Researchers are especially concerned about a high-severity defect in SQL Server and a critical vulnerability in SPNEGO, a foundational protocol.

Microsoft addressed 130 vulnerabilities across its products and underlying Windows systems, but none have been actively exploited in the wild, the company said in its latest security update Tuesday.
A proof-of-concept exploit for a high-severity defect in SQL Server — CVE-2025-49719 — has been shared publicly, researchers said. The information disclosure vulnerability, which has a CVSS score of 7.5, was publicly disclosed before it was patched, but Microsoft said exploitation is less likely.
“This vulnerability likely stems from improper input validation in SQL Server’s memory management, allowing access to uninitialized memory. As a result, attackers could retrieve remnants of sensitive data, such as credentials or connection strings,” Mike Walters, president and co-founder of Action1, said in an email.
Walters said the defect is especially concerning because authentication isn’t required, databases hold vast amounts of sensitive data and affected versions span releases from 2016 through 2022.
“Although rated as ‘exploitation less likely,’ the public disclosure suggests technical details may already be circulating, which could lead to increased exploitation over time,” he added. “This vulnerability can be exploited in advanced attack scenarios.”
The most critical vulnerability in this month’s security update — CVE-2025-47981 — is a remote code execution vulnerability in Windows SPNEGO Extended Negotiation with a CVSS score of 9.8. The foundational protocol negotiates authentication on critical services.
“This vulnerability enables unauthenticated, pre-authentication remote code execution with no user interaction and low attack complexity, making it a high-value target for adversaries seeking lateral movement or initial access in enterprise networks,” Ben McCarthy, lead cyber security engineer at Immersive Labs, said in an email.
Ben Harris, CEO at watchTowr, encouraged defenders to patch CVE-2025-47981 quickly and hunt down exposed systems.
“We shouldn’t fool ourselves,” Harris said. “If the private industry has noticed this vulnerability, it is certainly already on the radar of every attacker with an ounce of malice.”
Microsoft’s batch of CVE disclosures includes 16 vulnerabilities that affect Microsoft Office and standalone Office products, including four defects the company described as more likely to be exploited.
The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.