Microsoft fixes “BadSuccessor” Kerberos vulnerability (CVE-2025-53779)
For August 2025 Patch Tuesday, Microsoft has released security updates resolving 100+ security vulnerabilities in its various solutions, including a relative path traversal flaw in Windows Kerberos (CVE-2025-53779) that allows an authorized attacker to elevate privileges over a network as part of a BadSuccessor attack.
The vulnerability, discovered by Akamai researcher Yuval Gordon, exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025 and can be used to compromise any user in Active Directory (AD).
“An attacker who successfully exploited this vulnerability could gain domain administrator privileges,” Microsoft confirmed.
While the vulnerability has been known for months, there is currently no indication that it has been exploited in the wild. Microsoft rates the likelihood of exploitation as “less likely” and, consequently, does not consider this security update critical to deploy urgently.
“To exploit BadSuccessor, an attacker must have at least one domain controller in a domain running Windows Server 2025 in order to achieve domain compromise,” Satnam Narang, senior staff research engineer at Tenable, told Help Net Security.
He also noted that the flaw’s immediate impact is limited, as only 0.7% of AD domains had met the prerequisite at the time of disclosure.
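Whether a domain is among those that meet the prerequisite described above can be checked from any domain-joined host. The PowerShell below is an added example, not from the article or from Akamai: it assumes the RSAT ActiveDirectory module and read access to the domain, and the dMSA objectClass name it queries is an assumption to be verified against your forest schema.

```powershell
# Added example: inventory the BadSuccessor prerequisite (a Windows Server 2025
# domain controller) and list dMSA objects for review. Assumes the RSAT
# ActiveDirectory module is installed and the caller has read access to AD.
Import-Module ActiveDirectory

function Get-BadSuccessorExposure {
    # Every DC in the current domain, with its reported operating system.
    $dcs = @(Get-ADDomainController -Filter * |
        Select-Object Name, OperatingSystem, OperatingSystemVersion)

    # DCs whose OS string identifies Windows Server 2025.
    $exposed = @($dcs | Where-Object { $_.OperatingSystem -like '*Server 2025*' })

    # dMSA objects present in the domain. The objectClass name used here is an
    # assumption based on the dMSA schema; confirm it against your forest schema.
    $dmsas = @(Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties whenCreated, whenChanged, distinguishedName)

    [PSCustomObject]@{
        DomainControllers     = $dcs.Count
        Server2025Controllers = $exposed.Count
        PrerequisiteMet       = ($exposed.Count -gt 0)
        DelegatedMSAs         = $dmsas.Count
        DelegatedMSADetails   = $dmsas |
            Select-Object Name, whenCreated, whenChanged, distinguishedName
    }
}

$result = Get-BadSuccessorExposure
$result | Format-List

if ($result.PrerequisiteMet) {
    Write-Warning 'At least one Windows Server 2025 DC is present: prioritise the CVE-2025-53779 update and review the dMSA objects listed above.'
}
```

Run it in each domain of the forest separately; `Get-ADDomainController -Filter *` only returns controllers for the domain the session is bound to.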
Vulnerabilities that you should resolve quickly
“In the wake of last month’s ‘ToolShell’ zero-days (CVE-2025-53770 and CVE-2025-53771), which ravaged organizations through unauthenticated RCE exploits, Microsoft [has patched] another important deserialization bug: CVE-2025-49712,” says Saeed Abbasi, senior manager of security research with Qualys’ Threat Research Unit.
“This RCE demands authentication but pairs dangerously with known auth bypasses. Attackers chaining this with prior flaws could achieve full server compromise, and data exfiltration. It’s not yet exploited in the wild, but history shows these evolve fast, and exposed SharePoint instances are prime footholds for lateral movement. Prioritize and patch all SharePoint updates, rotate keys, and eliminate internet exposure. Delaying invites regulatory scrutiny and breaches since SharePoint’s exploit streak isn’t over.”
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, flagged CVE-2025-53731 and CVE-2025-53740, two Microsoft Office RCE vulnerabilities, as important to address sooner rather than later.
“This is the seventh month in a row where at least one Office component allowed code execution through the Preview Pane. With so many different components impacted, I doubt these are all patch bypasses. Instead, it appears attackers are mining code that hasn’t been looked at much and finding some gems. Perhaps it’s time to consider disabling the Preview Pane for a bit while the security gnomes in Redmond sort this out,” he advised.
CVE-2025-53766, a heap-based buffer overflow in Windows GDI+ (a graphics API used in Windows for rendering 2D graphics, images, and text), allows an unauthorized attacker to execute code over a network.
“An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. In the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile without user interaction,” Microsoft explained (though it still considers the flaw less likely to be exploited).
Childs gave an example of such a worst-case scenario: an attacker uploading something through an ad network that is served up to users.
“Ad blockers are just to remove annoyances; they also protect against malicious ads. They’re rare, but they have occurred in the past. Since GDI+ touches so many different components (and users tend to click on anything), test and deploy this one quickly,” he recommended.
On the other hand, CVE-2025-53778, an authenticated Windows NTLM elevation of privilege vulnerability with a low attack complexity, is considered by Microsoft more likely to be exploited, and should be addressed sooner rather than later.
Finally, if you’re running a hybrid deployment of Microsoft Exchange, be sure to check that you’re not among the (still too many) organizations that haven’t taken action to resolve CVE-2025-53786, a severe elevation of privilege flaw that pushed CISA to issue an emergency directive and guidance on how to address it.
“A successful exploit of CVE-2025-53786 would be highly disruptive. It exploits a bridge for an attacker to pivot from a compromised on-premises server directly into an organization’s cloud environment, potentially gaining administrative control over Exchange Online and other connected Microsoft 365 services,” says Ben McCarthy, lead cyber security engineer at Immersive.
An attack taking advantage of it would be difficult to detect in standard audit logs, he pointed out, and made sure to note that plugging this security hole requires more than just installing a patch.
“Administrators must also follow Microsoft’s manual configuration steps to create a dedicated service principal for the hybrid connection. This breaks the overly permissive shared trust, ensuring the on-prem server has only the limited permissions it truly needs,” he explained.