
Microsoft August Patch Tuesday Fixes 107 Vulnerabilities

Microsoft released August Patch Tuesday updates, addressing 107 new security vulnerabilities across its products, with no active exploits confirmed.

The August Patch Tuesday release from Microsoft is a large one: 107 distinct vulnerabilities were patched across Microsoft products and services. Microsoft stated that none of them was known to be exploited in the wild when the updates shipped, although one (CVE-2025-53779, see below) had been publicly disclosed beforehand. The next scheduled Patch Tuesday is September 9th, 2025.

A significant portion of the fixes, 67 of them, concern supported versions of Windows: Windows 10, Windows 11, and Windows Server. Windows 7 and Windows 8.1 have not received security updates for years (even the paid Extended Security Updates for Windows 7 ended in January 2023, the same month Windows 8.1 support ended), so any of this month's flaws that also exist in those versions will stay unpatched there. Users still on those systems should upgrade to Windows 11 24H2, provided the hardware meets the requirements, as that is the only way to keep receiving security updates.
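The first thing a practitioner wants after reading this is a quick answer to "which of my machines can still take this update, and did they?" The following PowerShell is an added example for this article, not Microsoft's tooling: it reports the Windows version, flags hosts that are out of support (Windows 7 reports version 6.1, Windows 8.1 reports 6.3), and checks for an expected KB. The KB number KB5063878 is an assumption (used here as the August 2025 cumulative update for Windows 11 24H2); confirm the right KB for each OS in the Microsoft Update Catalog before relying on it.

```powershell
# Added example, not part of the original article. Reports which Windows the
# host runs, whether it is still eligible for Patch Tuesday updates, and the
# most recent update recorded by the servicing stack. Run in an elevated
# PowerShell 5.1+ or PowerShell 7 session on Windows; no extra modules needed.

function Get-WindowsPatchStatus {
    [CmdletBinding()]
    param(
        # KB number of the cumulative update you expect to see. Assumption:
        # KB5063878 is used here as the August 2025 cumulative update for
        # Windows 11 24H2; verify the KB per OS in the Microsoft Update Catalog.
        [string]$ExpectedKB = 'KB5063878'
    )

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ver = [version]$os.Version      # e.g. 10.0.26100 on Windows 11 24H2

    # Windows 7 reports 6.1 and Windows 8.1 reports 6.3; neither receives
    # security updates any more. Anything 10.0 or newer is in scope.
    $supported = $ver.Major -ge 10

    # Newest entry the servicing stack knows about (cumulative updates show
    # up in Get-HotFix as "Security Update" or "Update").
    $latest = Get-HotFix |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1

    # Get-HotFix writes a non-terminating error when the KB is absent;
    # silence it and treat the empty result as "not installed".
    $expectedInstalled = [bool](Get-HotFix -Id $ExpectedKB -ErrorAction SilentlyContinue)

    if (-not $supported) {
        $action = 'Out of support: upgrade to Windows 11 24H2 (or a supported Server release)'
    } elseif (-not $expectedInstalled) {
        $action = "Install $ExpectedKB (or the matching cumulative update for this OS)"
    } else {
        $action = 'None'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Caption             = $os.Caption
        Build               = "$($ver.Major).$($ver.Minor).$($ver.Build).$($cv.UBR)"
        DisplayVersion      = $cv.DisplayVersion   # e.g. 24H2; empty before Windows 10 20H2
        SupportedForUpdates = $supported
        LatestUpdateKB      = $latest.HotFixID
        LatestUpdateOn      = $latest.InstalledOn
        ExpectedKBInstalled = $expectedInstalled
        Action              = $action
    }
}

# Local run; for a fleet, wrap the function body in
# Invoke-Command -ComputerName <hosts> -ScriptBlock { ... }.
Get-WindowsPatchStatus | Format-List
```

The check deliberately relies on `Get-HotFix` rather than on build numbers, because the UBR that each month's cumulative update raises differs per OS version and would otherwise have to be maintained in a table; the KB is the identifier Microsoft's own release notes use.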

Among the critical Windows vulnerabilities are CVE-2025-53766 and CVE-2025-50165. CVE-2025-53766 is a remote code execution (RCE) flaw in the Graphics Device Interface (GDI+) API that graphical applications use; CVE-2025-50165 is another RCE vulnerability, this one in the Windows Graphics Component. Neither requires the victim to open or run a file: for CVE-2025-53766, visiting a specially crafted website is enough, and for CVE-2025-50165 an attacker could achieve code execution with a malicious image embedded in a web page. In both cases the result is arbitrary code running on the victim's system, which is why Microsoft rates them critical.

Microsoft also rated three Hyper-V vulnerabilities as critical. CVE-2025-48807 is an RCE vulnerability that, if exploited, could allow code execution on the host from within a guest virtual machine, which defeats the isolation a hypervisor is supposed to provide. CVE-2025-53781 is an information disclosure vulnerability that could expose confidential data. CVE-2025-49707 is a spoofing vulnerability that could let a virtual machine present a different identity when communicating with external systems.

Twelve vulnerabilities were fixed in the Routing and Remote Access Service (RRAS), all rated Important (high risk): six RCE flaws and six information disclosure flaws. RRAS is only reachable where the role is installed and the service is running, so in practice the exposure is concentrated on VPN and routing servers. One vulnerability, CVE-2025-53779 in Kerberos on Windows Server 2025, had been publicly disclosed before the patch was available. Microsoft classifies it as medium risk; under specific conditions it could allow an attacker to obtain administrator rights over a domain. Because the flaw is in Windows Server 2025, domain controllers on that release should receive the update first.
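Whether the dozen RRAS fixes are urgent on a given host depends on whether RRAS is in use there at all. The PowerShell below is an added example for this article (not Microsoft tooling): it reports whether the RemoteAccess service exists, whether the RRAS role is installed (Windows Server only), and whether the service is running, and with `-Disable` it stops and disables the service on hosts where the operator has confirmed RRAS is not needed. The service name `RemoteAccess` and feature name `RemoteAccess` are the standard Windows names; the recommended actions in the output are this example's own.

```powershell
# Added example, not part of the original article. Checks whether this host
# actually exposes RRAS (the component with 12 fixes this month) and, with
# -Disable, turns the service off where it is not needed. Run elevated.

function Get-RrasExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Stop and disable the service when it is running. Off by default:
        # on a VPN or routing server this cuts remote access, so the
        # operator has to opt in (and can dry-run with -WhatIf).
        [switch]$Disable
    )

    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{
            Present = $false; RoleInstalled = $false; Status = 'n/a'
            StartType = 'n/a'; Action = 'None: RemoteAccess service not present'
        }
    }

    # Get-WindowsFeature exists only on Windows Server; on client SKUs the
    # service stub exists but the routing/VPN role cannot be installed.
    $roleInstalled = $false
    if (Get-Command -Name Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $roleInstalled = [bool](Get-WindowsFeature -Name RemoteAccess -ErrorAction SilentlyContinue |
            Where-Object { $_.Installed })
    }

    $running = $svc.Status -eq 'Running'

    if ($running -and $Disable -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable the RemoteAccess service')) {
        Stop-Service -Name RemoteAccess -Force
        Set-Service  -Name RemoteAccess -StartupType Disabled
        $svc     = Get-Service -Name RemoteAccess
        $running = $false
    }

    $action = if ($running) {
        'RRAS is live: apply the August update first, then confirm the role is still required'
    } elseif ($roleInstalled) {
        'Role installed but stopped: patch, and consider Uninstall-WindowsFeature RemoteAccess'
    } else {
        'None: RRAS not in use here, patch on the normal schedule'
    }

    [pscustomobject]@{
        Present       = $true
        RoleInstalled = $roleInstalled
        Status        = $svc.Status
        StartType     = $svc.StartType
        Action        = $action
    }
}

Get-RrasExposure
# Get-RrasExposure -Disable -WhatIf   # shows what would change without doing it
```

Disabling the service is a stop-gap for hosts that cannot be patched immediately; it does not replace the update, since the vulnerable binaries remain on disk and the service can be re-enabled.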

In the Microsoft Office product family, 18 vulnerabilities were fixed, 16 of them RCE. Four of the RCE flaws, two of which are in Word, are rated critical because the preview pane is an attack vector: the exploit runs as soon as a malicious file is rendered in the preview pane, without the user clicking on or opening it. The remaining Office vulnerabilities are rated Important (high risk) and typically require the user to open a specially prepared file before the exploit code can execute.
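Where the Office update cannot be rolled out right away, the preview-pane vector can be narrowed by turning off Explorer's preview handlers. The PowerShell below is an added example for this article, not a Microsoft-published workaround. It assumes that the Folder Options checkbox "Show preview handlers in preview pane" is backed by the `ShowPreviewHandlers` DWORD under the current user's `Explorer\Advanced` registry key (1 = on, 0 = off, absent = default on); the function and variable names are this example's own.

```powershell
# Added example, not part of the original article. Reports and optionally
# disables Explorer preview handlers for the current user, which is what
# renders Office documents in the Explorer preview pane. Assumption: the
# "Show preview handlers in preview pane" option maps to the ShowPreviewHandlers
# DWORD below (1 = enabled, 0 = disabled; a missing value means enabled).

$script:AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-PreviewHandlerState {
    $value = (Get-ItemProperty -Path $script:AdvancedKey -Name ShowPreviewHandlers `
        -ErrorAction SilentlyContinue).ShowPreviewHandlers

    $state = if ($null -eq $value) { 'Enabled (default)' }
             elseif ($value -eq 1) { 'Enabled' }
             else                  { 'Disabled' }

    [pscustomobject]@{
        User            = $env:USERNAME
        PreviewHandlers = $state
        RawValue        = $value
    }
}

function Disable-PreviewHandlers {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess("$script:AdvancedKey\ShowPreviewHandlers", 'Set to 0')) {
        New-ItemProperty -Path $script:AdvancedKey -Name ShowPreviewHandlers `
            -PropertyType DWord -Value 0 -Force | Out-Null
        # Explorer reads the value at startup; restart the shell so the change
        # applies now (Windows normally relaunches it; otherwise: Start-Process explorer).
        Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    }
    Get-PreviewHandlerState
}

Get-PreviewHandlerState
# Disable-PreviewHandlers -WhatIf   # dry run; drop -WhatIf to apply for the current user
```

This only covers the Windows Explorer preview pane for the user it is run as; the Outlook reading pane is a separate surface, and the real fix remains installing the Office update.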

The Edge browser also received security updates. Version 139.0.3405.86 of Edge was released on August 7th, built upon Chromium 139.0.7258.67, and included fixes for multiple vulnerabilities present in the Chromium base. Edge for Android, version 139.0.3405.86, was released slightly later and incorporated fixes for two vulnerabilities specific to the Edge browser.
