On Tuesday, Microsoft rolled out a large set of fixes of 111 security flaws across its software portfolio, including one flaw that was revealed to be public at the time of release.
Of the 111 vulnerabilities, 16 are rated as important, 92 are rated as important, 2 are rated as moderate and 1 is rated as low severity. The vulnerability 44 is related to privilege escalation, followed by defects in remote code execution (35), disclosure (18), spoofing (8), and denial of service (4).
This includes 16 vulnerabilities addressed in Microsoft’s Chromium-based Edge Browser since the release of the patch Tuesday update last month, as well as two spoofing bugs affecting Android’s Edge.
The vulnerabilities include a privilege escalation vulnerability that affects Microsoft Exchange Server hybrid deployment (CVE-2025-53786, CVSS score: 8.0) that Microsoft disclosed last week.
The published Zero Day is CVE-2025-53779 (CVSS score: 7.2). This is another privilege escalation flaw in Windows Kerberos, which comes from the case of relative path crossing. Akamai researcher Yuval Gordon is believed to have discovered and reported the bug.
It is worth mentioning here that this issue was published in May 2025 by a web infrastructure and security company and provided the codename Badsuccessor. A novel technique essentially allows threat actors with sufficient privileges to compromise an Active Directory (AD) domain by misusing delegated managed service accounts (DMSA) objects.
“The good news here is that successful exploitation of CVE-2025-53779 requires existing control of two attributes of the DMSA:MSDS-GroupMsamembership, if well-protected, ACT,” Adam Barnett, lead software engineer at Rapid7, told Hacker News.
“However, the abuse of CVE-2025-53779 is certainly plausible as the final link in a multi-exploit chain that grows from no access to total PWNAGE.”
Mike Walters in Action1 pointed out that attackers can abuse past traversal flaws to create inappropriate delegation relationships, impersonate privileged accounts, escalate to domain administrators, and give them full control over the Active Directory domain.
“Attackers who already have a compromised privileged account can use it to move from limited control to full domain control,” Walters added. “It can also be combined with methods such as KerberoAsting and Silver ticket attacks to maintain its durability.”
“Domain administrator privileges allow attackers to disable security surveillance, modify group policies, and tamper with audit logs to hide activity. Organizations with multi-forest environments or partner connections can even exploit this flaw to move from the compromised domain of a supply chain attack to another domain.”
Satnam Narang, senior staff research engineer at Tenable, said the immediate impact of BADSUCCERSER is limited. This is because only 0.7% of the Active Directory domains met the prerequisite at the time of disclosure. “To leverage BadSuccessor, an attacker must have at least one domain controller in a domain running Windows Server 2025 to achieve domain compromise,” Narang pointed out.
Some of the notable critical assessment vulnerabilities that Redmond patched this month are:
CVE-2025-53767 (CVSS score: 10.0) – Azure Openai Privilege Vulnerability CVE-2025-53766 (CVSS score: 9.8) – GDI+ Remote Code Execution Vulnerability CVE-2025-50165 (CVSS score: 9.8) CVE-2025-53792 (CVSS score: 9.1) – Azure Portal Privilege Vulnerability CVE-2025-53787 (CVSS score: 8.2) – Microsoft 365 Copilot BizChat Information Vulnerability Vulnerability CVE-2025-50177 Vulnerability CVE-2025-50176 (CVSS score: 7.8) – DirectX Graphics Kernel Remote Code Execution Vulnerability
Microsoft said three cloud services CVEs affecting Azure Openai, Azure Portal and Microsoft 365 Copilot Bizchat have already been repaired and no customer action is required.
A checkpoint, which disclosed CVE-2025-53766 along with CVE-2025-30388, stated that the vulnerability would allow an attacker to execute arbitrary code on the affected system, leading to a complete system compromise.
“Attack vectors involve interaction with specially created files. When users open or process this file, a vulnerability is triggered and the attacker has control over it,” the cybersecurity company said.
The Israeli company also revealed that it has revealed vulnerabilities in rust-based components in the Windows kernel.
“For organizations with large or remote labor forces, risk is important. Attackers can exploit this flaw and crash a large number of computers across the enterprise, resulting in widespread disruption and costly downtime,” Checkpoint said. “The findings highlight that even advanced security technologies such as rust, continuous vigilance and aggressive patching are essential to maintaining system integrity in complex software environments.”
Another vulnerability of importance is CVE-2025-50154 (CVSS score: 6.5). This is a vulnerability in ntlm hash disclosure spoofing, which is a bypass for a similar bug (CVE-2025-24054, CVSS score: 6.5) plugged by Microsoft in March 2025.
“The original vulnerability showed that specially created requests could cause NTLM authentication and publish sensitive qualifications,” said researcher Reuben Enkauer. “This new vulnerability […] The attacker allows the NTLM hash to be extracted without user interaction, even on a fully patched system. By taking advantage of the subtle gaps left in the mitigation, attackers can automatically trigger NTLM authentication requests, allowing offline cracking or relay attacks to gain unauthorized access. ”
Source link
