Let me start this month off with a question. Have you already decided what you are going to do for your remediation plan this month? Think about it for a second. OS updates, productivity apps, browsers, and other apps are already likely under consideration for your August patch maintenance. The real decisions you need to consider are around timing. Do you proceed with your typical Patch Tuesday plan or do you need to accelerate any zero-days, etc?
What you just thought about was a generalization of defining your risk appetite. There is a lot of discussion across the vulnerability management market about how to modernize vulnerability management. When you think about trends like 32% of 1H 2025 known exploited vulnerabilities (KEVs) being zero-day or 1-day exploits it can feel overwhelming. How do you keep up with a continuous stream of updates? Ideally by defining your outcome and configuring for success.
If we break this month’s Patch Tuesday down into parallel remediation streams:
- Routine Maintenance: Much of what just released today will fall into your reoccurring monthly maintenance which typically starts on Patch Tuesday and runs for two weeks or more depending on your SLAs, OS, productivity apps, third-party apps, etc.
- Priority updates: Browsers tend to release more frequently (typically weekly) and may warrant a priority update track to keep up with the constant stream of new exposures in your environment. This patch cycle you may be resolving CVEs in multiple browsers from the past four weeks if you don’t have a more frequent update plan in place for the browsers.
- Zero-day Response: The recent SharePoint exploits are a good example of the disruptive\unpredictable nature of zero-day exploits.
- Continuous Compliance: The three previous tracks could solve most of your remediation challenges, but what about users who are on vacation, leave of absence, got a new system and shipping bypassed the current month’s maintenance window or installed something new that was not the latest version? Defining a baseline and keeping that updated as new updates pass your quality tests would keep your systems in compliance when the multitude of reasons for drift occur.
Microsoft’s publicly disclosed vulnerabilities
- Microsoft resolved one publicly disclosed vulnerability in Windows Kerberos (CVE-2025-53779). The CVE is an Elevation of Privilege vulnerability that could allow an attacker to gain domain admin privileges. The CVE is rated Medium and has a CVSS score of 7.2. The vulnerability only affects Windows Server 2025.
Third-party vulnerabilities
- Adobe released thirteen new updates on Patch Tuesday, but the most urgent is the Adobe Experience Manager Forms update released on August 5 resolving two publicly disclosed CVEs (CVE-2025-54253 and CVE-2025-54254). APSB25-82
- Google Chrome 139.0.7258 released resolving five CVEs and is rated Critical. This will also affect Microsoft Edge so watch for that update to come likely later this week.
August update priorities
- Microsoft SharePoint is the top priority this month to resolve recent zero-day exploits being targeted by multiple nation state level threat actors. Update ASAP.
- Adobe Experience Manager Forms update released on August 5 is your second highest priority.
- Windows OS and Office have Critical CVEs this month. Get them updated as part of your regular maintenance and you should be good.
- Microsoft Exchange Server and SQL Server each received updates. The CVEs were only rated as Important so no need to escalate remediation, but server admins should start to test and rollout within the next month.
