Microsoft Patch Tuesday Aftermath: 107 CVEs Fixed, Windows Reset Features Still Broken

August Patch Tuesday fixes 107 CVEs, including a publicly disclosed Kerberos zero‑day, but KB5063709 and related updates broke Windows reset.

 


Breaking Brief

  • Microsoft’s August 2025 Patch Tuesday addressed 107 CVEs, including one publicly disclosed zero‑day in Windows Kerberos and 13 Critical flaws; vulnerability mix skews enterprise with heavy elevation‑of‑privilege and RCE exposure. [crowdstrike+1]

  • Post‑patch fallout continues: the August client updates (e.g., KB5063709/KB5063875 lines) broke Windows “Reset this PC” and recovery operations across Windows 10 and older Windows 11 builds; Microsoft acknowledged the issue and shipped out‑of‑band updates, but organizations still report incomplete remediation in some estates. [bleepingcomputer+1]

CVE Landscape at a Glance

  • Totals and severity: 107 CVEs fixed; 13 Critical; 91 Important; 1 Moderate; 1 Low. [tenable]

  • Category split (CrowdStrike): 42 elevation of privilege (~39%), 35 remote code execution (~33%), 16 information disclosure (~15%). [crowdstrike]

  • Zero‑day: CVE‑2025‑53779, a Windows Kerberos elevation‑of‑privilege issue publicly disclosed pre‑patch; risk centers on domain privilege escalation via constrained attribute abuse. [qualys+1]

What’s Still Broken

  • Known issue: Installing August security updates causes reset/recovery failures: Reset my PC (keep files), Fix problems using Windows Update, and RemoteWipe CSP operations may fail on affected client platforms. [bleepingcomputer]

  • Scope: Windows 11 22H2/23H2 (KB5063875) and Windows 10 22H2, LTSC 2021/2019 lines (KB5063709/KB5063877) were impacted; Microsoft has released emergency OOB fixes but estates may need coordination to fully recover functionality. [bleepingcomputer+1]

Enterprise Patch Priorities

  • Tier‑0 first: Patch domain controllers and identity infrastructure (Kerberos/NTLM/LSASS surfaces) to contain privilege escalation blast radius tied to the publicly disclosed zero‑day. [bleepingcomputer+1]

  • Internet‑exposed roles: RDP/MSMQ/share services and Office/SharePoint paths with RCE potential should be next in line; reduce attack surface while rolling out. [tenable+1]

  • Hosts and clusters: Patch Hyper‑V and core server roles in staggered waves with health checks (cluster‑aware patching where applicable). [tenable]

Rollout Timeline (ring‑based)

  • Day 0: Canary DCs, RDP/MSMQ/SharePoint edge roles, 5–10% pilot clients; enable enhanced monitoring for auth anomalies and service stability. [bleepingcomputer+1]

  • Day 1–2: Remaining DCs per site, exposed servers, 25–30% client cohort; validate line‑of‑business apps. [tenable]

  • Day 3–5: Broad server/client rollout; handle stubborn KB installs via standalone packages. [tenable]

Testing Checklist

  • Identity flows: Kerberos/NTLM auth, SSO, and line‑of‑business logons; watch for spikes in event IDs 4769/4771 and 4672 adjacencies. [crowdstrike+1]

  • Service paths: RDP broker health, MSMQ queue depth, Office/SharePoint upload/render; graphics pipeline smoke tests where applicable. [tenable]

  • Client UX: VPN, printing, and Teams calls; capture early regressions before scaling. [rapid7]

Recovery/Reset Workarounds and Fix Path

  • Apply OOB fixes: Deploy Microsoft’s emergency updates that remediate Reset/Recovery breakage corresponding to affected KB lines (KB5063875/KB5063709/KB5063877). [bleepingcomputer]

  • If still failing: Use WinRE/media‑based repair, DISM image health restore, or in‑place upgrade repair; postpone fleet‑wide resets until OOB patches are confirmed on endpoints. [bleepingcomputer]

  • RemoteWipe impact: For MDM‑driven wipes, validate on a pilot ring post‑OOB before executing at scale; maintain alternate wipe workflows (PXE or vendor imaging) as contingency. [bleepingcomputer+1]

Rollback Procedures (when an update breaks ops)

  • Client rollback: Use Settings > Update history > Uninstall updates to remove the offending KB on impacted pilots; pause updates temporarily only for affected rings while testing OOB fixes. [bleepingcomputer]

  • Server rollback: Evict/pause the cluster node, uninstall the KB, reboot, validate services, then rotate to the next node; keep last month’s cumulative update ready as fallback. [tenable]

  • KIR and feature holds: Where Known Issue Rollback applies, deploy relevant policies; defer feature updates during security rollout to reduce variable interactions. [rapid7]

Detection During Rollout

  • EoP monitoring: Alert on event 4624 (logon type 2 or 10) followed by 4672 within 5 minutes on the same host, and on unusual admin group membership changes post‑patch. [crowdstrike]

  • Kerberos anomalies: Watch for bursts in 4769/4771 or requests to rare SPNs; investigate systems lagging on Kerberos fixes. [bleepingcomputer]

  • Service health: A spike in RDP broker errors or MSMQ retries after patching is an early warning of regression or configuration drift. [tenable]
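
The EoP monitoring rule above (4624 with logon type 2 or 10, then 4672 on the same host within 5 minutes) can be prototyped offline before it goes into a SIEM. This is an added example, not code from the original post: the tuple layout, hostnames, accounts and the `expected_admins` allowlist are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
INTERACTIVE_TYPES = {2, 10}  # 2 = interactive, 10 = RemoteInteractive (RDP)

# Constructed sample events (not real logs):
# (timestamp, host, event ID, account, logon type or None)
SAMPLE_EVENTS = [
    ("2025-08-13T09:00:05", "WS-014", 4624, "jdoe", 10),
    ("2025-08-13T09:02:40", "WS-014", 4672, "jdoe", None),        # inside window
    ("2025-08-13T09:10:00", "SRV-02", 4624, "svc_backup", 3),     # network logon
    ("2025-08-13T09:10:30", "SRV-02", 4672, "svc_backup", None),  # no 2/10 logon before it
    ("2025-08-13T10:00:00", "WS-020", 4624, "asmith", 2),
    ("2025-08-13T10:07:00", "WS-020", 4672, "asmith", None),      # 7 minutes, outside window
    ("2025-08-13T11:00:00", "DC-01", 4624, "adm_ops", 10),
    ("2025-08-13T11:00:01", "DC-01", 4672, "adm_ops", None),      # known admin account
]


def correlate(events, expected_admins=frozenset()):
    """Return (host, account, logon_time, privilege_time) for every 4672 that
    follows a type 2/10 4624 on the same host within WINDOW.

    expected_admins is a hypothetical allowlist of accounts whose privileged
    logons are routine; it is a tuning assumption, not part of the rule itself.
    """
    last_logon = {}  # host -> time of the most recent interactive/RDP logon
    alerts = []
    # Sort on the ISO timestamp only, so collectors may deliver out of order.
    for ts, host, event_id, account, logon_type in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event_id == 4624 and logon_type in INTERACTIVE_TYPES:
            last_logon[host] = when
        elif event_id == 4672 and host in last_logon:
            # The most recent logon is the closest one; if it is outside the
            # window, every earlier logon on that host is too.
            if when - last_logon[host] <= WINDOW and account not in expected_admins:
                alerts.append((host, account, last_logon[host], when))
    return alerts


if __name__ == "__main__":
    for host, account, logon, priv in correlate(SAMPLE_EVENTS, {"adm_ops"}):
        print(f"{host}: {account} got special privileges {priv - logon} after logon")
```

Running it with an empty allowlist first shows how much of the alert volume comes from routine admin logons, which is the baseline to capture before the patch ring widens.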

Hey there! I’m Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I’m passionate about SEO, digital marketing, and coding (mastered four languages!). When I’m not diving into Data Science or AI, you’ll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadget comparison and the latest information about gadgets. Let’s explore tech together!