Microsoft is addressing 137 vulnerabilities this July 2025 Patch Tuesday, which is above average. Microsoft is aware of public disclosure for just one of the vulnerabilities published today, and Microsoft isn’t aware of in-the-wild exploitation for any of today’s batch. This is the tenth consecutive month with no Patch Tuesday zero-day vulnerabilities evaluated as critical severity at time of publication. Today also sees the publication of 11 critical remote code execution (RCE) vulnerabilities. Three browser vulnerabilities have already been published separately this month, and are not included in the total.
SQL Server: zero-day info disclosure
It has been a quiet few months on the SQL Server front, but today Microsoft has published CVE-2025-49719, a publicly disclosed information disclosure vulnerability, with all versions as far back as SQL Server 2016 receiving patches. Microsoft ranks this vulnerability as important, but not critical. Older versions of SQL Server with remaining Extended Security Update (ESU) program viability are not listed as receiving patches; instead, the advisory rather bluntly tells us that assets running SQL Server where the version number is not represented in the table on the advisory means that SQL Server version is no longer supported. ESU updates are released only for vulnerabilities which Microsoft deems to be critical severity, so ESU subscribers must now be hoping that today’s SQL Server zero-day vulnerability was first introduced in the SQL Server 2016 codebase.
It’s somewhat noteworthy that Microsoft has marked CVE-2025-49719 as publicly disclosed, since the advisory credits a Microsoft researcher with reporting the vulnerability, so Microsoft must be aware of other public information about this exploit. As is tradition for SQL Server security advisories, the lengthy FAQ on the advisory is mostly concerned with helping administrators sort through the dizzying array of SQL Server variants, feature packs, GDR vs. CU, etc., etc., and it thoughtfully avoids overburdening the reader with insights into the nature of the vulnerability itself. We do learn that “the type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory”; an attacker might well learn nothing of any value, but with luck, persistence, or some very crafty massaging of the exploit, the prize could be cryptographic key material or other crown jewels from the SQL Server.
Windows NEGOX: critical RCE
Any vulnerability with a CVSSv3 base score of 9.8 is worth a look, so let’s consider CVE-2025-47981, which is a remote code execution vulnerability in the way Windows servers and clients negotiate to discover mutually supported authentication mechanisms. The optimistically named Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) is a generic capability defined in RFC-4178; SPNEGO is implemented in Windows alongside a significant Microsoft-specific extension of its capabilities called NEGOX; the flaw is in NEGOX, and the advisory FAQ sets out that the vulnerability affects any Windows client machine running Windows 10 1607 or above. Patches are also available for all current versions of Windows Server, although Windows Server assets might not be immediately exploitable, since the “Network security: Allow PKU2U authentication requests to this computer to use online identities” GPO is typically only enabled on Windows client assets. Domain-joined client assets might also possess a similar mitigation, since the relevant GPO is typically disabled in that context. Nevertheless, patching is surely advisable for all Windows assets, since this is a pre-authentication remote code execution, and presumably in a privileged context. Unsurprisingly, Microsoft considers exploitation more likely.
KPSSVC: critical RCE
Anyone who has been responsible for securing a Windows KDC Proxy server for more than a month can rely on their past experience today when addressing CVE-2025-49735, since this unauthenticated critical RCE appears to be very similar to last month’s CVE-2025-33071.
SharePoint: critical RCE
SharePoint admins will be familiar with a certain class of vulnerability where an attacker with some level of existing SharePoint privilege can overstep a security boundary and remotely execute code on the SharePoint server itself. Today’s edition is CVE-2025-49704, which has some unusual characteristics: the FAQ claims that there is no requirement for elevated privileges, but also claims that the minimum privilege level required for exploitation is Site Owner. There’s probably a good explanation for this apparent discrepancy, but since attack complexity is low, it’s best to patch first and ask questions later.
Microsoft lifecycle update
In Microsoft product lifecycle news, today is the end of the road for SQL Server 2012, since the ESU program is now completed, meaning that there will be no future security patches even for critical vulnerabilities, and even if you’re willing to pay for the privilege; although Microsoft does occasionally release free updates for obsolete products for the most serious vulnerabilities, that’s not a reliable foundation for a security program. The Visual Studio 2022 17.8 LTSC channel also draws to a close, although newer LTSC versions of Visual Studio 2022 remain available.
Missing advisories
At time of writing, Microsoft appears to have unpublished all security advisories which it initially published during June 2025; this is surely inadvertent, and those advisories will presumably be restored shortly.
Summary charts
Summary tables
Apps vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-49738 | Microsoft PC Manager Elevation of Privilege Vulnerability | No | No | 7.8 |
Azure vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-47988 | Azure Monitor Agent Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2025-21195 | Azure Service Fabric Runtime Elevation of Privilege Vulnerability | No | No | 6 |
Browser vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-49713 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49741 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | No | No | 7.4 |
| CVE-2025-6554 | Chromium: CVE-2025-6554 Type Confusion in V8 | No | No | N/A |
Developer Tools vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-49739 | Visual Studio Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2025-49714 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-48386 | MITRE: CVE-2025-48386 Git Credential Helper Vulnerability | No | No | N/A |
| CVE-2025-48385 | MITRE: CVE-2025-48385 Git Protocol Injection Vulnerability | No | No | N/A |
| CVE-2025-48384 | MITRE: CVE-2025-48384 Git Symlink Vulnerability | No | No | N/A |
| CVE-2025-46835 | MITRE: CVE-2025-46835 Git File Overwrite Vulnerability | No | No | N/A |
| CVE-2025-46334 | MITRE: CVE-2025-46334 Git Malicious Shell Vulnerability | No | No | N/A |
| CVE-2025-27614 | MITRE: CVE-2025-27614 Gitk Arbitrary Code Execution Vulnerability | No | No | N/A |
| CVE-2025-27613 | MITRE: CVE-2025-27613 Gitk Arguments Vulnerability | No | No | N/A |
ESU Windows vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-47981 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2025-48824 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49657 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49670 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49672 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49674 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49676 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49688 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49753 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-47998 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49663 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49668 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49669 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49673 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49729 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49687 | Windows Input Method Editor (IME) Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2025-47986 | Universal Print Management Service Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2025-48817 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49735 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2025-49665 | Workspace Broker Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49667 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49659 | Windows Transport Driver Interface (TDI) Translation Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49686 | Windows TCP/IP Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-47976 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-48815 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49679 | Windows Shell Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-47996 | Windows MBT Transport Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49742 | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-49732 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49721 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-47985 | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49660 | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49661 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49730 | Microsoft Windows QoS Scheduler Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49683 | Microsoft Virtual Hard Disk Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-47971 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49689 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-47973 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-48805 | Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-48806 | Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-49675 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-48816 | HID Class Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-47987 | Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-47984 | Windows GDI Information Disclosure Vulnerability | No | No | 7.5 |
| CVE-2025-48814 | Remote Desktop Licensing Service Security Feature Bypass Vulnerability | No | No | 7.5 |
| CVE-2025-48819 | Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2025-48821 | Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2025-47975 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2025-49727 | Win32k Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2025-49678 | NTFS Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2025-48001 | BitLocker Security Feature Bypass Vulnerability | No | No | 6.8 |
| CVE-2025-48804 | BitLocker Security Feature Bypass Vulnerability | No | No | 6.8 |
| CVE-2025-49671 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2025-49681 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2025-47980 | Windows Imaging Component Information Disclosure Vulnerability | No | No | 6.2 |
| CVE-2025-49716 | Windows Netlogon Denial of Service Vulnerability | No | No | 5.9 |
| CVE-2025-49722 | Windows Print Spooler Denial of Service Vulnerability | No | No | 5.7 |
| CVE-2025-49664 | Windows User-Mode Driver Framework Host Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2025-49658 | Windows Transport Driver Interface (TDI) Translation Driver Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2025-49684 | Windows Storage Port Driver Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2025-48808 | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 |
Microsoft Office vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-49704 | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49701 | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-49695 | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4 |
| CVE-2025-49696 | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4 |
| CVE-2025-49697 | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4 |
| CVE-2025-49703 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-49698 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-49700 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-49705 | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-49702 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-47994 | Microsoft Office Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49711 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-49737 | Microsoft Teams Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2025-49699 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7 |
| CVE-2025-49706 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 6.3 |
| CVE-2025-48812 | Microsoft Excel Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2025-49756 | Office Developer Platform Security Feature Bypass Vulnerability | No | No | 3.3 |
| CVE-2025-49731 | Microsoft Teams Elevation of Privilege Vulnerability | No | No | 3.1 |
SQL Server vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-49717 | Microsoft SQL Server Remote Code Execution Vulnerability | No | No | 8.5 |
| CVE-2025-49719 | Microsoft SQL Server Information Disclosure Vulnerability | No | Yes | 7.5 |
| CVE-2025-49718 | Microsoft SQL Server Information Disclosure Vulnerability | No | No | 7.5 |
System Center vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-47178 | Microsoft Configuration Manager Remote Code Execution Vulnerability | No | No | 8 |
Windows vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-49723 | Windows StateRepository API Server file Tampering Vulnerability | No | No | 8.8 |
| CVE-2025-49740 | Windows SmartScreen Security Feature Bypass Vulnerability | No | No | 8.8 |
| CVE-2025-49724 | Windows Connected Devices Platform Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-48822 | Windows Hyper-V Discrete Device Assignment (DDA) Remote Code Execution Vulnerability | No | No | 8.6 |
| CVE-2025-33054 | Remote Desktop Spoofing Vulnerability | No | No | 8.1 |
| CVE-2025-49691 | Windows Miracast Wireless Display Remote Code Execution Vulnerability | No | No | 8 |
| CVE-2025-47972 | Windows Input Method Editor (IME) Elevation of Privilege Vulnerability | No | No | 8 |
| CVE-2025-47159 | Windows Virtualization-Based Security (VBS) Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-48799 | Windows Update Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-47982 | Windows Storage VSP Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49726 | Windows Notification Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49725 | Windows Notification Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-47991 | Windows Input Method Editor (IME) Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-48000 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-48820 | Windows AppX Deployment Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49733 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-47993 | Microsoft PC Manager Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49694 | Microsoft Brokering File System Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49693 | Microsoft Brokering File System Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-49690 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability | No | No | 7.4 |
| CVE-2025-49680 | Windows Performance Recorder (WPR) Denial of Service Vulnerability | No | No | 7.3 |
| CVE-2025-49682 | Windows Media Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-49666 | Windows Server Setup and Boot Event Collection Remote Code Execution Vulnerability | No | No | 7.2 |
| CVE-2025-49685 | Windows Search Service Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2025-49744 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2025-49677 | Microsoft Brokering File System Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2025-47999 | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.8 |
| CVE-2025-48003 | BitLocker Security Feature Bypass Vulnerability | No | No | 6.8 |
| CVE-2025-48800 | BitLocker Security Feature Bypass Vulnerability | No | No | 6.8 |
| CVE-2025-48818 | BitLocker Security Feature Bypass Vulnerability | No | No | 6.8 |
| CVE-2025-48811 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability | No | No | 6.7 |
| CVE-2025-48803 | Windows Virtualization-Based Security (VBS) Elevation of Privilege Vulnerability | No | No | 6.7 |
| CVE-2025-48802 | Windows SMB Server Spoofing Vulnerability | No | No | 6.5 |
| CVE-2025-47978 | Windows Kerberos Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2025-48823 | Windows Cryptographic Services Information Disclosure Vulnerability | No | No | 5.9 |
| CVE-2025-48002 | Windows Hyper-V Information Disclosure Vulnerability | No | No | 5.7 |
| CVE-2025-36357 | AMD: CVE-2025-36357 Transient Scheduler Attack in L1 Data Queue | No | No | 5.6 |
| CVE-2025-36350 | AMD: CVE-2024-36350 Transient Scheduler Attack in Store Queue | No | No | 5.6 |
| CVE-2025-48809 | Windows Secure Kernel Mode Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2025-48810 | Windows Secure Kernel Mode Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2025-26636 | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2025-49760 | Windows Storage Spoofing Vulnerability | No | No | 3.5 |