Microsoft fixes 130 bugs, 12 critical, in July Patch Tuesday release


Microsoft has posted one of its heaviest Patch Tuesday security patches in recent memory with a whopping 130 individual bug fixes.

The Redmond, Washington-based software giant said that the July edition of its monthly update program includes patches for 12 vulnerabilities rated by Microsoft as "critical" security risks. Nearly all of the remainder were deemed "important" level risks, save for one flaw deemed to be a "high" level bug.

Thankfully, none of the serious flaws were found to be exploited in the wild, though one bug (CVE-2025-49719) was disclosed to the public prior to the patch announcement. The lone high-risk bug (CVE-2025-6554) is believed to be under active exploitation, though the flaw is in the Chromium engine rather than Microsoft’s own code.

According to experts, when it comes to testing and deploying patches, the top priorities for administrators should include CVE-2025-49717. That remote code execution bug, traced back to a buffer overflow error in SQL Server, could allow an attacker to target a client application with exploit code and potentially achieve remote code execution on the host machine.

“Servicing this will not be easy,” explained Dustin Childs, head of research with the Trend Micro Zero Day Initiative.

“If you are running your own application (or an affected third-party app) on an affected system, you will need to update your application to use Microsoft OLE DB Driver 18 or 19.”

Childs also noted a SharePoint flaw allowing for remote code execution (CVE-2025-49704) and a flaw in Office (CVE-2025-49695), which allows code execution through the Preview Pane, as patches that should take priority for administrators.

Other notable fixes this month include a critical vulnerability in the Windows SPNEGO security component which allows for remote code execution (CVE-2025-47981) and a remote code vulnerability in Hyper-V (CVE-2025-48822).

Also included in this month’s update are fixes for five different security bypass vulnerabilities in the BitLocker platform. Those include CVE-2025-48001, CVE-2025-48003, CVE-2025-48800, CVE-2025-48804 and CVE-2025-48818.

Experts noted that July has traditionally been a busy month for Microsoft when it comes to issuing security fixes. Dating back to 2023, Microsoft has had to issue more than 125 bug fixes in its July update.

There is, however, some good news. Satnam Narang, senior staff research engineer with Tenable Research, noted that this is the first time in nearly a year that Microsoft has been able to issue a release that did not include fixes for a zero-day flaw in its own code.

In a statement to SC Media, Narang also highlighted the SQL Server bug as a top priority for administrators to address.

“While there were a few Microsoft SQL Server vulnerabilities patched this month, CVE-2025-49719, an information disclosure bug in SQL Server, was disclosed publicly prior to being patched,” Narang noted.

“Despite its public disclosure, it is less likely to be exploited by an attacker.”
