
Microsoft on Aug. 12 released security updates addressing more than 100 vulnerabilities across its products, including 13 rated critical. The patches include fixes for a graphics component flaw described as “extraordinarily high-risk” and a maximum-severity vulnerability in Azure’s OpenAI service.
“This month’s release highlights an upward trend in post-compromise vulnerabilities over code execution bugs,” wrote Satnam Narang, senior staff research engineer, Tenable, in an email to TechRepublic. “For the second consecutive month, elevation of privilege vulnerabilities represented the majority of CVEs patched this month at 39.3% (41.4% in July).”
Memory corruption flaw deemed ‘extraordinarily high-risk’
Major vulnerabilities that Microsoft patched this month include CVE-2025-50165. Action1 CEO and co-founder Alex Vovk called it “extraordinarily high-risk.”
In an email to TechRepublic, Vovk said, “It is a notably harmful memory corruption vulnerability because it occurs at a core level of the operating system’s image processing pipeline, impacting many applications and services.”
CVE-2025-50165 affects the Microsoft Graphics Component, with an untrusted pointer dereference potentially allowing an attacker to execute code over the network. While Microsoft says exploitation of this vulnerability is “less likely,” Vovk said the CVSS score of 9.8 and “a perfect storm of attack conditions (network vector, low complexity, no privileges, and no user interaction required)” make this a high-priority vulnerability.
Ben McCarthy, lead cybersecurity engineer at Immersive, also highlighted this vulnerability.
“The attack vector is extremely broad, because the vulnerability is triggered when the operating system processes a specially crafted JPEG image,” McCarthy said in an email to TechRepublic. “This means any application that renders images — from email clients generating previews and instant messaging apps displaying images, to office documents with embedded photos — can become an in for the attack.”
Microsoft closes Azure OpenAI elevation of privilege threat
Another vulnerability patched this month, CVE-2025-53767, is an elevation of privilege vulnerability in Azure’s OpenAI service with a maximum CVSS score of 10.
“Since it’s Azure OpenAI, end customers don’t need to take any action as Microsoft will have tackled the vulnerability on the Azure platform, but it’s an interesting note that highlights how AI technologies still require close monitoring, careful patching, and strong guardrails just like any other technology in an organization’s stack,” wrote Nick Carroll, cyber incident response manager at intelligence solutions company Nightwing, in an email to TechRepublic.
More vulnerabilities Microsoft addressed this Patch Tuesday
Other notable vulnerabilities patched this month include:
- CVE-2025-53766: A heap-based buffer overflow in Windows GDI+, with a CVSS score of 9.8 and no user interaction required to exploit it.
- CVE-2025-53740 and CVE-2025-53731: Two use-after-free vulnerabilities in Microsoft Office.
- CVE-2025-53784: A use-after-free vulnerability in Microsoft Word that could let an attacker run code as the current user.
- CVE-2025-53733: A critical vulnerability in Microsoft Word that could lead to arbitrary code execution.
- CVE-2025-53786: A vulnerability in Microsoft Exchange Server that requires installing a hotfix manually.
- CVE-2025-53778: An elevation of privilege flaw in Windows NTLM.
Patch Tuesday reminder and upcoming Windows 10 changes
Patch Tuesday is a vital opportunity for organizations to verify they have applied all relevant updates to Microsoft products. Other vendors, including SAP and CISA, also released security advisories or patches on the second Tuesday of August.
Windows 10 will no longer receive free security updates after the upcoming Patch Tuesday on October 14. Users can either migrate to newer versions or enroll in Microsoft’s Extended Security Updates program to maintain security.
In other security news, an exploit based on a flaw in WinRAR has been attributed to two Russia-linked threat groups.