Microsoft’s August 2025 security update patches a publicly disclosed Kerberos privilege escalation flaw and a dangerous Exchange hybrid vulnerability that could let attackers hop from on-premises servers to cloud tenants. The release also addresses an actively exploited NTLM hash leak bypass, multiple remote-code execution bugs, and a rare kernel crash triggered by a Rust-based component. Security teams should waste no time: domain controllers and Exchange hybrid servers must be patched immediately, while complementary network hardening can blunt attacks against still-unpatched NTLM vectors.
The Big Ones: BadSuccessor and Exchange Hybrid
CVE-2025-53779 – BadSuccessor Kerberos Elevation of Privilege
The vulnerability, disclosed publicly before Microsoft shipped a fix, abuses delegated Managed Service Account (dMSA) attributes—specifically msds-groupMSAMembership and msds-ManagedAccountPrecededByLink—to create improper delegation relationships. An attacker with preexisting privileges can manipulate these attributes to impersonate high-privilege identities, potentially escalating to Domain Administrator. The attack requires at least one domain controller running Windows Server 2025, which limited early prevalence to roughly 0.7% of Active Directory domains, per Tenable telemetry. However, any environment with that precondition faces catastrophic compromise if exploited. Because the bug was public, exploit code could surface rapidly, making patch deployment the top priority.
CVE-2025-53786 – Exchange Hybrid Privilege Escalation
Organizations running hybrid Exchange deployments with a shared service principal between on-premises and Exchange Online are at immediate risk. An attacker who first gains administrative control of an on-prem Exchange server—a frequent target in historical campaigns—can abuse the trust relationship to escalate into the Microsoft 365 tenant, potentially gaining access to cloud mailboxes and sensitive data. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued emergency guidance, urging rapid patching, deployment of a dedicated Exchange hybrid application, and resetting of service principal keyCredentials. Failure to act could turn a localized server breach into a tenant-wide cloud compromise.
Why These Flaws Are Deceptively Dangerous
Attackers can chain vulnerabilities: a low-level on-prem foothold, combined with the BadSuccessor Kerberos weakness or the Exchange hybrid escalation, yields full domain or tenant control. CVE-2025-53779’s pre-disclosure status raises the odds of opportunistic exploitation, while hybrid identity setups often blur audit boundaries—malicious on-prem activity may fly under cloud detection radar. Security researchers also warn that the Exchange hybrid pathway is a prime target for advanced persistent threats seeking long-term access to corporate communications.
NTLM Hash Leaks Get a Zero-Click Bypass
CVE-2025-50154 is a bypass of an earlier NTLM mitigation (CVE-2025-24054, fixed in March 2025). By exploiting subtle file-handling behaviors—icon retrieval, UNC path processing—attackers can coerce Windows Explorer into sending NTLM hashes to a remote server without any user click. Captured NTLMv2 hashes can be cracked offline or used in relay attacks to authenticate to services like Exchange or SQL. Microsoft’s prior patch reduced exposure, but the bypass proves that defense-in-depth is mandatory. Administrators should immediately block outbound SMB traffic, enforce SMB signing, disable NTLM where feasible, and add critical accounts to Protected Users groups.
Other Notable Vulnerabilities
- Remote Code Execution in Graphics and File Parsing: Multiple RCE flaws in GDI+, DirectX Graphics Kernel, MSMQ, and SQL Server can be triggered via malicious documents or media files, classic phishing vectors that are often weaponized within hours of disclosure.
- Rust-Based Kernel Component Crash: Check Point researchers discovered a vulnerability in a Windows kernel component written in Rust that can cause system-wide crashes and forced reboots. The finding underscores that memory-safe languages reduce but do not eliminate risks; logic bugs and improper input handling still pose denial-of-service threats.
- Cloud-Only Fixes: Microsoft confirmed that several Azure, Microsoft 365 Copilot, and Azure OpenAI vulnerabilities were remediated on the service side, requiring no customer action—but tenants should still verify via official health dashboards.
Mitigation Playbook
- Patch domain controllers immediately. Apply KB5063878 (or the equivalent for your Windows version) to all DCs. Stagger reboots to maintain directory availability. For Windows 11, the update brings OS build 26100.4946; standalone MSU packages are available from the Microsoft Update Catalog and must be installed in a specific order using DISM if deploying offline.
- Secure Exchange hybrid servers. Apply the April 2025 or August 2025 hotfix, deploy a dedicated Exchange hybrid app (creating a new, separate service principal), and reset
keyCredentialsfor any legacy shared service principal. Follow CISA’s and Microsoft’s detailed remediation steps. - Harden NTLM. Block outbound SMB (TCP 445) at the firewall, apply the Group Policy “Restrict NTLM: Outgoing NTLM traffic to remote servers” in audit/block mode, and move sensitive accounts to Protected Users.
- Audit dMSA permissions. Restrict who can create or modify delegated Managed Service Accounts; monitor and alert on any writes to
msds-groupMSAMembershipormsds-ManagedAccountPrecededByLink. - Deploy RCE patches on internet-facing systems and endpoints that handle untrusted documents, especially those running graphics or database services.
- Validate cloud-side remediations. Check Azure and Microsoft 365 service health pages to confirm that vulnerabilities flagged as “service-side fixed” are fully resolved in your tenant.
Detection and Incident Response
Monitor for these indicators of compromise or failed exploitation:
- Unexpected changes to service principal keyCredentials in Entra ID.
- New or unusual writes to dMSA attributes.
- Outbound SMB/NTLM authentication attempts to external IPs.
- Recurring kernel crashes or Explorer.exe crashes that coincide with graphics processing.
- Suspicious mailbox-access patterns, creation of forwarding rules, or sudden admin role assignments in Exchange Online.
If hybrid escalation or Kerberos abuse is suspected, assume potential tenant-wide compromise and engage formal incident response procedures.
The Long Game: Identity Hygiene and Hybrid Reviews
This month’s bulletin reinforces a cardinal rule of modern security: identity stores are the ultimate prize. Organizations must enforce least privilege for dMSAs, block NTLM wherever possible, and routinely audit hybrid OAuth configurations and service principal relationships. The BadSuccessor bug, though currently narrow in scope, signals that even newer Windows Server features can introduce high-impact attack paths. Adopt a defense-in-depth approach that combines rapid patching with network segmentation, robust monitoring, and strict access controls.
Act Now
With a publicly disclosed zero-day, a hybrid-cloud escalation pathway, and a post-patch NTLM bypass all arriving in one month, delay is not an option. Attackers already have the details they need to exploit these flaws. Deploy the August 2025 updates immediately, harden your identity infrastructure, and verify that compensating controls are in place for any systems that cannot be patched right away. Assume that unpatched systems are already being scanned, and treat this cycle as the catalyst to reinforce foundational security practices.