We’ve made it through hacker summer camp and made our way to the second Tuesday of the month. Adobe and Microsoft seemed to have survived as well, as they released their latest security patches. Take a break from your scheduled activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for August 2025
For August, Adobe released 13 bulletins addressing 68 unique CVEs in Commerce, Substance 3D Viewer, Animate, Illustrator, Photoshop, Substance 3D Modeler, Substance 3D Painter, Substance 3D Sampler, InDesign, InCopy, Substance 3D Stager, FrameMaker, and Dimension. If you’re looking to prioritize, start with the update for Commerce, which fixes six bugs and is listed as Priority 2. There are eight bugs in the patch for InCopy and all are rated Critical and lead to code execution. The patch for InDesign is quite large with 14 different CVEs being addressed – 12 of which are Critical. The fix for Substance 3D Modeler is also quite large with 13 CVEs. However, most of these are rated Important. That’s a similar story for the fix in Substance 3D Painter. Of the nine CVEs fixed, only one is Critical. There’s also one Critical fix in the patch for Substance 3D Stager, which fixes two bugs in total. The patch for Substance 3D Sampler fixes a single, Important CVE. The Substance 3D family is rounded out with two Critical CVEs for Substance 3D Viewer.
The fix for Animate addresses two bugs, one of which is Critical. The patch for Illustrator contains four fixes. Two of those bugs lead to arbitrary code execution. The single fix for Photoshop also addresses a bug that could lead to code execution. Both of these are typical open-and-own exploits. The patch for FrameMaker contains fixes for five CVEs. The final patch from Adobe this month fixes a single Important-rated bug in Dimension.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Besides the patch for Commerce, all updates are listed as deployment priority 3.
Microsoft Patches for August 2025
This month, Microsoft released a whopping 107 new CVEs in Windows and Windows Components, Office and Office Components, Microsoft Edge (Chromium-based), Azure, GitHub Copilot, Dynamics 365, SQL Server, and Hyper-V Server. Seven of these bugs were submitted through the Trend ZDI program.
Of the patches released today, 12 are rated Critical, one is rated Moderate, one is rated Low, and the rest are rated Important in severity. This puts Microsoft slightly ahead of where they were last year in terms of volume. In fact, this year is the largest volume of fixes from Redmond since 2020, although it’s unlikely they will eclipse that total.
Microsoft lists one bug as being publicly known at the time of release, but nothing is noted as being under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug rated as a CVSS 9.8:
- CVE-2025-53766 - GDI+ Remote Code Execution Vulnerability
As mentioned, this bug is a CVSS 9.8 as it allows for code execution just by browsing to a malicious webpage. An attacker could also embed a specially crafted metafile into a document and have the target open the file. A worst-case scenario would be an attacker uploading something through an ad network that is served up to users. Ad blockers aren’t just to remove annoyances; they also protect against malicious ads. They’re rare, but they have occurred in the past. Since GDI+ touches so many different components (and users tend to click on anything), test and deploy this one quickly.
- CVE-2025-50165 - Windows Graphics Component Remote Code Execution Vulnerability
Speaking of browse-and-own, that's exactly what this bug allows as well. Rating a CVSS 9.8, this could lead to code execution by viewing a specially crafted image. Browse-and-own bugs always gain attention from researchers, so even though this is listed as “exploitation less likely”, I would treat this as a critical patch for deployment.
- CVE-2025-53731/CVE-2025-53740 - Microsoft Office Remote Code Execution Vulnerability
This is the seventh month in a row where at least one Office component allowed code execution through the Preview Pane. With so many different components impacted, I doubt these are all patch bypasses. Instead, it appears attackers are mining code that hasn’t been looked at much and finding some gems. Perhaps it’s time to consider disabling the Preview Pane for a bit while the security gnomes in Redmond sort this out.
- CVE-2025-49712 - Microsoft SharePoint Remote Code Execution Vulnerability
SharePoint has definitely been a hot topic over the last month, with exploits hitting several U.S. government targets. While this bug is not listed as under active attack, it is the same type of bug used in the second stage of existing exploits. The first stage is an authentication bypass, as this vulnerability does require authentication. However, several auth bypasses are publicly known (and patched). Be sure you are up-to-date with ALL of your SharePoint patches and reconsider having them be internet accessible.
Here’s the full list of CVEs released by Microsoft for August 2025:
CVE | Title | Severity | CVSS | Public | Exploited | Type |
CVE-2025-53779 | Windows Kerberos Elevation of Privilege Vulnerability | Moderate | 7.2 | Yes | No | EoP |
CVE-2025-50176 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2025-53766 | GDI+ Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
CVE-2025-50177 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2025-53731 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
CVE-2025-53740 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
CVE-2025-53733 | Microsoft Word Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
CVE-2025-53784 | Microsoft Word Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
CVE-2025-53781 | Windows Hyper-V Information Disclosure Vulnerability | Critical | 7.7 | No | No | Info |
CVE-2025-49707 | Windows Hyper-V Spoofing Vulnerability | Critical | 7.9 | No | No | Spoofing |
CVE-2025-48807 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
CVE-2025-53778 | Windows NTLM Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
CVE-2025-53793 | Azure Stack Hub Information Disclosure Vulnerability | Critical | 7.5 | No | No | Info |
CVE-2025-53765 | Azure Stack Hub Information Disclosure Vulnerability | Important | 4.4 | No | No | Info |
CVE-2025-50153 | Desktop Windows Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53152 | Desktop Windows Manager Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-50172 | DirectX Graphics Kernel Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2025-53135 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-53773 | GitHub Copilot and Visual Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-53149 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53716 | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2025-53729 | Microsoft Azure File Sync Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53142 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-49745 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
CVE-2025-53728 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-53735 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-53737 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-53739 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-53741 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-53759 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-53786 † | Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability | Important | 8 | No | No | EoP |
CVE-2025-33051 | Microsoft Exchange Server Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
CVE-2025-25006 | Microsoft Exchange Server Spoofing Vulnerability | Important | 5.3 | No | No | Spoofing |
CVE-2025-25007 | Microsoft Exchange Server Spoofing Vulnerability | Important | 5.3 | No | No | Spoofing |
CVE-2025-25005 | Microsoft Exchange Server Tampering Vulnerability | Important | 6.5 | No | No | Tampering |
CVE-2025-53143 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-53144 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-53145 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-53732 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-53730 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-53734 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-53761 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-53760 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | 8.2 | No | No | EoP |
CVE-2025-49712 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-24999 † | Microsoft SQL Server Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2025-47954 † | Microsoft SQL Server Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2025-49758 † | Microsoft SQL Server Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2025-49759 † | Microsoft SQL Server Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2025-53727 † | Microsoft SQL Server Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2025-53783 | Microsoft Teams Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
CVE-2025-50154 | Microsoft Windows File Explorer Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing |
CVE-2025-53736 | Microsoft Word Information Disclosure Vulnerability | Important | 6.8 | No | No | Info |
CVE-2025-53738 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-53136 | NT OS Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-50159 | Remote Access Point-to-Point Protocol (PPP) EAP-TLS Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
CVE-2025-50171 | Remote Desktop Spoofing Vulnerability | Important | 9.1 | No | No | Spoofing |
CVE-2025-53772 | Web Deploy Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-50161 | Win32k Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
CVE-2025-50168 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53132 | Win32k Elevation of Privilege Vulnerability | Important | 8 | No | No | EoP |
CVE-2025-49762 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-53134 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-53137 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-53141 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53147 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-53154 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53718 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-50170 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53721 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-50166 | Windows Distributed Transaction Coordinator (MSDTC) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-49743 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP |
CVE-2025-50165 | Windows Graphics Component Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE |
CVE-2025-49751 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.8 | No | No | DoS |
CVE-2025-50167 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
CVE-2025-53155 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53723 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2025-50173 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49761 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53151 | Windows Kernel Elevation of Privilege Vulnerability | Important | 8.4 | No | No | EoP |
CVE-2025-53140 | Windows Kernel Transaction Manager Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-53131 | Windows Media Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-50158 | Windows NTFS Information Disclosure Vulnerability | Important | 7 | No | No | Info |
CVE-2025-53133 | Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-50155 | Windows Push Notifications Apps Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53724 | Windows Push Notifications Apps Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53725 | Windows Push Notifications Apps Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53726 | Windows Push Notifications Apps Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53722 | Windows Remote Desktop Services Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-50156 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
CVE-2025-50157 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
CVE-2025-53138 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
CVE-2025-53148 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
CVE-2025-53153 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
CVE-2025-53719 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
CVE-2025-49757 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-50160 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
CVE-2025-50162 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
CVE-2025-50163 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-50164 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
CVE-2025-53720 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
CVE-2025-53769 | Windows Security App Spoofing Vulnerability | Important | 5.5 | No | No | Spoofing |
CVE-2025-50169 | Windows SMB Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
CVE-2025-53789 | Windows StateRepository API Server file Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-53156 | Windows Storage Port Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-53788 | Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-49736 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | Moderate | 4.3 | No | No | Spoofing |
CVE-2025-49755 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | Low | 4.3 | No | No | Spoofing |
† Indicates further administrative actions are required to fully address the vulnerability.
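A triage sketch over the table above, added here as an example (not ZDI's or Microsoft's tooling): it parses the page's pipe-delimited rows, including the † marker, and shows why sorting on the Severity column alone buries entries such as CVE-2025-50165 and the publicly known Kerberos bug. The tier rules and the 8.8 CVSS floor are assumptions chosen for illustration; the sample rows are copied from the table.

```python
from dataclasses import dataclass

# A subset of rows copied from the table above, in the page's own layout.
SAMPLE = """\
CVE | Title | Severity | CVSS | Public | Exploited | Type |
CVE-2025-53779 | Windows Kerberos Elevation of Privilege Vulnerability | Moderate | 7.2 | Yes | No | EoP |
CVE-2025-53766 | GDI+ Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
CVE-2025-53786 † | Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability | Important | 8 | No | No | EoP |
CVE-2025-50165 | Windows Graphics Component Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE |
CVE-2025-53772 | Web Deploy Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-53136 | NT OS Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-49755 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | Low | 4.3 | No | No | Spoofing |
† Indicates further administrative actions are required to fully address the vulnerability.
"""


@dataclass
class Entry:
    cve: str
    title: str
    severity: str
    cvss: float
    public: bool
    exploited: bool
    kind: str
    admin_action: bool  # row carried the † marker


def parse_table(text):
    """Parse the pipe-delimited rows; skip the header, footnote and blanks."""
    entries = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if len(cells) != 7 or not cells[0].startswith("CVE-"):
            continue
        admin = cells[0].endswith("†")
        cve = cells[0].rstrip("†").strip()
        entries.append(Entry(cve, cells[1], cells[2], float(cells[3]),
                             cells[4] == "Yes", cells[5] == "Yes",
                             cells[6], admin))
    return entries


def triage(entries, rce_floor=8.8, next_floor=7.0):
    """Bucket CVE ids into deployment tiers (assumed rules, see lead-in).

    first: exploited, publicly known, vendor-rated Critical, or an RCE at or
           above rce_floor regardless of the vendor's severity label.
    next:  anything else with CVSS >= next_floor.
    later: the remainder.
    """
    tiers = {"first": [], "next": [], "later": []}
    for e in sorted(entries, key=lambda e: (-e.cvss, e.cve)):
        if (e.exploited or e.public or e.severity == "Critical"
                or (e.kind == "RCE" and e.cvss >= rce_floor)):
            tiers["first"].append(e.cve)
        elif e.cvss >= next_floor:
            tiers["next"].append(e.cve)
        else:
            tiers["later"].append(e.cve)
    return tiers


def needs_admin_action(entries):
    """CVEs where installing the update alone does not finish the job."""
    return [e.cve for e in entries if e.admin_action]


if __name__ == "__main__":
    rows = parse_table(SAMPLE)
    for tier, cves in triage(rows).items():
        print(tier, cves)
    print("extra steps required:", needs_admin_action(rows))
```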
Looking at the remaining Critical patches, there are two for Word that also include the Preview Pane as an attack vector. There are three Critical bugs in Hyper-V. One could disclose the ever mysterious “sensitive information” while another allows a VM to spoof its identity in communications with external systems. The third allows code execution on the hypervisor from a guest. The bug in Azure Stack also allows an attacker to disclose information over a network. There’s a juicy code execution bug in the DirectX Graphics Kernel, but it does require authentication. The bug in NTLM is an interesting case. It allows an authenticated attacker to elevate privileges over the network. We’re used to seeing these as local exploits only. Lastly, there’s a Use-After-Free bug in the Windows Message Queuing (MSMQ) component. In this case, the attacker would need to send a series of specially crafted MSMQ packets in a rapid sequence over HTTP to an affected server. The attacker still needs to win a race condition, but we’ve seen plenty of race condition bugs win Pwn2Own, so don’t rely on that alone.
Including those already discussed, there are over 30 code execution bugs receiving fixes this month. The Important-rated Office components do not have Preview Pane as an attack vector and are the open-and-own variety. There’s also this month’s crop of RRAS fixes. I’m still waiting for any of these to be exploited in the wild, but I’m not holding my breath. There are three additional bugs in MSMQ. Their description seems identical to the Critical-rated bug already discussed, so it’s not clear why these are only listed as Important. If you’re running Web Deploy (msdeploy), you definitely want to test and deploy the patch quickly. An unauthenticated attacker could get code execution simply by sending specially crafted requests to an affected server. The SMB bug requires a user to initiate a connection to an SMB server – usually by clicking a link in email. The bug in Teams came through ZDI. The bug exists within the real time media manager. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. The bug in Desktop Windows Manager requires authentication and reads more like an LPE. The final code execution bug is an AI bug in GitHub Copilot and Visual Studio. It does require a user to trigger the payload, so some form of social engineering will be involved. Still – AI bug – woo hoo!
There are more than 40 elevation of privilege (EoP) bugs in the August release. Thankfully, most of these bugs lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. The bugs in SQL Server allow an attacker to gain sysadmin privileges. These bugs also require special attention when patching, so pay close attention to version numbers to ensure you are fully protected. There’s a bug in Hyper-V that could allow attackers to overwrite arbitrary file content in the security context of the local system. The SharePoint vulnerability would let attackers gain the privileges of the compromised user. The four bugs in Push Notifications allow for sandbox escapes. The vulnerability in the Connected Devices Platform Service allows someone to go from Medium Integrity Level to Local Service. The bug in Desktop Windows Manager just states that an attacker could gain access to “system resources” leading to further compromise. The EoP in StateRepository API Server file could lead to accessing the rights of the user that is running the affected application. Lastly, if you are an Exchange admin, you have some work ahead of you. Microsoft released a hot fix back in April and is making that change more official. You’ll need to apply the hot fix and implement changes in your Exchange Server and hybrid environment. Dominus tecum.
The August release contains more than a dozen information disclosure patches. As expected, most of these only result in info leaks consisting of unspecified memory contents or memory addresses. This is useful info to have when exploiting components on a system, but otherwise not quite riveting. There are a few exceptions. The info disclosure bug in Exchange allows attackers to determine if an email address is valid. The bugs in MSDTC and Dynamics 365 could leak the ephemeral “sensitive information”. One of the bugs in Azure is listed as public and could leak deployment API and system internal configurations. The bug in Azure Stack Hub is more serious as it could leak administrator account passwords in the logs.
There are only four patches for Denial-of-Service (DoS) bugs in this release. However, Microsoft provides no actionable information about these bugs. Instead, they simply state that an attacker could deny service over a network to that component. The only exception is the bug in Hyper-V. In this case, a low-privileged guest VM could deny service on the Hyper-V host environment.
Moving on to the spoofing bugs in this month’s release, the bug in Remote Desktop manifests as an authorization bypass. Not much is clear around the File Explorer bug other than that user interaction is required. There’s no clear info on the bug in the Security App either, but one could assume an attacker could bypass Security App protections. The spoofing bugs in Exchange are a bit clearer. These vulns allow an attacker to spoof the “5322.From” email address that is displayed to a user – a handy trick for social engineering. Finally, the spoofing bug in Edge would allow for a traffic redirect.
There’s a single tampering bug in Microsoft Exchange, but the only information Microsoft provides is that it allows “an authorized attacker to perform tampering over a network.” I would guess that means they could mess with people’s inboxes and/or calendars, but who knows. The August release is rounded out by a single cross-site scripting (XSS) bug in Dynamics 365.
No new advisories are being released this month.
Looking Ahead
The next Patch Tuesday of 2025 will be on September 9, and I’ll be back then with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!