On August 12, 2025, Microsoft shipped its monthly security bundle, and it's one of those months that makes sysadmins reach for extra coffee. Two critical remote code execution (RCE) vulnerabilities in the Windows graphics stack, a publicly disclosed Kerberos privilege escalation that can hand over the keys to your entire domain, and a low-privilege-to-SYSTEM NTLM flaw all landed in the same package. The cumulative updates—KB5063878 for Windows 11 24H2, KB5063875 for the 22H2/23H2 families—cover over 50 CVEs, but a handful demand attention first.

The headline bugs: what changed

After sifting through the advisory, these are the CVEs most likely to keep security teams awake:

CVE Severity (CVSS) Component What it lets an attacker do
CVE-2025-50165 Critical (9.8) Microsoft Graphics Component Remote code execution via a crafted JPEG embedded in an Office file or image
CVE-2025-53766 Critical (9.8) Windows GDI+ RCE through a malformed metafile; no user interaction needed on server-side parsing
CVE-2025-53779 Moderate (7.2) Windows Kerberos (dMSA) Elevation to domain administrator by abusing delegated Managed Service Accounts
CVE-2025-53778 Critical (8.8) NTLM A low-privileged authenticated user escalates to SYSTEM over the network
CVE-2025-50177 Critical (8.1) MSMQ RCE on MSMQ servers via a race condition and use-after-free

The two graphics bugs—CVE‑2025‑50165 and CVE‑2025‑53766—both earned a near‑perfect 9.8 CVSS. They're classic memory‑safety issues (untrusted pointer dereference, heap overflow) that can be triggered by simply showing an image. On a client PC, that might mean opening a poisoned email attachment. On a server, it's a nightmare: every automated document converter, mail‑gateway thumbnailer, or web service that parses user-uploaded images becomes a potential entry point. Microsoft's advisory explicitly warns that \"document processing on web services\" can be abused to exploit the GDI+ flaw.

The Kerberos vulnerability, CVE‑2025‑53779, is different. It was publicly disclosed back in May 2025 as \"BadSuccessor\" by Yuval Gordon of Akamai, and while Microsoft rates it only Moderate, the consequences are anything but. Exploitation requires that an attacker already has some privileges—write access to specific attributes of a delegated Managed Service Account (dMSA)—but if those preconditions are met, the result is the ability to impersonate any user, including a Domain Admin, and take over the entire forest. The SpecterOps analysis (see reference_links) describes how an attacker who can create or compromise a dMSA can manipulate the msDS‑ManagedAccountPrecededByLink attribute to hijack a privileged security context. Because dMSAs were introduced only in Windows Server 2025, the exposure is limited to new deployments, but for those who have deployed them, this is a drop-everything moment.

What the August patches mean for you

Home users and small businesses

If you allow Windows Update to do its thing automatically, you'll likely receive the fix overnight. After installation, build numbers will bump: Windows 11 24H2 moves to 26100.4946, while other branches have their own increments. The biggest practical step you can take is to be extra cautious with email attachments and images from unknown sources for the next few days—these are prime delivery mechanisms for the graphics RCEs. And if you haven't already, enable automatic updates.

IT administrators and enterprise security teams

This month demands a prioritized rollout, not a \"patch everything at once\" scramble. The three-tier plan:

  • Tier-0 (immediate, within 24 hours): Domain controllers and any server that processes Kerberos (KDC proxies, authentication gateways) must get the patch for CVE‑2025‑53779 first. Next, patch internet‑facing services that parse images or documents: Exchange servers with preview, SharePoint, mail gateways, and any web app that runs Office or image conversion.
  • Tier-1 (within 72 hours): Administrative jump hosts, certificate authorities, and servers with MSMQ. Also, any Hyper‑V host that runs nested virtual machines, since other CVEs addressed isolation weaknesses.
  • Tier-2 (next maintenance window): Standard user endpoints and non-critical servers. For machines with Copilot+ hardware, the August rollup includes optional AI component updates; stage those carefully to avoid driver conflicts.

For the Kerberos flaw, patching the OS is necessary but not sufficient. Immediately audit and restrict who can modify dMSA attributes—particularly msDS‑ManagedAccountPrecededByLink and msDS‑GroupMSAMembership. The SpecterOps blog provides PowerShell scripts to add deny ACEs that block dMSA creation on OUs and prevent unauthorized attribute writes. If you can't patch right away, consider disabling the creation of new dMSAs entirely or, if your forest has no KDS Root Key, confirm that none can be generated (this makes dMSAs non-functional).

Developers and service providers

If you maintain document conversion services, thumbnail generators, or any pipeline that touches Office files or images, triage these updates immediately. Test your parsers against the patched GDI+ and Graphics Components to ensure no accidental breakage, but do not delay deployment. If you host multi‑tenant services, the Hyper‑V and MSMQ fixes also apply to you.

How we got here: a timeline of the BadSuccessor saga

The Kerberos vulnerability didn't appear out of nowhere. In May 2025, Akamai researcher Yuval Gordon published \"BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory,\" revealing how a newly introduced feature—delegated Managed Service Accounts in Windows Server 2025—could be disastrously misused. Microsoft's MSRC rated it Moderate and did not plan an immediate fix. The security community pushed back, and over the following months researchers like Jim Sycurity (SpecterOps) and others developed detailed mitigation playbooks and tools. The August Patch Tuesday finally delivers an official code fix, but the delay underscores how identity‑based attacks often get treated as less urgent than memory‑corruption bugs until a real‑world exploitation scenario emerges.

Graphics stack RCEs are a perennial problem. Every version of Windows inherits decades‑old code in GDI+ and the graphics driver interface, and despite hardening efforts, heap overflows and use‑after‑frees still surface. This month's two 9.8s join a long list: in 2024 alone, Microsoft patched dozens of similar flaws. Their ubiquity on every Windows machine, combined with the ease of delivering malicious images through email, chat, and the web, makes them a favorite initial‑access vector for ransomware gangs.

What to do now: a practical checklist

  1. Acquire the patches. Download KB5063878 (24H2) or KB5063875 (22H2/23H2) from the Microsoft Update Catalog, or use WSUS/SCCM. For Windows 10 21H2 and older, consult the Security Update Guide for the correct rollup.
  2. Patch domain controllers first. Even if you have no Server 2025 DCs, the Kerberos fix touches all supported DC roles. Reboot after installation.
  3. Restrict dMSA creation. Run the provided PowerShell script to add deny ACEs on every OU and container that allows dMSA child objects. If you have dMSAs already deployed, tighten their ACLs so that only Tier‑0 admins can write to msDS‑ManagedAccountPrecededByLink.
  4. Harden graphics‑processing servers. Disable automatic thumbnail generation where feasible. Ensure endpoint detection platforms are updated to recognize the exploitation patterns of these CVEs.
  5. Address MSMQ. If you don't need Message Queuing, disable the service. If you do, patch and consider network segmentation until the race condition fix is confirmed.
  6. Validate your work. After patching, check that the OS build matches the expected number. For domain controllers, verify that Kerberos ticket‑granting anomalies have not appeared in your SIEM.

Outlook

September's Patch Tuesday will likely bring more fixes, and Microsoft may issue additional hardening guidance for dMSAs as environments adopt the August updates. Beyond this month, keep an eye on the broader lifecycle: Windows 10 reaches end of support in October 2025, and Secure Boot certificate expirations (first batch mid‑2026) require firmware planning now. August 2025 is a loud reminder that identity‑based attacks and good old‑fashioned memory corruption still pack the same punch—and that layered defenses, not just patching, are what keep networks safe.