In the latest round of security updates, Microsoft has addressed a significant number of vulnerabilities, releasing patches for 130 issues as part of the July 2025 Patch Tuesday. Among these vulnerabilities, two notable entries stand out: CVE-2025-49719, which has been publicly disclosed, and CVE-2025-47981, a wormable remote code execution (RCE) flaw affecting Windows and Windows Server.
CVE-2025-49719 and CVE-2025-49717, in Microsoft SQL Server
CVE-2025-49719 is an uninitialized memory disclosure vulnerability within Microsoft SQL Server. This flaw can potentially be triggered remotely by unauthorized attackers. Microsoft has assessed the exploit code for this vulnerability as “unproven,” indicating that it is not widely available or merely theoretical, leading them to conclude that exploitation is “less likely.”
As noted by Satnam Narang, a senior staff research engineer at Tenable, users of SQL Server are encouraged to update to the latest version, which includes essential driver fixes. For those who have developed their own applications or utilize third-party software relying on SQL Server, it is crucial to update to the Microsoft OLE DB Driver for SQL Server version 18 or 19, ensuring compatibility before proceeding with the update. Microsoft has provided detailed advisories, including a matrix for supported general distribution releases and cumulative update versions.
Additionally, the updates address CVE-2025-49717, a buffer overflow vulnerability that could be exploited by authenticated attackers executing a malicious query against a vulnerable SQL Server. This could allow them to escape the SQL Server context and execute code on the underlying host.
Vulnerabilities requiring your attention
Among the vulnerabilities that demand immediate attention is CVE-2025-47981, another buffer overflow issue that can lead to RCE. This particular flaw resides within Windows’ SPNEGO Extended Negotiation security mechanism, enabling unauthorized attackers to exploit it by sending a malicious message to a vulnerable system. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, emphasizes the urgency of addressing this vulnerability, noting that it falls into the wormable category and has received the highest exploitability index rating from Microsoft. This indicates a high likelihood of attacks occurring within 30 days, making prompt testing and deployment of patches essential.
The fix for this vulnerability has been included in security updates for a broad range of Windows and Windows Server versions. Microsoft elaborates that the vulnerability affects Windows client machines running Windows 10, version 1607 and above, due to the default enabling of the Group Policy Object (GPO) allowing PKU2U authentication requests to utilize online identities.
Saeed Abbasi, a senior manager of security research at the Qualys Threat Research Unit, advises administrators to prioritize patching internet-facing or VPN-reachable assets, as well as any systems that interact with Active Directory. For those unable to patch immediately, he suggests disabling the ‘Allow PKU2U authentication requests’ GPO and blocking inbound ports 135, 445, and 5985 at the network edge.
Other vulnerabilities that are considered “more likely” to be exploited include:
- Four vulnerabilities that allow attackers to bypass the BitLocker Device Encryption feature on system storage devices, which can only be exploited by individuals with physical access to the affected systems.
- Four Microsoft Office RCE vulnerabilities, three of which do not require user interaction, with the Preview Pane serving as a potential attack vector. Patches have been rolled out for Office versions on Windows and Android, while Mac users will need to wait for their updates.
- CVE-2025-49704, which permits code injection and execution on Microsoft SharePoint by authenticated remote attackers with low privileges.
Childs highlights that CVE-2025-49704 originated from the Pwn2Own Berlin competition, where it was utilized by the Viettel Cyber Security team to exploit SharePoint, earning them a 0,000 reward. This vulnerability allows for network-based code injection, requiring some level of authentication. However, during the competition, it was paired with an authentication bypass bug to circumvent this requirement.
Chris Goettl, VP of Security Product Management at Ivanti, reminds administrators not to overlook the Windows Server updates, which address 16 CVEs in Windows Routing and Remote Access Service (RRAS). These vulnerabilities could enable an unauthenticated attacker to persuade a user to connect to a malicious server, potentially allowing arbitrary code execution without any privileges, and could be exploited over the network.
Goettl advises that while applying updates to the operating system is the most effective solution, additional mitigations such as restricting RRAS ports to trusted networks or VPN concentrators, implementing firewall rules, and disabling unused RRAS features can further limit exposure.
Lastly, it is crucial to update Microsoft Edge to address CVE-2025-6554, which has been actively exploited in the wild to target Chrome users.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities, and cybersecurity threats. Subscribe here!
