Microsoft has released a massive security update this July, patching 130 vulnerabilities across its products and platforms. Among the flaws fixed are several high-risk ones, including a critical remote code execution vulnerability in SPNEGO and a publicly known information leak in SQL Server.
This marks the first Patch Tuesday of 2025 without any actively exploited zero-day vulnerabilities. However, experts are still advising organizations to patch as soon as possible due to the severity of some of the bugs.
Key vulnerabilities to watch out for
Of the 130 flaws fixed, 10 are critical, and the rest are important. The most dangerous is a remote code execution flaw in the SPNEGO Extended Negotiation (NEGOEX) protocol, tracked as CVE-2025-47981 and rated 9.8 out of 10 on the CVSS severity scale.
Microsoft said the bug, caused by a heap-based buffer overflow, allows attackers to execute code over the network without authentication. The company warned that exploitation is “more likely,” and since the vulnerability is wormable, some experts believe it could be self-propagating like past malware outbreaks.
The vulnerability impacts Windows client computers running Windows 10 version 1607 and later, and security experts advise applying a patch as soon as possible. It’s tied to a default Group Policy setting that enables PKU2U authentication using online identities.
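An added example, not from the article: a PowerShell audit that reports the PKU2U online-identity policy value on a Windows host (the setting the article ties to CVE-2025-47981) and lists updates installed on or after the July 2025 Patch Tuesday. It assumes the registry location Microsoft documents for the policy "Network security: Allow PKU2U authentication requests to this computer to use online identities"; the date cutoff is only a rough indicator, not a check for a specific KB.

```powershell
# Added example (not from the article). Audits the local host for the two
# things a defender would want to know after reading about CVE-2025-47981:
# the PKU2U online-identity policy state and whether July 2025 updates landed.
function Get-Pku2uPatchPosture {
    [CmdletBinding()]
    param(
        # July 2025 Patch Tuesday; updates installed on/after this date are listed.
        [datetime]$PatchTuesday = [datetime]'2025-07-08'
    )

    # Registry location backing the Group Policy setting (assumed standard path).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $name = 'AllowOnlineID'

    $value = $null
    if (Test-Path $key) {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    }

    # Report the raw state; a missing value means "Not Configured" and should be
    # reviewed rather than assumed safe.
    $state = switch ($value) {
        $null   { 'NotConfigured' }
        0       { 'Disabled' }
        default { 'Enabled' }
    }

    # Rough patch indicator: any hotfix installed on or after Patch Tuesday.
    $recent = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
        Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSVersion           = [System.Environment]::OSVersion.Version.ToString()
        Pku2uOnlineIdPolicy = $state
        UpdatesSincePatchTuesday = if ($recent) { $recent -join ', ' } else { 'none found' }
        Action = if ($state -eq 'Disabled') { 'Apply July 2025 update' }
                 else { 'Apply July 2025 update; review whether online-identity PKU2U is needed' }
    }
}

Get-Pku2uPatchPosture | Format-List
```

Run it in an elevated session so Get-HotFix and the Lsa key are readable; on a host where the policy is deployed through domain GPO, confirm the result against the policy report rather than the registry alone.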
SQL Server flaw could leak sensitive data
Also notable is CVE-2025-49719, an information disclosure bug in Microsoft SQL Server that was publicly known before the patch. Although it has a lower severity score of 7.5, experts warn that it could pose significant risks.
The flaw is due to uninitialized memory handling and allows attackers to extract leftover data, including sensitive items like cryptographic keys or credentials. This impacts the SQL Server engine and applications using OLE DB drivers. Analysts said attackers could use trial and error to pull valuable fragments of memory, making data leaks possible.
Microsoft confirmed the flaw was not exploited in the wild, but since it was publicly known, it’s more urgent to patch.
Other high-risk issues and product retirement
The update also includes patches for remote code execution bugs in Windows KDC Proxy Service (CVE-2025-49735), Hyper-V (CVE-2025-48822), and Microsoft Office (CVE-2025-49695 to 49697). Some of these flaws could allow attackers to compromise systems over the network without user interaction.
BitLocker, Microsoft’s disk encryption feature, got five fixes for bypass bugs. These flaws could allow attackers with physical access to a device to access encrypted data if certain recovery environments are loaded incorrectly.
The BitLocker issues were identified by Microsoft's own offensive security team, a reminder that internal testing and review are crucial.
Finally, Microsoft announced that support for SQL Server 2012 ended on July 8, 2025. If you are still using this version, you will no longer receive security updates, and your systems will be exposed if not upgraded.
Patching is the best defense
Despite the absence of zero-days this month, security experts say the sheer volume and severity of the patches mean you need to act fast. Remote code execution vulnerabilities are the top concern for defenders, especially when they require little to no user interaction to exploit.
You should review the full list of vulnerabilities, patch critical and internet-facing systems, and consider retiring unsupported software to stay secure.