{"id":4349,"date":"2025-08-13T02:48:00","date_gmt":"2025-08-13T02:48:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4349"},"modified":"2025-08-13T02:48:00","modified_gmt":"2025-08-13T02:48:00","slug":"august-patch-tuesday-authentication-hole-in-windows-server-2025-now-has-a-fix","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4349","title":{"rendered":"August Patch Tuesday: Authentication hole in Windows Server 2025 now has a fix"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A critical zero-day vulnerability in Windows servers running the Kerberos authentication system, first disclosed in May, has now been patched by Microsoft, but must be given high priority by admins because there\u2019s also an available exploit threat actors can use. The fix is among 107 vulnerabilities plugged in Microsoft\u2019s August Patch Tuesday releases.<\/p>\n<p>Microsoft has assessed the vulnerability in Windows Server 2025 (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53779\" target=\"_blank\" rel=\"noopener\">CVE-2025-53779<\/a>)\u00a0 as \u201cExploitation Less Likely,\u201d because an attacker first needs to compromise an admin\u2019s privileged account. However, <a href=\"https:\/\/www.action1.com\/patch-tuesday\/patch-tuesday-august-2025\/\" target=\"_blank\" rel=\"noopener\">analysts at Action1 say<\/a>, \u201cthe presence of functional exploit code and its impact on core authentication mechanisms makes it a significant risk. The requirement for high privileges might seem like a safeguard, but many organizations have accounts with these privileges. 
Once such an account is compromised, the path to full domain compromise becomes much shorter.\u201d<\/p>\n<p>\u201cOrganizations should treat this vulnerability with urgency,\u201d Action1 added, \u201cas it can be used in sophisticated attack chains targeting high-value environments.\u201d<\/p>\n<p>The hole involves a relative path traversal vulnerability due to improper validation of path inputs related to domain Managed Service Accounts (dMSAs). The problem is in how Windows Kerberos handles certain attributes of dMSAs, particularly the <em>msds-ManagedAccountPrecededByLink<\/em> attribute. By manipulating these paths, says Action1, an attacker with high privileges can traverse directory structures, impersonating users with higher privileges than intended. This vulnerability undermines the trusted delegation model Kerberos uses for service account management in Active Directory environments.<\/p>\n<p>Affected systems include Windows Server 2025 running Active Directory Domain Services, domain controllers managing Kerberos authentication, environments using dMSAs, and all supported versions of Windows Server with Kerberos enabled.<\/p>\n<p>To modify specific dMSA attributes, an attacker needs <em>msds-groupMSAMembership<\/em> (to use the dMSA) and <em>msds-ManagedAccountPrecededByLink<\/em> (to specify the user the dMSA can impersonate). Action1 says at-risk environments include large enterprise environments with complex Active Directory setups and organizations heavily using dMSAs for service account management.<\/p>\n<p>When revealed in May, the vulnerability was dubbed <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/abusing-dmsa-for-privilege-escalation-in-active-directory\" target=\"_blank\" rel=\"noopener\">BadSuccessor.<\/a> Patching it is critical, said Satnam Narang, senior staff research engineer at Tenable. 
However, he added in an email, \u201cour analysis indicates that the immediate impact is limited, as only 0.7% of AD domains had met the prerequisite at the time of disclosure. To exploit BadSuccessor, an attacker must have at least one domain controller in a domain running Windows Server 2025 in order to achieve domain compromise.\u201d<\/p>\n<h2 class=\"wp-block-heading\">AI vulnerabilities<\/h2>\n<p><a href=\"https:\/\/www.fortra.com\/profile\/tyler-reguly\" target=\"_blank\" rel=\"noopener\">Tyler Reguly<\/a>, associate director of security R&amp;D at Fortra, said, \u201cthe hot topic that everyone will be discussing this month is the appearance of AI in the Patch Tuesday drop.\u201d He\u2019s referring to <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2025-53767\" target=\"_blank\" rel=\"noopener\">CVE-2025-53767<\/a>, an elevation of privilege in Azure OpenAI, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2025-53773\" target=\"_blank\" rel=\"noopener\">CVE-2025-53773<\/a>, a vulnerability in GitHub Copilot and Visual Studio that involves a patch for Visual Studio 2022.<\/p>\n<p>The first vulnerability has already been resolved by Microsoft, because it\u2019s in a cloud platform and there\u2019s no action required by users, he said in an email, \u201cbut this type of issue may make you think twice about the usage of AI in your organization.\u201d<\/p>\n<p>The second hole \u201cis more interesting. It\u2019ll be interesting to see what details are released on this, but it is command injection, which should be taken seriously,\u201d he said.<\/p>\n<p>\u201cWith multiple AI-related vulnerabilities \u2014 GitHub Copilot and Azure OpenAI \u2014 this month is a great reminder that AI technologies are still new and we\u2019re still figuring them out,\u201d he added. \u201cIt is important that organizations understand where and how they are utilizing AI. 
Beyond that, they need to know what services they are using and how those services react to vulnerabilities and security issues. A lot of the time, when looking at AI-based services, we\u2019re interested in data residency, retention, and ownership\u2026 do we stop to ask what they are doing to secure their systems and what their security policy is? This is a good reminder that if you aren\u2019t doing that, it is time to start.\u201d<\/p>\n<p>\u201cCSOs should also think about how they are measuring their risk and responding to it,\u201d Reguly said. Some vulnerabilities would be designated Critical based on their CVSS scores but are rated Important by Microsoft, he pointed out. There are vulnerabilities that are not seeing active exploitation but that, if they were exploited, would be severely detrimental to organizations at a large scale. \u201cAre you considering future risk or current risk? Whose severity do you trust?\u201d he asked. \u201cIf you don\u2019t have an internal methodology for determining and measuring risk, today is a great day to start developing one.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Five Office vulnerabilities<\/h2>\n<p>CISOs should also pay close attention to the cluster of Microsoft Office vulnerabilities (<a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-53740\" target=\"_blank\" rel=\"noopener\">CVE-2025-53740<\/a>, <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-53731\" target=\"_blank\" rel=\"noopener\">CVE-2025-53731<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53784\" target=\"_blank\" rel=\"noopener\">CVE-2025-53784<\/a>, and <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-53733\" target=\"_blank\" rel=\"noopener\">CVE-2025-53733<\/a>), said <a href=\"https:\/\/www.action1.com\/team\/\" target=\"_blank\" rel=\"noopener\">Mike Walters<\/a>, president of Action1, because these affect centrally managed productivity tools that are standard across most enterprises. 
The Preview Pane attack vector for these vulnerabilities is especially concerning as it requires minimal user interaction, potentially bypassing security awareness training efforts.<\/p>\n<p>Walters also said CISOs should prioritize the Windows Graphics vulnerabilities (<a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-50165\" target=\"_blank\" rel=\"noopener\">CVE-2025-50165<\/a> and <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-53766\" target=\"_blank\" rel=\"noopener\">CVE-2025-53766<\/a>) due to their network attack vector, their zero privilege requirements, and the fact that no user interaction is needed. These represent potential entry points for initial compromise that could lead to broader organizational impact, he wrote in an email to CSO.<\/p>\n<p>The document and graphics vulnerabilities affect core business workflows involving document exchange, he pointed out, potentially requiring temporary process changes during the patching window to minimize organizational risk. End users should be informed about potential application behaviors during and after patching, especially if Preview Pane functionality might be modified or temporarily disabled, he said.<\/p>\n<p>\u201cWhile none of these vulnerabilities are currently reported as being exploited in the wild, the critical nature and high CVSS scores of several issues indicate they should be addressed with appropriate urgency in enterprise environments,\u201d Walters said.<\/p>\n<h2 class=\"wp-block-heading\">Hyper-V vulnerability<\/h2>\n<p><a href=\"https:\/\/www.immersivelabs.com\/author\/ben-mccarthy\" target=\"_blank\" rel=\"noopener\">Ben McCarthy<\/a>, lead cyber security engineer at Immersive, said admins running Microsoft Hyper-V should pay attention to patching an elevation of privilege vulnerability (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2025-50167\" target=\"_blank\" rel=\"noopener\">CVE-2025-50167<\/a>) in the hypervisor. 
\u201cToday, Hyper-V is no longer just a tool for running virtual machines (VMs); it\u2019s a foundational Type 1 hypervisor that underpins the entire operating system,\u201d he said in an email. \u201cThis architecture enables critical security features like Virtualization-Based Security (VBS), Memory Integrity, and Credential Guard by creating isolated, hardware-enforced boundaries. This vulnerability could affect those mechanisms and allow for a \u2018VM escape\u2019 where an attacker with low-level access inside a Windows environment can break out and execute code with full System privileges, completely bypassing the hypervisor\u2019s security guarantees.\u201d<\/p>\n<p>While the high complexity of the attack is a barrier, he noted that Microsoft\u2019s assessment of \u2018Exploitation More Likely\u2019 signals that the flaw is practically achievable for skilled adversaries. Patching is therefore an urgent priority for any system using virtualization features, which, on a modern Windows OS, is almost all of them, he said.<\/p>\n<h2 class=\"wp-block-heading\">Three critical patches for SAP<\/h2>\n<p>Finally, SAP released a series of patches, including three for critical vulnerabilities that each ranked 9.9 on the CVSS scoring scale.<\/p>\n<p>A <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-42957\" target=\"_blank\" rel=\"noopener\">code injection vulnerability<\/a> in SAP S\/4HANA allows an attacker with user privileges to exploit a function module exposed via remote function call (RFC). This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks, SAP said. 
\u201cThis vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system,\u201d the company said.<\/p>\n<p>SAP also <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-27429\" target=\"_blank\" rel=\"noopener\">issued an update<\/a> for another code injection vulnerability in S\/4HANA (private cloud or on-prem), and the company additionally warned of a <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-42950\" target=\"_blank\" rel=\"noopener\">code injection vulnerability<\/a> in SAP Landscape Transformation.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A critical zero-day vulnerability in Windows servers running the Kerberos authentication system, first disclosed in May, has now been patched by Microsoft, but must be given high priority by admins because there\u2019s also an available exploit threat actors can use. The fix is among 107 vulnerabilities plugged in Microsoft\u2019s August Patch Tuesday releases. 
Microsoft has [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4350,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4349","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4349"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4349"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4349\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4350"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}