Microsoft and Adobe Patch Tuesday, July 2025 Security Update Review


With cybersecurity threats continuing to evolve, Microsoft’s July 2025 Patch Tuesday highlights the need for consistent patching — this month’s release includes key fixes for actively exploited vulnerabilities. Here’s a quick breakdown of what you need to know.

Microsoft Patch Tuesday for July 2025

In the July 2025 edition of Patch Tuesday, Microsoft addressed 140 vulnerabilities. The updates include 14 critical and 115 important severity vulnerabilities. Microsoft has also addressed one zero-day vulnerability that has been publicly disclosed.

Microsoft has addressed three vulnerabilities in Microsoft Edge (Chromium-based) in this month’s updates.

Microsoft Patch Tuesday, July edition includes updates for vulnerabilities in Windows Kernel, Remote Desktop Client, Windows Visual Basic Scripting, Microsoft Intune, Windows Routing and Remote Access Service (RRAS), Windows Hyper-V, Windows Connected Devices Platform Service, Windows BitLocker, and more.

Microsoft has fixed several types of flaws across multiple products, including Spoofing, Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, and Remote Code Execution (RCE).

The July 2025 Microsoft vulnerabilities are classified as follows:

| Vulnerability Category | Quantity | Severities |
|---|---|---|
| Spoofing Vulnerability | 3 | Important: 3 |
| Denial of Service Vulnerability | 6 | Important: 6 |
| Elevation of Privilege Vulnerability | 53 | Important: 53 |
| Information Disclosure Vulnerability | 18 | Critical: 1, Important: 17 |
| Remote Code Execution Vulnerability | 41 | Critical: 11, Important: 30 |
| Security Feature Bypass Vulnerability | 8 | Important: 8 |

Zero-day Vulnerability Patched in July Patch Tuesday Edition

CVE-2025-49719: Microsoft SQL Server Information Disclosure Vulnerability

Microsoft SQL Server is a powerful and popular relational database management system (RDBMS). It is used to store and retrieve data requested by other software applications.

An improper input validation flaw in SQL Server could allow an unauthenticated attacker to disclose information over a network.

Critical Severity Vulnerabilities Patched in July Patch Tuesday Edition

AMD: CVE-2025-36357 & CVE-2024-36350 Transient Scheduler Attack in L1 Data Queue

The vulnerability assigned to this CVE is in certain processor models offered by AMD. The mitigation for this vulnerability requires a Windows update.

Refer to AMD-SB-7029 for more information.

CVE-2025-49717: Microsoft SQL Server Remote Code Execution Vulnerability

A heap-based buffer overflow flaw in SQL Server may allow an authenticated attacker to achieve remote code execution.

CVE-2025-49735: Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability

The KDC (Key Distribution Center) Proxy service in Windows allows clients to authenticate to an Active Directory domain when they don’t have direct network access to a Domain Controller, typically for remote access scenarios like Azure Virtual Desktop. It acts as a relay for Kerberos authentication traffic, encapsulating Kerberos messages within HTTPS requests sent over the internet.

A use-after-free flaw in Windows KDC Proxy Service (KPSSVC) could allow an unauthenticated attacker to achieve remote code execution.

CVE-2025-47980: Windows Imaging Component Information Disclosure Vulnerability

The Windows Imaging Component (WIC) is a Microsoft technology that provides a framework for working with digital images and image metadata in Windows applications.

Exposure of sensitive information to an unauthenticated attacker in the Windows Imaging Component could allow an attacker to disclose information locally. Upon successful exploitation, an attacker could read small portions of heap memory.

CVE-2025-47981: SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability

SPNEGO is an Internet standard for a client and server to negotiate which Generic Security Service Application Program Interface (GSSAPI) technology will be used for authentication.

A heap-based buffer overflow flaw in Windows SPNEGO Extended Negotiation may allow an unauthenticated attacker to achieve remote code execution. An attacker could exploit this vulnerability by sending a malicious message to the server.

CVE-2025-48822: Windows Hyper-V Discrete Device Assignment (DDA) Remote Code Execution Vulnerability

Hyper-V Discrete Device Assignment (DDA), also known as PCI passthrough, allows you to give a virtual machine (VM) direct access to a physical PCI Express (PCIe) device on the host machine. This enables the VM to utilize the device at near-native performance, bypassing the hypervisor’s virtualization layer.

An out-of-bounds read flaw in Windows Hyper-V could allow an unauthenticated attacker to achieve remote code execution.

CVE-2025-49695: Microsoft Office Remote Code Execution Vulnerability

A use-after-free vulnerability in Microsoft Office may allow an unauthenticated attacker to achieve remote code execution.

CVE-2025-49696: Microsoft Office Remote Code Execution Vulnerability

An out-of-bounds read flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.

CVE-2025-49697: Microsoft Office Remote Code Execution Vulnerability

A heap-based buffer overflow flaw in Microsoft Office may allow an unauthenticated attacker to achieve remote code execution.

CVE-2025-49698 & CVE-2025-49703: Microsoft Word Remote Code Execution Vulnerability

A use-after-free vulnerability in Microsoft Office Word may allow an unauthenticated attacker to achieve remote code execution.

CVE-2025-49702: Microsoft Office Remote Code Execution Vulnerability

A type confusion flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.

CVE-2025-49704: Microsoft SharePoint Remote Code Execution Vulnerability

A code injection flaw in Microsoft Office SharePoint could allow an authenticated attacker to execute code over a network.

Other Microsoft Vulnerability Highlights

  • CVE-2025-47987 is an elevation of privilege vulnerability in the Credential Security Support Provider Protocol (CredSSP). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
  • CVE-2025-47978 is a security feature bypass vulnerability in Windows Kerberos. An out-of-bounds read flaw could allow an authenticated attacker to deny service over a network.
  • CVE-2025-48799 is an elevation of privilege vulnerability in the Windows Update Service. Improper link resolution before file access may allow an authenticated attacker to elevate privileges locally.
  • CVE-2025-48800, CVE-2025-48804, and CVE-2025-48818 are security feature bypass vulnerabilities in BitLocker. Upon successful exploitation, an attacker could bypass the BitLocker Device Encryption feature on the system storage device.
  • CVE-2025-49701 is a remote code execution vulnerability in Microsoft SharePoint. An improper authorization flaw could allow an authenticated attacker to execute code over a network.
  • CVE-2025-49718 is an information disclosure vulnerability in Microsoft SQL Server. An unauthenticated attacker may exploit the vulnerability to disclose information over a network.
  • CVE-2025-49724 is a remote code execution vulnerability in the Windows Connected Devices Platform Service. An unauthenticated attacker may exploit the vulnerability to achieve remote code execution.
  • CVE-2025-49727 is an elevation of privilege vulnerability in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
  • CVE-2025-49744 is an elevation of privilege vulnerability in the Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

Microsoft Release Summary

This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Service Fabric, Virtual Hard Disk (VHDX), Microsoft Input Method Editor (IME), Windows SSDP Service, Windows Kerberos, Windows Imaging Component, Windows SPNEGO Extended Negotiation, Windows Storage VSP Driver, Windows GDI, Windows Event Tracing, Universal Print Management Service, Windows Cred SSProvider Protocol, Azure Monitor Agent, Microsoft PC Manager, Microsoft Office, Windows MBT Transport driver, Windows Update Service, Windows SMB, Windows Virtualization-Based Security (VBS) Enclave, Microsoft MPEG-2 Video Extension, Windows Secure Kernel Mode, Microsoft Office Excel, Windows Remote Desktop Licensing Service, HID class driver, Windows Universal Plug and Play (UPnP) Device Host, Windows AppX Deployment Service, Windows Cryptographic Services, Windows TDX.sys, Windows Ancillary Function Driver for WinSock, Windows User-Mode Driver Framework Host, Workspace Broker, Windows Win32K – ICOMP, Kernel Streaming WOW Thunk Service Driver, Microsoft Brokering File System, Windows NTFS, Windows Shell, Windows Performance Recorder, Windows Media, Storage Port Driver, Microsoft Windows Search Component, Windows TCP/IP, Capability Access Management Service (camsvc), Microsoft Office Word, Microsoft Office SharePoint, Microsoft Office PowerPoint, Microsoft Edge (Chromium-based), Visual Studio Code – Python extension, Windows Netlogon, SQL Server, Windows Fast FAT Driver, Windows Print Spooler Components, Windows StateRepository API, Windows Notification, Windows Win32K – GRFX, Microsoft Windows QoS scheduler, Microsoft Teams, Microsoft Graphics Component, Windows KDC Proxy Service (KPSSVC), Visual Studio, Windows SmartScreen, Office Developer Platform, Windows Storage, AMD Store Queue, and AMD L1 Data Queue.

Microsoft July 2025 Patch Tuesday Mitigations

As the first part of our mitigant signature set, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and CVE-2025-47986.

For Microsoft Office vulnerabilities where the Preview Pane is an attack vector, our mitigants change the configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V.

Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set.

The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities & Patches’ webinar.

Qualys Monthly Webinar Series

The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.

During the webcast, we will discuss this month’s high-impact vulnerabilities, including those that are a part of this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.


Join the webinar

This Month in Vulnerabilities & Patches


