{"id":350079,"date":"2025-07-08T12:45:05","date_gmt":"2025-07-08T19:45:05","guid":{"rendered":"https:\/\/msftnewsnow.com\/?p=350079"},"modified":"2025-07-08T12:45:05","modified_gmt":"2025-07-08T19:45:05","slug":"july-2025-microsoft-patch-tuesday-vulnerabilities","status":"publish","type":"post","link":"https:\/\/msftnewsnow.com\/july-2025-microsoft-patch-tuesday-vulnerabilities\/","title":{"rendered":"July 2025 Microsoft Patch Tuesday: 137 Vulnerabilities Fixed, One Zero-Day in SQL Server, Critical Office and AMD Flaws"},"content":{"rendered":"

Microsoft has released its July 2025 Patch Tuesday security updates, addressing a sweeping total of 137 vulnerabilities<\/strong> across its product portfolio<\/a>. This month\u2019s Microsoft Patch Tuesday cycle is headlined by a publicly disclosed zero-day vulnerability in Microsoft SQL Server, alongside a host of critical flaws in Microsoft Office, SharePoint, and AMD processors.<\/p>\n

Microsoft Patch Tuesday <\/strong>July 2025 <\/strong>Highlights<\/strong><\/h2>\n

Total vulnerabilities fixed<\/strong>: 137
\nZero-days resolved<\/strong>: 1 (publicly disclosed)
\nCritical vulnerabilities<\/strong>:\u00a014 (including 10 remote code execution, 1 information disclosure, 2 AMD side channel attacks)
\nMajor products affected<\/strong>: SQL Server, Office, SharePoint, Windows, AMD CPUs<\/p>\n

Vulnerability Breakdown<\/strong><\/h3>\n\n\n\n\n\n\n\n\n\n\n
Category<\/th>\nNumber Fixed<\/th>\n<\/tr>\n<\/thead>\n
Elevation of Privilege<\/td>\n53<\/td>\n<\/tr>\n
Security Feature Bypass<\/td>\n8<\/td>\n<\/tr>\n
Remote Code Execution (RCE)<\/td>\n41<\/td>\n<\/tr>\n
Information Disclosure<\/td>\n18<\/td>\n<\/tr>\n
Denial of Service<\/td>\n6<\/td>\n<\/tr>\n
Spoofing<\/td>\n4<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Note<\/strong>: These counts do not include four Mariner and three Microsoft Edge issues patched earlier this month<\/a>.<\/p>\n

Zero-Day: Microsoft SQL Server Information Disclosure (CVE-2025-49719)<\/strong><\/h2>\n

The most urgent update this month is for a publicly disclosed zero-day in Microsoft SQL Server<\/a>. Tracked as CVE-2025-49719<\/a>, this vulnerability allows a remote, unauthenticated attacker to access data from uninitialized memory due to improper input validation. Exploiting this flaw could let attackers extract sensitive information over a network.<\/p>\n

\n “Improper input validation in SQL Server allows an unauthorized attacker to disclose information over a network,” Microsoft explains<\/a>.\n<\/p><\/blockquote>\n

Mitigation<\/strong><\/h3>\n

Admins are urged to install the latest version of Microsoft SQL Server and update the Microsoft OLE DB Driver to version 18 or 19. The flaw was discovered by Vladimir Aleksic of Microsoft<\/a>; further disclosure details remain undisclosed.<\/p>\n

Critical Microsoft Office and SharePoint Vulnerabilities<\/strong><\/h2>\n

While only one zero-day was addressed, Microsoft also patched numerous critical remote code execution (RCE) vulnerabilities in Microsoft Office. These flaws can be triggered simply by opening a malicious document or previewing it, making them especially dangerous for end users and enterprises.<\/p>\n

    \n
  1. Affected Products<\/strong>: Microsoft Office (Word, Excel, PowerPoint), SharePoint<\/li>\n
  2. Notable CVEs<\/strong>: CVE-2025-49697<\/a>, CVE-2025-49695<\/a>, CVE-2025-49696<\/a>, CVE-2025-49702<\/a>, CVE-2025-49703<\/a>, CVE-2025-49698<\/a>, CVE-2025-49704<\/a> (SharePoint), among others.<\/li>\n
  3. Attack Vector<\/strong>: Documents crafted to exploit these vulnerabilities can execute code with the user\u2019s privileges.<\/li>\n<\/ol>\n

    Important Note<\/strong>: Security updates for these Office flaws are not yet available<\/strong> for Microsoft Office LTSC for Mac 2021 and 2024. Microsoft states these updates will be released soon.<\/p>\n

    AMD Side Channel Attack Flaws<\/strong><\/h2>\n

    Two of this month\u2019s critical vulnerabilities relate to AMD side channel attacks<\/strong><\/a>. These are based on new research into transient scheduler attacks, which can potentially leak sensitive data from affected CPUs under specific microarchitectural conditions.<\/p>\n

    Mitigation<\/strong><\/h3>\n

    AMD and Microsoft recommend applying all available firmware and OS updates, and following secure coding and deployment best practices.<\/p>\n

    Other Notable Vulnerabilities<\/strong><\/h2>\n
      \n
    1. Remote Code Execution (RCE)<\/strong>: 41 vulnerabilities, including critical issues in Office, SharePoint, Hyper-V, and the Windows kernel.<\/li>\n
    2. Elevation of Privilege<\/strong>: 53 vulnerabilities, impacting components like the Windows kernel, drivers, and system services.<\/li>\n
    3. Information Disclosure<\/strong>: 18 vulnerabilities, including the SQL Server zero-day and flaws in Windows components.<\/li>\n
    4. Denial of Service & Spoofing<\/strong>: 10 vulnerabilities combined, affecting various Windows services and protocols.<\/li>\n<\/ol>\n

      Full List of Resolved CVEs<\/strong><\/h2>\n

      Microsoft published a comprehensive list of all 137 vulnerabilities<\/a> addressed in July 2025. Some of the most critical and widely impactful CVEs include:<\/p>\n