
mdbildes - stock.adobe.com
July Patch Tuesday brings over 130 new flaws to address
Microsoft patched well over 100 new common vulnerabilities and exposures on the second Tuesday of the month, but its latest update is mercifully light on zero-days
Microsoft has patched a total of 130 new common vulnerabilities and exposures (CVEs) across its product suite in its monthly Patch Tuesday update, including a total of 10 critically dangerous flaws, many of them in Microsoft Office, while a bunch of third-party issues bring the monthly total to approximately 140. However, despite its wide breadth, Redmond’s latest update is light on zero-day issues.
Indeed, the top line vulnerability – and the only one that comes close to being classed as a zero-day, is tracked as CVE-2025-49719. It is an information disclosure vulnerability in Microsoft SQL Server arising from improper input validation, enabling an unauthorised attacker to disclose information – specifically uninitialised memory – over the network.
Credited to Microsoft’s own Vladimir Aleksic, CVE-2025-49719 is considered relatively trivial to exploit, and although Microsoft has no evidence that it is being exploited in the wild, it has already been publicly-disclosed, so attacks will likely begin imminently. CVE-2025-49719 carries a CVSS score of 7.5, and is ranked as being of important severity.
Mike Walters, president and co-founder of Action1, a patch management specialist, outlined a number of advanced attack scenarios in which CVE-2025-49719 could come into play.
“An attacker could map out database structures, identify injection points, and gather information to support more targeted intrusions,” he said. “[Or] by accessing uninitialised memory, they might recover fragments of authentication credentials, potentially enabling further attacks against the database or related systems.
Walters added: “The risk increases when combined with other techniques – for example, using the leaked data to refine SQL injection, bypass authentication, or move laterally using connection strings that contain credentials to other systems.
“The potential impact on organisations is significant, as any user of Microsoft SQL Server could be affected, covering a large portion of the enterprise database market.”
Walters said that the data exposure risk made CVE-2025-49719 a high-priority concern for defenders at any organisation holding valuable or regulated data. He added that the comprehensive nature of the affected versions – which span multiple releases dating back nine years – may indicate a more “fundamental issue” in how SQL Server handles memory management and input validation.
The 10 critical vulnerabilities, in CVE number order, are as follows:
- CVE-2025-47980, an information disclosure vulnerability in Windows Imaging Component;
- CVE-2025-47981, an RCE vulnerability in SPNEGO Extended Negotiation Security Mechanism;
- CVE-2025-48822, an RCE vulnerability in Windows Hyper-V Discrete Device Assignment (DDA).
- CVE-2025-49695, a remote code execution (RCE) vulnerability in Microsoft Office;
- CVE-2025-49696, a second RCE flaw in Microsoft Office;
- CVE-2025-49697, a third RCE flaw in Microsoft Office;
- CVE-2025-49702, a fourth and final RCE flaw the same product suite;
- CVE-2025-49704, an RCE issue in Microsoft SharePoint;
- CVE-2025-49717, an RCE flaw in Microsoft SQL Server;
- CVE-2025-49735, an RCE vulnerability in Windows KDC Proxy Service (KPSSVC);
The July Patch Tuesday drop also lists two critical third-party RCE vulns in AMD processors, to which security teams should pay close attention.
None of the 12 above listed issues is currently known to be being exploited, and nor have exploits yet been made available. However, CVE-2025-47981 in SPNEGO – an important protocol that is used to negotiate authentication on critical services, many of them internet-facing – caught the eye of the Qualys Threat Research Unit’s (TRU’s) senior manager of security research, Saeed Abbasi, who warned that this particular patch should be applied immediately.
“A single unauthenticated NEGOEX packet can drop attacker-controlled code straight into Local Security Authority Subsystem Service (LSASS), running as SYSTEM. No clicks, no creds needed – exactly the recipe that turns bugs into network worms. This isn’t just a bug – it’s a loaded gun pointed at your organisation,” he said.
“Once inside, the exploit can pivot to every Windows 10 endpoint that still has the default PKU2U setting enabled. We expect NEGOEX exploits to be weaponised within days, so attacks are imminent.
“Patch within 48 hours, start with internet-facing or VPN-reachable assets and anything that touches AD. If you absolutely can’t patch, disable ‘Allow PKU2U authentication requests’ via GPO and block inbound 135/445/5985 at the edge,” he said.
WatchTowr founder and CEO Ben Harris agreed this was one to watch. He said: “Remote code execution is bad, but early analysis is suggesting that this vulnerability may be wormable – the sort of vulnerability that could be leveraged in self-propagating malware and make many revisit trauma from the WannaCry incident, and similar.
“Microsoft is clear on pre-requisites here: no authentication required, just network access. We shouldn’t fool ourselves – if the private industry has noticed this vulnerability, it is certainly already on the radar of every attacker with an ounce of malice. Defenders need to drop everything, patch rapidly, and hunt down exposed systems.”
NotLogon – the vulnerability found by an AI
Finally this month, Dor Segal, senior security researcher at Silverfort, highlighted CVE-2025-47978, that his team identified in the Windows Netlogon protocol using an artificial intelligence large language model (LLM) to scan and compare old release notes as part of a test to see whether or not AI could help speed up the vulnerability discovery process.
The Silverfort team has dubbed this issue NotLogon – although note that Microsoft’s disclosure refers to it as affecting the closely-related Windows Kerberos protocol.
Although not critical in its severity, CVE-2025-47978, enables an attacker using a domain-joined machine with minimal privileges to send a specially-crafted authentication request that will have the effect of crashing a domain controller and causing the system to fully reboot.
Such a crash impacts the core Windows LSASS security process and disrupts Active Directory services such as user logins, policy application, and access to authentication-dependent resources.
Segal said the issue was a great example of how even low-privilege computers with basic network access can still be the harbinger of bigger problems.
“This vulnerability shows how only a valid machine account and a crafted RPC message can bring down a domain controller – the backbone of Active Directory operations like authentication, authorisation, policy enforcement, and more,” he said.
“If multiple domain controllers are affected, it can bring business to a halt. NOTLogon is a reminder that new protocol features – especially in privileged authentication services – can become attack surfaces overnight. Staying secure isn't only about applying patches – it's about examining the foundational systems we rely on every day.
“I strongly suggest installing the latest Microsoft Patch Tuesday update immediately across all domain controllers, along with tightening access controls for service and machine accounts,” he concluded.
Read more about Patch Tuesday
- June 2025: Barely 70 vulnerabilities make the cut for Microsoft’s monthly security update, but an RCE flaw in WEBDAV and an EoP issue in Windows SMB Client still warrant close attention.
- May 2025: Microsoft fixes five exploited, and two publicly disclosed, zero-days in the fifth Patch Tuesday update of 2025.
- April 2025: Microsoft is correcting 124 vulnerabilities in its April Patch Tuesday, one of which is being actively exploited in the wild, and 11 of which are ‘critical’.
- March 2025: The third Patch Tuesday of 2025 brought fixes for 57 flaws and a hefty number of zero-days.
- February 2025: Microsoft corrected 57 vulnerabilities, two of which are being actively exploited in the wild, and three of which are ‘critical’.
- January 2025: The largest Patch Tuesday of the 2020s so far brings fixes for more than 150 CVEs ranging widely in their scope and severity – including eight zero-day flaws.
- December 2024: Microsoft has fixed over 70 CVEs in its final Patch Tuesday update of the year, and defenders should prioritise a zero-day in the Common Log File System Driver, and another impactful flaw in the Lightweight Directory Access Protocol.
- November 2024: High-profile vulns in NTLM, Windows Task Scheduler, Active Directory Certificate Services and Microsoft Exchange Server should be prioritised from November’s Patch Tuesday update.
- October 2024: Stand-out vulnerabilities in Microsoft’s latest Patch Tuesday drop include problems in Microsoft Management Console and the Windows MSHTML Platform.
- September 2024: Four critical remote code execution bugs in Windows and three critical elevated privileges vulnerabilities will keep admins busy.
- August 2024: Microsoft patches six actively exploited zero-days among over 100 issues during its regular monthly update.
- July 2024: Microsoft has fixed almost 140 vulnerabilities in its latest monthly update, with a Hyper-V zero-day singled out for urgent attention.