August Patch Tuesday: Authentication hole in Windows Server 2025 now has a fix

A critical zero-day vulnerability in Windows servers running the Kerberos authentication system, first disclosed in May, has now been patched by Microsoft, but must be given high priority by admins because there’s also an available exploit threat actors can use. The fix is among 107 vulnerabilities plugged in Microsoft’s August Patch Tuesday releases.

Microsoft has assessed the vulnerability in Windows Server 2025 (CVE-2025-53779) as “Exploitation Less Likely,” because an attacker first needs to compromise an admin’s privileged account. However, analysts at Action1 say, “the presence of functional exploit code and its impact on core authentication mechanisms makes it a significant risk. The requirement for high privileges might seem like a safeguard, but many organizations have accounts with these privileges. Once such an account is compromised, the path to full domain compromise becomes much shorter.”

“Organizations should treat this vulnerability with urgency,” Action1 added, “as it can be used in sophisticated attack chains targeting high-value environments.”

The hole involves a relative path traversal vulnerability due to improper validation of path inputs related to domain Managed Service Accounts (dMSAs). The problem is in how Windows Kerberos handles certain attributes of dMSAs, particularly the msds-ManagedAccountPrecededByLink attribute. By manipulating these paths, says Action1, an attacker with high privileges can traverse directory structures, impersonating users with higher privileges than intended. This vulnerability undermines the trusted delegation model Kerberos uses for service account management in Active Directory environments.

Affected systems include Windows Server 2025 running Active Directory Domain Services, domain controllers managing Kerberos authentication, environments using dMSAs, and all supported versions of Windows Server with Kerberos enabled.

To modify specific dMSA attributes, an attacker needs msds-groupMSAMembership (to use the dMSA) and msds-ManagedAccountPrecededByLink (to specify the user the dMSA can impersonate). Action1 says at-risk environments include large enterprise environments with complex Active Directory setups and organizations heavily using dMSAs for service account management.

When revealed in May, the vulnerability was dubbed BadSuccessor. Patching it is critical, said Satnam Narang, senior staff research engineer at Tenable. However, he added in an email, “our analysis indicates that the immediate impact is limited, as only 0.7% of AD domains had met the prerequisite at the time of disclosure. To exploit BadSuccessor, an attacker must have at least one domain controller in a domain running Windows Server 2025 in order to achieve domain compromise.”
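The two prerequisites described above (a Windows Server 2025 domain controller in the domain, and a dMSA whose msds-ManagedAccountPrecededByLink attribute points at another account) can be audited from a domain-joined workstation. The following is an added example, not code from the article or from Action1 or Tenable; it assumes the ActiveDirectory RSAT module and read access to the directory.

```powershell
# Added audit example (not from the article): list Windows Server 2025 domain
# controllers and every dMSA whose msDS-ManagedAccountPrecededByLink is set.
# Assumes the ActiveDirectory RSAT module and read access to the directory.
Import-Module ActiveDirectory

# Prerequisite noted by Tenable: at least one DC running Windows Server 2025.
$dc2025 = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -like '*Server 2025*' } |
    Select-Object Name, OperatingSystem

if (-not $dc2025) {
    Write-Host 'No Windows Server 2025 domain controllers found; the BadSuccessor prerequisite is not met.'
} else {
    Write-Host 'Windows Server 2025 domain controllers present:'
    $dc2025 | Format-Table -AutoSize
}

# Every dMSA object, with the succession attribute the article names. A
# populated msDS-ManagedAccountPrecededByLink means the dMSA claims to succeed
# another account and inherits that account's privileges at Kerberos logon,
# so each such link should be traceable to a deliberate migration.
$dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
    -Properties msDS-ManagedAccountPrecededByLink, whenCreated, whenChanged

$report = $dmsas | ForEach-Object {
    $pred = $_.'msDS-ManagedAccountPrecededByLink'
    [pscustomobject]@{
        dMSA        = $_.DistinguishedName
        PrecededBy  = ($pred -join '; ')
        Created     = $_.whenCreated
        LastChanged = $_.whenChanged
        Flag        = if ($pred) { 'REVIEW: succession link set' } else { '' }
    }
}

$report | Sort-Object Flag -Descending | Format-Table -AutoSize

# Summary line for ticketing: how many dMSAs carry a succession link at all.
$linked = @($report | Where-Object { $_.Flag }).Count
Write-Host "$($report.Count) dMSA object(s) found, $linked with msDS-ManagedAccountPrecededByLink populated."
```

Any flagged dMSA that does not correspond to a planned service-account migration, or that was created or changed outside a change window, is worth investigating alongside the patch rollout.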

AI vulnerabilities

Tyler Reguly, associate director of security R&D at Fortra, said, “the hot topic that everyone will be discussing this month is the appearance of AI in the Patch Tuesday drop.” He’s referring to CVE-2025-53767, an elevation of privilege in Azure OpenAI, and CVE-2025-53773, a vulnerability in GitHub Copilot and Visual Studio that involves a patch for Visual Studio 2022.

The first vulnerability has already been resolved by Microsoft, because it’s in a cloud platform and there’s no action required by users, he said in an email, “but this type of issue may make you think twice about the usage of AI in your organization.”

The second hole “is more interesting. It’ll be interesting to see what details are released on this, but it is command injection, which should be taken seriously,” he said.

“With multiple AI-related vulnerabilities — GitHub Copilot and Azure OpenAI — this month is a great reminder that AI technologies are still new and we’re still figuring them out,” he added. “It is important that organizations understand where and how they are utilizing AI. Beyond that, they need to know what services they are using and how those services react to vulnerabilities and security issues. A lot of the time, when looking at AI-based services, we’re interested in data residency, retention, and ownership… do we stop to ask what they are doing to secure their systems and what their security policy is? This is a good reminder that if you aren’t doing that, it is time to start.”

“CSOs should also think about how they are measuring their risk and responding to it,” Reguly said. Some vulnerabilities, based on severity, are designated Critical based on CVSS scores but rated Important by Microsoft, he pointed out. There are vulnerabilities that are not seeing active exploitation but, if they did, would be severely detrimental to organizations at a large scale. “Are you considering future risk or current risk? Whose severity do you trust?” he asked. “If you don’t have an internal methodology for determining and measuring risk, today is a great day to start developing one.”

Five Office vulnerabilities

CISOs should also pay close attention to the cluster of Microsoft Office vulnerabilities (CVE-2025-53740, CVE-2025-53731, CVE-2025-53784, and CVE-2025-53733), said Mike Walters, president of Action1, because these affect centrally managed productivity tools that are standard across most enterprises. The Preview Pane attack vector for these vulnerabilities is especially concerning as it requires minimal user interaction, potentially bypassing security awareness training efforts.

Walters also said CISOs should prioritize the Windows Graphics vulnerabilities (CVE-2025-50165 and CVE-2025-53766) due to their network attack vector, zero privilege requirements, and the fact that no user interaction is needed. These represent potential entry points for initial compromise that could lead to broader organizational impact, he wrote in an email to CSO.

The document and graphics vulnerabilities affect core business workflows involving document exchange, he pointed out, potentially requiring temporary process changes during the patching window to minimize organizational risk. End users should be informed about potential application behaviors during and after patching, especially if Preview Pane functionality might be modified or temporarily disabled, he said.

“While none of these vulnerabilities are currently reported as being exploited in the wild, the critical nature and high CVSS scores of several issues indicate they should be addressed with appropriate urgency in enterprise environments,” Walters said.

Hyper-V vulnerability

Ben McCarthy, lead cyber security engineer at Immersive, said admins running Microsoft Hyper-V should pay attention to patching an elevation of privilege vulnerability (CVE-2025-50167) in the hypervisor. “Today, Hyper-V is no longer just a tool for running virtual machines (VMs); it’s a foundational Type 1 hypervisor that underpins the entire operating system,” he said in an email. “This architecture enables critical security features like Virtualization-Based Security (VBS), Memory Integrity, and Credential Guard by creating isolated, hardware-enforced boundaries. This vulnerability could affect those mechanisms and allow for a ‘VM escape’ where an attacker with low-level access inside a Windows environment can break out and execute code with full System privileges, completely bypassing the hypervisor’s security guarantees.”

While the high complexity of the attack is a barrier, he noted that Microsoft’s assessment of ‘Exploitation More Likely’ signals that the flaw is practically achievable for skilled adversaries. Patching is therefore an urgent priority for any system using virtualization features, which, on a modern Windows OS, is almost all of them, he said.

Three critical patches for SAP

Finally, SAP released a series of patches, including three for critical vulnerabilities that each ranked 9.9 on the CVSS scoring scale.

A code injection vulnerability in SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via remote function call (RFC). This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks, SAP said. “This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system,” the company said.

SAP also issued an update for another code injection vulnerability in S/4HANA (private cloud or on-prem), and the company additionally warned of a code injection vulnerability in SAP Landscape Transformation.
