Microsoft Patch Tuesday follows SharePoint attacks, Exchange server warnings
Microsoft’s monthly batch of patches includes a vulnerability affecting on-premises Microsoft Exchange servers that the company and federal authorities warned about in a series of alerts last week. In its latest security update Tuesday, Microsoft maintained the flaw hasn’t been exploited in the wild and designated the exploitability of the defect — CVE-2025-53786 — as “more likely.”
Organizations have not applied the previously issued patch for the high-severity vulnerability en masse, despite the serious alarm raised by officials. More than 28,000 accessible Microsoft Exchange servers remained unpatched as of Monday, according to Shadowserver scans.
The Cybersecurity and Infrastructure Security Agency’s deadline for all federal agencies to update eligible servers with a previously issued hotfix and disconnect outdated Exchange servers passed on Monday.
Microsoft addressed 111 vulnerabilities affecting its various enterprise products, cloud services and foundational Windows systems in this month’s security update. The set of disclosures includes four additional defects affecting Microsoft Exchange Server.
The security update also comes on the heels of an attack spree targeting zero-day vulnerabilities in on-premises Microsoft SharePoint servers. More than 400 organizations were actively compromised by those attacks, including the Departments of Energy, Homeland Security and Health and Human Services.
Those zero-days — CVE-2025-53770 and CVE-2025-53771 — are variants of previously disclosed vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — that Microsoft addressed in its security update last month.
Microsoft said none of the vulnerabilities in this month’s update are actively exploited. Yet, researchers described CVE-2025-53779, an elevation of privilege vulnerability affecting Windows Kerberos, as a zero-day because functional exploit code exists.
“While Microsoft rates this flaw as ‘exploitation less likely’ with ‘moderate’ severity, the combination of a path traversal issue in a core authentication component like Kerberos and its potential high impact is concerning,” Mike Walters, president and co-founder of Action1, said in an email. “The need for high privileges may create a false sense of security, as accounts with these rights are common in decentralized IT environments. Once compromised, they can quickly lead to full domain takeover.”
The most critical vulnerability — CVE-2025-53767 — is a maximum-severity defect affecting Azure OpenAI, a cloud-based platform that provides access to OpenAI’s large language models. Additionally, a pair of critical, remote-code execution vulnerabilities with CVSS scores of 9.8 — CVE-2025-53766 and CVE-2025-50165 — affect Windows GDI+ and the Microsoft Graphics Component, respectively.
The vulnerability in Microsoft Graphics Component could attract threat groups due to its high rating and ubiquitous use across environments. “The attack vector is incredibly broad, as the vulnerability is triggered when the operating system processes a specially crafted JPEG image,” Ben McCarthy, lead cybersecurity engineer at Immersive Labs, said in an email.
“This means any application that renders images — from email clients generating previews and instant messaging apps displaying photos, to office documents with embedded pictures — can become an in for the attack,” McCarthy added.
The remaining critical vulnerabilities in this month’s security update include CVE-2025-53792, which affects Azure Portal, and CVE-2025-50171, which affects Remote Desktop Server.
Nearly 2 in 5 CVEs Microsoft patched this month are elevation of privilege vulnerabilities, reflecting an “upward trend in post-compromise vulnerabilities over code execution bugs,” Satnam Narang, senior staff research engineer at Tenable, said in an email.
Microsoft’s monthly security fix includes 17 vulnerabilities that affect Microsoft Office and standalone Office products. The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.
