Microsoft on Aug. 12 released security updates addressing more than 100 vulnerabilities across its products, including 13 rated critical. The patches include fixes for a graphics component flaw described as “extremely high-risk” and a maximum-severity vulnerability in Azure’s OpenAI service.
“This month’s release highlights an upward trend in post-compromise vulnerabilities over code execution bugs,” wrote Satnam Narang, senior staff research engineer, Tenable, in an email to TechRepublic. “For the second consecutive month, elevation of privilege vulnerabilities represented the bulk of CVEs patched this month at 39.3% (41.4% in July).”
Memory corruption flaw deemed ‘extremely high-risk’
Major vulnerabilities that Microsoft patched for this month include CVE-2025-50165. Action1 CEO and co-founder Alex Vovk called it “extremely high-risk.”
In an email to TechRepublic, Vovk said, “This is a particularly dangerous memory corruption vulnerability because it occurs at a core level of the operating system’s image processing pipeline, impacting many applications and services.”
CVE-2025-50165 affects the Microsoft Graphics Component, with an untrusted pointer dereference potentially allowing an attacker to execute code over the network. While Microsoft says exploitation of this vulnerability is “less likely,” Vovk said the CVSS score of 9.8 and “a perfect storm of attack conditions (network vector, low complexity, no privileges, and no user interaction required)” make this a high-priority vulnerability.
“This is a particularly dangerous memory corruption vulnerability because it occurs at a core level of the operating system’s image processing pipeline, impacting many applications and services,” said Vovk.
Ben McCarthy, lead cybersecurity engineer at Immersive, also highlighted this vulnerability.
“The attack vector is incredibly broad, as the vulnerability is triggered when the operating system processes a specially crafted JPEG image,” McCarthy said in an email to TechRepublic. “This means any application that renders images — from email clients generating previews and instant messaging apps displaying photos, to office documents with embedded pictures — can become an in for the attack.”
Microsoft closes Azure OpenAI elevation of privilege risk
Another vulnerability patched this month, CVE-2025-53767, is an elevation of privilege vulnerability in Azure’s OpenAI service with a maximum CVSS score of 10.
“Since its Azure OpenAI, end customers don’t have to take any action as Microsoft will have tackled the vulnerability on the Azure platform, but it’s an interesting note that highlights how AI technologies still require close monitoring, careful patching, and strong guardrails just like any other technology in an organization’s stack,” wrote Nick Carroll, cyber incident response manager at intelligence solutions house Nightwing, in an email to TechRepublic.
Additional vulnerabilities Microsoft addressed this Patch Tuesday
Other notable vulnerabilities patched this month include:
- CVE-2025-53766: A Heap-based buffer overflow in Windows GDI+, with a CVSS score of 9.8 and no user interaction required to use it.
- CVE-2025-53740 and CVE-2025-53731: Two use-after-free vulnerabilities in Microsoft Office.
- CVE-2025-53784: A use-after-free vulnerability in Microsoft Word that could let an attacker run code as the current user.
- CVE-2025-53733: A critical vulnerability in Microsoft Word that could lead to arbitrary code execution.
- CVE-2025-53786: A vulnerability in Microsoft Exchange Server that requires installing a hotfix manually.
- CVE-2025-53778: An elevation of privilege flaw in Windows NTLM.
Patch Tuesday reminder and upcoming Windows 10 changes
Patch Tuesday is a critical opportunity for organizations to verify they have applied all relevant updates to Microsoft products. Other vendors, including SAP and CISA, also released security advisories or patches on the second Tuesday of August.
Windows 10 will no longer receive free security updates after the upcoming Patch Tuesday on October 14. Users can either migrate to newer versions or enroll in Microsoft’s Extended Security Updates program to maintain protection.
In other security news, an exploit based on a flaw in WinRAR has been attributed to two Russia-linked threat groups.
