August Patch Tuesday contains blasts from the (latest) previous – Sophos Information

Microsoft on Tuesday introduced 109 patches affecting 16 product households. Eighteen of the addressed points are thought-about by Microsoft to be of Vital severity, and 31 have a CVSS base rating of 8.0 or greater, together with a “good” 10.0 affecting Azure. None are identified to be beneath lively exploit within the wild, although two Home windows points (CVE-2025-53786 and CVE-2025-53779) are already publicly disclosed.

At patch time, 9 CVEs are judged extra prone to be exploited within the subsequent 30 days by the corporate’s estimation. Numerous of this month’s points are amenable to direct detection by Sophos protections, and we embody info on these in a desk beneath. As well as, eight CVEs included on this month’s set, largely involving cloud-centric product households resembling Azure and 365, are already patched – together with the CVSS-10 merchandise talked about above. We’ve got included info on all eight in Appendix D. Apparently, two of these have been truly patched a full month in the past, within the July cycle, however a clerical mix-up left that info out of Microsoft’s July launch supplies. We embody these two in our August rely. Advisory info on ten Edge fixes was additionally included on this month’s launch, and may be seen in Appendix D.

We’re as all the time together with on the finish of this publish extra appendices itemizing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base rating, and by product household. One other appendix covers advisory-style updates and the checklist of points mentioned on this month’s launch supplies however mitigated previous to the discharge, and one other offers breakout of the patches affecting the varied Home windows Server platforms nonetheless in assist.

By the numbers

• Whole CVEs: 109
• Publicly disclosed: 2*
• Exploit detected: 0
• Severity
  • Vital: 18
  • Essential: 90
  • Reasonable: 1
• Affect
  • Elevation of Privilege: 44
  • Distant Code Execution: 35
  • Data Disclosure: 18
  • Spoofing: 7
  • Denial of Service: 4
  • Tampering: 1
• CVSS Base rating 10.0: 1
• CVSS Base rating 9.0 or better: 5
• CVSS Base rating 8.0 or better: 31

* Microsoft’s official launch materials states that only one vulnerability, CVE-2025-53779, is publicly disclosed by their requirements. Nonetheless, CVE-2025-53786 was publicly demonstrated at Black Hat final week and has been very extensively mentioned since then, with a CISA Emergency Directive issued. We embody it in our tally for completeness.

Determine 1: Elevation of Privilege vulnerabilities outpace Distant Code Execution flaws for the second month in a row, however RCE points account for extra Vital-severity patches

Merchandise

• Home windows: 65*
• 365: 16**
• Workplace: 16
• Azure: 7***
• SQL: 6
• Trade: 5
• Excel: 4
• SharePoint: 4
• Phrase: 3
• Dynamics 365: 2
• PowerPoint: 1
• Groups: 1
• Visible Studio: 1
• Internet Deploy: 1
• Home windows Safety App: 1
• Home windows Subsystem for Linux (WSL2): 1

* As talked about, the discharge info states that two of those have been patched with the July launch; we embody these two within the August counts right here and all through this publish.

** Consists of two Vital-severity patches for Microsoft 365 Copilot’s Enterprise Chat.

*** The discharge info notes that 4 of the Azure vulnerabilities have already been mitigated.

As is our customized for this checklist, CVEs that apply to a couple of product household are counted as soon as for every household they have an effect on. We word, by the best way, that CVE names don’t all the time replicate affected product households carefully. Particularly, some CVEs names within the Workplace household might point out merchandise that don’t seem within the checklist of merchandise affected by the CVE, and vice versa.

Determine 2: Home windows patches 5 Vital-severity patches in August, however so do Azure and Workplace – and 365 has all of them beat with six

Notable August updates

Along with the problems mentioned above, a wide range of particular objects advantage consideration.

CVE-2025-50165 — Home windows Graphics Element Distant Code Execution Vulnerability
CVE-2025-53766 — GDI+ Distant Code Execution Vulnerability

It’s a tricky month for Home windows graphics-related componentry, as these two vulnerabilities weigh in with 9.8 CVSS Base scores. CVE-2025-50165 requires no consumer interplay, and may be exploited by an uninitialized perform pointer being known as when decoding a malicious JPEG, which might be embedded in a doc, a Internet web page, or what you’ll. It impacts strictly the most recent variations of Home windows (Win 11 2H24, Server 2025). Equally, CVE-2025-53766 might be triggered with out consumer interplay, ought to an attacker handle to add paperwork containing a specifically crafted metafile to an online service. (Alternately, they might craft a doc containing the metafile, ship it to an unwary consumer, and get them to open it.) Unusually, this CVE impacts each Home windows and Workplace.

CVE-2025-49712 — Microsoft SharePoint Distant Code Execution Vulnerability

As most Microsoft observers know nicely, there was lots to say between the July and August Patch Tuesday releases about SharePoint. This situation, nevertheless, appears unrelated to ToolShell, although it’s pretty disagreeable all by itself, permitting any authenticated attacker to execute code over the community with little prior data of the community required.

CVE-2025-53731, CVE-2025-53733, CVE-2025-53740, CVE-2025-53784 – 4 365/Workplace points

Preview Pane is a vector for all 4 of those vulnerabilities.

CVE-2025-53774, CVE-2025-53787 — Microsoft 365 Copilot BizChat Data Disclosure Vulnerability

These identically titled information-disclosure vulnerabilities, each Vital-severity, are talked about in Microsoft’s abstract info for August, however the firm notes that each have already been mitigated. Nonetheless, CVE-2025-53787 particularly didn’t go quietly, and web commenters had issues to say concerning the future implications of bugs of this nature. (It’s attention-grabbing to notice that earlier info from Microsoft, as per the WindowsForum publish, thought-about the problem to be Essential in severity; the discharge on Tuesday categorised it as Vital.)

CVE-2025-53786 — Microsoft Trade Server Hybrid Deployment Elevation of Privilege Vulnerability

As famous above, this Essential-severity EoP situation bought loads of consideration at Black Hat and from CISA earlier this month. It’s a bug to be taken critically, and Microsoft states that they consider it’s one of many vulnerabilities extra prone to be exploited inside the first 30 days post-release. However the story of how this patch arrived at launch is an attention-grabbing one from a disclosure standpoint. The finder, Dirk-jan Mollema with Outsider Safety, labored with Microsoft to kind out the problem previous to his Black Hat presentation. In flip, Microsoft credit his discover of their launch supplies, an indication that the disclosure was well-coordinated. The difficulty itself pertains to an April hotfix for hybrid Trade deployments.

CVE-2024-53772 — Internet Deploy Distant Code Execution Vulnerability

Internet Deploy, for these not acquainted with the instrument, is used to deploy Internet purposes and Websites to IIS servers. It would doubtless be acquainted to customers of Visible Studio.

Determine 3: Distant Code Execution points proceed to guide all different varieties in 2025’s Patch Tuesday releases, however Elevation of Privilege points are shut behind – 266 to 257, by our rely. In the meantime, Spoofing picks up its first Vital-severity case in August, and the primary non-advisory Reasonable-severity patch of the yr is famous

Sophos protections

As you possibly can each month, in case you don’t wish to wait on your system to drag down Microsoft’s updates itself, you possibly can obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe instrument to find out which construct of Home windows 10 or 11 you’re working, then obtain the Cumulative Replace package deal on your particular system’s structure and construct quantity.

Appendix A: Vulnerability Affect and Severity

This can be a checklist of August patches sorted by affect, then sub-sorted by severity. Every checklist is additional organized by CVE.

Elevation of Privilege (44 CVEs)

Distant Code Execution (35 CVEs)

Data Disclosure (18 CVEs)

Spoofing (7 CVEs)

Denial of Service (4 CVEs)

Tampering (1 CVE)

Appendix B: Exploitability and CVSS

This can be a checklist of the August CVEs judged by Microsoft to be extra prone to be exploited within the wild inside the first 30 days post-release. (No CVE amongst this month’s patches is understood to be already exploited within the wild, in order that checklist doesn’t seem this month.) The checklist is additional organized by CVE.

This can be a checklist of August’s CVEs with a Microsoft-assessed CVSS Base rating of 8.0 or greater. They’re organized by rating and additional sorted by CVE. For extra info on how CVSS works, please see our sequence on patch prioritization schema.

Appendix C: Merchandise Affected

This can be a checklist of August’s patches sorted by product household, then sub-sorted by severity. Every checklist is additional organized by CVE. Patches which might be shared amongst a number of product households are listed a number of occasions, as soon as for every product household. Sure vital points for which advisories have been issued are coated in Appendix D, and points affecting Home windows Server are additional sorted in Appendix E. All CVE titles are correct as made obtainable by Microsoft; for additional info on why sure merchandise might seem in titles and never product households (or vice versa), please seek the advice of Microsoft.

Home windows (65 CVEs)

365 (16 CVEs)

Workplace (16 CVEs)

Azure (7 CVEs)

SQL (6 CVEs)

Trade (5 CVEs)

Excel (4 CVEs)

SharePoint (4 CVEs)

Phrase (3 CVEs)

Dynamics 365 (2 CVEs)

PowerPoint (1 CVE)

Groups (1 CVE)

Visible Studio (1 CVE)

Internet Deploy (1 CVE)

Home windows Safety App (1 CVE)

Home windows Subsystem for Linux (WSL2) (1 CVE)

Appendix D: Advisories and Different Merchandise

There are 10 Edge-related advisories in August’s launch, all however two of which originated exterior Microsoft.

As well as, eight of CVEs seem on this month’s Patch Tuesday info solely to guarantee the general public that they’ve already been mitigated, whether or not as a part of the traditional course of cloud enterprise or (within the case of two Home windows patches) as a part of final month’s patch assortment, although they have been unnamed in that launch. Since this month’s CVSS 10.0 CVE is amongst these eight, we’re itemizing these right here with their CVE, title, affect, severity, and CVSS base rating.

There have been no Adobe advisories included within the August launch.

Appendix E: Affected Home windows Server variations

This can be a desk of the 66 CVEs within the August launch affecting Home windows Server variations 2008 by way of 2025. CVE-2025-48807 and CVE-2025-53789, the 2 CVEs that shipped in July however have been neglected of the official info final month as talked about above, are included right here.  The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). Vital-severity points are marked in purple; an “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to establish their particular publicity, as every reader’s scenario, particularly because it issues merchandise out of mainstream assist, will fluctuate. For particular Data Base numbers, please seek the advice of Microsoft.