Particle.news

Microsoft’s August Patch Tuesday Fixes 100+ Vulnerabilities, Including Exchange Hybrid and Kerberos Escalations

Tens of thousands of unpatched Exchange servers remain exposed, prompting calls for token rotation, hybrid app configuration and strict identity governance to stop potential pivots from on-premises Exchange into the cloud

Patch Tuesday
Image: geralt/pixabay

Overview

  • Microsoft released its August 2025 Patch Tuesday updates to address more than 100 security flaws across Windows, Office, Azure and related services, including the Exchange hybrid privilege escalation (CVE-2025-53786) and the Kerberos dMSA vulnerability (CVE-2025-53779)
  • Shadowserver scans found roughly 29,000 internet-facing Exchange servers still vulnerable after CISA’s August 11 mitigation deadline for federal agencies elapsed
  • Microsoft and CISA report no confirmed in-the-wild exploitation of the Exchange hybrid flaw so far, but Microsoft rates it “Exploitation More Likely”, meaning reliable attack code could plausibly be developed
  • Effective mitigation requires more than installing the patch: organizations are urged to rotate any trust tokens suspected of compromise, deploy the dedicated Entra ID hybrid app and apply the prescribed configuration changes, since a patched server that still uses the legacy shared service principal remains exposed
  • The Kerberos “BadSuccessor” flaw allows attackers who already have write access to certain delegated Managed Service Account (dMSA) attributes to abuse the dMSA migration mechanism and gain domain administrator privileges, highlighting the need for robust identity governance over who may create and modify dMSAs
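As an added example (not code from the article, Microsoft or the researchers who reported the flaw), the following PowerShell audit surfaces the two things a defender most wants to review after reading the BadSuccessor bullet: any dMSA that already claims to be the successor of another account, and any non-administrative principal who can create child objects in an OU, which is the foothold the technique needs. It assumes the RSAT ActiveDirectory module, a domain-joined host with read access to the directory, and the Windows Server 2025 schema names msDS-DelegatedManagedServiceAccount, msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState; the list of principals it treats as expected is a hypothetical baseline you should adjust for your own forest.

```powershell
# Added audit script (not from the article or from Microsoft). Requires RSAT
# ActiveDirectory; run as an account with read access to the domain.
# Assumption: class/attribute names match the Windows Server 2025 dMSA schema.
Import-Module ActiveDirectory

function Get-DmsaSuccessorLinks {
    # Lists every dMSA whose msDS-ManagedAccountPrecededByLink is set, i.e. every
    # dMSA that will inherit the linked account's privileges at Kerberos logon.
    # A link to an account with adminCount=1 on a freshly created dMSA is the
    # pattern to investigate.
    $dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties 'msDS-ManagedAccountPrecededByLink','msDS-DelegatedMSAState','whenCreated'

    foreach ($d in $dmsas) {
        $preceded = $d.'msDS-ManagedAccountPrecededByLink'
        if (-not $preceded) { continue }
        $target = Get-ADObject -Identity $preceded -Properties adminCount -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Dmsa           = $d.DistinguishedName
            Precedes       = $preceded
            MigrationState = $d.'msDS-DelegatedMSAState'   # 0 none, 1 in progress, 2 completed
            TargetIsAdmin  = ($null -ne $target -and $target.adminCount -eq 1)
            DmsaCreated    = $d.whenCreated
        }
    }
}

function Get-OuCreateChildGrants {
    # Lists ACEs on every OU that let a principal create child objects (directly, or
    # via GenericAll/WriteDacl/WriteOwner), excluding a baseline of expected admin
    # principals. Assumption: this baseline is hypothetical; tune it per forest.
    $expected = '^NT AUTHORITY\\SYSTEM$',
                '^NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS$',
                '^BUILTIN\\Administrators$',
                '^CREATOR OWNER$',
                '\\Domain Admins$',
                '\\Enterprise Admins$'
    $pattern = ($expected -join '|')

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.ActiveDirectoryRights -notmatch 'CreateChild|GenericAll|WriteDacl|WriteOwner') { continue }
            if ($ace.IdentityReference.Value -match $pattern) { continue }
            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.ActiveDirectoryRights
                # ObjectType limits CreateChild to one class; an empty GUID means any class
                ObjectType  = $ace.ObjectType
                Inherited   = $ace.IsInherited
            }
        }
    }
}

# Usage: review both lists; anything in the first with TargetIsAdmin=True, and any
# principal in the second that is not a sanctioned delegation, needs explanation.
Get-DmsaSuccessorLinks    | Format-Table -AutoSize
Get-OuCreateChildGrants   | Format-Table -AutoSize
```

On a forest that has not yet introduced Windows Server 2025 domain controllers the first query simply returns nothing; the OU permission review is still worth running, because the delegation it flags is what turns a future dMSA rollout into an escalation path.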