Post-Patch Tuesday Roundup: August 2025

While the instinct may be to patch in order of vendor severity scores alone, organisations should instead combine these updates with cyber threat intelligence to identify and remediate vulnerabilities most likely to be exploited by the threat actors targeting their sector.

For example, Microsoft’s actively exploited Kerberos zero-day, Cisco ISE’s CVSS 10.0 remote code execution flaw, and Fortinet’s FortiSIEM command injection should be treated as high-priority due to known TTP overlap with ransomware affiliates and state-linked intrusion sets. Leveraging CTI ensures patching efforts align with real-world attacker behaviour, helping reduce exposure where the risk and potential impact is greatest.

Microsoft

Microsoft’s advisory ADV253991 outlines a broad set of security updates released as part of August 2025 Patch Tuesday. This month’s update addresses 119 vulnerabilities across multiple Microsoft products and services, including Windows, Office, Azure, SQL Server, and more.

Vulnerability Breakdown by Category

• Spoofing: 4 (1 Critical, 3 Important)
• Denial of Service: 4 (All Important)
• Elevation of Privilege: 42 (1 Critical, 41 Important)
• Information Disclosure: 16 (2 Critical, 14 Important)
• Remote Code Execution (RCE): 34 (9 Critical, 25 Important)

What This Means for Security Teams

• Prioritise patching for systems affected by critical vulnerabilities, especially those exposed to external networks.
• Address the Kerberos zero-day as a matter of urgency to prevent potential exploitation.
• Ensure updates are applied across all impacted products and services to minimise attack surface.
• Maintain defence-in-depth measures, including network segmentation, strict access controls, and continuous monitoring, to protect against potential exploitation during patch deployment.

Zero Day Vulnerability

1. CVE-2025-53779 – In the Windows security landscape, attackers often share a common ambition: achieving Domain Administrator privileges as quickly as possible. The August 2025 Patch Tuesday zero-day, CVE-2025-53779, represents exactly the sort of flaw that could help them reach that goal. This vulnerability is an Elevation of Privilege (EoP) issue in the Windows implementation of Kerberos, specifically linked to abuse of Delegated Managed Service Account (dMSA) configuration.

While Microsoft’s advisory hints at the mechanics of the flaw, it omits a direct definition of “dMSA”. In this context, dMSA refers to Delegated Managed Service Accounts a feature intended to automate service account credential rotation and reduce exposure to credential-theft techniques such as Kerberoasting. Kerberoasting has been flagged by CISA as one of the most efficient ways for attackers to escalate privileges and move laterally across a network.

Successful exploitation of CVE-2025-53779 requires prior control of two key attributes within the targeted dMSA:

1. msds-groupMSAMembership – Determines which users can use the credentials of the managed service account.

2. msds-ManagedAccountPrecededByLink – Specifies the accounts on whose behalf the dMSA can operate.

While these attributes should be well-protected in a secure environment, their compromise could feasibly serve as the final step in a multi-stage attack chain, enabling an adversary to escalate from limited access to full domain compromise.

Critical

1. CVE-2025-50165 – This is a Remote Code Execution vulnerability in the Microsoft Graphics Component, caused by an untrusted pointer dereference. It allows an attacker to execute arbitrary code over the network without requiring any privileges or user interaction. The vulnerability carries a CVSS score of 9.8. While it is not considered wormable, its potential for remote exploitation makes it a significant concern, particularly for systems that process untrusted graphical content. Applying the security update should be treated as a priority.

2. CVE-2025-53766 – This is a Remote Code Execution vulnerability in Windows GDI+, resulting from a heap-based buffer overflow triggered when processing malicious metafiles. An attacker could achieve remote code execution without privileges or user interaction, typically by delivering crafted image files through vulnerable services or applications. With a CVSS score of 9.8, this is one of the most severe vulnerabilities addressed this month. Systems that handle image processing should be patched immediately.

3. CVE-2025-50176 – This is a Remote Code Execution vulnerability in the DirectX graphics kernel, caused by a type of confusion issue that can enable code execution in the kernel context. While exploitation may require a specific attack scenario, it is considered more likely to be exploited. Due to the potential impact of a successful attack, particularly with kernel-level privileges, applying this update should be treated with high urgency.

4. CVE-2025-53789 – A high-severity vulnerability has been identified in Microsoft Exchange hybrid deployments – environments where on-premises Exchange servers are integrated with Exchange Online. Designated CVE-2025-53786, the flaw arises from a shared service principal used between the on-premises and cloud environments.

If an attacker gains administrative access to the on-premises Exchange server, they could exploit this trust relationship to impersonate the hybrid identity and gain unrestricted access to Exchange Online – often without leaving clear traces in audit logs. This creates an opportunity for covert compromise of mailboxes, data and associated Microsoft 365 services.

Although there are currently no confirmed cases of exploitation, both Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA) have warned that exploitation is more likely. While CISA’s alert is aimed at US federal agencies, the risk is equally applicable to UK organisations, particularly those with public-facing Exchange servers or outdated hybrid configurations.

https://helpx.adobe.com/security.html

Adobe

Adobe has released 13 security updates this month, addressing 64 vulnerabilities, 38 critical and 26 Important. The applications in question are:

1. Adobe Commerce (Magento)

2. Adobe Substance 3D Viewer

3. Adobe Animate

4. Adobe Illustrator

5. Adobe Photoshop

6. Adobe Substance 3D Modeler

7. Adobe Substance 3D Painter

8. Adobe Substance 3D Sampler

9. Adobe InDesign

10. Adobe InCopy

11. Adobe Substance 3D Stager

12.  Adobe FrameMaker

13.  Adobe Dimension

https://sec.cloudapps.cisco.com/security/center/publicationListing.x

Cisco

Cisco has issued urgent patches for multiple vulnerabilities, including CVE-2025-20337, a newly disclosed CVSS 10.0 remote code execution flaw affecting Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC).

• Risk: Unauthenticated attackers can gain full root access via crafted API requests  no credentials required.
• Affected: ISE/ISE-PIC versions 3.3 and 3.4.
• Fixed in: 3.3 Patch 7, 3.4 Patch 2.

Also patched:

- CVE-2025-20274 (CVSS 6.3) – Unified Intelligence Center file upload flaw allowing authenticated RCE and privilege escalation (patched in 12.5(1) SU ES05, 12.6(2) ES05; CCX users on 12.5(1) SU3 or earlier must upgrade to v15).

- Medium-severity fixes for ISE, ISE-PIC, EPNM, Prime Infrastructure, and Unified Intelligence Center.

Cisco confirms active exploitation of previously patched ISE RCE flaws organisations should apply updates immediately to prevent compromise.

https://www.fortiguard.com

Fortinet

Fortinet has released 14 security advisories in August affecting a wide range of products, including FortiOS, FortiWeb, FortiManager, FortiProxy, FortiPAM, FortiSOAR, FortiMail, FortiVoice, FortiRecorder, FortiCamera, FortiNDR, FortiADC, FortiSIEM, and FortiSwitchManager. The advisories address 1 Critical, 2 High, and 11 Medium severity vulnerabilities.

- Critical – CVE-2025-25256: An OS command injection vulnerability (CWE-78) in FortiSIEM may allow a remote unauthenticated attacker to execute arbitrary commands. Affects versions 7.3.1 and earlier in the 7.3.x branch, and multiple 7.2.x releases.

- High – CVE-2024-26009: An authentication bypass using an alternate path or channel (CWE-288) in the FGFM protocol of FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager may allow a remote attacker to bypass authentication.

- High – CVE-2025-52970: An improper handling of parameters (CWE-233) in FortiWeb may allow an unauthenticated remote attacker to bypass authentication controls.

Medium: Includes multiple vulnerabilities such as arbitrary file overwrite (CVE-2024-52964), path traversal (CVE-2024-40588, CVE-2024-48892), OS command injection (CVE-2025-27759, CVE-2025-47857, CVE-2025-49813), double free (CVE-2023-45584), incorrect privilege assignment (CVE-2025-53744), integer overflow (CVE-2025-25248), stack buffer overflow (CVE-2025-32766), and cross-site scripting (CVE-2025-32932).

Recommendation: Fortinet urges all customers to upgrade to the fixed versions provided in each advisory to mitigate the risk of exploitation.

August Security Update | Ivanti

Ivanti

 Ivanti is disclosing vulnerabilities in Ivanti Avalanche, Ivanti Virtual Application Delivery Control (vADC) (previously known as vTM) and Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access.

It is important for customers to know:

• We have no evidence of any of these vulnerabilities being exploited in the wild.
• These vulnerabilities do not impact any other Ivanti solutions.

More information on these vulnerabilities and detailed instructions on how to remediate the issues can be found in these Security Advisories:

• Ivanti Avalanche
• Ivanti vADC
• Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access

SAP Security Patch Day - August 2025

SAP

SAP – August 2025 Security Updates

• 3 Critical – Code injection vulnerabilities in SAP S/4HANA and SAP Landscape Transformation.
• 2 High – Authorisation issues in SAP Business One and SAP NetWeaver AS ABAP.
• 13 Medium – Multiple flaws including directory traversal, XSS, HTML injection, information disclosure, and missing authorisation checks.
• 2 Low – Weak authorisation and reverse tabnabbing issues in SAP Cloud Connector and SAP Fiori.

Action: Apply patches immediately, prioritising Critical and High–severity vulnerabilities to reduce risk of exploitation

· CVE-2025-42957 – Code Injection in SAP S/4HANA (Private Cloud/On-Premise) – Critical – CVSS 9.9

· CVE-2025-42950 – Code Injection in SAP Landscape Transformation (Analysis Platform) – Critical – CVSS 9.9

· CVE-2025-27429 – Code Injection in SAP S/4HANA (Private Cloud/On-Premise) – Critical – CVSS 9.9

· CVE-2025-42951 – Broken Authorisation in SAP Business One (SLD) – High – CVSS 8.8

· CVE-2025-42976, CVE-2025-42975 – Multiple issues in SAP NetWeaver AS ABAP (BIC Document) – High – CVSS 8.1

· CVE-2025-42946 – Directory Traversal in SAP S/4HANA (Bank Communication Management) – Medium – CVSS 6.9

· CVE-2025-42945 – HTML Injection in SAP NetWeaver AS ABAP – Medium – CVSS 6.1

· CVE-2025-42942 – Cross-Site Scripting in SAP NetWeaver AS for ABAP – Medium – CVSS 6.1

· CVE-2025-42948 – Cross-Site Scripting in SAP NetWeaver ABAP Platform – Medium – CVSS 6.1

· CVE-2025-0059 – Information Disclosure in SAP NetWeaver AS ABAP (SAP GUI for HTML) – Medium – CVSS 6.0

· CVE-2025-42936 – Missing Authorisation Check in SAP NetWeaver AS for ABAP – Medium – CVSS 5.4

· CVE-2025-23194 – Missing Authentication Check in SAP NetWeaver Enterprise Portal – Medium – CVSS 5.3

· CVE-2025-42949 – Missing Authorisation Check in ABAP Platform – Medium – CVSS 4.9

· CVE-2025-42943 – Information Disclosure in SAP GUI for Windows – Medium – CVSS 4.5

· CVE-2025-42934 – CRLF Injection in SAP S/4HANA (Supplier Invoice) – Medium – CVSS 4.3

· CVE-2025-31331 – Authorisation Bypass in SAP NetWeaver – Medium – CVSS 4.3

· CVE-2025-42935 – Information Disclosure in SAP NetWeaver AS for ABAP and ABAP Platform – Medium – CVSS 4.1

· CVE-2025-42955 – Missing Authorisation Check in SAP Cloud Connector – Low – CVSS 3.5

· CVE-2025-42941 – Reverse Tabnabbing in SAP Fiori (Launchpad) – Low – CVSS 3.5

Industrial Control Systems

ISA released seven Industrial Control Systems (ICS) advisories on August 12, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-224-01 Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share
• ICSA-25-224-02 Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2
• ICSA-25-224-03 Schneider Electric EcoStruxure Power Monitoring Expert
• ICSA-25-224-04 AVEVAPIIntegrator
• ICSA-24-263-04 MegaSys Telenium Online Web Application (Update A)
• ICSA-25-191-10 End-of-Train and Head-of-Train Remote Linking Protocol (Update A)
• ICSMA-25-224-01 Santesoft Sante PACS Server

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

As always, users are recommended to apply the latest security updates as soon as possible to protect their systems from potential threats.