Microsoft’s latest Patch Tuesday release of fixes for 130 vulnerabilities did not include any updates for zero-day flaws that are currently being exploited. Still, the company acknowledged that one of the patched issues had already been made public before the update was issued.
A Broad Sweep: 130 Vulnerabilities Resolved in July Update
Microsoft’s July update addresses 130 vulnerabilities across its ecosystem, in addition to 10 externally reported issues affecting software like Visual Studio, AMD components, and the Chromium-based Edge browser. Ten of these issues are categorized as Critical, with the remainder considered Important in terms of severity.
According to Tenable’s Satnam Narang, this month breaks a nearly year-long pattern where every monthly update included at least one fix for a vulnerability being actively exploited in the wild.
Privilege Escalation and Remote Attacks Dominate
The vulnerabilities fixed in this cycle span a variety of threat types. Elevation of privilege flaws are the most numerous, totaling 53. These are followed by 42 cases of remote code execution, 17 vulnerabilities that leak information, and 8 that allow security features to be bypassed. Microsoft also issued additional fixes for two vulnerabilities in Edge since last month’s release.
Exposed SQL Server Vulnerability Draws Attention
A notable concern is CVE-2025-49719, an information leak issue affecting Microsoft SQL Server with a severity rating of 7.5 on the CVSS scale. This publicly known flaw may allow attackers to access fragments of memory that were not properly cleared.
Experts at Rapid7 have raised concerns that this type of vulnerability, while seemingly low-impact, can sometimes expose critical data like encryption keys. Action1’s Mike Walters suggested the root of the problem lies in SQL Server’s mishandling of memory input validation, which could result in sensitive information being exposed to unauthorized actors—especially when OLE DB drivers are involved.
SPNEGO Flaw Emerges as Most Dangerous
Topping the list of threats this month is CVE-2025-47981, rated 9.8 out of 10. This critical flaw exists in the SPNEGO Extended Negotiation (NEGOEX) protocol and allows for remote code execution without the need for authentication. An attacker could exploit the issue by sending a crafted message over the network.
The vulnerability was discovered by an anonymous contributor and security researcher Yuki Chen. It impacts Windows 10 (version 1607 and later) systems where a particular Group Policy setting—intended for enabling PKU2U authentication—is switched on by default.
watchTowr’s Benjamin Harris flagged the vulnerability as having the potential to be “wormable,” meaning it could spread across systems without user interaction, similar to past malware events like WannaCry.
Other High-Severity Bugs to Watch
The July release also addressed a number of other serious issues:
- CVE-2025-49735 – A remote code execution flaw in Windows KDC Proxy Service (CVSS 8.1)
- CVE-2025-48822 – An RCE vulnerability affecting Hyper-V (CVSS 8.6)
- CVE-2025-49695, CVE-2025-49696, CVE-2025-49697 – A trio of RCE flaws in Microsoft Office (CVSS 8.4 each)
Ben McCarthy of Immersive highlighted the significance of CVE-2025-49735 due to its potential to allow remote access without requiring user privileges or interaction. He noted that while the vulnerability currently relies on a timing issue—making exploitation difficult—advanced attackers could refine their methods over time to bypass this limitation.
BitLocker Vulnerabilities Expose Devices to Physical Attacks
Five separate flaws were also fixed in BitLocker, Microsoft’s built-in encryption tool. These vulnerabilities (CVE-2025-48001, 48003, 48800, 48804, and 48818) each scored 6.8 on the CVSS scale and could allow someone with physical access to extract encrypted information.
One possible attack method involves loading a custom recovery environment file (`WinRE.wim`) when the operating system volume is unlocked. Microsoft attributed the discovery of these flaws to its internal research team, MORSE (Microsoft Offensive Research and Security Engineering).
Cybersecurity engineer Jacob Ashdown warned that these kinds of vulnerabilities are especially dangerous in environments where laptops or mobile devices can be lost or stolen. In such cases, attackers might be able to bypass encryption safeguards and extract valuable data directly from the device.
Final Curtain for SQL Server 2012
July 8, 2025, also marks the end of extended support for SQL Server 2012. With the conclusion of the Extended Security Updates (ESU) program, organizations still relying on this version will no longer receive official security patches, leaving them vulnerable unless they migrate to a newer, supported version.