Microsoft Releases Critical Fixes for Vulnerabilities in Windows, Exchange Server, and Edge Browser


Microsoft has rolled out fixes for a massive set of 111 security flaws across its software portfolio, including a publicly disclosed zero-day vulnerability in Windows Kerberos. The vulnerability, known as BadSuccessor, allows an attacker with sufficient privileges to compromise an Active Directory domain by misusing delegated Managed Service Account (dMSA) objects.

According to Adam Barnett, lead software engineer at Rapid7, successful exploitation of the vulnerability requires an attacker to have pre-existing control of two attributes of the dMSA: msds-groupMSAMembership and msds-ManagedAccountPrecededByLink. However, abuse of the vulnerability is still plausible as the final link of a multi-exploit chain, which can stretch from no access to total control of the Active Directory domain.

The vulnerability can be abused by an attacker to create improper delegation relationships, enabling them to impersonate privileged accounts, escalate to domain administrator, and potentially gain full control of the Active Directory domain. “An attacker who already has a compromised privileged account can use it to move from limited administrative rights to full domain control,” said Mike Walters of Action1. “It can also be paired with methods such as Kerberoasting or Silver Ticket attacks to maintain persistence.”

Satnam Narang, senior staff research engineer at Tenable, noted that the immediate impact of BadSuccessor is limited, as only 0.7% of Active Directory domains had met the prerequisite at the time of disclosure. Exploiting BadSuccessor to achieve domain compromise also requires that at least one domain controller in the domain be running Windows Server 2025.

In addition to the Kerberos vulnerability, Microsoft has also released fixes for 110 other security flaws, including 16 Critical-rated vulnerabilities. Notable Critical-rated vulnerabilities patched by Redmond this month include a privilege escalation vulnerability impacting Microsoft Exchange Server hybrid deployments (CVE-2025-53786) and a vulnerability in a Rust-based component of the Windows kernel that can result in a system crash (CVE-2025-30388).

Other vendors, including Zoom and Xerox, have also released critical security updates to address vulnerabilities in their products. Fortinet has warned about a critical security flaw in FortiSIEM, which has been exploited in the wild.

Microsoft has emphasized the importance of patching the vulnerabilities as soon as possible to prevent potential attacks. “The good news here is that successful exploitation of CVE-2025-53779 requires an attacker to have pre-existing control of two attributes of the hopefully well-protected dMSA: msds-groupMSAMembership, which determines which users may use credentials for the managed service account, and msds-ManagedAccountPrecededByLink, which contains a list of users on whose behalf the dMSA can act,” said Barnett.
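Because the prerequisite Barnett describes is write control over two specific dMSA attributes, the practical defender's check is to enumerate every dMSA, see which ones already carry a `msds-ManagedAccountPrecededByLink` value, and list any principal outside the expected administrative groups that can write either attribute. The following read-only audit script is an added example; it is not code from the article, from Microsoft, or from any of the vendors quoted. It assumes the RSAT ActiveDirectory module is installed, that the caller can read object ACLs, and that dMSAs carry the object class `msDS-DelegatedManagedServiceAccount` (an assumed class name); the `$expectedWriters` list is a placeholder to adjust for your domain.

```powershell
# Added example: read-only audit of the two dMSA attributes the article names as
# the prerequisite for CVE-2025-53779 (BadSuccessor). Not from the article or
# from Microsoft. Assumes the RSAT ActiveDirectory module, read access to object
# ACLs, and the assumed dMSA object class msDS-DelegatedManagedServiceAccount.
Import-Module ActiveDirectory

$attrNames = @('msDS-GroupMSAMembership', 'msDS-ManagedAccountPrecededByLink')

# Resolve each attribute's schema GUID so ACEs scoped to that single attribute
# can be recognised in an object's DACL.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrGuid = @{}
foreach ($name in $attrNames) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" `
        -Properties schemaIDGUID
    $attrGuid[$name] = [guid]$schemaObj.schemaIDGUID
}

# Principals that are expected to administer dMSAs; adjust for your domain
# (placeholder list, built from the NetBIOS domain of the calling account).
$expectedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

$dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
    -Properties $attrNames

foreach ($dmsa in $dmsas) {
    $acl = Get-Acl -Path "AD:\$($dmsa.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expectedWriters -contains $ace.IdentityReference.Value) { continue }

        $rights = $ace.ActiveDirectoryRights.ToString()
        # Rights that imply control of every attribute on the object.
        $broad = $rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner'

        # WriteProperty with an empty ObjectType covers all attributes; otherwise
        # it applies only to the attribute whose schema GUID it names.
        $hit = foreach ($name in $attrNames) {
            if ($broad) { $name; continue }
            if ($rights -match 'WriteProperty' -and
                ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $attrGuid[$name])) {
                $name
            }
        }

        if ($hit) {
            [PSCustomObject]@{
                dMSA       = $dmsa.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Rights     = $rights
                Attributes = ($hit -join ', ')
                PrecededBy = ($dmsa.'msDS-ManagedAccountPrecededByLink' -join '; ')
            }
        }
    }
}
```

Each row the script emits is a principal, outside the expected administrative set, that can write one or both of the attributes on a given dMSA; a populated `PrecededBy` column on a dMSA that no migration project created is worth investigating on its own. Run it before and after applying the patch, since the fix does not remove existing over-permissive ACEs.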

The patch for the Kerberos vulnerability is available now, and users are advised to apply it as soon as possible to prevent potential attacks.
