Patch Tuesday August 2025

Patch Tuesday August 2025 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

Microsoft Vulnerabilities

This Patch Tuesday includes 107 vulnerabilities fixed by Microsoft, surpassing last month’s total, with 13 marked as critical. However, only one zero-day with a proof of concept is included. Below are the details of the most notable critical updates.

CVE-2025-53779 – Windows Kerberos Elevation of Privilege Vulnerability

CVE-2025-53779, the only zero-day in this Patch Tuesday, is a critical flaw in the Windows Kerberos authentication system. It involves a relative path traversal vulnerability (CWE-23) due to improper validation of path inputs related to domain Managed Service Accounts (dMSAs). This issue arises in how Windows Kerberos handles certain attributes of dMSAs, particularly the msds-ManagedAccountPrecededByLink attribute. By manipulating these paths, an attacker with high privileges can traverse directory structures, impersonating users with higher privileges than intended. This vulnerability undermines the trusted delegation model Kerberos uses for service account management in Active Directory environments.

Affected Systems:

• Windows Server with Active Directory Domain Services
• Domain controllers managing Kerberos authentication
• Environments using dMSAs
• All supported versions of Windows Server with Kerberos enabled

Attack Characteristics:

• Attack Vector: Network (AV:N)
• Attack Complexity: Low (AC:L)
• Privileges Required: High (PR:H)
• User Interaction: None (UI:N)

CVSS Overview:

• Base Score: 7.2 (High)
• Temporal Score: 6.7 (Medium)
• Impact: Full compromise of system confidentiality, integrity, and availability
• Publicly Disclosed: Yes
• Exploited in the Wild: No (at time of disclosure)
• Proof of Concept: Yes, functional exploit code exists
• Exploitability Assessment: “Exploitation Less Likely” (according to Microsoft)

Exploitation Requirements:

1. High-level privileges within the domain environment
2. Access to modify specific dMSA attributes:

• • msds-groupMSAMembership (to use the dMSA)
  • msds-ManagedAccountPrecededByLink (to specify the user the dMSA can impersonate)

By exploiting the path traversal vulnerability, the attacker can manipulate these attributes, creating improper delegation relationships that allow them to:

• Impersonate privileged accounts
• Escalate privileges to domain administrator level
• Potentially gain full control over the Active Directory domain

Exploitation Scenarios:

• Initial Access: An attacker who has compromised a privileged account (e.g., through phishing or credential theft) can use this flaw to escalate from a limited administrative account to full domain control.
• Lateral Movement: Techniques like Kerberoasting or Silver Ticket attacks, combined with this vulnerability, allow attackers to maintain persistent access while escalating privileges.
• Security Control Bypass: Gaining domain administrator privileges allows attackers to disable security monitoring, modify Group Policy Objects, and tamper with audit logs.
• Supply Chain Attacks: In multi-forest environments or organizations with partner connections, attackers could use this flaw to pivot from one compromised domain to others.

At-Risk Environments:

• Large enterprise environments with complex Active Directory setups
• Organizations heavily using dMSAs for service account management
• High-value targets like government agencies, financial institutions, and healthcare organizations
• Environments with extensive delegation models for administrative tasks

While Microsoft has assessed the vulnerability as “Exploitation Less Likely,” the presence of functional exploit code and its impact on core authentication mechanisms makes it a significant risk. The requirement for high privileges might seem like a safeguard, but many organizations have accounts with these privileges. Once such an account is compromised, the path to full domain compromise becomes much shorter.

Organizations should treat this vulnerability with urgency, as it can be used in sophisticated attack chains targeting high-value environments.

CVE-2025-53740 and CVE-2025-53731 Microsoft Office Remote Code Execution Vulnerabilities

CVE-2025-53740 is a critical Use-After-Free (UAF) vulnerability (CWE-416) in Microsoft Office. It occurs when the Office application attempts to access memory after it has been freed, leading to potential code execution. The issue appears to be improper memory management in the handling of certain document objects.

Attack Characteristics:

• Attack Vector: Local (AV:L)
• Attack Complexity: Low (AC:L)
• Privileges Required: None (PR:N)
• User Interaction: None (UI:N)

CVSS Overview:

• Base Score: 8.4 (High)
• Temporal Score: 7.3 (High)
• Publicly Disclosed: No
• Exploited in the Wild: No (at time of disclosure)
• Proof of Concept: No publicly available exploit code at the time of disclosure
• Exploitability Assessment: “Exploitation Less Likely” (according to Microsoft)

Despite the “Remote Code Execution” designation, the attack vector is local, meaning the execution occurs on the victim’s machine, not remotely. Microsoft clarifies that “Remote” refers to the attacker’s location, while the code execution happens locally, often referred to as Arbitrary Code Execution (ACE).

The Preview Pane is specifically mentioned as an attack vector, which is concerning because:

• It allows code execution without fully opening the document.
• It can trigger automatically in email clients like Outlook.
• It significantly reduces user interaction needed for exploitation.

A successful exploit would allow an attacker to:

• Execute arbitrary code in the context of the current user.
• Access, modify, or delete data based on user permissions.
• Install programs or create new accounts with user rights.
• Potentially achieve lateral movement in a network environment.

This vulnerability is more dangerous when combined with:

• Social Engineering: Malicious Office documents sent via email could trigger exploitation through the Preview Pane, requiring no full document opening.
• Privilege Escalation Chains: Attackers could chain this with local privilege escalation vulnerabilities to gain system-level access.
• Sandbox Escape: In environments with Office application sandboxing, this could be part of a multi-stage attack to escape the sandbox.
• Macro-less Attacks: This vulnerability could be triggered by document parsing, bypassing macro security controls.
• Supply Chain Risks: Embedding malicious documents in legitimate business workflows could lead to widespread organizational compromise.

At-Risk Environments:

• Enterprises with large Office deployments.
• Organizations heavily using email with attachments.
• Businesses targeted by spear-phishing (e.g., finance, government, critical infrastructure).
• Companies with limited endpoint protection.

While Microsoft’s “Exploitation Less Likely” assessment may seem reassuring, UAF vulnerabilities in widely deployed applications like Microsoft Office are often exploited once techniques are developed. The Preview Pane attack vector is particularly concerning as it significantly lowers the user interaction barrier.

The “Local” attack vector is misleading in real-world scenarios. Though technically accurate, the practical attack involves remote attackers sending malicious files, making it effectively a remote attack in most threat models.

CVE-2025-53731 is another critical UAF vulnerability (CWE-416) in Microsoft Office. Like CVE-2025-53740, it stems from improper memory management when the application accesses freed memory.

Although the root cause likely involves a different component or parsing routine than CVE-2025-53740, both share the same memory corruption issue, indicating systemic problems in Office’s memory handling architecture.

Attack Characteristics:

• Attack Vector: Local (AV:L)
• Attack Complexity: Low (AC:L)
• Privileges Required: None (PR:N)
• User Interaction: None (UI:N)

CVSS Overview:

• Base Score: 8.4 (High)
• Temporal Score: 7.3 (High)
• Publicly Disclosed: No
• Exploited in the Wild: No (at time of disclosure)
• Proof of Concept: No publicly available exploit code at the time of disclosure
• Exploitability Assessment: “Exploitation Unlikely” (according to Microsoft)

Like CVE-2025-53740, this vulnerability is classified as “Remote Code Execution” despite having a local attack vector. Microsoft clarifies that “Remote” refers to the attacker’s location, while execution happens locally.

The similarity between CVE-2025-53731 and CVE-2025-53740 suggests potential issues with Microsoft’s secure development processes. Multiple UAF vulnerabilities discovered simultaneously often indicate deeper architectural problems, not isolated bugs.

Microsoft’s “Exploitation Unlikely” assessment may indicate this vulnerability is slightly harder to weaponize, but it still carries the same potential impact, as indicated by the identical CVSS scores.

Despite this, organizations should treat this vulnerability with high priority due to its critical severity, lack of required privileges or user interaction, and potential for complete system compromise. Many vulnerabilities initially deemed “unlikely” to be exploited have later become weaponized once techniques are developed.

The simultaneous disclosure of these two similar vulnerabilities increases the likelihood that researchers and attackers will focus on Office memory corruption issues, speeding up the development of exploitation techniques for both.

CVE-2025-53784 and CVE-2025-53733 Microsoft Word Remote Code Execution Vulnerabilities

CVE-2025-53784 is a critical Use-After-Free (UAF) vulnerability (CWE-416) in Microsoft Word, posing a significant security risk. It occurs when Word attempts to access memory after it has been freed, creating an opportunity for attackers to exploit this behavior.

The root cause seems to lie in Word’s document parsing or rendering functionality, where:

1. The application allocates memory for specific document elements.
2. It prematurely frees the memory due to improper management.
3. Later attempts to reference the freed memory location.
4. This creates an exploitable condition when attacker-controlled data occupies the freed location.

This is likely triggered by complex document structures in DOCX/DOC formats, involving features such as embedded objects or complex formatting.

Attack Characteristics:

• Attack Vector: Local (AV:L)
• Attack Complexity: Low (AC:L)
• Privileges Required: None (PR:N)
• User Interaction: None (UI:N)

CVSS Overview:

• Base Score: 8.4 (High)
• Temporal Score: 7.3 (High)
• Publicly Disclosed: No
• Exploited in the Wild: No (at time of disclosure)
• Proof of Concept: No publicly available exploit code at the time of disclosure
• Exploitability Assessment: “Exploitation Unlikely” (according to Microsoft)

Despite being labeled “Remote Code Execution” in the title, the attack vector is local. Microsoft clarifies that “Remote” refers to the attacker’s location, while execution occurs locally on the victim’s machine, often considered an Arbitrary Code Execution (ACE) scenario.

The Preview Pane is explicitly mentioned as an attack vector, which is concerning because:

• It allows code execution without fully opening the document.
• It can trigger automatically in email clients like Outlook.
• It reduces user interaction required for exploitation.
• Many organizations leave the Preview Pane enabled by default.

A successful exploit could allow an attacker to:

• Execute arbitrary code in the context of the current user.
• Access, modify, or delete data accessible to the user.
• Install malicious software or backdoors.
• Potentially use the compromised system for lateral movement.

This vulnerability is particularly dangerous in the following scenarios:

• Spear-Phishing Campaigns: Malicious Word documents delivered via email could exploit this vulnerability through the Preview Pane, requiring only the receipt of the email.
• Watering Hole Attacks: Malicious Word documents hosted on compromised websites could trigger this vulnerability when previewed.
• Supply Chain Compromise: Weaponized document templates or forms distributed via legitimate channels.
• Multi-Stage Attack Chains: This vulnerability could serve as an entry point, followed by privilege escalation to gain system or domain-level access.

Microsoft’s “Exploitation Unlikely” assessment may be overly optimistic. Developing a reliable exploit for memory corruption vulnerabilities requires expertise, but the high value of Word as a target means attackers are likely to invest resources in weaponizing this vulnerability. The Preview Pane attack vector significantly elevates the real-world risk, as many organizations configure Outlook to automatically preview messages, creating a nearly zero-click attack.

Although technically a “Local” attack vector, the practical attack scenario involves malicious documents sent remotely, effectively making it a remote attack in most cases. This disconnect between CVSS scoring and real-world exploitation scenarios may lead to underestimating the risk.

The similarity to other recently patched Office vulnerabilities, such as CVE-2025-53740 and CVE-2025-53731, suggests that Microsoft may have discovered a class of memory management issues during a security review, indicating deeper architectural problems rather than isolated bugs.

CVE-2025-53733 is a critical vulnerability in Microsoft Word related to incorrect numeric type conversions (CWE-681). Unlike the other recently disclosed Use-After-Free vulnerabilities, this one arises from a different class of programming error.

The root cause involves improper handling of numeric type conversions, such as:

1. Processing document elements containing numeric values.
2. Converting between different numeric representations (e.g., 32-bit to 64-bit integers, signed to unsigned values, or floating-point to integer).
3. Using the incorrectly converted values in memory operations or calculations.
4. Leading to memory corruption that allows arbitrary code execution.

This vulnerability likely occurs in Word’s parsing of document structures containing numeric parameters, such as table dimensions or embedded object specifications. The incorrect conversion likely leads to buffer overflows or out-of-bounds memory accesses, which are exploitable.

Attack Characteristics:

• Attack Vector: Local (AV:L)
• Attack Complexity: Low (AC:L)
• Privileges Required: None (PR:N)
• User Interaction: None (UI:N)

CVSS Overview:

• Base Score: 8.4 (High)
• Temporal Score: 7.3 (High)
• Publicly Disclosed: No
• Exploited in the Wild: No (at time of disclosure)
• Proof of Concept: No publicly available exploit code at the time of disclosure
• Exploitability Assessment: “Exploitation Less Likely” (according to Microsoft)

Like CVE-2025-53784, this vulnerability is classified as “Remote Code Execution” despite having a local attack vector. Microsoft clarifies that “Remote” refers to the attacker’s location, while execution happens locally.

The “Exploitation Less Likely” assessment from Microsoft (compared to “Exploitation Unlikely” for CVE-2025-53784) suggests that this vulnerability might be slightly easier to weaponize. Numeric conversion errors often offer more deterministic exploitation paths than memory corruption issues that depend on heap layout manipulation.

Type conversion vulnerabilities have historically been reliable targets for exploitation once techniques are developed. These vulnerabilities often allow precise control over memory operations, making them attractive for weaponization. The low attack complexity rating reinforces this concern.

The Preview Pane attack vector remains critical in the risk assessment, as it could potentially allow exploitation simply by viewing a malicious attachment in the email preview, requiring no user interaction beyond receiving the email.

CVE-2025-50165 – Windows Graphics Component Remote Code Execution Vulnerability

CVE-2025-50165 is a critical vulnerability in Microsoft’s Windows Graphics Component, involving untrusted pointer dereference (CWE-822) and use of uninitialized resources (CWE-908). This vulnerability affects the JPEG image decoding functionality, a core component of the Windows operating system.

The issue stems from:

1. Failure to properly initialize function pointers during JPEG image processing.
2. Dereferencing uninitialized pointers during the decoding process.
3. Attackers can craft malicious JPEG images that control the value of these uninitialized pointers.
4. When dereferenced, these pointers can redirect execution to attacker-controlled code.

This vulnerability is particularly dangerous as it occurs deep in the operating system’s image processing pipeline, used across multiple applications and services.

Attack Characteristics:

• Attack Vector: Network (AV:N)
• Attack Complexity: Low (AC:L)
• Privileges Required: None (PR:N)
• User Interaction: None (UI:N)

CVSS Overview:

• Base Score: 9.8 (Critical) – the highest possible severity in the CVSS scoring system.
• Temporal Score: 8.5 (High)
• Publicly Disclosed: No
• Exploited in the Wild: No (at time of disclosure)
• Proof of Concept: No publicly available exploit code at the time of disclosure
• Exploitability Assessment: “Exploitation Less Likely” (according to Microsoft)

This vulnerability is especially concerning due to its network attack vector and lack of required user interaction. According to Microsoft:

1. Exploitation can occur “without user intervention.”
2. Attackers can exploit “an uninitialized function pointer being called when decoding a JPEG image.”
3. It affects JPEG images “embedded in Office and third-party documents/files.”
4. Exploitation could allow “remote code execution without user interaction.”

Potential Attack Vectors:

• Sending malicious JPEG images via email, web, or network shares.
• Embedding weaponized JPEGs in documents processed by affected systems.
• Hosting malicious JPEGs on websites viewed by affected systems.
• Distributing malicious images through social media or messaging platforms.

A successful exploit could allow an attacker to:

• Execute arbitrary code at the privilege level of the affected process.
• Gain SYSTEM-level access if exploited against privileged processes.
• Access, modify, or delete data on the compromised system.
• Install malware, ransomware, or other malicious software.
• Establish persistence and potentially move laterally through networked systems.

Risk Amplifiers:

1. Wormable Potential: The network attack vector and no user interaction requirement suggest this vulnerability could be leveraged in self-propagating malware.
2. Supply Chain Amplification: Compromising image processing pipelines in content delivery networks or media storage systems could lead to widespread distribution of malicious JPEGs.
3. Web-Based Drive-By Attacks: Malicious websites could serve crafted JPEG images that exploit this vulnerability without requiring user action.
4. Email-Based Attacks: Many email clients automatically process images for preview, making this a risk in email-based attacks without opening attachments or clicking links.
5. Steganography Enhancement: The vulnerability could be combined with steganographic techniques to hide the exploit payload in seemingly innocent images, making detection more difficult.

At-Risk Organizations:

• Any enterprise running Windows operating systems.
• Organizations processing images from external sources.
• Media companies and content platforms handling large volumes of images.
• Email-dependent organizations where images are frequently exchanged.
• Government and critical infrastructure entities, which are high-value targets.

The CVSS score of 9.8 (Critical) reflects the extreme severity of this vulnerability. Several factors contribute to its high risk:

1. Ideal Attack Characteristics: Network vector, low complexity, no privileges required, and no user interaction make it ideal for exploitation.
2. Core OS Component Affected: This affects a fundamental Windows component used throughout the operating system and its applications.
3. Multiple Weakness Types: The combination of untrusted pointer dereference and uninitialized resource issues suggests a deep architectural flaw.
4. Format Ubiquity: JPEG is one of the most commonly used image formats, creating an exceptionally broad attack surface.

Microsoft’s “Exploitation Less Likely” assessment may be overly optimistic given these factors. While exploiting this vulnerability may require expertise, its high value to attackers means significant resources could be devoted to weaponizing it.

The possibility of triggering this vulnerability via JPEGs embedded in Office and third-party documents increases the attack surface, as organizations may focus on screening standalone images but overlook images embedded within documents.

Despite the lack of known exploitation in the wild, this type of high-impact, low-barrier vulnerability is a priority for sophisticated threat actors. The window between patch release and exploitation attempts for vulnerabilities like this has been shrinking.

Organizations should treat this as an urgent patching priority, regardless of Microsoft’s “Exploitation Less Likely” assessment. The combination of a CVSS score of 9.8 and the lack of mitigating factors, such as user interaction requirements, makes this an extreme risk to any Windows environment.

CVE-2025-53766 – GDI+ Remote Code Execution Vulnerability

CVE-2025-53766 is a critical heap-based buffer overflow vulnerability (CWE-122) affecting the Windows GDI+ (Graphics Device Interface Plus), a core component responsible for rendering graphics and formatted text. This vulnerability specifically impacts GDI+’s handling of metafiles.

The root cause appears to be improper buffer management during the processing of specially crafted metafiles (likely EMF or WMF formats), where:

1. The GDI+ component fails to properly validate input size or boundaries when processing metafile data.
2. This leads to a heap-based buffer overflow, allowing data to be written beyond the allocated buffer.
3. Attackers can craft malicious metafiles to exploit this overflow condition.
4. The overflow enables attackers to overwrite adjacent heap memory with attacker-controlled data, allowing for arbitrary code execution.

Heap-based overflows are typically more challenging to exploit than stack-based ones, but once weaponized, they can provide greater flexibility for attackers.

Attack Characteristics:

• Attack Vector: Network (AV:N)
• Attack Complexity: Low (AC:L)
• Privileges Required: None (PR:N)
• User Interaction: None (UI:N)

CVSS Overview:

• Base Score: 9.8 (Critical) – the highest possible severity in the CVSS scoring system.
• Temporal Score: 8.5 (High)
• Publicly Disclosed: No
• Exploited in the Wild: No (at time of disclosure)
• Proof of Concept: No publicly available exploit code at the time of disclosure
• Exploitability Assessment: “Exploitation Less Likely” (according to Microsoft)

According to Microsoft, this vulnerability presents several attack scenarios:

1. An attacker could “trigger this vulnerability by convincing a victim to download and open a document containing a specially crafted metafile.”
2. In the worst-case scenario, an attacker could “trigger this vulnerability on web services by uploading documents containing a specially crafted metafile (AV:N) without user interaction.”
3. The vulnerability could cause “Remote Code Execution or Information Disclosure on web services parsing documents with specially crafted metafiles, without victim interaction.”
4. The Preview Pane is not an attack vector for this issue.

Potential Attack Vectors:

• Exploiting document processing web services that handle user-uploaded content, potentially compromising entire application servers.
• Embedding malicious metafiles in legitimate business documents distributed through trusted channels.
• Initial compromise via this vulnerability, followed by lateral movement through an organization’s network.
• Targeted attacks by nation-state actors or advanced threat groups.
• Distributing malicious metafiles through online advertising networks (malvertising).

At-Risk Organizations:

• Web services processing user-uploaded documents.
• Document management systems and digital asset platforms.
• Enterprises with significant document processing workflows.
• Organizations in high-value sectors such as finance, government, and critical infrastructure.
• Businesses regularly exchanging document files with external parties.

The CVSS score of 9.8 reflects the critical nature of this vulnerability. It shares several traits with CVE-2025-50165, another critical vulnerability, though there are notable differences:

Similarities:

1. Both vulnerabilities share a CVSS score of 9.8 and identical vector string elements.
2. Both are rated “Exploitation Less Likely” by Microsoft, with no known exploitation in the wild.
3. Both lead to remote code execution and complete system compromise.
4. Both affect fundamental Windows components related to graphics processing.

Key Differences:

1. Vulnerability Type:
   CVE-2025-50165: Untrusted pointer dereference and uninitialized resource issues in JPEG processing.
   CVE-2025-53766: Heap-based buffer overflow in metafile processing.
2. Affected File Formats:
   CVE-2025-50165: JPEG images.
   CVE-2025-53766: Metafiles (likely EMF/WMF formats).
3. Attack Vectors:
   CVE-2025-50165: Exploited via JPEG images embedded in Office and third-party documents.
   CVE-2025-53766: Specifically targets metafiles in documents, with a focus on web service exploitation.
4. Real-World Attack Scenarios:
   CVE-2025-50165: Broader attack surface due to the ubiquity of JPEG images.
   CVE-2025-53766: More focused on document processing workflows and web services.

Despite identical CVSS scores, CVE-2025-50165 may pose a slightly higher real-world risk due to the prevalence of JPEG images compared to metafiles. JPEGs are more common in everyday computing, and users are less likely to be suspicious of them. Additionally, the broader attack surface for JPEG processing makes it more frequently encountered.

However, CVE-2025-53766 presents unique risks in specific scenarios:

1. The explicit mention of web service exploitation without user interaction.
2. The focus on document-based attack vectors.
3. The potential for targeting specialized document processing systems.

Both vulnerabilities are critical and demand immediate attention. Organizations should prioritize patching both issues without delay. Those with significant web service document processing capabilities should particularly focus on CVE-2025-53766, while organizations with extensive image processing workflows should prioritize CVE-2025-50165.

The combination of these vulnerabilities in the Windows graphics stack suggests that Microsoft may have conducted a comprehensive security review of these components, revealing multiple critical issues. This pattern often points to deeper architectural security concerns in the affected subsystems.

Google Chrome

Google has released Chrome updates addressing six vulnerabilities, including one that was actively exploited to bypass the browser’s sandbox.

CVE-2025-6558, rated 8.8 on the CVSS scale, was discovered by Google Threat Analysis Group (TAG) on June 23. The flaw stems from insufficient input validation in ANGLE and the GPU component, affecting all Chrome versions before 138.0.7204.157. By luring a user to a specially crafted HTML page, an attacker could escape the sandbox and execute code in the browser’s graphics processor.

ANGLE (Almost Native Graphics Layer Engine) is an abstraction layer that processes GPU commands from untrusted sources, such as WebGL-enabled websites. Bugs in this component can have serious security consequences. Google has not shared further technical details.

Due to the high risk and confirmed exploitation, users should update to Chrome 138.0.7204.157/.158 immediately. The update also fixes five other vulnerabilities, including a high-severity flaw in the V8 engine (CVE-2025-7656) and a use-after-free bug in WebRTC (CVE-2025-7657), neither of which is currently known to be exploited.

Axis

Researchers at Claroty have identified vulnerabilities in Axis Communications’ video surveillance solutions that could allow takeover attacks.

If exploited, these flaws could enable remote code execution before authentication on Axis Device Manager, the server used for camera configuration, and on Axis Camera Station, the client software for viewing camera feeds. Attackers could also scan the internet to find vulnerable systems and target them directly.

The issues include:

•  CVE-2025-30023 (CVSS 9.0) – Flaw in the client-server communication protocol that could allow an authenticated user to execute code remotely. Fixed in Camera Station Pro 6.9, Station 5.58, and Device Manager 5.32.
• CVE-2025-30024 (CVSS 6.8) – Similar protocol issue enabling Adversary-in-the-Middle (AitM) attacks. Fixed in Device Manager 5.32.
• CVE-2025-30025 (CVSS 4.8) – Vulnerability in the protocol between the server process and service control component that could lead to local privilege escalation. Fixed in Camera Station Pro 6.8 and Device Manager 5.32.
• CVE-2025-30026 (CVSS 5.3) – Flaw in Axis Camera Station Server that could result in authentication bypass. Fixed in Camera Station Pro 6.9 and Station 5.58.
  Successful exploitation could let an attacker act as an AitM between Camera Station and its clients, intercepting and altering communications, performing unauthorized actions, and potentially controlling all connected cameras.

While there is no evidence of real-world exploitation, Claroty found over 6,500 servers on the internet exposing the proprietary Axis.Remoting protocol. A successful attack could give system-level access to the internal network, enable interception of live streams, and allow remote code execution without prior authentication.

Dell

Vulnerabilities in Dell’s ControlVault3 firmware affect more than 100 laptop models and could let attackers bypass Windows login to install malware that survives even after the system is reinstalled.

Dell ControlVault is a hardware security feature that stores passwords, biometric data, and security codes in firmware on a dedicated daughter board called the Unified Security Hub (USH). Researchers at Cisco Talos discovered five vulnerabilities, collectively named ReVault, that impact both the ControlVault3 firmware and its Windows API interfaces on Dell Latitude and Precision series laptops.

ReVault vulnerabilities:

• CVE-2025-24311 and CVE-2025-25050 – Out-of-bounds read/write flaws.
• CVE-2025-25215 – Arbitrary release flaw.
• CVE-2025-24922 – Stack overflow flaw.
• CVE-2025-24919 – Unsafe deserialization issue in Windows ControlVault API interfaces.

By chaining these flaws, attackers can execute code in the firmware, create implants that persist through OS reinstalls, and bypass Windows login. A local attacker with physical access could connect to the USH via USB using a special connector to escalate privileges or take control of the system. Exploitation could also override fingerprint authentication, allowing any fingerprint to be accepted.

Talos advises updating systems via Windows Update or Dell’s website, disabling unused security peripherals (fingerprint, smart card, and NFC readers), and turning off fingerprint login in high-risk environments. They also recommend enabling chassis intrusion detection in the BIOS and Enhanced Sign-in Security (ESS) in Windows to detect malicious firmware.

Nvidia

Following a report from Wiz researchers, Nvidia has patched more than a dozen vulnerabilities in its Triton Inference Server, some of which posed serious risks to AI systems using the platform.

In its advisory, Nvidia confirmed that multiple flaws in the open-source Triton Inference Server, used to deploy AI models from various deep learning and machine learning frameworks, have been fixed. Wiz highlighted three in particular: CVE-2025-23319, CVE-2025-23320, and CVE-2025-23334. A remote, unauthenticated attacker could chain these vulnerabilities to execute arbitrary code and take full control of the server.

CVE-2025-23319 and CVE-2025-23320 are high-severity issues in the Python backend on both Windows and Linux. The first can be used for remote code execution, denial-of-service attacks, data tampering, and information disclosure; the second may also lead to information disclosure. CVE-2025-23334, rated medium severity, also affects the Python backend and can expose sensitive data.

According to Wiz, the attack chain starts with a small data leak and escalates to full system compromise. All flaws have been addressed in version 25.07. While there is no evidence of exploitation, Nvidia urges users to update promptly to prevent risks such as AI model theft, data exposure, manipulation of outputs, and potential deeper network intrusion.

Android

Google has issued August 2025 Android security updates addressing six vulnerabilities, including two Qualcomm flaws that have been exploited in targeted attacks.

Tracked as CVE-2025-21479 and CVE-2025-27038, the issues were discovered by Google researchers in late January 2025. At the time, Google’s Threat Analysis Group reported limited targeted exploitation.

CVE-2025-21479 stems from improper authorization in a graphics framework, which can cause memory corruption by executing unauthorized commands in the GPU micro-node when a specific command sequence is run. CVE-2025-27038 is a use-after-free vulnerability in Adreno GPU drivers for Chrome that can also lead to memory corruption during graphics rendering. Patches for the Adreno GPU driver were provided to OEMs in May, with strong recommendations for immediate deployment. These fixes are now included in Google’s Android updates.

The update also addresses a critical vulnerability in the System component that could allow an attacker with no privileges to achieve remote code execution when chained with other vulnerabilities, requiring no user interaction.

Google released two patch levels dated 01.08.2025 and 05.08.2025. The second includes all fixes from the first, plus additional patches for kernel and closed-source third-party components, which may not apply to all devices.

Apple

Apple has released security updates for its operating systems, addressing dozens of vulnerabilities, including one that has been exploited in real-world attacks.

The flaw, CVE-2025-6558, was disclosed in mid-July when Google patched it in Chrome. Discovered by Google’s Threat Analysis Group (TAG), it was reported as a zero-day and stems from insufficient validation of untrusted data in Chrome’s ANGLE and GPU graphics components. It can be exploited through specially crafted HTML pages to escape the browser sandbox. One week after Google released Chrome version 138, CISA added the flaw to its Known Exploited Vulnerabilities catalog. There have been no public reports of attacks using CVE-2025-6558 so far.

Apple’s iOS and macOS updates also address CVE-2025-6558, which in Safari could cause crashes when visiting malicious websites. There is no evidence of exploitation in Safari.

In total, Apple fixed 13 WebKit vulnerabilities that could enable XSS attacks, expose sensitive data, cause memory corruption, crash Safari, or trigger denial-of-service conditions. Additional patches cover other components, including AppleMobileFileIntegrity, Model I/O, and PackageKit.

Another notable issue, CVE-2025-43223, affects the CFNetwork component in macOS and iOS, allowing unprivileged users to modify restricted network settings.

The updates address 87 CVEs in macOS Sequoia 15.6, 29 in iOS 18.6 and iPadOS 18.6, 50 in macOS Sonoma 14.7.7, 41 in macOS Ventura 13.7.7, 19 in iPadOS 17.7.9, 21 in watchOS 11.6, and 24 each in tvOS 18.6 and visionOS 2.6.

Users are advised to update their devices without delay.

WordPress

More than 200,000 WordPress sites are still running a vulnerable version of the Post SMTP plugin, leaving them exposed to attacks that could give an attacker control of an administrator account.

Post SMTP, an email handling plugin with over 400,000 active installations, was found to have a flaw reported to PatchStack on May 23 and assigned CVE-2025-24000 (CVSS 8.8). The issue affects all versions prior to 3.2.0 and is caused by improper access control in the plugin’s REST API endpoints. These endpoints verified only whether a user was logged in, without checking their permission level.

This allowed low-privilege users, such as subscribers, to access email logs in full. By initiating an administrator password reset and intercepting the email via these logs, a subscriber could take over the administrator account.

The developers fixed the flaw by adding stricter privilege checks in get_logs_permission before granting access to sensitive API calls. The patch was included in Post SMTP version 3.3.0, released on June 11. However, WordPress statistics show fewer than half (48.5%) of users have updated, leaving more than 200,000 sites vulnerable.

Around half of these sites are still on the 2.x branch, which contains additional security issues, creating favorable conditions for large-scale exploitation.

Sophos

The first vulnerability, CVE-2025-6704 (CVSS 9.8), is a critical arbitrary file-write flaw in the Secure PDF eXchange (SPX) function. It allows remote, unauthenticated attackers to achieve remote code execution (RCE) but only affects certain firewall deployments where a specific SPX setting is enabled and the firewall is running in High Availability (HA) mode.

The second, CVE-2025-7624 (CVSS 9.8), is an SQL injection vulnerability in the firewall’s legacy SMTP proxy server. It can also lead to RCE, but only if a quarantine policy for email is active and SFOS was upgraded from a version earlier than 21.0 GA. Sophos reports that fewer than 1% of devices are affected.

A third flaw, CVE-2025-7382 (CVSS 8.8), is a command-injection vulnerability in the firewall’s WebAdmin component. It allows remote, unauthenticated code execution on secondary HA devices but requires OTP authentication to be enabled for the admin user.

Sophos has released patches for these issues in firewall versions 19.0 MR2 (19.0.2.472), 20.0 MR2 (20.0.2.378), 20.0 MR3 (20.0.3.427), 21.0 GA (21.0.0.169), 21.0 MR1 (21.0.1.237), 21.0 MR1-1 (21.0.1.272), 21.0 MR1-2 (21.0.1.277), 21.5 GA (21.5.0.171), and 21.0 MR2.

Two additional vulnerabilities, CVE-2024-13974 and CVE-2024-13973, affect the Up2Date and WebAdmin components. Exploiting them requires either control of the firewall’s DNS environment or administrator access. Fixes for these were first included in Sophos Firewall 21.0 MR1.

Sophos advises all users on older versions to update to receive these security fixes and says there is no evidence of exploitation in the wild.

Cisco

Cisco has issued updates addressing multiple vulnerabilities, including a critical remote code execution flaw in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The June 25 advisory, originally detailing CVE-2025-20281 and CVE-2025-20282, has been updated to include CVE-2025-20337, also rated at the maximum CVSS score of 10.0.

Like CVE-2025-20281, the new vulnerability affects the same API and allows an unauthenticated remote attacker to execute arbitrary code on the underlying operating system with root privileges. Exploitation requires no valid credentials. Cisco explains that insufficient input validation lets an attacker send a crafted API request to gain full control of the device.

The flaws affect Cisco ISE and ISE-PIC versions 3.3 and 3.4, with patches available in versions 3.3 Patch 7 and 3.4 Patch 2.

Cisco also addressed CVE-2025-20274 (CVSS 6.3), a high-severity vulnerability in the Unified Intelligence Center’s web management interface. Due to improper file upload checks, authenticated remote attackers could store malicious files, enabling arbitrary command execution and potentially escalating privileges to root. This issue is patched in Unified Intelligence Center versions 12.5(1) SU ES05 and 12.6(2) ES05. Cisco advises Unified CCX users on versions 12.5(1) SU3 and earlier to upgrade to version 15, which is not affected.

Additional medium-severity fixes were released for ISE, ISE-PIC, Evolved Programmable Network Manager (EPNM), Prime Infrastructure, and Unified Intelligence Center.

Cisco warns that previously patched critical RCE vulnerabilities in ISE are now being actively exploited in real-world attacks, and urges immediate migration to patched versions to reduce risk.

Wing FTP

Huntress researchers report widespread exploitation of a newly discovered critical vulnerability in Wing FTP Server, tracked as CVE-2025-47812 and rated with the maximum CVSS score of 10.0.

The flaw is caused by improper handling of null bytes (\0) in the server’s web interface, allowing remote code execution (RCE). Both user and administrator interfaces mishandle these bytes, enabling arbitrary Lua code injection into user session files. This can lead to system command execution with the FTP service’s privileges, typically root or SYSTEM, and can be exploited even through anonymous FTP accounts. The issue is fixed in version 7.4.4.

In late June 2025, researcher Julien Ahrens published a technical analysis of the vulnerability. Huntress has since observed attackers exploiting it to upload and run malicious Lua files, perform reconnaissance, and install remote monitoring and management tools. The injection occurs via a null byte in the username parameter on loginok.html, which handles authentication. This disrupts normal processing and allows modification of the Lua file storing session credentials.

Active exploitation was first detected on July 1, 2025, just a day after public disclosure. Attackers issued scanning commands, created new accounts for persistence, and uploaded Lua files to install ScreenConnect. The activity was contained before it could escalate further, and attribution remains unknown.

Censys data shows about 8,103 publicly accessible Wing FTP Server instances, with 5,004 exposing a web interface. Most are located in the U.S., China, Germany, the U.K., and India. Given the active exploitation, all users should upgrade to version 7.4.4 or later immediately.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Webinar Recording: August 2025 Vulnerability Digest from Action1