In its July 2025 Patch Tuesday release, Microsoft has addressed a substantial 130 security vulnerabilities across its product suite, marking a significant effort to enhance system security. Notably, this update breaks an 11-month streak by not including any fixes for zero-day vulnerabilities that were actively exploited in the wild. However, it does rectify one publicly disclosed flaw.
Overview of the July 2025 Patch Tuesday Release
The comprehensive update encompasses 130 Microsoft-specific vulnerabilities, supplemented by 10 additional non-Microsoft Common Vulnerabilities and Exposures (CVEs) affecting products like Visual Studio, AMD components, and the Chromium-based Edge browser. Among these, 10 vulnerabilities are classified as Critical, while the remaining are deemed Important.
The distribution of these vulnerabilities is as follows:
– Privilege Escalation: 53 vulnerabilities
– Remote Code Execution (RCE): 42 vulnerabilities
– Information Disclosure: 17 vulnerabilities
– Security Feature Bypass: 8 vulnerabilities
This update also includes fixes for two additional flaws in the Edge browser that were identified since the previous month’s Patch Tuesday release.
Publicly Disclosed SQL Server Vulnerability
A significant aspect of this update is the patching of a publicly disclosed information disclosure vulnerability in Microsoft SQL Server, identified as CVE-2025-49719 with a Common Vulnerability Scoring System (CVSS) score of 7.5. This flaw could allow an unauthorized attacker to access uninitialized memory, potentially leading to the exposure of sensitive information.
Adam Barnett, Lead Software Engineer at Rapid7, highlighted the potential risks:
An attacker might well learn nothing of any value, but with luck, persistence, or some very crafty massaging of the exploit, the prize could be cryptographic key material or other crown jewels from the SQL Server.
Mike Walters, President and Co-Founder of Action1, further elaborated on the nature of the flaw:
This vulnerability likely stems from improper input validation in SQL Server’s memory management, allowing access to uninitialized memory. As a result, attackers could retrieve remnants of sensitive data, such as credentials or connection strings.
The vulnerability affects both the SQL Server engine and applications utilizing OLE DB drivers.
Critical SPNEGO Extended Negotiation Vulnerability
The most severe vulnerability addressed in this update is a remote code execution flaw in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, designated as CVE-2025-47981 with a CVSS score of 9.8. This heap-based buffer overflow vulnerability allows an unauthorized attacker to execute code over a network by sending a malicious message to the server.
Microsoft’s advisory states:
Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over a network. An attacker could exploit this vulnerability by sending a malicious message to the server, potentially leading to remote code execution.
The issue primarily affects Windows client machines running Windows 10, version 1607 and above, due to the default enabling of the Network security: Allow PKU2U authentication requests to this computer to use online identities Group Policy Object (GPO).
Benjamin Harris, founder and CEO of watchTowr, emphasized the urgency of addressing this vulnerability:
As always, Remote Code Execution is bad, but early analysis is suggesting that this vulnerability may be ‘wormable’—the sort of vulnerability that could be leveraged in self-propagating malware and make many revisit trauma from the WannaCry incident. Microsoft is clear on pre-requisites here: no authentication required, just network access, and Microsoft themselves believe exploitation is ‘More Likely.’ We shouldn’t fool ourselves—if the private industry has noticed this vulnerability, it is certainly already on the radar of every attacker with an ounce of malice. Defenders need to drop everything, patch rapidly, and hunt down exposed systems.
Other Notable Vulnerabilities
In addition to the aforementioned flaws, the update addresses several other critical vulnerabilities:
– Windows KDC Proxy Service (CVE-2025-49735): An RCE vulnerability with a CVSS score of 8.1. Exploitation requires an unauthenticated attacker to use a specially crafted application to leverage a cryptographic protocol vulnerability in the KDC Proxy Service.
– Windows Hyper-V (CVE-2025-48822): An RCE vulnerability with a CVSS score of 8.6.
– Microsoft Office (CVE-2025-49695, CVE-2025-49696, and CVE-2025-49697): RCE vulnerabilities with CVSS scores of 8.4. Notably, these issues do not require user interaction, meaning the exploit could be triggered via the preview pane.
Ben McCarthy, Lead Cyber Security Engineer at Immersive Labs, commented on CVE-2025-49735:
What makes CVE-2025-49735 significant is the network exposure combined with no required privileges or user interaction. Despite its high attack complexity, the vulnerability opens the door to pre-auth remote compromise, particularly attractive to APTs and nation-state actors.
He further noted the challenges in exploitation due to the need to win a race condition—a timing flaw where memory is freed and reallocated in a specific window. However, he cautioned that such issues can be weaponized with techniques like heap grooming, making eventual exploitation feasible.
BitLocker Security Feature Bypass Vulnerabilities
The update also addresses five security feature bypass vulnerabilities in BitLocker (CVE-2025-48001, CVE-2025-48003, CVE-2025-48800, CVE-2025-48804, and CVE-2025-48818), each with a CVSS score of 6.8. These flaws could allow an attacker with physical access to a device to access encrypted data.
Microsoft’s advisory on CVE-2025-48804 states:
An attacker could exploit this vulnerability by loading a WinRE.wim file while the OS volume is unlocked, granting access to BitLocker encrypted data.
Researchers Netanel Ben Simon and Alon Leviev from Microsoft Offensive Research and Security Engineering (MORSE) have been acknowledged for reporting these issues.
Jacob Ashdown, Cyber Security Engineer at Immersive Labs, highlighted the risks:
If exploited, these flaws could expose sensitive files, credentials, or allow tampering with system integrity. This poses a particular risk, especially for organizations where devices may be lost or stolen, as attackers with hands-on access could potentially bypass encryption and extract sensitive data.
End of Support for SQL Server 2012
It’s also noteworthy that as of July 8, 2025, Microsoft has officially ended support for SQL Server 2012. This means that the product will no longer receive security patches, as the Extended Security Update (ESU) program has concluded.
Conclusion
Microsoft’s July 2025 Patch Tuesday release underscores the company’s commitment to addressing a wide array of security vulnerabilities across its product ecosystem. Organizations are strongly advised to apply these updates promptly to mitigate potential risks associated with these vulnerabilities.
