Microsoft on Tuesday rolled out fixes for a massive set of 111 security flaws across its software portfolio, including one flaw that has been disclosed as publicly known at the time of the release.
Of the 111 vulnerabilities, 16 are rated Critical, 92 are rated Important, two are rated Moderate, and one is rated Low in severity. Forty-four of the vulnerabilities relate to privilege escalation, followed by remote code execution (35), information disclosure (18), spoofing (8), and denial-of-service (4) defects.
This is in addition to 16 vulnerabilities addressed in Microsoft’s Chromium-based Edge browser since the release of last month’s Patch Tuesday update, including two spoofing bugs affecting Edge for Android.
Included among the vulnerabilities is a privilege escalation vulnerability impacting Microsoft Exchange Server hybrid deployments (CVE-2025-53786, CVSS score: 8.0) that Microsoft disclosed last week.
The publicly disclosed zero-day is CVE-2025-53779 (CVSS score: 7.2), another privilege escalation flaw in Windows Kerberos that stems from a case of relative path traversal. Akamai researcher Yuval Gordon has been credited with discovering and reporting the bug.
It’s worth mentioning here that the issue was publicly detailed back in May 2025 by the web infrastructure and security company, giving it the codename BadSuccessor. The novel technique essentially allows a threat actor with sufficient privileges to compromise an Active Directory (AD) domain by misusing delegated Managed Service Account (dMSA) objects.
“The good news here is that successful exploitation of CVE-2025-53779 requires an attacker to have pre-existing control of two attributes of the hopefully well protected dMSA: msds-groupMSAMembership, which determines which users may use credentials for the managed service account, and msds-ManagedAccountPrecededByLink, which contains a list of users on whose behalf the dMSA can act,” Adam Barnett, lead software engineer at Rapid7, told The Hacker News.
“However, abuse of CVE-2025-53779 is certainly plausible as the final link of a multi-exploit chain which stretches from no access to total pwnage.”
Action1’s Mike Walters noted that the path traversal flaw can be abused by an attacker to create improper delegation relationships, enabling them to impersonate privileged accounts, escalate to a domain administrator, and potentially gain full control of the Active Directory domain.
“An attacker who already has a compromised privileged account can use it to move from limited administrative rights to full domain control,” Walters added. “It can also be paired with methods such as Kerberoasting or Silver Ticket attacks to maintain persistence.”
“With domain administrator privileges, attackers can disable security monitoring, modify Group Policy, and tamper with audit logs to hide their activity. In multi-forest environments or organizations with partner connections, this flaw could even be leveraged to move from one compromised domain to others in a supply chain attack.”
Satnam Narang, senior staff research engineer at Tenable, said the immediate impact of BadSuccessor is limited, as only 0.7% of Active Directory domains had met the prerequisite at the time of disclosure. “To exploit BadSuccessor, an attacker must have at least one domain controller in a domain running Windows Server 2025 in order to achieve domain compromise,” Narang pointed out.
Some of notable Critical-rated vulnerabilities patched by Redmond this month are below –
- CVE-2025-53767 (CVSS score: 10.0) – Azure OpenAI Elevation of Privilege Vulnerability
- CVE-2025-53766 (CVSS score: 9.8) – GDI+ Remote Code Execution Vulnerability
- CVE-2025-50165 (CVSS score: 9.8) – Windows Graphics Component Remote Code Execution Vulnerability
- CVE-2025-53792 (CVSS score: 9.1) – Azure Portal Elevation of Privilege Vulnerability
- CVE-2025-53787 (CVSS score: 8.2) – Microsoft 365 Copilot BizChat Information Disclosure Vulnerability
- CVE-2025-50177 (CVSS score: 8.1) – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
- CVE-2025-50176 (CVSS score: 7.8) – DirectX Graphics Kernel Remote Code Execution Vulnerability
Microsoft noted that the three cloud service CVEs impacting Azure OpenAI, Azure Portal, and Microsoft 365 Copilot BizChat have already been remediated, and that they require no customer action.
Check Point, which disclosed CVE-2025-53766 alongside CVE-2025-30388, said the vulnerabilities allow attackers to execute arbitrary code on the affected system, leading to a full system compromise.
“The attack vector involves interacting with a specially crafted file. When a user opens or processes this file, the vulnerability is triggered, allowing the attacker to take control,” the cybersecurity company said.
The Israeli firm revealed that it also uncovered a vulnerability in a Rust-based component of the Windows kernel that can result in a system crash that, in turn, triggers a hard reboot.
“For organizations with large or remote workforces, the risk is significant: attackers could exploit this flaw to simultaneously crash numerous computers across an enterprise, resulting in widespread disruption and costly downtime,” Check Point said. “This discovery highlights that even with advanced security technologies like Rust, continuous vigilance and proactive patching are essential to maintaining system integrity in a complex software environment.”
Another vulnerability of importance is CVE-2025-50154 (CVSS score: 6.5), an NTLM hash disclosure spoofing vulnerability that’s actually a bypass for a similar bug (CVE-2025-24054, CVSS score: 6.5) that was plugged by Microsoft in March 2025.
“The original vulnerability demonstrated how specially crafted requests could trigger NTLM authentication and expose sensitive credentials,” Cymulate researcher Ruben Enkaoua said. “This new vulnerability […] allows an attacker to extract NTLM hashes without any user interaction, even on fully patched systems. By exploiting a subtle gap left in the mitigation, an attacker can trigger NTLM authentication requests automatically, enabling offline cracking or relay attacks to gain unauthorized access.”
Source: thehackernews.com
