Breaking Down the Latest July 2025 Patch Tuesday Report

Microsoft has released its July 2025 Patch Tuesday security updates, addressing 137 vulnerabilities across Windows, Office, SharePoint, SQL Server, Azure, and other products. This month's release includes fixes for one publicly disclosed zero-day vulnerability and 14 critical-severity flaws.

The single zero-day vulnerability is CVE-2025-49719, an information disclosure flaw in Microsoft SQL Server that was publicly disclosed before patches became available. While rated as Important rather than Critical, this vulnerability allows unauthenticated attackers to access data from uninitialized memory.

Among the 14 critical vulnerabilities, several stand out as particularly concerning. CVE-2025-47981 scores a maximum CVSS rating of 9.8 for a remote code execution flaw in Windows SPNEGO Extended Negotiation that requires no authentication. CVE-2025-49735 affects Windows KDC Proxy Service with another critical RCE vulnerability. Microsoft Office components received multiple critical RCE fixes, including CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, and CVE-2025-49702, which can be exploited simply by opening malicious documents or through preview pane interactions.

Additional critical threats include CVE-2025-49704 in Microsoft SharePoint, CVE-2025-48822 in Windows Hyper-V Discrete Device Assignment, and two AMD processor vulnerabilities (CVE-2025-36357 and CVE-2025-36350) related to transient scheduler attacks requiring Windows-based mitigations.

This release addresses various vulnerability types spanning multiple attack vectors. Elevation of privilege issues dominate with 53 patches, followed by 41 remote code execution vulnerabilities. The remaining fixes target 18 information disclosure, 8 security feature bypass, 6 denial of service, and 4 spoofing vulnerabilities.

Key products receiving security updates include Windows operating systems, Microsoft Office suite, SharePoint Server, SQL Server, Azure services, Hyper-V virtualization platform, and various Windows components like Graphics, Kernel, Input Method Editor, and networking services.

Administrators should prioritize testing and deployment of patches for the publicly disclosed SQL Server zero-day and the numerous critical remote code execution vulnerabilities affecting Office applications and core Windows components. The high severity and broad attack surfaces of these flaws make prompt patching essential for maintaining security posture against emerging threats.

Key Highlights - Patch Tuesday July 2025

In July's Patch Tuesday, Microsoft addressed 137 flaws, including one publicly disclosed zero-day vulnerability in Microsoft SQL Server and 14 critical-severity vulnerabilities. This update included patches across categories like elevation of privilege, remote code execution, information disclosure, security feature bypass, denial of service, and spoofing vulnerabilities.

The key affected products in this release span Microsoft's extensive ecosystem, including Windows, Office, SharePoint, SQL Server, Azure, Hyper-V, and numerous Windows components. It is crucial for administrators and end users to apply these security updates promptly to protect their systems from these vulnerabilities.

Key highlights are:

This July Patch Tuesday represents a substantial security update requiring immediate attention. Apply these updates to close critical vulnerabilities before threats exploit them in enterprise environments.

Zero-day Vulnerabilities Patched in July 2025

Microsoft addressed one zero-day vulnerability in the July 2025 Patch Tuesday release. This vulnerability is notable because it was publicly disclosed before patches became available, posing an immediate risk to affected SQL Server environments.

CVE-2025-49719 - Microsoft SQL Server Information Disclosure Vulnerability

Vulnerability type: Information Disclosure

Affected product: Microsoft SQL Server

CVSS v3 base score: 7.5

Severity rating: Important

This vulnerability allows an unauthenticated remote attacker to access data from uninitialized memory in Microsoft SQL Server due to improper input validation. The flaw affects all supported versions of SQL Server dating back to SQL Server 2016, making it a widespread concern for organizations running SQL Server infrastructure.

Microsoft explains that "improper input validation in SQL Server allows an unauthorized attacker to disclose information over a network." While the type of information that could be disclosed is uninitialized memory—which might contain no valuable data—successful exploitation could potentially reveal sensitive information such as cryptographic key material or other confidential data stored in memory.

The vulnerability receives an Important severity rating rather than Critical, likely due to the unpredictable nature of uninitialized memory content and the skill required to craft effective exploits. However, Microsoft's Exploitability Index rates this as "Exploitation Less Likely," suggesting that while possible, successful exploitation would require significant technical expertise.

Interestingly, Microsoft credits Vladimir Aleksic with Microsoft for discovering this vulnerability, yet it was marked as publicly disclosed, indicating that information about this exploit became available through other sources before the official patch release.

Organizations can remediate this vulnerability by installing the latest version of Microsoft SQL Server and updating to Microsoft OLE DB Driver version 18 or 19. Administrators should carefully review the advisory for guidance on navigating SQL Server's complex update structure, including considerations for General Distribution Release (GDR) versus Cumulative Update (CU) versions to ensure proper patch deployment.

This July Patch Tuesday marks a relatively quiet month for zero-day vulnerabilities compared to previous releases, but the SQL Server disclosure underscores the continuing importance of maintaining current patch levels across database infrastructure.

Critical Vulnerabilities Patched in July 2025

Microsoft's July 2025 Patch Tuesday addressed 14 critical vulnerabilities that pose significant security risks across Windows systems, Office applications, and server infrastructure. These vulnerabilities represent the most severe threats requiring immediate attention from security teams.

CVE-2025-47981 - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Windows SPNEGO Extended Negotiation

CVSS v3 base score: 9.8

Severity rating: Critical

This vulnerability represents one of the most severe flaws in this month's release, earning the maximum CVSS score of 9.8. The flaw exists in the way Windows servers and clients negotiate to discover mutually supported authentication mechanisms through the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) and Microsoft's NEGOEX extension.

An unauthenticated remote attacker can exploit this heap-based buffer overflow by sending a specially crafted message to a vulnerable server, potentially achieving remote code execution in a privileged context. The vulnerability affects Windows client machines running Windows 10 version 1607 and above, as well as all current versions of Windows Server.

Microsoft considers this vulnerability "Exploitation More Likely" due to its pre-authentication nature and the significant impact of successful exploitation. While some mitigations exist through Group Policy Objects (GPOs), particularly on domain-joined systems, patching remains the primary defense against this critical threat.

CVE-2025-49735 - Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Windows KDC Proxy Service

CVSS v3 base score: 8.1

Severity rating: Critical

This use-after-free vulnerability affects the Windows Kerberos Key Distribution Center (KDC) Proxy Service, which enables clients to authenticate to Active Directory domains without direct network access to domain controllers. The service is commonly used in remote access scenarios such as Azure Virtual Desktop environments.

An unauthenticated attacker can exploit this flaw by sending crafted applications to exploit cryptographic protocol vulnerabilities, potentially executing arbitrary code on affected systems. While the advisory mentions that exploitation requires winning a race condition, Microsoft still rates this as "Exploitation More Likely."

This marks the second consecutive month that Microsoft has patched a critical KDC Proxy Service vulnerability, following CVE-2025-33071 in June, indicating ongoing security concerns with this authentication infrastructure component.

Microsoft Office Critical Remote Code Execution Vulnerabilities

Multiple critical RCE vulnerabilities affect Microsoft Office applications, including:

CVE-2025-49695, CVE-2025-49696, CVE-2025-49697 - Microsoft Office Remote Code Execution Vulnerabilities

CVSS v3 base scores: 8.4

Severity rating: Critical

These vulnerabilities involve use-after-free, out-of-bounds read, and heap-based buffer overflow flaws that allow unauthenticated attackers to achieve remote code execution simply by convincing users to open specially crafted documents. The critical nature of these flaws is amplified by their potential exploitation through Outlook's preview pane, requiring no user interaction beyond viewing an email.

CVE-2025-49698, CVE-2025-49703 - Microsoft Word Remote Code Execution Vulnerabilities

CVSS v3 base scores: 7.8

Severity rating: Critical

Additional use-after-free vulnerabilities specifically affecting Microsoft Word can be exploited when users open malicious documents, potentially leading to full system compromise.

CVE-2025-49702 - Microsoft Office Remote Code Execution Vulnerability

CVSS v3 base score: 7.8

Severity rating: Critical

This type confusion vulnerability in Microsoft Office presents another vector for unauthenticated code execution through document-based attacks.

Microsoft notes that security updates for these Office vulnerabilities are not yet available for Microsoft Office LTSC for Mac 2021 and 2024 and will be released shortly.

CVE-2025-49704 - Microsoft SharePoint Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Microsoft SharePoint

CVSS v3 base score: 8.8

Severity rating: Critical

This code injection vulnerability allows authenticated attackers to execute arbitrary code on SharePoint servers over the network. While the advisory states there is no requirement for elevated privileges, it also indicates that the minimum privilege level needed for exploitation is Site Owner, suggesting some level of administrative access is necessary.

The vulnerability represents a significant threat to SharePoint environments, as successful exploitation could lead to complete server compromise and potential lateral movement within corporate networks.

CVE-2025-48822 - Windows Hyper-V Discrete Device Assignment (DDA) Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Windows Hyper-V

CVSS v3 base score: 8.6

Severity rating: Critical

This out-of-bounds read vulnerability affects Hyper-V's Discrete Device Assignment feature, which allows virtual machines direct access to physical PCI Express devices. An unauthenticated attacker could potentially achieve remote code execution from a guest VM, representing a serious hypervisor escape scenario.

Given Hyper-V's widespread use in enterprise virtualization environments, this vulnerability poses significant risks for cloud and on-premises infrastructure.

AMD Processor Vulnerabilities

CVE-2025-36357 - AMD Transient Scheduler Attack in L1 Data Queue

CVE-2025-36350 - AMD Transient Scheduler Attack in Store Queue

CVSS v3 base scores: 5.6

Severity rating: Critical

These vulnerabilities affect certain AMD processor models and represent transient execution attacks that could lead to information disclosure. While the CVSS scores are moderate, Microsoft rates them as Critical, likely due to the fundamental nature of processor-level security flaws. Mitigation requires Windows updates to implement proper protections against these side-channel attacks.

Additional Critical Vulnerabilities

CVE-2025-49717 - Microsoft SQL Server Remote Code Execution Vulnerability (CVSS 8.5, Critical)

CVE-2025-47980 - Windows Imaging Component Information Disclosure Vulnerability (CVSS 6.2, Critical)

These round out the critical vulnerabilities, affecting database infrastructure and Windows imaging components respectively, requiring immediate attention from administrators managing these services.

Vulnerabilities by Category

In total, 137 vulnerabilities were addressed in July's Patch Tuesday. Elevation of privilege issues top the list with 53 patches, followed by 41 remote code execution and 18 information disclosure vulnerabilities. The rest consist of 8 security feature bypass, 6 denial of service, and 4 spoofing flaws.

Here is the breakdown of the categories patched this month:

The prominence of elevation of privilege vulnerabilities reflects ongoing challenges in Windows component security, where attackers seek to escalate their access levels within compromised systems. Remote code execution vulnerabilities represent the second-largest category, highlighting the continued focus on preventing attackers from executing arbitrary code on target systems.

Of particular note, 11 of the 41 remote code execution vulnerabilities received critical severity ratings, emphasizing their potential for immediate exploitation and significant system compromise. The single critical information disclosure vulnerability among the 18 in that category demonstrates that even data exposure flaws can pose severe security risks under certain circumstances.

The relatively smaller numbers of security feature bypass, denial of service, and spoofing vulnerabilities indicate that while these attack vectors remain relevant, they constitute a smaller portion of the overall threat landscape addressed in this release.

The table below shows the CVE IDs mapped to these vulnerability types from Microsoft's July 2025 Patch Tuesday:

List of Products Patched in July 2025 Patch Tuesday Report

Microsoft's July 2025 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

This extensive list demonstrates the broad scope of Microsoft's July 2025 security updates, covering core operating system components, productivity applications, server infrastructure, development tools, and cloud services across the Microsoft ecosystem.

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

ESU Windows vulnerabilities

Microsoft Office vulnerabilities

SQL Server vulnerabilities

System Center vulnerabilities

Windows vulnerabilities

Bottom Line

Microsoft's July 2025 Patch Tuesday addressed 137 vulnerabilities, including one publicly disclosed zero-day in Microsoft SQL Server and 14 critical-severity flaws affecting Windows, Office, SharePoint, and other key products.

This release fixed a variety of vulnerability types, with elevation of privilege issues being most prevalent at 53 instances. Remote code execution ranked second with 41 patches issued. Among the critical bugs are a maximum-rated SPNEGO Extended Negotiation RCE, multiple Office application RCEs, a SharePoint Server RCE, and a Hyper-V Discrete Device Assignment RCE.

The publicly disclosed zero-day CVE-2025-49719 affects Microsoft SQL Server, allowing unauthenticated attackers to access uninitialized memory data. While rated Important, this information disclosure vulnerability requires immediate attention due to its public disclosure status and broad impact across SQL Server environments.

Critical vulnerabilities addressed this month include CVE-2025-47981 with a maximum 9.8 CVSS score for SPNEGO Extended Negotiation RCE, CVE-2025-49735 affecting Windows KDC Proxy Service, and multiple Office application RCEs that can be exploited through document-based attacks or preview pane interactions. The SharePoint RCE (CVE-2025-49704) and Hyper-V vulnerability (CVE-2025-48822) also pose significant risks to server infrastructure.

Alongside the critical problems, numerous important-rated issues were remediated, including elevation of privilege vulnerabilities across Windows components, information disclosure flaws in various services, and security feature bypass issues in BitLocker. AMD processor vulnerabilities also received Windows-based mitigations for transient scheduler attacks.

Overall, July's patches close 137 security gaps across Microsoft's portfolio, with particular emphasis on preventing code execution and privilege escalation attacks. Immediate patching is essential for the SQL Server zero-day and critical Office vulnerabilities that require minimal user interaction for exploitation.

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

You may also like these articles: