Over 100 vulnerabilities addressed by Microsoft in August's Patch Tuesday updates
In a significant move, Microsoft has released updates to address over 100 CVEs during its September Patch Tuesday, making it one of the largest updates of the year. The updates include two zero-day bugs, one of which is in SQL Server, and several critical vulnerabilities that pose a serious threat to security.
One of the zero-day bugs, CVE-2025-53779, is an elevation of privileges (EoP) vulnerability in Windows Kerberos. Successful exploitation of this bug requires an attacker to have pre-existing control of two attributes: msds-groupMSAMembership and msds-ManagedAccountPrecededByLink. This vulnerability is related to delegated Managed Service Accounts (dMSAs), which are designed to allow for migration from traditional service accounts to machine accounts.
Another critical-rated vulnerability, CVE-2025-50177, is a use-after-free bug in Windows Message Queuing. This bug allows an unauthorized attacker to execute code over a network, potentially leading to the attacker gaining domain admin privileges.
There are 13 vulnerabilities marked "critical" this Patch Tuesday, with nine of them falling under the "exploitation more likely" category of Microsoft's Exploitability Index. Among these critical vulnerabilities, CVE-2025-53778 is an improper authentication bug in Windows NTLM that allows an authorized attacker to elevate privileges over a network.
Kerberoasting, a method known for being one of the most time-efficient ways to elevate privileges and move laterally throughout an organization's network, is a concern addressed by the updates. The dMSA, a feature supported by Microsoft that automates the rotation of credentials for service accounts, is designed to prevent credential harvesting using Kerberoasting.
Microsoft's efforts to address these vulnerabilities have been emphasized by security experts. Brian Donohue, principal researcher at Red Canary, urged sysadmins to focus on patching the listed vulnerabilities. Adam Barnett, lead software engineer at Rapid7, explained that Microsoft's motivation for addressing the SQL Server zero-day bug was to prevent credential harvesting using Kerberoasting.
This year has been notable for the number of zero-days addressed by Microsoft, with July's Patch Tuesday being the only month to address over 100 CVEs. The September update addresses 81 vulnerabilities, including two zero-days actively being exploited, covering products such as Windows, Office, Azure, SQL Server, and Windows Defender. It is crucial for users to apply these updates promptly to ensure their systems remain secure.
