August Patch Tuesday includes blasts from the (recent) past

Microsoft on Tuesday announced 109 patches affecting 16 product families. Eighteen of the addressed issues are considered by Microsoft to be of Critical severity, and 31 have a CVSS base score of 8.0 or higher, including a “perfect” 10.0 affecting Azure. None are known to be under active exploit in the wild, though two Windows issues (CVE-2025-53786 and CVE-2025-53779) are already publicly disclosed.

At patch time, nine CVEs are judged more likely to be exploited in the next 30 days by the company’s estimation. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in a table below. In addition, eight CVEs included in this month’s set, mostly involving cloud-centric product families such as Azure and 365, are already patched – including the CVSS-10 item mentioned above. We have included information on all eight in Appendix D. Interestingly, two of those were actually patched a full month ago, in the July cycle, but a clerical mix-up left that information out of Microsoft’s July release materials. We include those two in our August count. Advisory information on ten Edge fixes was also included in this month’s release, and can be seen in Appendix D.

We are as always including at the end of this post additional appendices listing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base score, and by product family. Another appendix covers advisory-style updates and the list of issues discussed in this month’s release materials but mitigated prior to the release, and another provides breakout of the patches affecting the various Windows Server platforms still in support.

By the numbers

• Total CVEs: 109
• Publicly disclosed: 2*
• Exploit detected: 0
• Severity
  • Critical: 18
  • Important: 90
  • Moderate: 1
• Impact
  • Elevation of Privilege: 44
  • Remote Code Execution: 35
  • Information Disclosure: 18
  • Spoofing: 7
  • Denial of Service: 4
  • Tampering: 1
• CVSS Base score 10.0: 1
• CVSS Base score 9.0 or greater: 5
• CVSS Base score 8.0 or greater: 31

* Microsoft’s official release material states that just one vulnerability, CVE-2025-53779, is publicly disclosed by their standards. However, CVE-2025-53786 was publicly demonstrated at Black Hat last week and has been very widely discussed since then, with a CISA Emergency Directive issued. We include it in our tally for completeness.

Figure 1: Elevation of Privilege vulnerabilities outpace Remote Code Execution flaws for the second month in a row, but RCE issues account for more Critical-severity patches

Products

• Windows: 65*
• 365: 16**
• Office: 16
• Azure: 7***
• SQL: 6
• Exchange: 5
• Excel: 4
• SharePoint: 4
• Word: 3
• Dynamics 365: 2
• PowerPoint: 1
• Teams: 1
• Visual Studio: 1
• Web Deploy: 1
• Windows Security App: 1
• Windows Subsystem for Linux (WSL2): 1

* As mentioned, the release information states that two of these were patched with the July release; we include those two in the August counts here and throughout this post.

** Includes two Critical-severity patches for Microsoft 365 Copilot’s Business Chat.

*** The release information notes that four of the Azure vulnerabilities have already been mitigated.

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. We note, by the way, that CVE names don’t always reflect affected product families closely. In particular, some CVEs names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa.

Figure 2: Windows patches five Critical-severity patches in August, but so do Azure and Office – and 365 has them all beat with six

Notable August updates

In addition to the issues discussed above, a variety of specific items merit attention.

CVE-2025-50165 — Windows Graphics Component Remote Code Execution Vulnerability
CVE-2025-53766 — GDI+ Remote Code Execution Vulnerability

It’s a tough month for Windows graphics-related componentry, as these two vulnerabilities weigh in with 9.8 CVSS Base scores. CVE-2025-50165 requires no user interaction, and can be exploited by an uninitialized function pointer being called when decoding a malicious JPEG, which could be embedded in a document, a Web page, or what you will. It affects strictly the newest versions of Windows (Win 11 2H24, Server 2025). Similarly, CVE-2025-53766 could be triggered without user interaction, should an attacker manage to upload documents containing a specially crafted metafile to a web service. (Alternately, they could craft a document containing the metafile, send it to an unwary user, and get them to open it.) Unusually, this CVE affects both Windows and Office.

CVE-2025-49712 — Microsoft SharePoint Remote Code Execution Vulnerability

As most Microsoft observers know well, there was plenty to say between the July and August Patch Tuesday releases about SharePoint. This issue, however, seems unrelated to ToolShell, though it’s fairly unpleasant all by itself, allowing any authenticated attacker to execute code over the network with little prior knowledge of the network required.

CVE-2025-53731, CVE-2025-53733, CVE-2025-53740, CVE-2025-53784 – four 365/Office issues

Preview Pane is a vector for all four of these vulnerabilities.

CVE-2025-53774, CVE-2025-53787 — Microsoft 365 Copilot BizChat Information Disclosure Vulnerability

These identically titled information-disclosure vulnerabilities, both Critical-severity, are mentioned in Microsoft’s summary information for August, but the company notes that both have already been mitigated. However, CVE-2025-53787 in particular did not go quietly, and internet commenters had things to say about the future implications of bugs of this nature. (It’s interesting to note that earlier information from Microsoft, as per the WindowsForum post, considered the issue to be Important in severity; the release on Tuesday classified it as Critical.)

CVE-2025-53786 — Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability

As noted above, this Important-severity EoP issue got plenty of attention at Black Hat and from CISA earlier this month. It’s a bug to be taken seriously, and Microsoft states that they believe it’s one of the vulnerabilities more likely to be exploited within the first 30 days post-release. But the story of how this patch arrived at release is an interesting one from a disclosure standpoint. The finder, Dirk-jan Mollema with Outsider Security, worked with Microsoft to sort out the issue prior to his Black Hat presentation. In turn, Microsoft credits his find in their release materials, a sign that the disclosure was well-coordinated. The issue itself relates to an April hotfix for hybrid Exchange deployments.

CVE-2024-53772 — Web Deploy Remote Code Execution Vulnerability

Web Deploy, for those not familiar with the tool, is used to deploy Web applications and Web sites to IIS servers. It will likely be familiar to users of Visual Studio.

Figure 3: Remote Code Execution issues continue to lead all other types in 2025’s Patch Tuesday releases, but Elevation of Privilege issues are close behind – 266 to 257, by our count. Meanwhile, Spoofing picks up its first Critical-severity case in August, and the first non-advisory Moderate-severity patch of the year is noted

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of August patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (44 CVEs)

Remote Code Execution (35 CVEs)

Information Disclosure (18 CVEs)

Spoofing (7 CVEs)

Denial of Service (4 CVEs)

Tampering (1 CVE)

Appendix B: Exploitability and CVSS

This is a list of the August CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. (No CVE among this month’s patches is known to be already exploited in the wild, so that list doesn’t appear this month.) The list is further arranged by CVE.

This is a list of August’s CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema.

Appendix C: Products Affected

This is a list of August’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. Certain significant issues for which advisories have been issued are covered in Appendix D, and issues affecting Windows Server are further sorted in Appendix E. All CVE titles are accurate as made available by Microsoft; for further information on why certain products may appear in titles and not product families (or vice versa), please consult Microsoft.

Windows (65 CVEs)

365 (16 CVEs)

Office (16 CVEs)

Azure (7 CVEs)

SQL (6 CVEs)

Exchange (5 CVEs)

Excel (4 CVEs)

SharePoint (4 CVEs)

Word (3 CVEs)

Dynamics 365 (2 CVEs)

PowerPoint (1 CVE)

Teams (1 CVE)

Visual Studio (1 CVE)

Web Deploy (1 CVE)

Windows Security App (1 CVE)

Windows Subsystem for Linux (WSL2) (1 CVE)

Appendix D: Advisories and Other Products

There are 10 Edge-related advisories in August’s release, all but two of which originated outside Microsoft.

In addition, eight of CVEs appear in this month’s Patch Tuesday information only to assure the public that they have already been mitigated, whether as part of the normal course of cloud business or (in the case of two Windows patches) as part of last month’s patch collection, though they were unnamed in that release. Since this month’s CVSS 10.0 CVE is among those eight, we are listing those here with their CVE, title, impact, severity, and CVSS base score.

There were no Adobe advisories included in the August release.

Appendix E: Affected Windows Server versions

This is a table of the 66 CVEs in the August release affecting Windows Server versions 2008 through 2025. CVE-2025-48807 and CVE-2025-53789, the two CVEs that shipped in July but were left out of the official information last month as mentioned above, are included here.  The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). Critical-severity issues are marked in red; an “x” indicates that the CVE does not apply to that version. Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft.