Microsoft addresses 111 new vulnerabilities including Kerberos zero-day flaw
On Tuesday, Microsoft announced the rollout of fixes for a significant set of 111 security vulnerabilities across its software portfolio. Among these vulnerabilities, 16 are classified as Critical, 92 as Important, two as Moderate, and one as Low in severity. The vulnerabilities primarily involve privilege escalation, with 44 cases, followed by remote code execution (35), information disclosure (18), spoofing (8), and denial-of-service (4). Additionally, Microsoft addressed 16 vulnerabilities in its Chromium-based Edge browser since last month’s Patch Tuesday update, including two spoofing bugs affecting Edge for Android. Notably, a privilege escalation vulnerability impacting Microsoft Exchange Server hybrid deployments (CVE-2025-53786, CVSS score: 8.0) was disclosed last week.
Among the vulnerabilities is a publicly disclosed zero-day, CVE-2025-53779 (CVSS score: 7.2), another privilege escalation flaw in Windows Kerberos, this one stemming from a relative path traversal weakness. Akamai researcher Yuval Gordon discovered and reported the bug, which was previously detailed in May 2025 under the codename BadSuccessor. The vulnerability allows a threat actor who already holds sufficient privileges to compromise an Active Directory (AD) domain by misusing delegated Managed Service Account (dMSA) objects. Adam Barnett, lead software engineer at Rapid7, noted that successful exploitation of CVE-2025-53779 requires an attacker to control two specific attributes of the dMSA. Action1’s Mike Walters highlighted that the flaw could enable attackers to impersonate privileged accounts and escalate to domain administrator status, potentially gaining full control of the Active Directory domain.