Microsoft Patch Tuesday for August 2025 — Snort rules and prominent vulnerabilities

TALOS
Tuesday, August 12, 2025 15:39

Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.

In this month’s release, Microsoft observed none of the included vulnerabilities being actively exploited in the wild. Out of 13 “critical” entries, 9 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including the Windows kernel, Microsoft Message Queuing (MSMQ), Windows Hyper-V, Microsoft Office and GDI+.

CVE-2025-50176 is an RCE vulnerability in the DirectX Graphics Kernel, given a CVSS 3.1 score of 7.8, where access of a resource using an incompatible type (“type confusion”) in the Graphics Kernel allows an authorized attacker to execute code locally. Microsoft has noted that this vulnerability affects different versions of Windows 11, Windows Server 2022 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “more likely”.

CVE-2025-50177 is an RCE vulnerability in the Microsoft Message Queuing (MSMQ) service, given a CVSS score of 8.1, where a use-after-free vulnerability allows an unauthorized attacker to execute code over a network. To exploit this vulnerability, an attacker would need to send a series of specially crafted MSMQ packets in rapid sequence over HTTP to an MSMQ server. Microsoft assessed that the attack complexity is “high”, and that exploitation is “more likely”.

CVE-2025-53778 is a Windows NTLM elevation of privilege vulnerability given a CVSS 3.1 base score of 8.8, where improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. An attacker who successfully exploits this vulnerability gains SYSTEM privileges. Microsoft has noted that this vulnerability affects different versions of Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2026, Windows Server 2019, Windows Server 2022 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “more likely”.

CVE-2025-53781 is an information disclosure vulnerability in Windows Hyper-V given a CVSS 3.1 base score of 7.7, where an authorized attacker may be able to disclose sensitive information over a network. Microsoft has noted that this vulnerability affects Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.

CVE-2025-53733 is a remote code execution vulnerability in Microsoft Word given a CVSS 3.1 base score of 8.4 where an incorrect conversion between numeric types in Microsoft Office Word allows an unauthorized attacker to execute code locally. Microsoft has noted that this vulnerability affects Word 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2016, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office LTSC 2019 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.

CVE-2025-53740 is a remote code execution vulnerability in Microsoft Office, given a CVSS 3.1 base score of 8.4 where a use after free condition allows an unauthorized attacker to execute code locally using a Preview Pane as the attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office LTSC 2019, Microsoft Office LTSC 2016 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.

CVE-2025-53766 is a remote code execution vulnerability in GDI+, a Windows graphics subsystem providing a set of features for rendering 2D graphics, images, and text. It was given a CVSS 3.1 base score of 9.8, where a heap-based buffer overflow allows an unauthorized attacker to execute code over a network. An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. Microsoft has noted that this vulnerability affects various versions of Windows 10, Windows 11 and Windows Server 2008. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.

CVE-2025-50165 is another remote code execution vulnerability in the Windows graphics component. It was also given a CVSS 3.1 base score of 9.8, where an untrusted pointer dereference allows an unauthorized attacker to execute code over a network without any user intervention. An attacker can take advantage of an uninitialized function pointer that is called when a JPEG image is decoded. Such an image can be embedded in Office and third-party documents/files. This vulnerability affects Windows 11 24H2 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.

CVE-2025-49707 is a spoofing vulnerability in the Windows Hyper-V hypervisor affecting Azure, given a CVSS 3.1 base score of 7.9, where improper access control may allow an attacker to perform spoofing locally. To exploit this vulnerability, an attacker could obtain a valid certificate after a system reboot, which could then be used to access sensitive information, bypassing security measures and allowing an attacker with access to a confidential VM to impersonate its identity in communications with external systems. Microsoft has noted that this vulnerability affects the NCCadsH100v5-series, ECesv5-series, ECedsv5-series, ECasv5-series, ECadsv5-series, DCesv5-series, DCedsv5-series, DCasv5-series and DCadsv5-series of Azure VMs. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.

CVE-2025-48807 is a remote code execution vulnerability in Windows Hyper-V hypervisor, given a CVSS 3.1 base score of 7.5, where improper restriction of communication channels to intended endpoints may result in an attacker executing code locally in a nested guest VM to escape their VM and gain admin privileges on the guest VM that is serving as the host. Microsoft has noted that this vulnerability affects various versions of Windows 10, Windows 11 and Windows Server VM. Microsoft assessed that the attack complexity is “high”, and that exploitation is “less likely”.

CVE-2025-53731 is a remote code execution vulnerability in Microsoft Office, given a CVSS 3.1 base score of 8.4, where exploiting a use after free vulnerability may allow an unauthorized attacker to execute code locally, with the Preview Pane as an attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office 2019, Microsoft Office 2016 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”.

CVE-2025-53784 is a remote code execution vulnerability affecting Microsoft Word, given a CVSS 3.1 base score of 8.4, where exploiting a use after free vulnerability may allow an unauthorized attacker to execute code locally, with the Preview Pane as an attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”.

CVE-2025-53793 is an information disclosure vulnerability in Microsoft Azure Stack Hub, which may allow an attacker to disclose system internal configuration information over the network. It was given a CVSS 3.1 base score of 7.5 and affects Azure Stack Hub 2501, Azure Stack Hub 2406 and Azure Stack Hub 2408. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”.

Aside from the vulnerabilities patched and disclosed in the regular monthly patch release for August, it is worth noting that one week ahead of the monthly update, Microsoft disclosed 4 vulnerabilities affecting Microsoft cloud services, CVE-2025-53767, CVE-2025-53774, CVE-2025-53787 and CVE-2025-53792. While the CVSS base score for some of them is high, Microsoft has noted that no customer actions are required to resolve the issues.

Talos would also like to highlight the following “important” vulnerabilities, as Microsoft has determined that their exploitation is “more likely”:

CVE-2025-53786: Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability

CVE-2025-49743: Windows Graphics Component Elevation of Privilege Vulnerability

CVE-2025-50167: Windows Hyper-V Elevation of Privilege Vulnerability

CVE-2025-50168: Win32k Elevation of Privilege Vulnerability

CVE-2025-53132: Win32k Elevation of Privilege Vulnerability

CVE-2025-53147: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

CVE-2025-53156: Windows Storage Port Driver Information Disclosure Vulnerability

CVE-2025-49712: Microsoft SharePoint Remote Code Execution Vulnerability

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65234-65237, 65240-65247.

The following Snort 3 rules are also available: 301300, 301301, 30304-30306, 65240, 65241.
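After updating the ruleset, it is worth confirming that the SIDs listed above are actually present and not commented out. The following is an added example, not Talos or Snort project code: the helper names are hypothetical, the sample rules are constructed placeholders, and it assumes a disabled rule is a line starting with `#`. The SID strings are copied as written above.

```python
import re

# SID lists exactly as written in the advisory text.
SNORT2_SIDS = "65234-65237, 65240-65247"
SNORT3_SIDS = "301300, 301301, 30304-30306, 65240, 65241"

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def expand_sids(spec):
    """Expand a string such as '65234-65237, 65240' into a set of ints."""
    sids = set()
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if hi < lo:
            raise ValueError(f"descending range: {part!r}")
        sids.update(range(lo, hi + 1))
    return sids

def rule_states(rules_text):
    """Map sid -> True (enabled) or False (commented out) per rule line."""
    states = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        match = SID_RE.search(stripped)
        if match:
            sid = int(match.group(1))
            enabled = not stripped.startswith("#")
            # An enabled copy of a rule wins over a commented-out copy.
            states[sid] = states.get(sid, False) or enabled
    return states

def coverage(spec, rules_text):
    """Split the advisory's SIDs into enabled, disabled and missing."""
    wanted, states = expand_sids(spec), rule_states(rules_text)
    return {
        "enabled": sorted(s for s in wanted if states.get(s) is True),
        "disabled": sorted(s for s in wanted if states.get(s) is False),
        "missing": sorted(s for s in wanted if s not in states),
    }

# Constructed sample rules (placeholders, not real rule content).
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"constructed sample A"; sid:65234; rev:1;)
# alert tcp any any -> any any (msg:"constructed sample B"; sid:65235; rev:1;)
alert tcp any any -> any any (msg:"constructed sample C"; sid:65240; rev:1;)
alert tcp any any -> any any (msg:"constructed sample D"; sid:99999; rev:1;)
"""

if __name__ == "__main__":
    print(coverage(SNORT2_SIDS, SAMPLE_RULES))
```

In practice, replace `SAMPLE_RULES` with the concatenated contents of the rule files the sensor loads; any SID reported as disabled or missing means the corresponding detection is not active.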
