
For July 2025 Patch Tuesday, Microsoft has released patches for 130 vulnerabilities, among them one that’s publicly disclosed (CVE-2025-49719) and a wormable RCE bug on Windows and Windows Server (CVE-2025-47981).
CVE-2025-49719 and CVE-2025-49717, in Microsoft SQL Server
CVE-2025-49719 is an uninitialized memory disclosure vulnerability affecting Microsoft SQL Server, which can be triggered over the network by unauthenticated attackers.
Microsoft says that exploit code for it is “unproven” – i.e., not publicly available or simply theoretical – and judges exploitation of the flaw to be “less likely”.
“Users of SQL Server can update to the latest version, which includes [the necessary] driver fixes. However, if users have built their own apps or use software from another vendor that happens to use SQL Server, they need to update to Microsoft OLE DB Driver for SQL Server version 18 or 19 or ensure compatibility before updating,” says Satnam Narang, senior staff research engineer at Tenable.
“Microsoft has details in its advisory including a matrix for supported general distribution releases and cumulative update versions.”
These updated versions also fix CVE-2025-49717, a buffer overflow vulnerability that could be triggered by authenticated attackers running a malicious query against a vulnerable SQL Server. A successful exploit could allow them to escape the SQL Server process context and execute code on the underlying host.
Vulnerabilities requiring your attention
First and foremost, you should patch CVE-2025-47981, which is another buffer overflow vulnerability that can lead to RCE. This one is in Windows’ SPNEGO Extended Negotiation (NEGOEX) security mechanism, and unauthenticated attackers can trigger it by sending a malicious message to a vulnerable system, with no user interaction required.
“Since there’s no user interaction, and since the code executes with elevated privileges, this bug falls into the wormable class of bugs. Microsoft also gives this its highest exploitability index rating, which means they expect attacks within 30 days. Definitely test and deploy these patches quickly,” advised Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.
A fix for this flaw has been added to the security updates for a wide range of Windows and Windows Server versions.
“This vulnerability affects Windows client machines running Windows 10, version 1607 and above, due to the following GPO being enabled by default on these operating systems: ‘Network security: Allow PKU2U authentication requests to this computer to use online identities’,” Microsoft explained.
Saeed Abbasi, senior manager of security research at the Qualys Threat Research Unit, advised admins to start with patching internet-facing or VPN-reachable assets and anything that touches AD. “If you absolutely can’t patch, disable ‘Allow PKU2U authentication requests’ via GPO and block inbound 135/445/5985 at the edge,” he added.
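The interim mitigation quoted above can be audited and applied from PowerShell. The script below is an added example and is not code from the article, Microsoft or the quoted researchers; it assumes that the GPO “Network security: Allow PKU2U authentication requests to this computer to use online identities” maps to the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID (1 = allowed, 0 = disabled), and it approximates the “edge” port block with host firewall rules, which is weaker than blocking at the perimeter. The backup value name and the interface-alias parameter are this example’s own inventions.

```powershell
# Added example (not from the article or its sources). Run elevated.
# Audits the PKU2U setting for CVE-2025-47981 and, with -Remediate, disables it
# and adds host-level inbound block rules for TCP 135/445/5985.
# Assumption: the GPO maps to HKLM\...\Lsa\pku2u\AllowOnlineID (DWORD, 1 = allowed).
[CmdletBinding()]
param(
    [switch]$Remediate,                    # apply changes instead of only reporting
    [string[]]$EdgeInterfaceAlias = @()    # hypothetical: internet/VPN-facing adapters; empty = any
)

$pku2uKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
$valueName = 'AllowOnlineID'
$backupName = 'AllowOnlineID_PrePatchBackup'   # invented name, used only to allow rollback

# 1. Report current PKU2U state. A missing value means "not configured", which
#    Microsoft describes as allowed by default on Windows 10 1607+ clients.
$current = (Get-ItemProperty -Path $pku2uKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
$state = if ($null -eq $current) { 'not configured (default: allowed)' }
         elseif ($current -eq 1) { 'allowed' } else { 'disabled' }
Write-Host "PKU2U online identity requests: $state"

if ($Remediate) {
    if (-not (Test-Path $pku2uKey)) { New-Item -Path $pku2uKey -Force | Out-Null }
    # Keep the previous value so the mitigation can be reverted once the patch is on.
    if ($null -ne $current) {
        Set-ItemProperty -Path $pku2uKey -Name $backupName -Value $current -Type DWord
    }
    Set-ItemProperty -Path $pku2uKey -Name $valueName -Value 0 -Type DWord
    Write-Host "Set $valueName = 0 (PKU2U online identities disabled)"
}

# 2. Inbound block rules for the ports named in the quoted advice. Scoped to the
#    Public profile by default: blocking 445/5985 on domain-joined servers breaks
#    SMB and WinRM management, so review the scope before deploying widely.
foreach ($port in @(135, 445, 5985)) {
    $name = "Block-Inbound-TCP-$port-CVE-2025-47981"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$name' already present"; continue
    }
    if (-not $Remediate) {
        Write-Host "Would create inbound block rule for TCP/$port (re-run with -Remediate)"; continue
    }
    $params = @{
        DisplayName = $name; Direction = 'Inbound'; Action = 'Block'
        Protocol = 'TCP'; LocalPort = $port; Profile = 'Public'
    }
    if ($EdgeInterfaceAlias.Count -gt 0) { $params.InterfaceAlias = $EdgeInterfaceAlias }
    New-NetFirewallRule @params | Out-Null
    Write-Host "Created rule '$name'"
}
```

Run it once without switches to see the current state, then with `-Remediate` on hosts that cannot take the update yet. Remove the block rules and restore the backed-up value after patching, since the PKU2U setting also affects legitimate peer-to-peer authentication with Microsoft accounts.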
Among the “more likely” to be exploited vulnerabilities are:
- Four allowing attackers to bypass the BitLocker Device Encryption feature on the system storage device (but these can only be exploited by attackers with physical access to vulnerable systems)
- Four Microsoft Office RCE vulnerabilities, three of which require no user interaction. For all, the Preview Pane is an attack vector. Patches have been provided for Office versions on Windows and Android, but Mac users will have to wait
- CVE-2025-49704, allowing code injection and execution on Microsoft SharePoint by authenticated remote attackers with low privileges
“[CVE-2025-49704] originates from Pwn2Own Berlin and was used as a part of a chain by the Viettel Cyber Security team to exploit SharePoint and win $100,000. This particular bug allowed code injection over the network. On its own, it requires some level of authentication. However, at the contest, the team paired it with an authentication bypass bug to evade this requirement,” Childs pointed out.
Chris Goettl, VP of Security Product Management at Ivanti, advised admins not to forget the Windows Server updates, which resolve 16 CVEs in Windows Routing and Remote Access Service (RRAS).
“These vulnerabilities could allow an unauthenticated attacker to convince a user to initiate a connection to a malicious server that could allow them to execute arbitrary code. The attack would require no privileges and could be exploited over the network,” he explained.
“Applying the updates to the OS is the best solution, but additional mitigations like restricting RRAS ports to trusted networks or VPN concentrators can limit exposure, as well as employing firewall rules and disabling unused RRAS features.”
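The RRAS hardening steps described above (restricting RRAS to trusted networks, disabling it where unused) can be scripted on the server itself. The following is an added example, not code from the article or from Ivanti; it assumes the inbound RRAS rules that Windows ships live in the firewall rule group named “Routing and Remote Access” (localized on non-English systems) and that the service is called RemoteAccess. The trusted address ranges are constructed placeholders.

```powershell
# Added example (not from the article or its sources). Run elevated on the RRAS host.
# Reports inbound RRAS firewall rules open to Any, optionally scopes them to trusted
# networks, and optionally stops/disables RRAS where it is not in use.
[CmdletBinding()]
param(
    [string[]]$TrustedRemote = @('10.0.0.0/8', '192.0.2.0/24'),  # constructed example ranges
    [switch]$Apply,            # rewrite RemoteAddress on rules currently open to Any
    [switch]$DisableService    # stop and disable RRAS (only if the host does not serve VPN/routing)
)

$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if (-not $svc) { Write-Host 'RemoteAccess service not present; nothing to do'; return }
Write-Host "RRAS service: status=$($svc.Status) startType=$($svc.StartType)"

# Assumption: built-in RRAS rules (GRE-In, PPTP-In, L2TP-In, ...) share this DisplayGroup.
$rules = Get-NetFirewallRule -Direction Inbound -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayGroup -eq 'Routing and Remote Access' -and $_.Enabled -eq 'True' }

if (-not $rules) { Write-Host 'No enabled inbound RRAS firewall rules found' }
foreach ($rule in $rules) {
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Host ('{0}: RemoteAddress = {1}' -f $rule.DisplayName, ($addr -join ','))
    if ($Apply -and ($addr -contains 'Any')) {
        # -RemoteAddress replaces the whole list, so only the trusted ranges remain.
        $rule | Set-NetFirewallRule -RemoteAddress $TrustedRemote
        Write-Host ('  -> scoped to {0}' -f ($TrustedRemote -join ', '))
    }
}

if ($DisableService) {
    if ($svc.Status -eq 'Running') { Stop-Service -Name RemoteAccess -Force }
    Set-Service -Name RemoteAccess -StartupType Disabled
    Write-Host 'RemoteAccess service stopped and disabled'
}
```

Scoping by `RemoteAddress` limits who can reach the RRAS listeners but does not change the vulnerable code path; treat it as a stopgap until the Windows Server update is applied, and prefer enforcing the same restriction at the perimeter or on the VPN concentrator where possible.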
Finally, don’t forget to update Microsoft Edge to pick up the fix for CVE-2025-6554, a Chromium vulnerability that has been exploited in the wild against Chrome users; Chromium-based Edge inherits the same fix.