India's Computer Emergency Response Team (CERT-In) has issued a high-severity advisory warning organizations and individuals to urgently patch a range of Microsoft products, including the Edge browser, Windows Server storage components, certificate handling, and Azure Databricks, after discovering multiple vulnerabilities that could enable ransomware attacks, data theft, and full system compromise. The alert, released on August 28, 2025, underscores a cross-product risk profile where unpatched systems could allow remote code execution, elevation of privileges, certificate spoofing, and other bypasses that are routinely weaponized in enterprise-targeted intrusions.

Broad Alert Targets Microsoft's Ecosystem

The advisory follows Microsoft’s August 2025 Patch Tuesday cycle, which addressed dozens of issues across Windows and Azure. CERT-In’s analysis singled out six product areas for immediate attention:

  • Microsoft Edge (Chromium-based)
  • Windows Server (storage components)
  • Windows Certificates component
  • MBT Transport driver (netbt.sys)
  • Microsoft PC Manager
  • Azure Databricks

“Multiple vulnerabilities exist in multiple Microsoft product components,” the agency stated, warning that exploitation could lead to arbitrary code execution, privilege escalation, bypass of security controls, and cryptographic signature spoofing. The advisory mirrors similar urgent warnings from other national incident response teams and security researchers, who note that the flaws span common attack classes that underpin modern ransomware and data exfiltration campaigns.

Vulnerabilities at a Glance

The flagged vulnerabilities fall into three high-impact categories: remote code execution (RCE), privilege escalation, and security feature bypass. RCE in a browser or kernel component can provide an initial foothold, while privilege escalation turns a limited compromise into full system control. Certificate spoofing undermines trust chains used for code signing, Secure Boot, and TLS, potentially enabling supply-chain attacks.

Attackers often chain these weaknesses. A browser RCE combined with a kernel escalation allows a threat actor to move from a single click to domain-wide ransomware deployment. The advisory stresses that public-facing and high-value assets face the greatest risk, especially where patches are delayed.

Deep Dive: What Each Flaw Means for Enterprises

Microsoft Edge (Chromium-based)

Memory-safety and input-validation bugs in the V8 JavaScript engine, Mojo IPC, and layout components can be triggered by a crafted webpage. Because modern browsers are the primary vector for both commodity and targeted attacks, an unpatched Edge browser on a corporate endpoint can serve as an entry point for attackers to run code in the context of the browser process. Microsoft has released updated Edge builds that incorporate the fixes; users and IT admins must ensure they are applied.

Windows Server Storage Components

Vulnerabilities in the storage stack and kernel-adjacent drivers could allow privilege escalation or information disclosure. Storage components touch files and metadata at a low level, making them attractive for attackers seeking persistent access or the ability to corrupt integrity controls. OS-level cumulative updates address these issues, but clusters and hyperconverged systems require careful sequencing to avoid downtime.

Windows Certificates Component

Certificate handling and signature verification flaws could allow attackers to craft artifacts that bypass cryptographic checks. This threatens the integrity of code signing, Secure Boot trust chains, and TLS validation. A successful exploit could let an attacker run malicious code as if it were signed by a trusted publisher, opening paths for kernel-level tampering or man-in-the-middle attacks.

MBT Transport Driver (netbt.sys)

The NetBIOS over TCP/IP driver contains an integer underflow or overflow vulnerability that can be exploited to corrupt kernel memory and escalate privileges to SYSTEM. Kernel-mode driver vulnerabilities are especially dangerous because they allow an attacker to pivot from a user-level compromise to full host takeover. While NetBIOS is a legacy protocol, it remains present in many enterprise environments, providing a broad attack surface.

Microsoft PC Manager

This desktop utility, often pre-installed on OEM and consumer devices, has several local privilege escalation flaws. Insecure file handling and link-following issues let a low-privileged attacker place crafted files that are consumed by a higher-privilege service, leading to code execution under elevated context. Patching or, where possible, removing the utility eliminates this risk.

Azure Databricks

Improper access control and authorization weaknesses in Azure Databricks and related governance services could allow privilege escalation across workspace boundaries. An attacker could move from a lower-privilege service identity to admin-level access, enabling lateral movement to storage accounts, Key Vaults, or data exfiltration. Mitigation requires control plane patches, runtime upgrades, token rotation, and strict Role-Based Access Control (RBAC).

Real-World Attack Scenarios

The combination of these vulnerabilities creates several high-impact attack paths:

  • Ransomware Chain: A browser RCE plus a kernel privilege escalation allows an attacker to deploy ransomware across an entire domain, bypassing endpoint protections.
  • Cloud Data Theft: Azure Databricks privilege escalation could let an attacker export sensitive datasets from a data lake or manipulate job definitions to siphon data to external endpoints.
  • Supply-Chain Trust Erosion: Certificate spoofing threatens system boot integrity and code provenance, making long-term remediation costly and slow.
  • Compliance and Operational Damage: Data breaches involving regulated datasets carry immediate regulatory fines, reputational harm, and recovery costs.

Immediate Actions for IT and Security Teams

Organizations must move beyond routine patch cycles and treat this advisory as an operational emergency.

Inventory and Prioritize

First, inventory all systems running the affected components: Edge versions, Windows Server SKUs with storage roles, PC Manager installations, and every Azure Databricks workspace. Prioritize internet-facing systems, privileged endpoints, and assets housing sensitive data.

Apply Patches Immediately

Microsoft Edge: Open Edge, click the three-dot menu, go to Help and feedback > About Microsoft Edge. The browser will check for and install updates; restart when prompted. In managed environments, deploy the latest stable channel packages via your patching tool.

Windows Server and Kernel Fixes: Deploy the August 2025 cumulative updates using WSUS, SCCM, or another patch orchestration tool. Sequence reboots and cluster updates to avoid service disruption.

Microsoft PC Manager: Push vendor updates or uninstall the utility where unnecessary. Treat any non-essential OEM tools as optional attack surface.

Azure Databricks: Apply control plane updates where offered, upgrade cluster runtime versions and JDBC/driver components, and restart long-running clusters. Rotate service tokens and enforce least-privilege RBAC.

Compensating Controls if Patching Must Wait

If immediate patching is not possible, implement these measures to raise the bar:
- Apply network segmentation and micro-segmentation for critical services.
- Block or restrict NetBIOS/SMB over untrusted networks to limit netbt exposure.
- Enforce strict RBAC in the cloud, with MFA for all admin actions.
- Temporarily disable or restrict PC Manager features.
- Increase endpoint detection and response (EDR) sensitivity, with focused rules for abnormal browser child processes or unexpected driver loads.

Hunt for Compromise

Look for signs of exploitation: suspicious process creation from browser binaries, unexpected SYSTEM token usage, lateral SMB/NetBIOS traffic spikes, or Databricks job creations from unknown principals. Centralize Windows Event Logs, Sysmon, AD logs, and Azure audit logs, and prepare containment playbooks.

Proactive Defense: Beyond the Patch

This incident highlights broader security hygiene gaps:
- Eliminate Legacy Attack Surface: Disable NetBIOS/NetBT where not needed and remove unnecessary OEM utilities.
- Integrate Endpoint and Cloud Security: Attackers already pivot between on-premise and cloud; monitoring and response must span both.
- Maintain Emergency Patch Processes: Create a fast-track change management path that balances testing with speed for critical CVEs.
- Invest in Rich Telemetry: Ensure logs from endpoints, servers, and cloud services feed into a SIEM for correlation.

Conclusion

The CERT-In alert is not another routine patch notice—it is a clear signal that chained exploitation of browser, kernel, and cloud flaws poses an immediate enterprise-wide risk. Microsoft has done its part by releasing fixes; the real test lies in how quickly organizations deploy those updates and harden their environments. Delaying action invites ransomware, data theft, and prolonged incident response. Inventory affected assets now, apply patches or compensating controls immediately, and hunt for active compromise. The cost of inaction far outweighs the effort of a swift, decisive response.