

Adobe Patches for July 2025
For July, Adobe (eventually) released 13 bulletins addressing 60 unique CVEs in Adobe ColdFusion, After Effects, Substance 3D Viewer, Audition, InCopy, InDesign, Connect, Dimension, Substance 3D Stager, Illustrator, FrameMaker, Experience Manager Forms, and Experience Manager Screens. The obvious place to start here is ColdFusion. It’s the only update listed as Priority 1 and addresses 13 CVEs, five of which are rated Critical. ColdFusion should probably be considered “legacy” at this point. If you’re still using it, you should think about migrating to something more modern. The patch for FrameMaker is also somewhat large. It fixes 15 CVEs – including 13 Critical bugs that could lead to code execution. The only other double-digit CVE bulletin is for Illustrator with 10 bugs. The most severe of these bugs could lead to code execution.
The remaining patches are much smaller. The After Effects patch fixes two Important severity bugs. The fix for Substance 3D Viewer addresses one Critical and two Important vulnerabilities. There’s a single denial-of-service (DoS) bug fixed in the Audition patch. The update for InCopy includes three Critical-rated bugs that could lead to code execution. The fixes for InDesign correct six similar Critical bugs. There’s just a single Critical bug in the patch for Connect. That’s the same for the Experience Manager Forms patch. The update for Substance 3D Stager corrects a single memory leak. The patch for Dimension also includes a memory leak fix and a Critical-rated code execution bug. Finally, the update for Experience Manager Screens addresses two cross-site scripting (XSS) bugs.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Besides the patch for ColdFusion, all updates are listed as deployment priority 3.
Microsoft Patches for July 2025
This month, Microsoft released a whopping 130 new CVEs in Windows and Windows Components, Office and Office Components, .NET and Visual Studio, Azure, Teams, Hyper-V, Windows BitLocker, Microsoft Edge (Chromium-based), and the Windows Cryptographic Service. Eight of these bugs were reported through the Trend ZDI program. With the additional third-party CVEs being documented, it brings the combined total to 140 CVEs.
Of the patches released today, 10 are rated Critical and the rest are rated Important in severity. July tends to be a heavier month for patches, though the reason is not clear. Perhaps Microsoft wants to patch as much as possible before the Black Hat and DEF CON conferences in early August. Perhaps it’s tied to their test cycles and merely coincidental.
Microsoft lists one bug as being publicly known at the time of release, but nothing is noted as being under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug many will be talking about:
– CVE-2025-47981 – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
This heap-based buffer overflow impacts the Windows SPNEGO Extended Negotiation component and allows a remote, unauthenticated attacker to execute code simply by sending a malicious message to an affected system. Since no user interaction is required and the code executes with elevated privileges, this bug falls into the wormable class. Microsoft also rates it “Exploitation More Likely” on its exploitability index, the highest rating short of exploitation already being detected, which means they expect attacks within 30 days. Definitely test and deploy this patch quickly.
– CVE-2025-49717 – Microsoft SQL Server Remote Code Execution Vulnerability
Speaking of heap-based buffer overflows, here’s one in SQL Server that could lead to code execution by an attacker executing a malicious query on an affected SQL Server system. They could also escape the context of the SQL Server and execute code on the host itself. Servicing this will not be easy. If you’re running your own application (or an affected third-party app) on an affected system, you will need to update your application to use Microsoft OLE DB Driver 18 or 19. The bulletin has full details, so be sure to read it carefully to ensure you have taken all steps needed to address this vulnerability fully.
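The driver migration that the SQL Server bulletin calls for is easy to miss across a large estate, so here is an added example (not code from Microsoft’s bulletin or from ZDI) that audits .NET-style connection strings for legacy OLE DB providers and rewrites them to OLE DB Driver 19. The provider names are the standard ones: SQLOLEDB and the SQLNCLI family are the legacy providers, MSOLEDBSQL is OLE DB Driver 18 and MSOLEDBSQL19 is OLE DB Driver 19. The web.config sample is constructed for the example and the function names are my own.

```python
import re

# Provider names as they appear in OLE DB connection strings. SQLOLEDB ships with
# MDAC and SQLNCLI* is SQL Native Client (both legacy); MSOLEDBSQL is Microsoft
# OLE DB Driver 18 and MSOLEDBSQL19 is Microsoft OLE DB Driver 19 (the targets
# named in the bulletin).
LEGACY_PROVIDERS = {"SQLOLEDB", "SQLOLEDB.1", "SQLNCLI", "SQLNCLI10", "SQLNCLI11"}
SUPPORTED_PROVIDERS = {"MSOLEDBSQL", "MSOLEDBSQL19"}

# "Provider=<name>;" inside a connection string; group 1 is the keyword, group 2 the value.
PROVIDER_RE = re.compile(r"(?i)(?<![\w.])(provider\s*=\s*)([^;]+)")

# <add name="..." ... connectionString="..." /> entries from a .NET config file.
CONFIG_ENTRY_RE = re.compile(
    r'<add\s[^>]*?(?<!\w)name="([^"]*)"[^>]*?connectionString="([^"]*)"'
)


def find_provider(conn_str):
    """Return the provider value from a connection string, or None if it has none."""
    m = PROVIDER_RE.search(conn_str)
    return m.group(2).strip() if m else None


def classify(conn_str):
    """'legacy' (must migrate), 'supported' (Driver 18/19), 'unknown' (review by
    hand) or 'none' (no OLE DB provider keyword, e.g. a SqlClient or ODBC string)."""
    provider = find_provider(conn_str)
    if provider is None:
        return "none"
    key = provider.upper()
    if key in LEGACY_PROVIDERS:
        return "legacy"
    if key in SUPPORTED_PROVIDERS:
        return "supported"
    return "unknown"


def migrate(conn_str, target="MSOLEDBSQL19"):
    """Rewrite a legacy provider to the target driver and leave everything else alone.
    Driver 19 encrypts by default and validates the server certificate, so a server
    with a self-signed certificate will reject the migrated string until it gets a
    certificate the client trusts (TrustServerCertificate=yes is the insecure shortcut)."""
    if classify(conn_str) != "legacy":
        return conn_str
    return PROVIDER_RE.sub(lambda m: m.group(1) + target, conn_str, count=1)


def audit_config(config_text):
    """Return [(name, classification)] for each connection string in a config file."""
    return [(name, classify(cs)) for name, cs in CONFIG_ENTRY_RE.findall(config_text)]


# Constructed sample web.config for this example; not taken from any real deployment.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Orders" providerName="System.Data.OleDb"
         connectionString="Provider=SQLOLEDB;Data Source=sql01;Initial Catalog=Orders;Integrated Security=SSPI" />
    <add name="Billing" providerName="System.Data.OleDb"
         connectionString="Provider=SQLNCLI11;Server=sql02;Database=Billing;Trusted_Connection=yes" />
    <add name="Reports" providerName="System.Data.OleDb"
         connectionString="Provider=MSOLEDBSQL19;Server=sql03;Database=Reports;Encrypt=yes" />
  </connectionStrings>
</configuration>
"""

if __name__ == "__main__":
    for name, verdict in audit_config(SAMPLE_WEB_CONFIG):
        print(f"{name:8s} {verdict}")
    for _, cs in CONFIG_ENTRY_RE.findall(SAMPLE_WEB_CONFIG):
        if classify(cs) == "legacy":
            print("  before:", cs)
            print("  after: ", migrate(cs))
```

Treat an "unknown" verdict as a manual review item rather than a pass: a provider this script does not recognise (an Access or Oracle OLE DB provider, for instance) is out of scope for the SQL Server bulletin, but a typo in a provider name would land in the same bucket. Remember that swapping the provider string only covers the client side; the SQL Server update itself still has to be installed.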
– CVE-2025-49704 – Microsoft SharePoint Remote Code Execution Vulnerability
This bug originates from Pwn2Own Berlin and was used as a part of a chain by the Viettel Cyber Security team to exploit SharePoint and win $100,000. This particular bug allowed code injection over the network. On its own, it requires some level of authentication. However, at the contest, the team paired it with an authentication bypass bug to evade this requirement. Their demonstration shows how authentication alone cannot be trusted to protect from attacks.
– CVE-2025-49695 – Microsoft Office Remote Code Execution Vulnerability
This is one of four Critical-rated Office bugs in this release, and all of them have the Preview Pane listed as an attack vector. This is the third month in a row with Critical-rated Office bugs, which is a disturbing trend. There is either a wealth of these bugs to be found, or the patches can be easily bypassed. Either way, Mac users are out of luck since updates for Microsoft Office LTSC for Mac 2021 and 2024 are not available yet. Perhaps it’s time to consider disabling the Preview Pane until Microsoft sorts some of these problems out.
Here’s the full list of CVEs released by Microsoft for July 2025: