Publicly Disclosed Zero-Day Vulnerability in Windows Kerberos
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
The vulnerability can be triggered by convincing victims to download and open documents containing specially crafted metafiles. In worst-case scenarios, attackers can exploit web services by uploading documents with malicious metafiles without any user interaction or privileges required. When successfully exploited, this could allow attackers to achieve remote code execution or information disclosure on web services parsing documents with high impact to confidentiality, integrity, and availability of affected systems. This vulnerability has not been publicly disclosed, there is no evidence of exploitation, and exploitation is assessed as less likely. Microsoft has released an official fix for this vulnerability.
| Severity | CVSS Score | CVE | Description |
| Moderate | 7.2 | CVE-2025-53779 | Windows Kerberos Elevation of Privilege Vulnerability |
Critical Vulnerability in Windows Graphics Component
CVE-2025-53733 is a Critical remote code execution vulnerability affecting Microsoft Word and has a CVSS score of 8.4. This vulnerability allows unauthenticated attackers to execute arbitrary code locally by exploiting incorrect conversion between numeric types without user interaction. The Preview Pane serves as an attack vector. Exploitation is assessed as less likely. Customers should apply all available updates, which can be installed in any order.
When successfully exploited, attackers can achieve scope change, allowing an attacker on a nested guest VM to escape their virtual machine and gain administrative privileges on the guest serving as the host, with high impact to confidentiality, integrity, and availability. The vulnerability had not been publicly disclosed, there is no evidence of active exploitation in the wild, and exploitation is assessed as less likely due to the complex conditions required for successful exploitation. Microsoft has released an official fix for this vulnerability.
| Severity | CVSS Score | CVE | Description |
| Critical | 9.8 | CVE-2025-50165 | Windows Graphics Component Remote Code Execution Vulnerability |
Critical Vulnerability in GDI+
Later this year, Microsoft plans to discontinue support for Microsoft Windows 10 (October 2025). As part of a robust cybersecurity strategy, CrowdStrike encourages organizations to ensure their planning takes this upcoming date into consideration. End of support implies that in the near term, these systems will likely receive no further security updates. Organizations should be planning for and upgrading their systems to newer and supported OS versions to continue receiving critical security updates for issues like those mentioned above.
CVE-2025-53779 is a Moderate elevation of privilege vulnerability affecting Windows Kerberos and has a CVSS score of 7.2. This vulnerability allows authorized attackers with high privileges to further elevate privileges by exploiting relative path traversal in Windows Kerberos over a network connection without user interaction. While the vulnerability has been publicly disclosed with functional exploit code available, there is no evidence of active exploitation, and exploitation is assessed as less likely.
| Severity | CVSS Score | CVE | Description |
| Critical | 9.8 | CVE-2025-53766 | GDI+ Remote Code Execution Vulnerability |
Critical Vulnerability in Windows NTLM
CVE-2025-53784 is a Critical remote code execution vulnerability affecting Microsoft Word and has a CVSS score of 8.4. This vulnerability allows unauthenticated attackers to execute arbitrary code locally by exploiting a use-after-free vulnerability without user interaction. The Preview Pane serves as an attack vector. Exploitation is assessed as unlikely. Microsoft has released an official fix for this vulnerability.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
| Severity | CVSS Score | CVE | Description |
| Critical | 8.8 | CVE-2025-53778 | Windows NTLM Elevation of Privilege Vulnerability |
Critical Vulnerabilities in Microsoft Office products
With CrowdStrike Falcon® Exposure Management, security teams can automatically classify and prioritize assets, show attack paths targeting client-side exploitation of devices, and integrate with CrowdStrike Falcon® Next-Gen SIEM. Learn more in this blog post: Falcon Exposure Management’s AI-Powered Risk Prioritization Shows Organizations What to Fix First.
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
CVE-2025-48807 is a Critical remote code execution vulnerability affecting Windows Hyper-V and has a CVSS score of 7.5. This vulnerability allows authenticated attackers with low privileges to execute arbitrary code locally by exploiting improper restriction of communication channel to intended endpoints in Windows Hyper-V with user interaction required and high attack complexity. The vulnerability requires a race condition to be triggered when an administrator begins administering from the host system rather than a guest or nested guest, with the attacker needing to send a specially crafted request at the precise moment an administrator takes action on the host. The attack requires local access with “remote” in the title referring to the attacker’s location, as the vulnerable endpoint is only available over the local VM interface with external communication blocked.
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
| Severity | CVSS Score | CVE | Description |
| Critical | 8.4 | CVE-2025-53731 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 8.4 | CVE-2025-53733 | Microsoft Word Remote Code Execution Vulnerability |
| Critical | 8.4 | CVE-2025-53740 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 8.4 | CVE-2025-53784 | Microsoft Word Remote Code Execution Vulnerability |
Critical Vulnerability in Microsoft Message Queuing
CVE-2025-50176 is a Critical remote code execution vulnerability affecting DirectX Graphics Kernel and has a CVSS score of 7.8. It allows authenticated attackers with low privileges to execute arbitrary code locally by exploiting type confusion and heap-based buffer overflow in the Graphics Kernel without user interaction. The vulnerability requires local access to the system, with “remote” in the title referring to the attacker’s location rather than the attack vector, and any authenticated user can trigger the vulnerability without requiring administrative privileges.
When successfully exploited, attackers can achieve remote code execution on the server side with high impact to confidentiality, integrity, and availability of affected MSMQ systems. This vulnerability has not been publicly disclosed, and there is no evidence of active exploitation in the wild, but exploitation is assessed as more likely due to the nature of the flaw. Microsoft has released an official fix for this vulnerability.
| Severity | CVSS Score | CVE | Description |
| Critical | 8.1 | CVE-2025-50177 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability |
Critical Vulnerabilities in Microsoft Azure
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
CVE-2025-50177 is a Critical remote code execution vulnerability affecting Microsoft Message Queuing (MSMQ) and has a CVSS score of 8.1. It allows unauthenticated remote attackers to execute arbitrary code by exploiting use-after-free and race condition vulnerabilities in Windows Message Queuing over a network connection without user interaction. The attack can occur without any user intervention once the attacker successfully triggers the race condition through concurrent execution using shared resources with improper synchronization. This vulnerability requires high attack complexity as successful exploitation requires an attacker to win a race condition by sending a series of specially crafted MSMQ packets in rapid sequence over HTTP to an MSMQ server.
CVE-2025-49707 is a Critical spoofing vulnerability affecting Azure Virtual Machines and has a CVSS score of 7.9. This vulnerability allows authorized attackers with high privileges to perform spoofing locally by exploiting improper access control with changed scope impact. There has been no public disclosure or evidence of exploitation. Microsoft has fully mitigated this vulnerability at the service level, requiring no customer action.
| Severity | CVSS Score | CVE | Description |
| Critical | 7.9 | CVE-2025-49707 | Azure Virtual Machines Spoofing Vulnerability |
| Critical | 7.7 | CVE-2025-53781 | Azure Virtual Machines Information Disclosure Vulnerability |
| Critical | 7.5 | CVE-2025-53793 | Azure Stack Hub Information Disclosure Vulnerability |
Critical Vulnerability in DirectX Graphics Kernel
CVE-2025-53778 is a Critical elevation of privilege vulnerability affecting Windows NTLM and has a CVSS score of 8.8. It allows authenticated attackers with low privileges to elevate privileges by exploiting improper authentication in Windows NTLM over a network connection without user interaction. The vulnerability requires only low-level privileges to exploit and can be triggered over the network without any user interaction, making it particularly concerning for attackers seeking to escalate their access. The attack represents a significant security risk as it allows privilege escalation from low-privileged authenticated access to complete system control through NTLM authentication bypass.
CVE-2025-53793 is a Critical information disclosure vulnerability affecting Azure Stack Hub and has a CVSS score of 7.5. This vulnerability allows unauthenticated remote attackers to disclose system internal configuration information by exploiting improper authentication and path traversal over a network connection. While exploitation is assessed as unlikely, users should update to Azure Stack Hub version 1.2501.1.47 to remediate this vulnerability.
| Severity | CVSS Score | CVE | Description |
| Critical | 7.8 | CVE-2025-50176 | DirectX Graphics Kernel Remote Code Execution Vulnerability |
Critical Vulnerability in Windows Hyper-V
CVE-2025-53740 is a Critical remote code execution vulnerability affecting Microsoft Office and has a CVSS score of 8.4. This vulnerability allows unauthenticated attackers to execute arbitrary code locally by exploiting a use-after-free vulnerability without user interaction. The Preview Pane serves as an attack vector. Exploitation is assessed as less likely. Microsoft has released an official fix for this vulnerability.
CVE-2025-50165 is a Critical remote code execution vulnerability affecting Windows Graphics Component and has a CVSS score of 9.8. This vulnerability allows unauthenticated remote attackers to execute arbitrary code by exploiting untrusted pointer dereference and use of uninitialized resources in the Microsoft Graphics Component over a network connection without user interaction.
| Severity | CVSS Score | CVE | Description |
| Critical | 7.5 | CVE-2025-48807 | Windows Hyper-V Remote Code Execution Vulnerability |
New AI-Powered Capabilities in Falcon Exposure Management
CVE-2025-53766 is a Critical remote code execution vulnerability affecting GDI+ (Graphics Device Interface Plus) and has a CVSS score of 9.8. It allows unauthenticated remote attackers to execute arbitrary code by exploiting a heap-based buffer overflow in Windows GDI+ over a network connection without user interaction. Notably, the Preview Pane is not an attack vector for this particular vulnerability, with exploitation possible through document processing on web services without victim involvement.
Patch Tuesday Dashboard in the Falcon Platform
CVE-2025-53781 is a Critical information disclosure vulnerability affecting Azure Virtual Machines and has a CVSS score of 7.7. This vulnerability allows authorized attackers with low privileges to disclose sensitive information by exploiting exposure of sensitive information to unauthorized actors over a network with changed scope impact. Exploitation is assessed as less likely. Microsoft has fully mitigated this vulnerability at the service level, requiring no customer action.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
This vulnerability requires elevated access to specific dMSA attributes including msds-groupMSAMembership and write access to msds-ManagedAccountPrecededByLink for successful exploitation. When exploited, attackers can gain domain administrator privileges, achieving significant privilege escalation with high impact to confidentiality, integrity, and availability of affected Windows domain environments. This attack represents a serious security risk for environments where attackers already possess high-level privileges on domain-managed service accounts. Microsoft has released an official fix for this vulnerability.
When successfully exploited, attackers can achieve full system compromise with high impact to confidentiality, integrity, and availability of affected systems through arbitrary code execution on the local machine. The vulnerability had not been publicly disclosed, there is no evidence of active exploitation in the wild, and exploitation is assessed as less likely. Microsoft has released an official fix for this vulnerability.
The vulnerability can be triggered when decoding JPEG images embedded in Office documents or third-party files, and could allow an attacker to exploit an uninitialized function pointer during the decoding process. An attack can occur without any user intervention once a malicious JPEG image is processed by the graphics component. When the vulnerability is successfully exploited, attackers can achieve full system compromise with high impact to confidentiality, integrity, and availability of affected Windows systems. The vulnerability had not been publicly disclosed, there is no evidence of active exploitation in the wild, and exploitation is assessed as less likely. Microsoft has released an official fix.
CVE-2025-53731 is a Critical remote code execution vulnerability affecting Microsoft Office and has a CVSS score of 8.4. It allows unauthenticated attackers to execute arbitrary code locally by exploiting a use-after-free vulnerability without user interaction. The Preview Pane serves as an attack vector. Exploitation is assessed as unlikely. Microsoft has released an official fix for this vulnerability.
About CVSS Scores
When successfully exploited, attackers can gain SYSTEM privileges, achieving full system compromise with high impact to confidentiality, integrity, and availability of affected Windows systems. The vulnerability had not been publicly disclosed, there is no evidence of active exploitation in the wild, and exploitation is assessed as more likely due to the nature of the authentication flaw. Microsoft has released an official fix for this vulnerability.
