Day August 2025 - Critical Microsoft Security Patches Released for Privilege Escalation and Remote Code Vulnerabilities

Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive’s Container 7 Research Team reviews these patch notes for the standout vulnerabilities you need to know about.

CVE-2025-53786 - 8.0 - Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability

A successful exploit of CVE-2025-53786 would be highly disruptive. It exploits a bridge for an attacker to pivot from a compromised on-premises server directly into an organization's cloud environment, potentially gaining administrative control over Exchange Online and other connected Microsoft 365 services. As of a quick non-invasive search, there were over 29,000 Exchange servers publicly facing on the internet that was vulnerable to this issue, with many of them likely to have even older patches, therefore the attack flow could be simple for attackers, use an old exploit to gain administrator privileges on a public facing Exchange server, then pivot into the cloud environments Exchange server.

Because this is an elevation of privilege vulnerability; however, the attacker must first gain administrative privileges on an on-premises Exchange Server. Once an attacker has that initial foothold, exploiting this vulnerability is straightforward and stealthy. In a default hybrid configuration, the on-premises Exchange Server and Exchange Online share the same service principal in Azure Active Directory. This principal acts as a trust token. The on-prem server is implicitly trusted to perform administrative actions in the cloud. By controlling the on-prem server, the attacker can now impersonate it and send commands to the cloud environment. Because of the shared trust relationship, the cloud environment (e.g., Exchange Online) validates these commands as legitimate. This allows the attacker to escalate their privileges from on-prem admin to cloud admin. The potentially most dangerous aspect is that these malicious actions appear to be legitimate system operations originating from the trusted on-prem server. This makes the attack difficult to detect in standard audit logs, allowing an attacker to operate within the cloud environment for an extended period without raising alarms.

The fix requires more than just installing a patch; administrators must also follow Microsoft's manual configuration steps to create a dedicated service principal for the hybrid connection. This breaks the overly permissive shared trust, ensuring the on-prem server has only the limited permissions it truly needs. In effect, this vulnerability turns a significant on-premise Exchange breach into a full-blown, difficult-to-detect cloud compromise with effectively living off the land techniques which are always harder to detect for defensive teams.

CVE-2025-50177 -- Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

CVE-2025-50177 is a critical remote code execution vulnerability that allows an unauthenticated attacker to take complete control of a target server running the Microsoft Message Queuing (MSMQ) service. The attack flow is direct: an attacker simply needs to find a vulnerable server and send malicious packets to it, with no user interaction or credentials required to achieve a full system compromise.

Because this is an unauthenticated remote code execution vulnerability, the attacker needs no prior access. Microsoft has said the attack’s complexity is high which stems from the need to win a race condition, a common challenge in exploiting memory corruption bugs. An attacker sends a rapid sequence of specially crafted packets to the MSMQ service. The goal is to trigger a "use-after-free" condition: one packet causes the service to free a specific block of memory, and a subsequent packet, arriving at just the right moment, causes the service to use that same memory block before it has been safely reallocated. By controlling the data written into this improperly used memory, the attacker can hijack the program's execution flow and run their own arbitrary code with the permissions of the MSMQ service.

The fix for this vulnerability is to apply the security patch released by Microsoft. However, given the critical severity, the fact that it’s unauthenticated, and the potential for a "wormable" exploit that could spread automatically between vulnerable systems, patching is an urgent priority. This vulnerability allows an attacker to establish a strong foothold within a network from which they can launch further attacks. Defensive teams should prioritize this patch and audit their networks to ensure MSMQ is not unnecessarily exposed to the internet especially because it’s been classified as exploitation more likely.

CVE-2025-50165 - 9.8 - Windows Graphics Component Remote Code Execution Vulnerability

The vulnerability CVE-2025-50165 has been given a rating of 9.8. Due to this rating, it might be more attractive to threat actors to investigate and produce exploit code for this attack. The vulnerability is in the ubiquitous Windows Graphics Component. The attack vector is incredibly broad, as the vulnerability is triggered when the operating system processes a specially crafted JPEG image. This means any application that renders images—from email clients generating previews and instant messaging apps displaying photos, to office documents with embedded pictures—can become an in for the attack. Since this requires no user interaction ("zero-click"), an attacker could potentially gain control of a system simply by sending an email or a message containing the malicious image.

While this has been deemed less likely to be exploited, due to its highly rated nature, I wouldn’t put it past threat actors with the means to dig into patches and successfully produce exploit code to spend some time looking at it.

CVE-2025-50167 - 7.0 - Windows Hyper-V Elevation of Privilege Vulnerability

A successful exploit of CVE-2025-50167 is a significant threat because it targets modern Windows security. Today, Hyper-V is no longer just a tool for running virtual machines (VMs); it's a foundational Type 1 hypervisor that underpins the entire operating system. This architecture enables critical security features like Virtualization-Based Security (VBS), Memory Integrity, and Credential Guard by creating isolated, hardware-enforced boundaries. This vulnerability could affect those mechanisms and allow for a "VM escape"—where an attacker with low-level access inside a Windows environment can break out and execute code with full SYSTEM privileges, completely bypassing the hypervisor's security guarantees.

While the high complexity is a barrier, Microsoft's assessment of "Exploitation More Likely" signals that the flaw is practically achievable for skilled adversaries. Patching is therefore an urgent priority for any system using virtualization features, which, on a modern Windows OS, is almost all of them.

CVE-2025-53147 - 7.0 - Windows Ancillary Function Driver for WinSock Elevation of Privilege

A successful exploit of CVE-2025-53147 allows an attacker to gain SYSTEM level privileges and gain complete control of a Windows system. This vulnerability is an elevation of privilege flaw in the Windows Ancillary Function Driver (AFD) for WinSock. This driver, afd.sys, is a core kernel component that manages network connections for almost every application on your computer—from your web browser to your email client. Because it operates at the kernel level, a flaw here is critical. 

The fix is a standard security update from Microsoft. Vulnerabilities like this are a critical part of an attacker's toolkit; they are the essential "second step" after gaining initial access to a machine. An attacker might get in via a phishing email, but they use a local privilege escalation (LPE) bug like this one to take over completely. Microsoft's assessment of "Exploitation More Likely" confirms that security experts believe this flaw is practically exploitable. Patching this is fundamental security hygiene, as it closes a key pathway attackers rely on to deepen their intrusion into a compromised network.

CVE-2025-53778 – Windows NTLM Elevation of Privilege Vulnerability

A critical elevation of privilege vulnerability, tracked as CVE-2025-53778, has been identified in the Windows NTLM authentication protocol and patched in Microsoft’s August 2025 Patch Tuesday release.

The flaw, caused by improper authentication, could allow an attacker with low-level network access and basic user privileges to exploit NTLM and elevate to SYSTEM-level access — the highest level of privilege in Windows. Because the attack vector is network-based, exploitation could be carried out remotely without any user interaction, making it a significant concern in enterprise environments.

If successfully exploited, an attacker could take full control of affected systems, steal or modify sensitive data, install malicious software, or disrupt services. Microsoft has rated exploitation as “more likely”, even though no public exploit code currently exists.

Administrators should apply the official patch immediately to prevent potential compromise, particularly in networks where NTLM authentication is still in use and lateral movement is a concern.

CVE-2025-53733 – Microsoft Word Remote Code Execution Vulnerability

Microsoft's August 2025 Patch Tuesday includes a fix for a critical remote code execution (RCE) vulnerability in Microsoft Word, identified as CVE-2025-53733. This flaw is particularly dangerous as it requires no user interaction and can be triggered through the Preview Pane.

Caused by an incorrect conversion between numeric types, the vulnerability can be exploited using a specially crafted document. While the CVSS vector lists the attack as Local—meaning the malicious code runs on the victim’s machine—its real-world effect mirrors a remote attack, enabling an adversary to execute arbitrary code without any privileges or user action.

If exploited, attackers could deploy malware, exfiltrate sensitive data, or disrupt operations. Microsoft currently rates exploitation as “less likely” and says no public proof-of-concept exists, but the potential impact warrants immediate patching — especially on systems where the Word Preview Pane is enabled.