Microsoft today released updates to fix more than 100 security flaws in its Windows operating systems and other software. At least 13 of the bugs received Microsoft’s most-dire “critical” rating, meaning they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.

August’s patch batch from Redmond includes an update for CVE-2025-53786, a vulnerability that allows an attacker to pivot from a compromised Microsoft Exchange Server directly into an organization’s cloud environment, potentially gaining control over Exchange Online and other connected Microsoft Office 365 services. Microsoft first warned about this bug on Aug. 6, saying it affects Exchange Server 2016 and Exchange Server 2019, as well as its flagship Exchange Server Subscription Edition.

Ben McCarthy, lead cyber security engineer at Immersive, said a rough search reveals approximately 29,000 Exchange servers publicly facing on the internet that are vulnerable to this issue, with many of them likely to have even older vulnerabilities.

McCarthy said the fix for CVE-2025-53786 requires more than just installing a patch, such as following Microsoft’s manual instructions for creating a dedicated service to oversee and lock down the hybrid connection.

“In effect, this vulnerability turns a significant on-premise Exchange breach into a full-blown, difficult-to-detect cloud compromise with effectively living off the land techniques which are always harder to detect for defensive teams,” McCarthy said.

CVE-2025-53779 is a weakness in the Windows Kerberos authentication system that allows an unauthenticated attacker to gain domain administrator privileges. Microsoft credits the discovery of the flaw to Akamai researcher Yuval Gordon, who dubbed it “BadSuccessor” in a May 2025 blog post. The attack exploits a weakness in “delegated Managed Service Account” or dMSA — a feature that was introduced in Windows Server 2025.

Some of the critical flaws addressed this month with the highest severity (between 9.0 and 9.9 CVSS scores) include a remote code execution bug in the Windows GDI+ component that handles graphics rendering (CVE-2025-53766) and CVE-2025-50165, another graphics rendering weakness. Another critical patch involves CVE-2025-53733, a vulnerability in Microsoft Word that can be exploited without user interaction and triggered through the Preview Pane.

One final critical bug tackled this month deserves attention: CVE-2025-53778, a bug in Windows NTLM, a core function of how Windows systems handle network authentication. According to Microsoft, the flaw could allow an attacker with low-level network access and basic user privileges to exploit NTLM and elevate to SYSTEM-level access — the highest level of privilege in Windows. Microsoft rates the exploitation of this bug as “more likely,” although there is no evidence the vulnerability is being exploited at the moment.

Feel free to holler in the comments if you experience problems installing any of these updates. As ever, the SANS Internet Storm Center has its useful breakdown of the Microsoft patches indexed by severity and CVSS score, and AskWoody.com is keeping an eye out for Windows patches that may cause problems for enterprises and end users.

GOOD MIGRATIONS

Windows 10 users out there likely have noticed by now that Microsoft really wants you to upgrade to Windows 11. The reason is that after the Patch Tuesday on October 14, 2025, Microsoft will stop shipping free security updates for Windows 10 computers. The trouble is, many PCs running Windows 10 do not meet the hardware specifications required to install Windows 11 (or they do, but just barely).

If the experience with Windows XP is any indicator, many of these older computers will wind up in landfills or else will be left running in an unpatched state. But if your Windows 10 PC doesn’t have the hardware chops to run Windows 11 and you’d still like to get some use out of it safely, consider installing a newbie-friendly version of Linux, like Linux Mint.

Like most modern Linux versions, Mint will run on anything with a 64-bit CPU that has at least 2GB of memory, although 4GB is recommended. In other words, it will run on almost any computer produced in the last decade.

There are many versions of Linux available, but Linux Mint is likely to be the most intuitive interface for regular Windows users, and it is largely configurable without any fuss at the text-only command-line prompt. Mint and other flavors of Linux come with LibreOffice, which is an open source suite of tools that includes applications similar to Microsoft Office, and it can open, edit and save documents as Microsoft Office files.

If you’d prefer to give Linux a test drive before installing it on a Windows PC, you can always just download it to a removable USB drive. From there, reboot the computer (with the removable drive plugged in) and select the option at startup to run the operating system from the external USB drive. If you don’t see an option for that after restarting, try restarting again and hitting the F8 button, which should open a list of bootable drives. Here’s a fairly thorough tutorial that walks through exactly how to do all this.

And if this is your first time trying out Linux, relax and have fun: The nice thing about a “live” version of Linux (as it’s called when the operating system is run from a removable drive such as a CD or a USB stick) is that none of your changes persist after a reboot. Even if you somehow manage to break something, a restart will return the system back to its original state.

Microsoft’s monthly batch of patches includes a vulnerability affecting on-premises Microsoft Exchange servers that the company and federal authorities warned about in a series of alerts last week. In its latest security update Tuesday, Microsoft maintained the flaw hasn’t been exploited in the wild and designated the exploitability of the defect — CVE-2025-53786 — as “more likely.”

Organizations have not applied the previously issued patch for the high-severity vulnerability en masse, despite the serious alarm raised by officials. More than 28,000 accessible Microsoft Exchange servers remained unpatched as of Monday, according to Shadowserver scans. 

The Cybersecurity and Infrastructure Security Agency’s deadline for all federal agencies to update eligible servers with a previously issued hotfix and disconnect outdated Exchange servers passed on Monday. 

Microsoft addressed 111 vulnerabilities affecting its various enterprise products, cloud services and foundational Windows systems in this month’s security update. The set of disclosures includes four additional defects affecting Microsoft Exchange Server.

The security update also comes on the heels of an attack spree targeting zero-day vulnerabilities in on-premises Microsoft SharePoint servers. More than 400 organizations were actively compromised by those attacks, including the Departments of Energy, Homeland Security and Health and Human Services. 

Those zero-days —  CVE-2025-53770 and CVE-2025-53771 — are variants of previously disclosed vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — that Microsoft addressed in its security update last month.

Microsoft said none of the vulnerabilities in this month’s update are actively exploited. Yet, researchers described CVE-2025-53779, an elevation of privilege vulnerability affecting Windows Kerberos, as a zero-day because functional exploit code exists.

“While Microsoft rates this flaw as ‘exploitation less likely’ with ‘moderate’ severity, the combination of a path traversal issue in a core authentication component like Kerberos and its potential high impact is concerning,” Mike Walters, president and co-founder of Action1, said in an email. “The need for high privileges may create a false sense of security, as accounts with these rights are common in decentralized IT environments. Once compromised, they can quickly lead to full domain takeover.”

The most critical vulnerability — CVE-2025-53767 — is a maximum-severity defect affecting Azure OpenAI, a cloud-based platform that provides access to OpenAI’s large language models. Additionally, a pair of critical, remote-code execution vulnerabilities with CVSS scores of 9.8 — CVE-2025-53766 and CVE-2025-50165 — affect Windows GDI+ and the Microsoft Graphics Component, respectively. 

The vulnerability in Microsoft Graphics Component could attract threat groups due to its high rating and ubiquitous use across environments. “The attack vector is incredibly broad, as the vulnerability is triggered when the operating system processes a specially crafted JPEG image,” Ben McCarthy, lead cybersecurity engineer at Immersive Labs, said in an email. 

“This means any application that renders images — from email clients generating previews and instant messaging apps displaying photos, to office documents with embedded pictures — can become an in for the attack,” McCarthy added.

The remaining critical vulnerabilities in this month’s security update include CVE-2025-53792, which affects Azure Portal, and CVE-2025-50171, which affects Remote Desktop Server.

Nearly 2 in 5 CVEs Microsoft patched this month are elevation of privilege vulnerabilities, reflecting an “upward trend in post-compromise vulnerabilities over code execution bugs,” Satnam Narang, senior staff research engineer at Tenable, said in an email. 

Microsoft’s monthly security fix includes 17 vulnerabilities that affect Microsoft Office and standalone Office products. The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft Patch Tuesday follows SharePoint attacks, Exchange server warnings appeared first on CyberScoop.

LAS VEGAS — Federal cyber authorities issued an alert Wednesday evening about a high-severity vulnerability affecting on-premises Microsoft Exchange servers shortly after a researcher presented findings of the defect at Black Hat. 

Microsoft also issued an advisory about the vulnerability — CVE-2025-53786 — and said it’s not aware of exploitation in the wild. 

While the public disclosure and advisories about the defect came late in the day amid one of the largest cybersecurity conferences, Tom Gallagher, VP of engineering at Microsoft Security Response Center, told CyberScoop the timing was coordinated for release following Mollema’s presentation.

Gallagher stressed that exploitation requires an attacker to achieve administrative access to an on-premises Exchange server in a hybrid environment. 

Attackers could escalate privileges in an organization’s connected cloud environment because on-premises and cloud-based versions of Exchange share the same permissions in hybrid configurations, Microsoft said in its advisory. The vulnerability affects Entra ID, Microsoft’s identity and access management service, potentially exposing a path for attackers to move from a compromised on-premises Exchange server to a connected cloud-based counterpart.

The Cybersecurity and Infrastructure Security Agency issued an emergency directive Thursday requiring all federal agencies to run Microsoft’s Exchange Server Health Checker script, update all servers eligible for the hot fix updates and disconnect all end-of-life Exchange servers by 9 a.m. EDT Monday.

“This vulnerability poses grave risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet followed the April 2025 patch guidance and immediate mitigation is critical,” CISA said in the emergency directive.

“Although exploitation of this vulnerability is only possible after an attacker establishes administrative access on the on-premises Exchange server, CISA is deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim’s Microsoft 365 Exchange Online environment.”

Microsoft said it already addressed the vulnerability in April when it introduced changes to improve the security of Exchange Server hybrid deployments. The company and CISA urged organizations to apply Microsoft’s April 2025 Exchange Server hot fix updates to on-premises Exchange servers, implement configuration changes and clear certificates from the shared service principals.

Starting later this month, Microsoft said it will temporarily block Exchange Web Services traffic using the shared service principal. That block will be permanent by the end of October, the company said.

The move is part of Microsoft’s strategy to accelerate and eventually force customers to adopt its dedicated Exchange hybrid app. “Even though adoption of server versions that support dedicated hybrid app has been good, the number of customers who have created the dedicated app remains very low,” Microsoft said in a blog post. 

CISA also advised organizations to disconnect any internet-exposed and end-of-life versions of Exchange Server and SharePoint Server.

The coordinated disclosure of the vulnerability comes less than three weeks after security researchers across the industry sounded the alarm about a mass attack spree linked to a critical zero-day vulnerability affecting on-premises Microsoft SharePoint servers. More than 400 organizations were impacted by those attacks, including multiple government agencies, including the Departments of Energy, Homeland Security and Health and Human Services.

This story was updated Aug. 7 with details on CISA’s emergency directive.

The post CISA, Microsoft warn organizations of high-severity Microsoft Exchange vulnerability appeared first on CyberScoop.

TAME YOUR TECH By Susan Bradley It’s almost August, three months before many devices will no longer receive updates. Will you extend your Windows 10? Microsoft acknowledged that both consumers and businesses need more time to deal with the end of life for Windows 10, offering both consumers and businesses extended security update services (ESUs). […]