Microsoft August 2025 Patch Tuesday: 107 CVEs, 1 Public Zero‑Day — Enterprise Patch Priorities

August 2025 Patch Tuesday: 107 CVEs, 1 publicly disclosed zero‑day. Breakdown, enterprise priorities, SIEM rules, testing, and rollback plan.
Microsoft’s August 2025 Patch Tuesday lands with 107 CVEs—13 Critical—and one publicly disclosed zero‑day that defenders must triage today. The mix skews enterprise: 42 elevation‑of‑privilege (≈39%), 35 remote code execution (≈33%), and 16 information disclosure (≈15%)—a profile that maps directly to domain compromise, lateral movement, and data exposure when patching lags. Below is a no‑fluff priority list, a ring‑based rollout plan, and copy‑paste SIEM rules to catch exploitation attempts during deployment.

What’s new this month

  • Totals: 107 CVEs fixed; 13 Critical; single publicly disclosed zero‑day.

  • Distribution (rounded): 42 EoP (~39%), 35 RCE (~33%), 16 Info Disclosure (~15%), remainder spread across spoofing/DoS, etc.

  • Enterprise‑relevant surfaces: Windows (kernel, LSASS/Kerberos/NTLM), RDP/MSMQ/Graphics, Office/SharePoint, SQL/Hyper‑V, and cloud/service components.

Publicly disclosed zero‑day (focus)

  • Nature: Publicly disclosed at release; no confirmed in‑the‑wild exploitation at publication (still treat as high‑risk).

  • Likely blast radius: Domain devices with default baselines; exposure increases where legacy protocols or permissive hardening are present.

  • Immediate checks:

    • Confirm monthly cumulative installed on Windows client/server cohorts.

    • Validate AD/DC patch compliance first; follow with RDP/MSMQ/Graphics‑exposed servers.

    • Monitor for privilege‑escalation anomalies post‑reboot (service crashes, token anomalies).

Top enterprise priorities (ranked)

  1. Authentication stack and domain control: Kerberos/NTLM/LSASS fixes—patch DCs and tier‑0 servers first; this cuts off instant privilege escalation and ticket abuse.

  2. Remote code paths: RDP/MSMQ/Graphics/SharePoint—RCE candidates with network exposure; reduce external attack surface quickly.

  3. Office/SharePoint and Teams: Document‑borne and deserialization vectors common in enterprise workflows.

  4. Hyper‑V/Kernel/Storage: Host compromise risk; stagger across clusters using live migration windows.

  5. SQL/Server roles: Patch with maintenance windows; validate app dependencies and CLR/ext procs.

Ring‑based deployment timeline

  • Day 0 (today):

    • Patch DCs in a canary site (1 DC per site), core jump hosts, and 5% of Windows 11/10 pilot devices.

    • Patch exposed servers: RDS gateways, MSMQ brokers, public‑facing SharePoint/Web roles.

    • Enable heightened logging and EDR protection rules for 72 hours.

  • Day 1–2:

    • Complete domain controllers per site; patch remaining RDP/MSMQ/Graphics‑exposed servers; 25–30% workstation cohort.

    • Hyper‑V hosts in rolling waves using live migration; verify cluster health after each batch.

  • Day 3–5:

    • Remaining server estate (SQL/app servers) and bulk workstations; handle stubborn KB failures via standalone installers.

    • Begin cleanup (superseded updates, known issue rollbacks if triggered).

  • Week 2:

    • Stragglers and offline devices; compliance report, exceptions, and lessons learned.

Testing procedures

  • Pre‑deploy: Snapshot VMs; export GPOs; back up DC system state and critical app servers.

  • Staging: Validate AD auth (Kerberos/NTLM), SMB signing, line‑of‑business apps, printing, VPN, VDI logons, MSMQ queues, RDP broker flows.

  • Monitors: Watch for spike in authentication failures, ticket anomalies, MSMQ message retry storms, RDP broker errors, graphics pipeline crashes.

  • Client smoke tests: SSO to M365, line‑of‑business launch, VPN reconnect, print, Teams calls.

Rollback plan

  • Use Known Issue Rollback (KIR) for supported client issues; maintain last month’s cumulative as a fallback.

  • For servers: maintain slipstreamed images; if a DC regresses, remove from rotation, restore system state, rejoin after validation.

  • Keep emergency standalone uninstall commands ready (wusa /uninstall /kb:XXXXX /quiet /norestart); for cluster nodes, evict/patch/validate one by one.

SIEM detection (starter rules/queries)

  • EoP surge:

    • Alert on sudden spikes in 4624 Type 2/10 successful logons followed by 4672 (special privileges assigned) on the same host within 5 minutes.

  • Kerberos abuse:

    • Detect unusual 4769 (TGS) errors, 4771 (pre‑auth failure) bursts, and service ticket requests to rare SPNs.

  • NTLM anomalies:

    • Flag 8004/8001 events indicating NTLM fallback where Kerberos is expected; correlate with lateral movement paths.

  • RDP/MSMQ probes:

    • New inbound origins to RDP gateways; MSMQ queue depth spikes or message drops after update window.

  • Graphics exploitation hints:

    • Crashes in graphics subsystem processes following file open/render events; correlate with user activity to spot malicious inputs.
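The first two rules above (the 4624 Type 2/10 followed by 4672 correlation, and 4771 pre-auth failure bursts) as runnable correlation logic. This is an added example, not code from the post or from any SIEM vendor; the event dicts are constructed samples and their field names (ts, host, event_id, logon_type, user, client_ip) are an assumed normalised schema.

```python
"""Starter correlation logic for the EoP-surge and Kerberos-abuse rules.
Added example, not the post's own code.  Events below are constructed;
the field names are an assumed normalised SIEM schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
INTERACTIVE_LOGON_TYPES = {"2", "10"}   # Interactive / RemoteInteractive (RDP)

# Constructed sample events, deliberately not in time order.
SAMPLE_EVENTS = [
    {"ts": "2025-08-12T10:00:05", "host": "WS-042", "event_id": 4624, "logon_type": "10", "user": "jdoe"},
    {"ts": "2025-08-12T10:02:40", "host": "WS-042", "event_id": 4672, "user": "jdoe"},
    # Network logon (Type 3) by a service account: out of scope for the rule
    {"ts": "2025-08-12T10:01:00", "host": "SRV-07", "event_id": 4624, "logon_type": "3", "user": "svc_backup"},
    {"ts": "2025-08-12T10:01:30", "host": "SRV-07", "event_id": 4672, "user": "svc_backup"},
    # Interactive logon whose 4672 arrives after the five-minute window
    {"ts": "2025-08-12T10:10:00", "host": "WS-019", "event_id": 4624, "logon_type": "2", "user": "asmith"},
    {"ts": "2025-08-12T10:20:00", "host": "WS-019", "event_id": 4672, "user": "asmith"},
    # Three Kerberos pre-auth failures (4771) from one client within a minute
    {"ts": "2025-08-12T10:30:00", "host": "DC-01", "event_id": 4771, "client_ip": "10.1.2.3", "user": "admin"},
    {"ts": "2025-08-12T10:30:10", "host": "DC-01", "event_id": 4771, "client_ip": "10.1.2.3", "user": "admin"},
    {"ts": "2025-08-12T10:30:20", "host": "DC-01", "event_id": 4771, "client_ip": "10.1.2.3", "user": "admin"},
    {"ts": "2025-08-12T10:45:00", "host": "DC-01", "event_id": 4771, "client_ip": "10.1.2.9", "user": "bob"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def correlate_eop(events, window=WINDOW):
    """4624 Type 2/10 followed by 4672 on the same host within `window`.
    Returns (host, user, logon_ts, priv_ts) tuples, one per correlated 4672."""
    pending = defaultdict(deque)   # host -> timestamps of recent interactive logons
    hits = []
    for ev in sorted(events, key=_ts):
        ts = _ts(ev)
        if ev["event_id"] == 4624 and ev.get("logon_type") in INTERACTIVE_LOGON_TYPES:
            pending[ev["host"]].append(ts)
        elif ev["event_id"] == 4672:
            dq = pending[ev["host"]]
            while dq and ts - dq[0] > window:   # expire logons older than the window
                dq.popleft()
            if dq:
                hits.append((ev["host"], ev["user"], dq[0].isoformat(), ts.isoformat()))
    return hits


def surge_hosts(hits, threshold):
    """Hosts with at least `threshold` correlated pairs: the 'spike' half of the rule."""
    counts = defaultdict(int)
    for host, *_ in hits:
        counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= threshold)


def preauth_failure_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Client IPs producing at least `threshold` 4771 events inside a sliding window."""
    per_client = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=_ts):
        if ev["event_id"] != 4771:
            continue
        ts, dq = _ts(ev), per_client[ev["client_ip"]]
        dq.append(ts)
        while ts - dq[0] > window:
            dq.popleft()
        if len(dq) >= threshold:
            flagged.add(ev["client_ip"])
    return sorted(flagged)


if __name__ == "__main__":
    hits = correlate_eop(SAMPLE_EVENTS)
    print("EoP pairs:", hits)
    print("Surge hosts (threshold 1):", surge_hosts(hits, 1))
    print("4771 bursts:", preauth_failure_bursts(SAMPLE_EVENTS))
```

On the sample data the only EoP pair is WS-042 (the Type 10 logon followed by 4672 within three minutes); SRV-07 is ignored because Type 3 is a network logon, and WS-019 falls outside the window. Keying the correlation on host and logon ID rather than host alone, and calibrating the surge threshold against a week of baseline 4672 volume, are the two tuning steps that matter most before this goes into production.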

Operations tips for smooth rollout

  • Prefer latest cumulative with servicing stack updates; pause feature updates during security rollout.

  • Pre‑approve reboots in maintenance window; stagger site‑by‑site to keep support load manageable.

  • Track compliance by ring, not just percentage; report on DCs, exposed servers, and VIP endpoints separately.

  • Document exceptions and time‑boxed deferrals with explicit compensating controls (e.g., disable NTLM where possible, restrict RDP to VPN, MSMQ ACL hardening).
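The ring-based timeline above and the "track compliance by ring, not just percentage" tip both need the same report: per-ring and per-role coverage of the current cumulative, with DCs, exposed servers, and VIP endpoints broken out. The following is an added example of that report, not the post's tooling; the inventory is constructed, the ring numbers and role tags are assumptions, and the KB identifier is a placeholder rather than the real August 2025 KB number.

```python
"""Compliance-by-ring and by-role reporting for a Patch Tuesday rollout.
Added example, not the post's own tooling.  Inventory is constructed;
ring numbers, role tags and the target KB are assumptions/placeholders."""
from collections import defaultdict

# Placeholder: substitute the KB of the month's cumulative update.
TARGET_KB = "KB-PLACEHOLDER-AUG2025"

# Constructed inventory: ring 0 = canary/pilot, 1 = day 1-2, 2 = day 3-5.
INVENTORY = [
    {"host": "DC-01",  "ring": 0, "roles": {"dc"},              "kbs": {TARGET_KB}},
    {"host": "DC-02",  "ring": 1, "roles": {"dc"},              "kbs": set()},
    {"host": "RDGW-1", "ring": 0, "roles": {"exposed", "rdp"},  "kbs": {TARGET_KB}},
    {"host": "SP-WEB", "ring": 0, "roles": {"exposed"},         "kbs": set()},
    {"host": "HV-01",  "ring": 1, "roles": {"hyperv"},          "kbs": {TARGET_KB}},
    {"host": "WS-001", "ring": 0, "roles": {"client", "pilot"}, "kbs": {TARGET_KB}},
    {"host": "WS-002", "ring": 2, "roles": {"client"},          "kbs": set()},
    {"host": "WS-VIP", "ring": 1, "roles": {"client", "vip"},   "kbs": set()},
]


def is_compliant(device, target_kb=TARGET_KB):
    return target_kb in device["kbs"]


def _summarise(devices, target_kb):
    patched = sum(1 for d in devices if is_compliant(d, target_kb))
    total = len(devices)
    pct = round(100.0 * patched / total, 1) if total else 0.0
    return (patched, total, pct)


def compliance_by_ring(inventory, target_kb=TARGET_KB):
    """ring -> (patched, total, percent)."""
    rings = defaultdict(list)
    for d in inventory:
        rings[d["ring"]].append(d)
    return {r: _summarise(devs, target_kb) for r, devs in sorted(rings.items())}


def compliance_by_role(inventory, roles=("dc", "exposed", "vip"), target_kb=TARGET_KB):
    """Separate figures for the cohorts the post says to report on individually."""
    return {
        role: _summarise([d for d in inventory if role in d["roles"]], target_kb)
        for role in roles
    }


def noncompliant(inventory, ring=None, role=None, target_kb=TARGET_KB):
    """Hosts still missing the cumulative, optionally filtered by ring and/or role."""
    return sorted(
        d["host"] for d in inventory
        if not is_compliant(d, target_kb)
        and (ring is None or d["ring"] == ring)
        and (role is None or role in d["roles"])
    )


def ring_complete(inventory, ring, min_pct=95.0, target_kb=TARGET_KB):
    """Gate for advancing to the next ring: coverage at or above `min_pct`."""
    devices = [d for d in inventory if d["ring"] == ring]
    return _summarise(devices, target_kb)[2] >= min_pct


if __name__ == "__main__":
    for ring, (p, t, pct) in compliance_by_ring(INVENTORY).items():
        print(f"ring {ring}: {p}/{t} ({pct}%) missing={noncompliant(INVENTORY, ring=ring)}")
    for role, (p, t, pct) in compliance_by_role(INVENTORY).items():
        print(f"role {role}: {p}/{t} ({pct}%)")
    print("ring 0 ready to advance:", ring_complete(INVENTORY, 0))
```

The point of the separate role view is visible in the sample: overall coverage is 50%, but the DC cohort is also only 50% and the VIP cohort is 0%, which is the number that should drive the next action rather than the blended figure. In practice the `kbs` set would be populated from your endpoint management or vulnerability scanner export; nothing here depends on a particular product.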

FAQ

  • How to prioritize if maintenance windows are tight?

    • DCs and any internet‑exposed/RDP/MSMQ/SharePoint roles first; then Hyper‑V hosts and core app servers; finally broad clients.

  • What if authentication breaks after patching?

    • Check time sync, SPNs, constrained delegation, and channel signing; roll back affected nodes only; keep rest of ring moving.

  • Can we skip client patches and just do servers?

    • No—client EoP and graphics RCE can enable phishing‑to‑domain pivot; keep client rings moving within 72 hours.

  • How to handle legacy NTLM environments?

    • Patch immediately, audit NTLM usage, enable NTLM auditing, and plan transition toward Kerberos/modern auth.

Alfaiz Ansari is a digital strategist and researcher specializing in Cybersecurity, Artificial Intelligence, and Digital Marketing. As the mind behind Alfaiznova.com, he combines technical expertise …