August 2025 Patch Tuesday Commentary From Fortra
By Tyler Reguly, Associate Director, Security R&D
The hot topic that everyone will be discussing this month is the appearance of AI in the Patch Tuesday drop – specifically CVE-2025-53767 and CVE-2025-53773. Up first, we have an elevation of privilege in Azure OpenAI. This vulnerability was already resolved by Microsoft and there’s no action for users to take, but this type of issue may make you think twice about the usage of AI in your organization. The other is more interesting: a vulnerability in GitHub Copilot and Visual Studio that involves a patch only for Visual Studio 2022. It’ll be interesting to see what details are released on this, but it is command injection, which should be taken seriously.
Typically, there’s a lot of talk around any vulnerabilities seeing active exploitation, but we don’t have any of those this month. We do have one publicly disclosed Kerberos vulnerability (CVE-2025-53779) that Microsoft lists as exploitation less likely. The interesting thing here is that only Server 2025 is impacted, as the vulnerability exists in a new feature that didn’t exist in previous versions of Windows Server. Sometimes there is value in not being on the latest and greatest but instead staying on a fully supported previous release that has been (somewhat) battle tested. New features are always going to be of interest to researchers and attackers.
This month, we need to talk about the pair of CVSS 9.8 vulnerabilities that are, thankfully, according to Microsoft, less likely to see exploitation. CVE-2025-50165 is a vulnerability in the Windows Graphics Component that requires no user interaction; all that is needed is for Windows to decode a JPEG image. Interestingly, only the latest version of Windows 11 as well as Windows Server 2025 are impacted by this vulnerability, again showing us that the latest and greatest isn’t always the greatest option.
The other vulnerability is in GDI+ and impacts all versions of Windows. Once again, CVE-2025-53766, like CVE-2025-50165, can be exploited without user interaction. Specifically, Microsoft points to web services that allow user uploads and parse the uploaded documents.
Both of these should be considered high priority items this month. While they are rated as exploitation less likely, they are critical issues should working exploits be developed. These are the types of items where you want to stay ahead of the curve and be prepared in case attackers are successful in crafting an exploit.
There are two things that I think should be on every CSO’s mind this month when they look at the Patch Tuesday drop. The first is AI. With multiple AI-related vulnerabilities – GitHub Copilot and Azure OpenAI – this month is a great reminder that AI technologies are still new and we’re still figuring them out. It is important that organizations understand where and how they are utilizing AI. Beyond that, they need to know what services they are using and how those services react to vulnerabilities and security issues. A lot of the time, when looking at AI-based services, we’re interested in data residency, retention, and ownership. Do we stop to ask what the providers are doing to secure their systems and what their security policy is? This is a good reminder that if you aren’t doing that, it is time to start.
The other thing for CSOs to think about is how they are measuring their risk and responding to it. There are vulnerabilities that are rated Critical by CVSS score but only Important by Microsoft. There are vulnerabilities that are not seeing active exploitation but, if they did, would be severely detrimental to organizations at a large scale. Are you considering future risk or current risk? Whose severity do you trust? If you don’t have an internal methodology for determining and measuring risk, today is a great day to start developing one.
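One way to make the "current risk versus future risk" question concrete is to score each of them separately and blend the two. The helper below is an added illustration, not Fortra's or Microsoft's methodology. The only inputs it takes from the commentary are the CVSS 9.8 scores of CVE-2025-50165 and CVE-2025-53766, their "exploitation less likely" labels, the absence of user interaction, the public disclosure of CVE-2025-53779, and the fact that GDI+ parsing sits behind user-upload web services. Every other attribute (the vendor severity column, the CVSS score for CVE-2025-53779, the exposure flags and the weights) is a constructed placeholder, and the CVE-0000-00000 entry is a wholly fictitious record used only to show how an actively exploited bug rises to the top.

```python
"""Toy vulnerability-prioritisation model (added example, not Fortra's code).

Scores 'current risk' (how likely exploitation is right now) and
'future risk' (how bad it would be if a reliable exploit appeared)
separately, then blends them so the analyst decides how much weight
tomorrow's risk gets.  Weights and sample attributes are constructed.
"""
from dataclasses import dataclass

# Assumed multipliers for the vendor's exploitability label (constructed).
EXPLOITABILITY_WEIGHT = {
    "exploitation detected": 1.0,
    "exploitation more likely": 0.7,
    "exploitation less likely": 0.4,
    "exploitation unlikely": 0.2,
}


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float              # CVSS base score, 0.0 - 10.0
    vendor_severity: str     # vendor's own rating, e.g. "Critical" / "Important"
    exploitability: str      # vendor's exploitability-index label
    publicly_disclosed: bool
    user_interaction: bool   # True when the attack needs a user action
    internet_exposed: bool   # True when we expose the component to untrusted input


def current_risk(v: Vuln) -> float:
    """Risk today: CVSS discounted by how likely exploitation currently is."""
    score = v.cvss * EXPLOITABILITY_WEIGHT[v.exploitability.lower()]
    if v.publicly_disclosed:
        score *= 1.25  # public details shorten time-to-exploit
    if v.internet_exposed:
        score *= 1.25  # reachable by anyone, not just insiders
    return round(min(score, 10.0), 2)


def future_risk(v: Vuln) -> float:
    """Risk if a working exploit appears: impact-driven, ignores today's likelihood."""
    score = v.cvss
    if not v.user_interaction:
        score *= 1.1  # zero-click paths are worth more to an attacker
    if v.internet_exposed:
        score *= 1.1
    return round(min(score, 10.0), 2)


def priority(v: Vuln, future_weight: float = 0.5) -> float:
    """Blend the two views; future_weight=1.0 plans purely for worst case."""
    return round((1 - future_weight) * current_risk(v) + future_weight * future_risk(v), 2)


def rank(vulns, future_weight: float = 0.5):
    """Return CVE ids ordered from highest to lowest blended priority."""
    return [v.cve for v in sorted(vulns, key=lambda v: priority(v, future_weight), reverse=True)]


def severity_disagreements(vulns):
    """CVEs where CVSS says Critical (>= 9.0) but the vendor says otherwise."""
    return [v.cve for v in vulns if v.cvss >= 9.0 and v.vendor_severity != "Critical"]


# Constructed sample records; see the lead-in for which fields come from the commentary.
SAMPLE = [
    Vuln("CVE-2025-50165", 9.8, "Critical", "Exploitation Less Likely", False, False, False),
    Vuln("CVE-2025-53766", 9.8, "Critical", "Exploitation Less Likely", False, False, True),
    Vuln("CVE-2025-53779", 7.2, "Important", "Exploitation Less Likely", True, False, False),
    # Fictitious placeholder: actively exploited, public, internet-facing, needs a click.
    Vuln("CVE-0000-00000", 9.1, "Important", "Exploitation Detected", True, True, True),
]

if __name__ == "__main__":
    for cve in rank(SAMPLE):
        v = next(x for x in SAMPLE if x.cve == cve)
        print(f"{cve}: now={current_risk(v):5.2f} future={future_risk(v):5.2f} "
              f"priority={priority(v):5.2f}")
    print("vendor/CVSS severity disagreements:", severity_disagreements(SAMPLE))
```

With the default 50/50 blend the fictitious actively exploited bug leads, followed by the GDI+ issue because it sits behind an internet-facing upload path, then the graphics-component bug; raising `future_weight` towards 1.0 pulls both 9.8s level with it, which is exactly the "prepare before an exploit exists" stance the commentary argues for.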
This entry was posted on August 12, 2025 at 3:48 pm and is filed under Commentary with tags Fortra.