07/08/2025 | News release | Distributed by Public on 07/08/2025 12:59
With cybersecurity threats continuing to evolve, Microsoft's July 2025 Patch Tuesday highlights the need for consistent patching: this month's release includes key fixes for actively exploited vulnerabilities. Here's a quick breakdown of what you need to know.
Microsoft Patch Tuesday for July 2025
In the July 2025 edition of Patch Tuesday, Microsoft addressed 140 vulnerabilities. The updates include 14 critical and 115 important severity vulnerabilities. Microsoft has also addressed one zero-day vulnerability that has been publicly disclosed.
Microsoft has addressed three vulnerabilities in Microsoft Edge (Chromium-based) in this month's updates.
Microsoft Patch Tuesday, July edition includes updates for vulnerabilities in Windows Kernel, Remote Desktop Client, Windows Visual Basic Scripting, Microsoft Intune, Windows Routing and Remote Access Service (RRAS), Windows Hyper-V, Windows Connected Devices Platform Service, Windows BitLocker, and more.
Microsoft has fixed several types of flaws across multiple products, including Spoofing, Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, and Remote Code Execution (RCE).
The July 2025 Microsoft vulnerabilities are classified as follows:
Zero-day Vulnerability Patched in July Patch Tuesday Edition
Microsoft SQL Server is a powerful and popular relational database management system (RDBMS). It is used to store and retrieve data requested by other software applications.
An improper input validation flaw in SQL Server could allow an unauthenticated attacker to disclose information over a network.
Critical Severity Vulnerabilities Patched in July Patch Tuesday Edition
The vulnerability assigned to this CVE is in certain processor models offered by AMD. The mitigation for this vulnerability requires a Windows update.
Refer to AMD-SB-7029 for more information.
A heap-based buffer overflow flaw in SQL Server may allow an authenticated attacker to achieve remote code execution.
The KDC (Key Distribution Center) Proxy service in Windows allows clients to authenticate to an Active Directory domain when they don't have direct network access to a Domain Controller, typically for remote access scenarios like Azure Virtual Desktop. It acts as a relay for Kerberos authentication traffic, encapsulating Kerberos messages within HTTPS requests sent over the internet.
A use-after-free flaw in Windows KDC Proxy Service (KPSSVC) could allow an unauthenticated attacker to achieve remote code execution.
The Windows Imaging Component (WIC) is a Microsoft technology that provides a framework for working with digital images and image metadata in Windows applications.
A flaw in the Windows Imaging Component that exposes sensitive information to an unauthenticated attacker could allow that attacker to disclose information locally. Upon successful exploitation, an attacker could read small portions of heap memory.
SPNEGO is an Internet standard for a client and server to negotiate which Generic Security Service Application Program Interface (GSSAPI) technology will be used for authentication.
A heap-based buffer overflow flaw in Windows SPNEGO Extended Negotiation may allow an unauthenticated attacker to achieve remote code execution. An attacker could exploit this vulnerability by sending a malicious message to the server.
Hyper-V Discrete Device Assignment (DDA), also known as PCI passthrough, allows you to give a virtual machine (VM) direct access to a physical PCI Express (PCIe) device on the host machine. This enables the VM to utilize the device at near-native performance, bypassing the hypervisor's virtualization layer.
An out-of-bounds read flaw in Windows Hyper-V could allow an unauthenticated attacker to achieve remote code execution.
The use-after-free vulnerability in Microsoft Office may allow an unauthenticated attacker to achieve remote code execution.
An out-of-bounds read flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.
The heap-based buffer overflow flaw in Microsoft Office may allow an unauthenticated attacker to achieve remote code execution.
The use-after-free vulnerability in Microsoft Office Word may allow an unauthenticated attacker to achieve remote code execution.
A type confusion flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.
A code injection flaw in Microsoft Office SharePoint could allow an authenticated attacker to execute code over a network.
Other Microsoft Vulnerability Highlights
Microsoft Release Summary
This month's release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Service Fabric, Virtual Hard Disk (VHDX), Microsoft Input Method Editor (IME), Windows SSDP Service, Windows Kerberos, Windows Imaging Component, Windows SPNEGO Extended Negotiation, Windows Storage VSP Driver, Windows GDI, Windows Event Tracing, Universal Print Management Service, Windows Cred SSProvider Protocol, Azure Monitor Agent, Microsoft PC Manager, Microsoft Office, Windows MBT Transport driver, Windows Update Service, Windows SMB, Windows Virtualization-Based Security (VBS) Enclave, Microsoft MPEG-2 Video Extension, Windows Secure Kernel Mode, Microsoft Office Excel, Windows Remote Desktop Licensing Service, HID class driver, Windows Universal Plug and Play (UPnP) Device Host, Windows AppX Deployment Service, Windows Cryptographic Services, Windows TDX.sys, Windows Ancillary Function Driver for WinSock, Windows User-Mode Driver Framework Host, Workspace Broker, Windows Win32K - ICOMP, Kernel Streaming WOW Thunk Service Driver, Microsoft Brokering File System, Windows NTFS, Windows Shell, Windows Performance Recorder, Windows Media, Storage Port Driver, Microsoft Windows Search Component, Windows TCP/IP, Capability Access Management Service (camsvc), Microsoft Office Word, Microsoft Office SharePoint, Microsoft Office PowerPoint, Microsoft Edge (Chromium-based), Visual Studio Code - Python extension, Windows Netlogon, SQL Server, Windows Fast FAT Driver, Windows Print Spooler Components, Windows StateRepository API, Windows Notification, Windows Win32K - GRFX, Microsoft Windows QoS scheduler, Microsoft Teams, Microsoft Graphics Component, Windows KDC Proxy Service (KPSSVC), Visual Studio, Windows SmartScreen, Office Developer Platform, Windows Storage, AMD Store Queue, and AMD L1 Data Queue.
Microsoft July 2025 Patch Tuesday Mitigations
In this first set of our mitigant signatures, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and CVE-2025-47986.
For Microsoft Office vulnerabilities where the Preview Pane is an attack vector, our mitigants change the configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V.
Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set.
The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the 'This Month in Vulnerabilities & Patches' webinar.
Qualys Monthly Webinar Series
The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.
During the webcast, we will discuss this month's high-impact vulnerabilities, including those that are a part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.