Microsoft has rolled out its August Patch Tuesday updates, addressing 107 new security vulnerabilities across its products and services, including Windows, Office, and the Edge browser.
While several of these vulnerabilities in Windows and Office are classified as critical, Microsoft has confirmed that, as of the release, none are being exploited in the wild. The next scheduled Patch Tuesday is set for September 9th, 2025.
A significant portion of the patched vulnerabilities, 67 in total, are spread across Windows 10, Windows 11, and Windows Server, which are the versions still receiving security updates. Users on Windows 7 and Windows 8.1 are advised to upgrade to Windows 11 24H2 to ensure continued security, as these older versions no longer receive updates.
Among the critical Windows vulnerabilities are CVE-2025-53766, a Remote Code Execution (RCE) flaw in the Graphics Device Interface API, and CVE-2025-50165, another RCE vulnerability found in the Windows Graphics Component. Both can be exploited when a user simply visits a specially crafted website, allowing an attacker to inject and execute arbitrary code without user interaction. In the case of CVE-2025-50165, an attacker only needs to embed a malicious image in a web page.
Hyper-V also saw three critical vulnerabilities addressed: CVE-2025-48807, an RCE vulnerability that could allow code execution on the host system from a guest; CVE-2025-53781, a data leak vulnerability enabling access to confidential information; and CVE-2025-49707, a spoofing vulnerability that allows a virtual machine to fake its identity to external systems.
The Routing and Remote Access Service (RRAS) had 12 vulnerabilities fixed, all categorized as high risk. Half of these are RCE vulnerabilities, and the other half are data leaks. Additionally, CVE-2025-53779 in Kerberos for Windows Server 2025, which was previously publicized, could allow an attacker to gain administrator rights for domains under certain conditions, though Microsoft has classified this as medium risk.
Microsoft’s Office product family received fixes for 18 vulnerabilities, 16 of which are RCE flaws. Four of these RCE vulnerabilities are considered critical because the preview pane itself can serve as an attack vector. This means an attack can be executed simply by displaying a malicious file in the preview pane, without the user needing to click or open it. Two of these critical vulnerabilities were found in Microsoft Word.
The remaining Office vulnerabilities are categorized as high risk, requiring the user to open a specially prepared file for the exploit code to take effect.
The latest security update for the Edge browser, version 139.0.3405.86, was released on August 7th. This update is based on Chromium 139.0.7258.67 and includes fixes for several vulnerabilities inherited from the Chromium base.
Edge for Android also received an update, version 139.0.3405.86, which specifically addresses two Edge-specific security gaps identified by Microsoft.




