Microsoft Fixes Over 100 CVEs on August Patch Tuesday

Aug. 13, 2025

Microsoft fixed one publicly disclosed zero-day bug in SQL Server yesterday, alongside over 100 additional CVEs, making it one of the biggest Patch Tuesdays so far in 2025.

This year has been notable for the number of zero-days addressed by the tech giant, although in cases like this one, the term refers to a publicly disclosed rather than actively exploited vulnerability.

The flaw in question, CVE-2025-53779, is an elevation-of-privilege (EoP) vulnerability in Windows Kerberos which could allow an authenticated attacker to gain domain admin privileges.

It relates to delegated Managed Service Accounts (dMSAs), which are designed to allow for migration from traditional service accounts to machine accounts.

“Microsoft’s motivation is unimpeachable: the dMSA supports automated rotation of credentials for service accounts, and is specifically designed to prevent credential harvesting using Kerberoasting. Indeed, CISA has described Kerberoasting as one of the most time-efficient ways to elevate privileges and move laterally throughout an organization’s network,” explained Adam Barnett, lead software engineer at Rapid7.

“The good news here is that successful exploitation of CVE-2025-53779 requires an attacker to have pre-existing control of two attributes of the hopefully well protected dMSA: msds-groupMSAMembership, which determines which users may use credentials for the managed service account, and msds-ManagedAccountPrecededByLink, which contains a list of users on whose behalf the dMSA can act.”


That zero-day is one of only two vulnerabilities classed as “moderate” this Patch Tuesday. Elsewhere, 13 are marked “critical”: nine of these are remote code execution (RCE) vulnerabilities, three are information disclosure bugs and one is an EoP flaw.

Nine fall under the “exploitation more likely” category of Microsoft’s Exploitability Index.

“What this means is that adversaries could potentially develop reliable exploits for these vulnerabilities, and, further, that these are the kinds of vulnerabilities that adversaries have targeted in the past,” explained Red Canary principal researcher, Brian Donohue.

He urged sysadmins to focus on patching the following:

  • CVE-2025-53778: A critical-rated improper authentication bug in Windows NTLM that allows an authorized attacker to elevate privileges over a network
  • CVE-2025-50177: A critical use-after-free bug in Windows Message Queuing that allows an unauthorized attacker to execute code over a network
  • CVE-2025-53132: An important-rated race condition in Windows Win32K - GRFX that could allow an authorized attacker to elevate privileges over a network

Aside from July’s Patch Tuesday haul, no other month this year has seen Microsoft address over 100 CVEs.
