Major update package containing 111 patches, including two RCEs with a CVSS score of 9.8, and how you should prioritize them
In August 2025, Microsoft released a massive update package containing 111 security patches—the largest since 2020. Twelve vulnerabilities were rated “critical,” two of which are remote code execution (RCE) vulnerabilities with a CVSS score of 9.8. The affected components range from Windows and Office to SharePoint and SQL Server, as well as Hyper-V and Azure Stack Hub.
Zero-click RCEs in GDI+ and the Windows Graphics Component
The vulnerabilities CVE-2025-53766 and CVE-2025-50165 allow remote code execution simply by loading specially crafted images—for example, via websites or file previews—without any further action on the user's part.
Office documents as a target
Office remains vulnerable: CVE-2025-53731 and CVE-2025-53740 (CVSS 8.4) allow code execution even in the preview pane. Similar remote code execution (RCE) vulnerabilities (CVSS 7.8) also exist in Word and Excel, which can be triggered without user interaction.
Network-based exploits in SharePoint, Web Deploy, and RRAS
SharePoint (CVE-2025-49712) and Web Deploy (CVE-2025-53772) provide attack vectors for remote code execution (RCE). Routing/services via RRAS are also affected (CVE-2025-49757, 50163, 50164, all CVSS 8.0–8.8).
SharePoint 0-day: already being actively exploited
The particularly dangerous zero-day vulnerability CVE-2025-53770 affects SharePoint and is already being exploited worldwide—posing a particularly serious threat to government agencies and critical infrastructure.
Focus on Hyper-V, NTLM, and SQL Server
Hyper-V (e.g., CVE-2025-48807, spoofing, privilege escalation) and NTLM (CVE-2025-53778, privilege escalation) contain critical vulnerabilities. In SQL Server, five vulnerabilities (CVSS 8.8) allow system administrator access.
MSMQ, Exchange, and Azure Stack Hub are also affected
MSMQ is vulnerable to three RCE attacks (CVSS 8.8). Exchange (CVE-2025-53786) offers opportunities for privilege escalation. Azure Stack Hub is affected by an information disclosure vulnerability (CVE-2025-53793, CVSS 7.5).
Additional relevant CVEs just below the critical threshold
Several vulnerabilities in Windows components have CVSS scores just under 8.0, but are highly significant due to the ways they can be exploited (e.g., DirectX, Desktop Windows Manager, Cloud Files Mini Filter).
Hotpatching for Windows 11 makes updates easier
With hotpatching, Windows 11 can now be restarted only four times a year instead of twelve—a significant improvement in convenience for baseline updates.
Conclusion
The August Patch Day addresses a wide range of critical security vulnerabilities—including zero-click exploits, network-based RCEs, and server-side RCEs. A prioritized, comprehensive patching strategy is essential.