July Patch Tuesday brings over 130 new flaws to deal with

Microsoft has patched a complete of 130 new frequent vulnerabilities and exposures (CVEs) throughout its product suite in its month-to-month Patch Tuesday replace, together with a complete of 10 critically harmful flaws, lots of them in Microsoft Workplace, whereas a bunch of third-party points deliver the month-to-month complete to roughly 140. Nevertheless, regardless of its broad breadth, Redmond’s newest replace is mild on zero-day points.

Certainly, the highest line vulnerability – and the one one which comes near being classed as a zero-day, is tracked as CVE-2025-49719. It’s an data disclosure vulnerability in Microsoft SQL Server arising from improper enter validation, enabling an unauthorised attacker to reveal data – particularly uninitialised reminiscence – over the community.

Credited to Microsoft’s personal Vladimir Aleksic, CVE-2025-49719 is taken into account comparatively trivial to take advantage of, and though Microsoft has no proof that it’s being exploited within the wild, it has already been publicly-disclosed, so assaults will probably start imminently. CVE-2025-49719 carries a CVSS rating of seven.5, and is ranked as being of vital severity.

Mike Walters, president and co-founder of Action1, a patch administration specialist, outlined plenty of superior assault situations through which CVE-2025-49719 may come into play.

“An attacker may map out database constructions, establish injection factors, and collect data to help extra focused intrusions,” he mentioned. “[Or] by accessing uninitialised reminiscence, they could recuperate fragments of authentication credentials, probably enabling additional assaults towards the database or associated techniques.

Walters added: “The danger will increase when mixed with different strategies – for instance, utilizing the leaked knowledge to refine SQL injection, bypass authentication, or transfer laterally utilizing connection strings that include credentials to different techniques.

“The potential influence on organisations is critical, as any person of Microsoft SQL Server might be affected, protecting a big portion of the enterprise database market.”

Walters mentioned that the information publicity threat made CVE-2025-49719 a high-priority concern for defenders at any organisation holding priceless or regulated knowledge. He added that the great nature of the affected variations – which span a number of releases relationship again 9 years – might point out a extra “elementary subject” in how SQL Server handles reminiscence administration and enter validation.

The ten important vulnerabilities, in CVE quantity order, are as follows:

• CVE-2025-47980, an data disclosure vulnerability in Home windows Imaging Element;
• CVE-2025-47981, an RCE vulnerability in SPNEGO Prolonged Negotiation Safety Mechanism;
• CVE-2025-48822, an RCE vulnerability in Home windows Hyper-V Discrete Machine Task (DDA).
• CVE-2025-49695, a distant code execution (RCE) vulnerability in Microsoft Workplace;
• CVE-2025-49696, a second RCE flaw in Microsoft Workplace;
• CVE-2025-49697, a 3rd RCE flaw in Microsoft Workplace;
• CVE-2025-49702, a fourth and last RCE flaw the identical product suite;
• CVE-2025-49704, an RCE subject in Microsoft SharePoint;
• CVE-2025-49717, an RCE flaw in Microsoft SQL Server;
• CVE-2025-49735, an RCE vulnerability in Home windows KDC Proxy Service (KPSSVC);

The July Patch Tuesday drop additionally lists two important third-party RCE vulns in AMD processors, to which safety groups ought to pay shut consideration.

Not one of the 12 above listed points is at present identified to be being exploited, and nor have exploits but been made obtainable. Nevertheless, CVE-2025-47981 in  SPNEGO – an vital protocol that’s used to barter authentication on important providers, lots of them internet-facing – caught the attention of the Qualys Risk Analysis Unit’s (TRU’s) senior supervisor of safety analysis, Saeed Abbasi, who warned that this explicit patch must be utilized instantly.

“A single unauthenticated NEGOEX packet can drop attacker-controlled code straight into Native Safety Authority Subsystem Service (LSASS), operating as SYSTEM. No clicks, no creds wanted – precisely the recipe that turns bugs into community worms. This isn’t only a bug – it’s a loaded gun pointed at your organisation,” he mentioned.

“As soon as inside, the exploit can pivot to each Home windows 10 endpoint that also has the default PKU2U setting enabled. We count on NEGOEX exploits to be weaponised inside days, so assaults are imminent. 

“Patch inside 48 hours, begin with internet-facing or VPN-reachable property and something that touches AD. In the event you completely can’t patch, disable ‘Enable PKU2U authentication requests’ by way of GPO and block inbound 135/445/5985 on the edge,” he mentioned.

WatchTowr founder and CEO Ben Harris agreed this was one to observe. He mentioned: “Distant code execution is unhealthy, however early evaluation is suggesting that this vulnerability could also be wormable – the kind of vulnerability that might be leveraged in self-propagating malware and make many revisit trauma from the WannaCry incident, and comparable.

“Microsoft is evident on pre-requisites right here: no authentication required, simply community entry. We shouldn’t idiot ourselves – if the personal trade has observed this vulnerability, it’s definitely already on the radar of each attacker with an oz. of malice. Defenders must drop every little thing, patch quickly, and search out uncovered techniques.”