News
Microsoft July Patch Tuesday: 137 Bugs, 1 Zero-Day SQL Flaw
This month's Patch Tuesday is here, packed with 137 vulnerability fixes, including 14 rated critical and one publicly disclosed zero-day affecting Microsoft SQL Server.
The zero-day flaw fix (CVE-2025-49719) addresses an information disclosure issue in Microsoft SQL Server and associated OLE DB drivers. The problem stems from improper memory handling that could expose uninitialized data, including authentication credentials and connection strings. While Microsoft rated the flaw "Exploitation Less Likely," its public disclosure raises the potential for widespread misuse.
Mike Walters, president of security firm Action1, said that while Microsoft has said the threat for active exploitation is low, motivated attackers will find a way. Walters explains:
This vulnerability can be exploited in advanced attack scenarios.
- An attacker could map out database structures, identify injection points, and gather information to support more targeted intrusions.
- By accessing uninitialized memory, they might recover fragments of authentication credentials, potentially enabling further attacks against the database or related systems.
Moving on to this month's "critical" issues, one high-importance item is CVE-2025-47981, a heap-based buffer overflow in the Windows SPNEGO Extended Negotiation mechanism. If unpatched, it could allow remote code execution without user interaction. The vulnerability could be abused in older or poorly managed environments, particularly those with default Group Policy settings enabling PKU2U authentication.
Among the remaining 14 critical vulnerabilities, multiple remote code execution bugs in Microsoft Office and SharePoint make up quite a few of the monthly fixes. CVEs 2025-49695, 2025-49696, 2025-49697 and 2025-49702 all target Microsoft Office and can be triggered via the Preview Pane, a feature that allows exploitation without opening a document.
SharePoint administrators are advised to patch CVE-2025-49704 as soon as possible. The flaw could allow attackers with site owner rights to inject server-side code that executes within the app pool context, potentially exposing back-end systems.
CVE-2025-49717 is another SQL Server vulnerability that could lead to a “changed scope” attack -- allowing code execution not only within the database engine but also on the host OS. An attacker could use stolen credentials or app flaws to escalate privileges, deploy ransomware or move freely in a compromised network.
One interesting thing to note this month was that Microsoft Word was also impacted by three nearly identical "important" vulnerabilities (CVE-2025-49698, 2025-49700 and 2025-49703), both involving use-after-free conditions that could be exploited by specially crafted documents. Though exploitation is considered technically challenging due to modern mitigations like ASLR, the ability to trigger attacks through the Preview Pane elevates their risk.
Despite the volume of updates, experts say organizations must not delay. Tyler Reguly, associate director at Forta security firm, emphasized the importance of having a robust configuration management database (CMDB) to ensure comprehensive patch coverage.
"You can't patch systems and software that you don't know about, and you also can't manage their vulnerabilities," said Reguly. "This is where a CMDB or Configuration Management Database is critical to the survival of an organization. As a CSO, ask yourself if you have a CMDB deployed and then ask your team if it is being maintained on a regular basis. A CMDB is only as good as the last entry and if that last entry was a year ago, you are likely missing key information that could inform your patching decisions."
Click here for the full list of July's security bulletins.