The July 2025 Security Update Review
Adobe delayed its July security patch release, while Microsoft released patches for more than 130 CVEs, 10 of them rated Critical. The vulnerabilities affect Windows, Office, SQL Server and other products; some can lead to remote code execution or privilege escalation. Users are advised to update promptly. 2025-7-8 17:56:31 Author: www.thezdi.com (view original)

It’s the second Tuesday of the month, and as expected, Adobe and Microsoft have released their latest security patches. Take a break from your scheduled activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for July 2025

As of 1:00 PM Central Time, Adobe has not released their scheduled patches for July. This blog will be updated once they do.

Microsoft Patches for July 2025

This month, Microsoft released a whopping 130 new CVEs in Windows and Windows Components, Office and Office Components, .NET and Visual Studio, Azure, Teams, Hyper-V, Windows BitLocker, Microsoft Edge (Chromium-based), and the Windows Cryptographic Service. Eight of these bugs were reported through the Trend ZDI program. With the additional third-party CVEs being documented, it brings the combined total to 140 CVEs.

Of the patches released today, 10 are rated Critical, and the rest are rated Important in severity. July tends to be a heavier month for patches, though the reason is not clear. Perhaps Microsoft wants to patch as much as possible prior to the Black Hat and DEF CON conferences that take place in early August. Perhaps it’s related to their test cycles and is merely coincidental.

Microsoft lists one bug as being publicly known at the time of release, but nothing is noted as being under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug many will be talking about:

- CVE-2025-47981 - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
This heap-based buffer overflow impacts the Windows SPNEGO Extended Negotiation component and allows remote, unauthenticated attackers to execute code simply by sending a malicious message to an affected system. Since there’s no user interaction, and since the code executes with elevated privileges, this bug falls into the wormable class of bugs. Microsoft also gives this its highest exploitability index rating, which means they expect attacks within 30 days. Definitely test and deploy these patches quickly.

- CVE-2025-49717 - Microsoft SQL Server Remote Code Execution Vulnerability
Speaking of heap-based buffer overflows, here’s one in SQL Server that could lead to code execution by an attacker executing a malicious query on an affected SQL Server system. They could also escape the context of the SQL Server and execute code on the host itself. Servicing this will not be easy. If you’re running your own application (or an affected third-party app) on an affected system, you will need to update your application to use Microsoft OLE DB Driver 18 or 19. The bulletin has full details, so be sure to read it carefully to ensure you have taken all steps needed to address this vulnerability fully.

- CVE-2025-49704 - Microsoft SharePoint Remote Code Execution Vulnerability
This bug originates from Pwn2Own Berlin and was used as a part of a chain by the Viettel Cyber Security team to exploit SharePoint and win $100,000. This particular bug allowed code injection over the network. On its own, it requires some level of authentication. However, at the contest, the team paired it with an authentication bypass bug to evade this requirement. Their demonstration shows how authentication alone cannot be trusted to protect from attacks.

- CVE-2025-49695 - Microsoft Office Remote Code Execution Vulnerability
This is one of four Critical-rated Office bugs in this release, and all of them have the Preview Pane listed as an attack vector. This is the third month in a row with Critical-rated Office bugs, which is a disturbing trend. There is either a wealth of these bugs to be found, or the patches can be easily bypassed. Either way, Mac users are out of luck since updates for Microsoft Office LTSC for Mac 2021 and 2024 are not available yet. Perhaps it’s time to consider disabling the Preview Pane until Microsoft sorts some of these problems out.

Here’s the full list of CVEs released by Microsoft for July 2025:

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.

There are only three other Critical-rated bugs to discuss in this month’s release. The first is in Hyper-V and could allow an attacker to execute code on the local system if a user can be tricked into importing an INF file. The bug in the Windows KDC Proxy Service could allow code execution if an attacker can leverage a cryptographic protocol vulnerability in the Kerberos Key Distribution Center Proxy Service. While an enticing target, that’s a tall order for an attacker. Finally, there is a Critical-rated info disclosure bug in the Imaging Component, but it only leaks heap memory contents, so it’s not clear why it is listed as Critical.

Looking at the remaining code execution bugs, there are additional bugs in Office of the open-and-own variety where the Preview Pane is not an attack vector. There’s also our monthly dose of bugs in the RRAS service – 14 for July. There are a couple of bugs in MPEG2 that require authentication. That’s also a requirement for the SQL injection bug in Intune. The SharePoint bug also requires authentication, but anyone with the ability to create a site has the needed permissions. The bug in the Virtual Hard Drive requires a user to mount a specially crafted VHD, which seems unlikely. The bug in RDP Client requires connecting to a malicious RDP server – another unlikely scenario. The bug in Windows Server Setup and Boot Event Collection requires high privileges but could be used to maintain access after an initial intrusion. Speaking of unlikely, the vulnerability in Miracast requires a target user to connect to a malicious Miracast sink and have a non-default configuration. The bug in Windows Connected Devices Platform Service allows for code execution if an attacker sends specially crafted packets to TCP port 5040 on an affected system, but the user would need to restart the service to complete the attack. There’s a bug in the Python component of Visual Studio due to the Python extension allowing an unauthorized attacker to execute code locally. Finally, the bug in Azure Monitor Agent allows an unauthorized attacker to execute code over an adjacent network. Users who have disabled Automatic Extension Upgrades will need to perform a manual update of the agent.
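Two of the items above leave work for administrators after the update is installed: the SQL Server bugs (CVE-2025-49717 and the related info-disclosure fixes) require applications to move to Microsoft OLE DB Driver 18 or 19, and the Connected Devices Platform Service bug is reached over TCP port 5040. The following script is an added example, not code from the ZDI post or from Microsoft; it assumes Windows PowerShell 5.1 or later run as an administrator, and the driver DLL file names, their System32 location and the service name CDPSvc are assumptions about a standard install.

```powershell
# Added example: post-patch checks for the July 2025 release (not from the original post).
# Assumption: standard Windows install, run elevated in Windows PowerShell 5.1+.

# Part 1: report which SQL Server OLE DB drivers are present so that application
# connection strings can be moved to OLE DB Driver 18 (MSOLEDBSQL) or 19 (MSOLEDBSQL19).
# DLL names/paths below are assumptions; adjust if your install differs.
function Get-SqlOleDbDriverStatus {
    $drivers = @(
        @{ Name = 'OLE DB Driver 19 (MSOLEDBSQL19)'; File = 'msoledbsql19.dll'; Supported = $true  }
        @{ Name = 'OLE DB Driver 18 (MSOLEDBSQL)';   File = 'msoledbsql.dll';   Supported = $true  }
        @{ Name = 'SQL Native Client 11 (SQLNCLI11)'; File = 'sqlncli11.dll';   Supported = $false }
        @{ Name = 'Legacy SQLOLEDB (MDAC)';          File = 'sqloledb.dll';     Supported = $false }
    )
    foreach ($d in $drivers) {
        $path = Join-Path $env:SystemRoot ("System32\" + $d.File)
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $version  = (Get-Item -LiteralPath $path).VersionInfo.ProductVersion
        $guidance = if ($d.Supported) { 'Supported; confirm this is the updated build' }
                    else { 'Deprecated; migrate applications to OLE DB Driver 18 or 19' }
        [pscustomobject]@{ Driver = $d.Name; Version = $version; Guidance = $guidance }
    }
}

# Part 2: the Connected Devices Platform Service bug is reached via TCP 5040.
# Report whether CDPSvc is running, whether 5040 is listening, and which enabled
# inbound firewall rules admit it, so exposure can be reduced where it is not needed.
function Get-CdpServiceExposure {
    $svc    = Get-Service -Name 'CDPSvc' -ErrorAction SilentlyContinue
    $listen = Get-NetTCPConnection -LocalPort 5040 -State Listen -ErrorAction SilentlyContinue
    $rules  = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '5040' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    $status = if ($svc) { $svc.Status.ToString() } else { 'Not installed' }
    [pscustomobject]@{
        ServiceStatus   = $status
        ListeningOn5040 = [bool]$listen
        ListenAddresses = (@($listen | ForEach-Object { $_.LocalAddress })) -join ', '
        InboundRules    = (@($rules  | ForEach-Object { $_.DisplayName }))  -join ', '
    }
}

Get-SqlOleDbDriverStatus | Format-Table -AutoSize
Get-CdpServiceExposure   | Format-List
```

A host whose applications still load SQLOLEDB or SQLNCLI11 has not finished remediating the SQL Server bulletin even after the OS update is installed.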

There are more than 50 elevation of privilege (EoP) bugs in the July release. The vast majority of these bugs lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. The bugs in Virtual Hard Disk and Fast FAT require a target to mount a virtual drive. There are a few bugs that allow local attackers to crash a system, which could be used as a part of a privilege escalation. Other bugs elevate to different levels depending on the product. The EoP in Office escapes the Protected View sandbox. Bugs in Virtualization-Based Security allow attackers to gain Virtual Trust Level 1 (VTL1) privileges. The bugs in Input Method Editor (IME) allow attackers to go from low to medium integrity code execution. The bug in the Universal Print Management Service is a little bit different. In this case, an authenticated attacker could send a specially crafted file to a shared printer, resulting in code execution on the system sharing that printer. Lastly, the bug in Azure Fabric Runtime leads to SYSTEM, but the attacker needs a few extra steps. You’ll also need to take additional action if you have disabled automatic updates: you will need to manually update your Service Fabric cluster to be protected.

Moving on to the security feature bypass (SFB) patches in this month’s release, five are for BitLocker. The scenarios are different, but they all lead to an attacker being able to bypass BitLocker. The bug in SmartScreen allows attackers to bypass SmartScreen protections. While this bug is not under active attack, we’ve seen similar bugs used by ransomware in the wild. The bug in Remote Desktop Licensing requires a machine-in-the-middle (MitM) attack, but Microsoft doesn’t make it clear which specific security feature is being bypassed. The final SFB is in the Office Development Platform and allows attackers to bypass the Office Visual Basic for Applications (VBA) signature scheme.

The July release includes quite a few information disclosure patches. As usual, most of these are in the Windows Storage Management Provider and only result in info leaks consisting of unspecified memory contents. This is useful info to have when exploiting components on a system, but otherwise not quite riveting. That’s also true for the bugs in SQL Server. However, similar to the SQL RCE bug already mentioned, you may need to manually update to Microsoft OLE DB Driver 18 or 19. The bug in GDI could allow the leaking of the ever-elusive “sensitive information”. That’s a bit more detailed than what is leaked by the Cryptographic Service. Microsoft simply states the bug allows an “attacker to disclose information over a network.” Neat.

There are five patches for Denial-of-Service (DoS) bugs in this release. However, Microsoft provides no actionable information about these bugs. Instead, they simply state that an attacker could deny service over a network to that component. The only exception is for the bug in Windows Performance Recorder. This vulnerability requires an authenticated attacker to create directories and then have an administrator run wprui.exe for the first time. Somehow, I don’t see that one getting exploited in the wild.

Looking at the spoofing bugs receiving patches this month, the first that stands out is in SQL Server. This is the bug that allowed Viettel to bypass authentication at Pwn2Own by spoofing an authenticated connection. The bug in Remote Desktop requires some social engineering, as it requires tricking a user into interacting with a spoofed WebAuthn prompt and entering their credentials. The spoofing bug in Storage could be used by an attacker to trick a user into connecting to an attacker-controlled network resource. Finally, the spoofing bug in SMB involves improper certificate validation, which implies certificates could be spoofed over the network.

The last patch for July is in the poorly defined “Tampering” category. It’s in the Windows StateRepository API Server and allows for an AppContainer escape to delete specific files on a system. I suppose that’s a good enough definition of tampering.

No new advisories are being released this month.

Looking Ahead

The next Patch Tuesday of 2025 will be on August 12, and, assuming I survive hacker summer camp, I’ll be back then with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!


Source: https://www.thezdi.com/blog/2025/7/8/the-july-2025-security-update-review