SharePoint security fixes released with August 2025 PU and offered through Microsoft Update

Below are the security fixes for the SharePoint OnPrem versions released this month.

SharePoint Server 2016:

  • KB 5002771 – SharePoint Server 2016 (language independent)
  • KB 5002772 – SharePoint Server 2016 (language dependent)

Microsoft Support recommends installing the complete August 2025 CU for SharePoint 2016 rather than individual security fixes.

SharePoint Server 2019:

  • KB 5002769 – SharePoint Server 2019 (language independent)
  • KB 5002770 – SharePoint Server 2019 (language dependent)

Microsoft Support recommends installing the complete August 2025 CU for SharePoint 2019 rather than individual security fixes.

SharePoint Server Subscription Edition:

  • KB 5002773 – SharePoint Server Subscription Edition

This security fix is identical to the August 2025 CU for SharePoint Server Subscription Edition.

Office Online Server:

  • KB 5002752 – Office Online Server

Please have a look at the SharePoint Patching Best Practices before applying new fixes.

 


Security Vulnerabilities fixed in this PU

Vulnerability SP 2016 SP 2019 SP SE OOS Impact Max Severity
CVE-2025-49712 x x Remote Code Execution Important
CVE-2025-53733 x x Remote Code Execution Critical
CVE-2025-53735 x Remote Code Execution Important
CVE-2025-53736 x x Information Disclosure Important
CVE-2025-53737 x Remote Code Execution Important
CVE-2025-53739 x Remote Code Execution Important
CVE-2025-53741 x Remote Code Execution Important
CVE-2025-53759 x Remote Code Execution Important
CVE-2025-53760 x x x Elevation of Privilege Important

See the Security Update Guide below for more details about the relevant fixes:

12 Comments


  1. Hi Stefan,
    As usual, the August CU includes all fixes from the July CU, right?

    Were the issues reported with the July CU resolved in the August CU, or is this part of the security hardening and something that needs to be reviewed and potentially adjusted in the web.config if necessary?

    „[SPRequestModule.PostAuthenticateRequestHandler] Risky signout bypass limited (Access Denied). request path: ““

    Is it still necessary to rotate the MachineKeys after installing the July or August CU?
    A daily IIS reset is not a sustainable solution for a high-availability SharePoint environment and causes operational overhead.

    Additional issues in SP2019 have been reported here:

    https://learn.microsoft.com/en-us/answers/questions/5495733/issues-after-applying-sharepoint-2019-updates-kb50
    https://learn.microsoft.com/en-us/answers/questions/5515893/after-kb5002760-and-kb5002759-deployment-2010-coll
    Are these still relevant with the August CU, are they known issues?

    Many thanks in advance,
    SC

    1. Hi SC,
      yes. All SharePoint fixes are cumulative. The message you highlighted is from the July 21st security update and part of the fix to address the CVE.
      If machine keys have not been rotated after installing the July 21st fix, you still need to do it. Same if the July 21st fix was skipped and the August CU was installed instead.
      If the machine keys have already been rotated after installing the July 21st security fix, there is no need for another rotation.
      The issues listed are not known if patching was done correctly. Most navigating issues happened when side-by-side patching was used but the side-by-side token was not updated after applying the security fix.
      Cheers,
      Stefan

  2. Hi Stefan

    Is there a known issue regarding the SharePoint Workflow Manager August 2025 update? After the patch I started getting this exception:

    Could not load file or assembly ‘System.Memory, Version=4.0.1.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51’ or one of its dependencies. The system cannot find the file specified.

    1. Hi MV,
      I haven’t heard about this. Sounds as if an assembly redirect is missing. Best would be to open a ticket with Microsoft support to get this analyzed.
      Cheers
      Stefan

      1. Hello Stefan

        I’ve just confirmed with another environment which was working fine before this update: when I apply the August 2025 patch, the ServiceBus components fail. It looks like the issue is because the DLL for the SQL library was upgraded from System.Data.SqlClient to Microsoft.Data.SqlClient.

        Microsoft.Data.SqlClient requires the below DLLs based on my research:

        System.Memory 4.0.1.1
        System.Buffers 4.0.3.0
        System.Runtime.CompilerServices.Unsafe 6.0.3.0

        ServiceBus logs when trying to upgrade:
        System.Management.Automation.CmdletInvocationException: Could not load file or assembly ‘System.Memory, Version=4.0.1.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51’ or one of its dependencies. The system cannot find the file specified. —> System.IO.FileNotFoundException: Could not load file or assembly ‘System.Memory, Version=4.0.1.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51’ or one of its dependencies. The system cannot find the file specified.
        at Microsoft.Data.LocalDBAPI.GetLocalDbInstanceNameFromServerName(String serverName)
        at Microsoft.Data.SqlClient.SqlConnectionString..ctor(String connectionString)
        at Microsoft.Data.SqlClient.SqlConnectionFactory.CreateConnectionOptions(String connectionString, DbConnectionOptions previous)
        at Microsoft.Data.ProviderBase.DbConnectionFactory.GetConnectionPoolGroup(DbConnectionPoolKey key, DbConnectionPoolGroupOptions

        Solution:
        I’ve just downloaded the NuGet packages for these DLLs and put them into the GAC_MSIL; after that and a reboot it started working again. Just a heads-up regarding this change, not sure if this is the right approach to resolve this.

        OS is WS2016 / AppFabric 11.1

        1. Hi Mario,
          I assume this happens when installing the August CU for SharePoint Workflow Manager?
          Please confirm.
          Cheers,
          Stefan

          1. Hi Stefan,

            We had the same problem with our SharePoint Workflow Manager (single server) after installing the August CU (coming from June CU). The Service Bus and Workflow services weren’t starting. SharePoint itself and MS SQL 2022 are running on different servers. OS is Windows Server 2025.

            We also have a dev instance with SharePoint SE, SPWFM and SQL 2022 all on one server, there the problem didn’t occur.

            I fixed the issue by copying the “System.Buffers”, “System.Runtime.CompilerServices.Unsafe” and “System.Memory” folders under “C:\Windows\Microsoft.NET\assembly\GAC_MSIL” from the dev to the prod system and restarting the server afterwards. Thanks to Mario for the tip!


          2. Yes, KB before update: KB5002737 (June 2025).
            Forgot to mention it also needs .NET Framework update 4.7.1 for WS2016


          3. Thanks for sharing the details and workaround! I sent a heads-up to the relevant team in the product group.
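
The check below is an added example, not part of the original post or comments and not Microsoft's code. It audits a Workflow Manager server for the three assemblies and versions quoted in the thread above, under the GAC_MSIL path quoted there, and reports the Authenticode status and signer of each match so that files copied in by hand can be reviewed. The function name `Test-GacAssembly` is hypothetical.

```powershell
# Added example: audit the Microsoft.Data.SqlClient dependencies named in the comments.
# Assembly names and versions are the ones quoted in the thread.
$gacRoot = Join-Path $env:windir 'Microsoft.NET\assembly\GAC_MSIL'

$expected = [ordered]@{
    'System.Memory'                          = [version]'4.0.1.1'
    'System.Buffers'                         = [version]'4.0.3.0'
    'System.Runtime.CompilerServices.Unsafe' = [version]'6.0.3.0'
}

function Test-GacAssembly {
    param(
        [Parameter(Mandatory)] [string]  $Name,
        [Parameter(Mandatory)] [version] $Version,
        [string] $Root = $gacRoot
    )

    # Collect every copy of <Name>.dll registered under the assembly's GAC folder.
    $dir  = Join-Path $Root $Name
    $dlls = @()
    if (Test-Path -LiteralPath $dir) {
        $dlls = @(Get-ChildItem -LiteralPath $dir -Recurse -Filter "$Name.dll" -File)
    }

    # Read the assembly identity from each file's manifest and keep the exact version match.
    $match = $dlls | Where-Object {
        try   { [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName).Version -eq $Version }
        catch { $false }   # unreadable or non-managed file: treat as no match
    } | Select-Object -First 1

    # Signature details let an operator confirm where a hand-copied DLL came from.
    $sig = if ($match) { Get-AuthenticodeSignature -LiteralPath $match.FullName } else { $null }

    [pscustomobject]@{
        Assembly  = $Name
        Expected  = $Version
        Present   = [bool]$match
        Signature = if ($sig) { $sig.Status } else { $null }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Path      = if ($match) { $match.FullName } else { $null }
    }
}

$expected.GetEnumerator() |
    ForEach-Object { Test-GacAssembly -Name $_.Key -Version $_.Value } |
    Format-List
```

A row with `Present` set to `False` corresponds to the `FileNotFoundException` shown in the Service Bus log; a row whose `Signature` is not `Valid` points at a file that should be replaced from a trusted source.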


  3. Hi Stefan,

    Under Improvements and fixes I see it says „Improves the People Picker Search experience“. Do you know where I could find more information about exactly what has changed?

    Thank you

    1. Hi Dan,
      the fix addresses a SQL performance problem when using OIDC trust with a UPA backed claims provider with 600.000 or more trusted users.
      Cheers,
      Stefan
