
For the first time in 2025, Microsoft's Patch Tuesday update does not bundle fixes for security vulnerabilities that are already being exploited, although the company acknowledged that one of the flaws addressed was publicly known before the patch.
The update resolves a whopping 130 vulnerabilities, along with 10 other non-Microsoft CVEs affecting Visual Studio, AMD, and its Chromium-based Edge browser. Of the 130, 10 are rated Critical and the rest are rated Important in severity.
"An 11-month winning streak of patching at least one zero-day exploited in the wild ended this month," said Satnam Narang, senior staff research engineer at Tenable.
Of the flaws, 53 are classified as elevation of privilege bugs, followed by 42 remote code execution, 8 information disclosure, and 8 security feature bypass vulnerabilities. These patches are in addition to two other flaws the company has addressed in the Edge browser since the release of last month's Patch Tuesday update.
The vulnerability listed as publicly known is an information disclosure flaw in Microsoft SQL Server (CVE-2025-49719, CVSS score: 7.5).
"Exploitation may not be worth anything to an attacker, but with luck, persistence, or some very crafty exploit massage, the prize could be encryption key material or another crown jewel in a SQL Server," says Adam Barnett, lead software engineer at Rapid7.

Mike Walters, president and co-founder of Action1, said the flaw is the result of improper input validation in SQL Server's memory management, and likely allows access to uninitialized memory.
"This allows attackers to retrieve remnants of sensitive data, such as credentials and connection strings," Walters added. "It affects both the SQL Server engine and applications using the OLE DB driver."
The most severe flaw Microsoft patched as part of this month's update is a remote code execution vulnerability affecting SPNEGO Extended Negotiation (NEGOEX). Tracked as CVE-2025-47981, it carries a CVSS score of 9.8 out of 10.0.
"A heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over a network," Microsoft said in its advisory. "An attacker could exploit this vulnerability by sending a malicious message to the server, potentially leading to remote code execution."
An anonymous researcher and Yuki Chen have been credited with discovering and reporting the flaw. Microsoft said the issue affects Windows client machines running Windows 10, version 1607 and above, because the group policy "Network security: Allow PKU2U authentication requests to this computer to use online identities" is enabled by default on those systems.
"Remote code execution is bad as usual, but early analysis suggests this vulnerability may be wormable, which means it could be exploited by self-propagating malware and cause an incredible amount of trauma."
"Microsoft is clear about the prerequisites here: no authentication is required, just network access, and Microsoft itself considers exploitation 'more likely.' We shouldn't fool ourselves: if private industry is aware of this vulnerability, it is certainly on the radar of every attacker, so drop everything, patch quickly, and isolate exposed systems."
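The advisory ties exposure to CVE-2025-47981 to a client SKU, a minimum build, and one group-policy setting. The following PowerShell check is an added example written for this page, not code from the article or from Microsoft; it assumes the documented mapping of the "Allow PKU2U authentication requests to this computer to use online identities" policy to the AllowOnlineID value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u, and it does not hard-code a KB number because the applicable update differs per build:

```powershell
# Added example (not from the article or Microsoft): report whether this host
# matches the stated preconditions for CVE-2025-47981 and list updates
# installed since Patch Tuesday so they can be compared with the advisory.
function Test-Pku2uExposure {
    [CmdletBinding()]
    param()

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $isClient = ($os.ProductType -eq 1)            # 1 = workstation (client) SKU
    $build    = [int]$os.BuildNumber
    $inScope  = $isClient -and ($build -ge 14393)  # 14393 = Windows 10, version 1607

    # Assumption: the policy maps to this DWORD. A missing value means the
    # policy is "Not defined", which on client SKUs behaves as enabled.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $value = (Get-ItemProperty -Path $key -Name AllowOnlineID -ErrorAction SilentlyContinue).AllowOnlineID
    $pku2uOnlineId = ($null -eq $value) -or ($value -ne 0)

    # Updates installed on or after 8 July 2025; check the IDs against the
    # KB Microsoft lists for this build in the CVE-2025-47981 advisory.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2025-07-08' } |
        Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Build             = $build
        ClientSku         = $isClient
        Pku2uOnlineIdOn   = $pku2uOnlineId
        MatchesPrereqs    = $inScope -and $pku2uOnlineId
        HotfixesSinceJuly = ($recent -join ', ')
    }
}

Test-Pku2uExposure | Format-List
```

Run it in an elevated session; MatchesPrereqs being $true does not by itself mean the host is unpatched, only that it is in the population the advisory describes, so the HotfixesSinceJuly column is what to reconcile with the advisory. Setting AllowOnlineID to 0 removes the precondition but also disables PKU2U online-identity logons, so treat it as a hardening decision rather than a substitute for the update.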
Other notable vulnerabilities include remote code execution flaws impacting the Windows KDC Proxy Service (CVE-2025-49735, CVSS score: 8.1), Windows Hyper-V (CVE-2025-48822, CVSS score: 8.6), and Microsoft Office (CVE-2025-49695, CVE-2025-49696, and CVE-2025-49697, CVSS scores: 8.4).
"What makes CVE-2025-49735 critical is its network exposure combined with the lack of required privileges and user interaction. Despite the high attack complexity, this vulnerability is particularly attractive to APTs and nation-state actors.
"Attackers must win a race condition (a timing flaw in when memory is freed and reallocated within a specific window), meaning exploitation is not reliable. Still, such issues can be weaponized with techniques such as heap grooming, making eventual exploitation feasible."
Elsewhere, the update addresses five security feature bypasses in BitLocker (CVE-2025-48001, CVE-2025-48003, CVE-2025-48800, CVE-2025-48804, and CVE-2025-48818, CVSS scores: 6.8).
"An attacker could exploit this vulnerability by loading the winre.wim file while the OS volume is unlocked, granting access to BitLocker-encrypted data," Microsoft said of CVE-2025-48804.
Microsoft Offensive Research and Security Engineering (MORSE) researchers Netanel Ben Simon and Alon Leviev have been credited with reporting the five issues in the built-in disk encryption tool.

"If exploited, these flaws could expose sensitive files and credentials and tamper with system integrity," says Jacob Ashdown, cyber security engineer at Immersive. "This poses a particular risk for organizations where devices can be lost or stolen, as attackers with physical access could bypass the encryption and extract sensitive data."
It is also worth noting that July 8, 2025, officially marks the end of the road for SQL Server 2012, which receives no further security updates after this date.
Software patches from other vendors
In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including:
Adobe, AMD, Atlassian, Bitdefender, Broadcom (including VMware), Cisco, Citrix, D-Link, Dell, Drupal, F5, Fortinet, Fortra, Gigabyte, GitLab, Google Chrome, Grafana, Hikvision, HP Enterprise, Linux distributions (Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu), Mitsubishi Electric, MongoDB, Moxa, Mozilla Thunderbird, NVIDIA, Oppo, Palo Alto Networks, Progress Software, Supermicro, Veeam, WordPress, Zimbra, and Zoom.