Microsoft July 2025 Patch Tuesday

Microsoft has released its monthly set of security updates, known as Patch Tuesday. This month's release addresses one zero-day vulnerability.

Microsoft has fixed 130 vulnerabilities, one of which is classified as critical. These vulnerabilities could allow an attacker to gain elevated privileges, perform denial-of-service attacks, obtain sensitive information, bypass security restrictions, or execute arbitrary code and gain access to the affected systems.

July’s Patch Tuesday fixes security flaws in several Microsoft products, including Microsoft Excel, Microsoft Office, Visual Studio Code, Microsoft SQL Server, Windows Server, Microsoft 365 Apps for Enterprise, Microsoft SharePoint Server, Microsoft PowerPoint, Microsoft Configuration Manager, Office Online Server, Windows Kernel, Remote Desktop Client, Windows Hyper-V, Windows BitLocker, Windows SMB, Windows NTFS, Windows Shell, Windows Version 10 and Windows Version 11.

The publicly disclosed zero-day vulnerability in July’s Patch Tuesday is:

  • Microsoft SQL Server Information Disclosure Vulnerability (CVE-2025-49719), which could allow a remote, unauthenticated attacker to access data from uninitialized memory.

Sample of the addressed vulnerabilities:

1. Microsoft SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability (CVE-2025-47981):

  • CVSS: 9.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Gain Access

2. Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2025-49740):

  • CVSS: 8.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Consequences: Security Bypass

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Microsoft MSRC

References