Microsoft has patched a total of 130 new common vulnerabilities and exposures (CVEs) across its product suite in its monthly Patch Tuesday update, including a total of 10 critically dangerous flaws, many of them in Microsoft Office, while a bunch of third-party issues bring the monthly total to approximately 140. However, despite its wide breadth, Redmond’s latest update is light on zero-day issues.

Indeed, the top line vulnerability – and the only one that comes close to being classed as a zero-day, is tracked as CVE-2025-49719. It is an information disclosure vulnerability in Microsoft SQL Server arising from improper input validation, enabling an unauthorised attacker to disclose information – specifically uninitialised memory – over the network.

Credited to Microsoft’s own Vladimir Aleksic, CVE-2025-49719 is considered relatively trivial to exploit, and although Microsoft has no evidence that it is being exploited in the wild, it has already been publicly-disclosed, so attacks will likely begin imminently. CVE-2025-49719 carries a CVSS score of 7.5, and is ranked as being of important severity.

Mike Walters, president and co-founder of Action1, a patch management specialist, outlined a number of advanced attack scenarios in which CVE-2025-49719 could come into play.

“An attacker could map out database structures, identify injection points, and gather information to support more targeted intrusions,” he said. “[Or] by accessing uninitialised memory, they might recover fragments of authentication credentials, potentially enabling further attacks against the database or related systems.

Walters added: “The risk increases when combined with other techniques – for example, using the leaked data to refine SQL injection, bypass authentication, or move laterally using connection strings that contain credentials to other systems.

“The potential impact on organisations is significant, as any user of Microsoft SQL Server could be affected, covering a large portion of the enterprise database market.”

Walters said that the data exposure risk made CVE-2025-49719 a high-priority concern for defenders at any organisation holding valuable or regulated data. He added that the comprehensive nature of the affected versions – which span multiple releases dating back nine years – may indicate a more “fundamental issue” in how SQL Server handles memory management and input validation.

The 10 critical vulnerabilities, in CVE number order, are as follows:

• CVE-2025-47980, an information disclosure vulnerability in Windows Imaging Component;
• CVE-2025-47981, an RCE vulnerability in SPNEGO Extended Negotiation Security Mechanism;
• CVE-2025-48822, an RCE vulnerability in Windows Hyper-V Discrete Device Assignment (DDA).
• CVE-2025-49695, a remote code execution (RCE) vulnerability in Microsoft Office;
• CVE-2025-49696, a second RCE flaw in Microsoft Office;
• CVE-2025-49697, a third RCE flaw in Microsoft Office;
• CVE-2025-49702, a fourth and final RCE flaw the same product suite;
• CVE-2025-49704, an RCE issue in Microsoft SharePoint;
• CVE-2025-49717, an RCE flaw in Microsoft SQL Server;
• CVE-2025-49735, an RCE vulnerability in Windows KDC Proxy Service (KPSSVC);

The July Patch Tuesday drop also lists two critical third-party RCE vulns in AMD processors, to which security teams should pay close attention.

None of the 12 above listed issues is currently known to be being exploited, and nor have exploits yet been made available. However, CVE-2025-47981 in  SPNEGO – an important protocol that is used to negotiate authentication on critical services, many of them internet-facing – caught the eye of the Qualys Threat Research Unit’s (TRU’s) senior manager of security research, Saeed Abbasi, who warned that this particular patch should be applied immediately.

“A single unauthenticated NEGOEX packet can drop attacker-controlled code straight into Local Security Authority Subsystem Service (LSASS), running as SYSTEM. No clicks, no creds needed – exactly the recipe that turns bugs into network worms. This isn’t just a bug – it’s a loaded gun pointed at your organisation,” he said.

“Once inside, the exploit can pivot to every Windows 10 endpoint that still has the default PKU2U setting enabled. We expect NEGOEX exploits to be weaponised within days, so attacks are imminent. 

“Patch within 48 hours, start with internet-facing or VPN-reachable assets and anything that touches AD. If you absolutely can’t patch, disable ‘Allow PKU2U authentication requests’ via GPO and block inbound 135/445/5985 at the edge,” he said.

WatchTowr founder and CEO Ben Harris agreed this was one to watch. He said: “Remote code execution is bad, but early analysis is suggesting that this vulnerability may be wormable – the sort of vulnerability that could be leveraged in self-propagating malware and make many revisit trauma from the WannaCry incident, and similar.

“Microsoft is clear on pre-requisites here: no authentication required, just network access. We shouldn’t fool ourselves – if the private industry has noticed this vulnerability, it is certainly already on the radar of every attacker with an ounce of malice. Defenders need to drop everything, patch rapidly, and hunt down exposed systems.”

Read more on Application security and coding requirements

• 
  

  Latest Citrix vulnerability could be every bit as bad as Citrix Bleed

  By: Alex Scroxton

• 
  

  June Patch Tuesday brings a lighter load for defenders

  By: Alex Scroxton

• 
  

  May Patch Tuesday brings five exploited zero-days to fix

  By: Alex Scroxton

• 
  

  Microsoft’s April 2025 bumper Patch Tuesday corrects 124 bugs

  By: Brian McKenna