Patch Tuesday July 2025: No Active Exploitation of Zero-days Belies Importance of Addressing Wormable RCE Flaw

July’s Patch Tuesday marks a significant escalation in vulnerability severity, with Microsoft addressing 130 vulnerabilities, including a publicly disclosed zero-day vulnerability and a critical wormable remote code execution flaw that could soon be weaponized.
This month’s release breaks an 11-month streak of Microsoft addressing zero-day vulnerabilities that are Under Active Exploitation, yet system admins and patch teams should not let the absence of any detected exploitation of these vulnerabilities delay addressing them. Adding to the urgency, major vendors including Adobe, Cisco, and Google have released critical updates addressing Actively Exploited vulnerabilities, making this one of the most consequential Patch Tuesdays of 2025.
Microsoft Vulnerabilities
Microsoft’s July update addresses 140 vulnerabilities, including 10 republished CVEs, with 14 rated as critical severity. The patches span Windows Kernel, Remote Desktop Client, Microsoft Office, Windows BitLocker, and SQL Server, among the components affected by the notable vulnerabilities of the month. By impact, Remote Code Execution vulnerabilities accounted for 37%, Information Disclosure for 12%, and Escalation of Privilege for 38%.
The standout vulnerability this month is CVE-2025-47981, a heap-based buffer overflow in the Windows SPNEGO Extended Negotiation component. With a CVSS score of 9.8, this critical flaw allows remote, unauthenticated attackers to execute code simply by sending a malicious message to an affected system. Microsoft has rated this vulnerability with its highest exploitability index rating, which means they expect attacks within 30 days.
Given the nature of this vulnerability, it would be prudent to ensure that any affected systems are patched quickly. Microsoft’s additional mitigation guidance points out that “This vulnerability affects Windows client machines running Windows 10, version 1607 and above, due to the following GPO being enabled by default on these operating systems: ‘Network security: Allow PKU2U authentication requests to this computer to use online identities’”. This suggests that disabling this GPO setting could prevent exploitation of this vulnerability in the event that the Security Update must be deferred; however, deferment should be the exception, NOT the rule.
CVE-2025-49719, this month’s zero-day vulnerability, is a SQL Server flaw described as an improper input validation issue that could allow unauthenticated attackers to leak information over the network. While the security defect has not yet (at time of writing) been Actively Exploited as a zero-day, it was publicly disclosed before patches were released. The vulnerability affects all versions as far back as SQL Server 2016 and requires organizations to update the Microsoft OLE DB Driver for SQL Server to version 18.7 or later.
Microsoft Office received its share of critical patches this month, with four Critical-rated Office bugs, all of which have the Preview Pane listed as an attack vector. CVE-2025-49695 and CVE-2025-49696 are particularly concerning as they are rated 8.4 and could allow an attacker to achieve remote code execution without user interaction. This continues a pattern of multiple vulnerabilities this year involving the Preview Pane as a vector. An additional note on these CVEs: the security update for Microsoft Office LTSC for Mac 2021 and 2024 will be released at a later date.
Multiple BitLocker Security Feature Bypass vulnerabilities were also addressed, including CVE-2025-48804, CVE-2025-48800, and CVE-2025-48818. These vulnerabilities allow an unauthorized attacker to bypass a security feature with a physical attack, potentially compromising encrypted data on affected systems.
Other Vendor Vulnerabilities
Adobe
Adobe’s July release addressed 60 unique CVEs across multiple products. The most critical update is for ColdFusion, which is the only update listed as Priority 1, and addresses 13 CVEs, five of which are rated Critical. Organizations still running ColdFusion should prioritize migration to more modern platforms given the recurring critical vulnerabilities.
Cisco
Cisco released emergency patches for CVE-2025-20309, a maximum severity vulnerability (CVSS 10.0) in Unified Communications Manager. The flaw stems from hard-coded root SSH credentials that cannot be changed or removed. An attacker with network access could log in as root and execute arbitrary commands with full system privileges. The vulnerability affects Cisco Unified CM and Unified CM SME ES version 15.0.1.13010-1 through 15.0.1.13017-1, and Cisco strongly advises all users of Unified CM and Unified CM SME to apply the latest updates without delay.
Google Chrome
Google patched its fourth zero-day vulnerability of 2025 with CVE-2025-6554, a type confusion flaw in the V8 JavaScript and WebAssembly engine. The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group on June 25, 2025, and Google confirmed in their security update that an exploit for CVE-2025-6554 exists in the wild. Users should update to versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog with a due date of July 23, 2025.
Critical Infrastructure Under Attack
While not part of this month’s Patch Tuesday releases, two critical vulnerability sets continue to pose immediate threats.
Linux Sudo vulnerabilities CVE-2025-32463 (CVSS 9.3) and CVE-2025-32462, patched in late June, remain a concern as many Linux distros have yet to supply fixes. The Sudo flaws allow local privilege escalation to root, with CVE-2025-32462 having existed undetected for over 12 years.
Similarly, Citrix NetScaler’s CVE-2025-5777, known as CitrixBleed 2 and patched on June 17, continues to see Active Exploitation, with evidence that exploitation began earlier than originally thought. Security researcher Kevin Beaumont reports ongoing attacks since mid-June, with threat actors dumping memory and hijacking sessions. Organizations should urgently check for indicators of compromise, including repeated POST requests to doAuthentication in NetScaler logs, as a proof of concept for the vulnerability was released in early July.
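One way to hunt for the indicator named above, written for this post (not N-able’s or Citrix’s tooling): the sample log lines are constructed in a generic “timestamp client method path status” layout, so the regex must be adapted to the field order of your own NetScaler Gateway logs, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real NetScaler output) in a generic layout:
# "<ISO timestamp> <client> <method> <path> <status>". Adapt LOG_RE to your log format.
SAMPLE_LOG = """\
2025-07-06T10:01:02Z 203.0.113.5 POST /p/u/doAuthentication.do 200
2025-07-06T10:01:03Z 203.0.113.5 POST /p/u/doAuthentication.do 200
2025-07-06T10:01:04Z 203.0.113.5 POST /p/u/doAuthentication.do 200
2025-07-06T10:01:05Z 203.0.113.5 POST /p/u/doAuthentication.do 200
2025-07-06T10:01:06Z 203.0.113.5 POST /p/u/doAuthentication.do 200
2025-07-06T10:02:00Z 198.51.100.7 GET /vpn/index.html 200
2025-07-06T10:02:01Z 198.51.100.7 POST /p/u/doAuthentication.do 200
2025-07-06T10:02:30Z 198.51.100.7 GET /vpn/index.html 200
2025-07-06T10:30:00Z 203.0.113.5 POST /p/u/doAuthentication.do 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def doauth_posts_by_source(log_text):
    """Timestamps of POST requests to doAuthentication, grouped by client address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or "doAuthentication" not in m["path"]:
            continue
        hits[m["src"]].append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    return hits


def flag_repeated_doauth(log_text, threshold=5, window=timedelta(minutes=5)):
    """Clients with at least `threshold` doAuthentication POSTs inside any `window`.

    A single legitimate login is one POST; a tight burst from one client is the
    pattern worth reviewing. Returns {client: hits in its densest window}.
    """
    flagged = {}
    for src, times in doauth_posts_by_source(log_text).items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(flag_repeated_doauth(SAMPLE_LOG))  # {'203.0.113.5': 5}
```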
Vulnerability Prioritization
Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying solely on severity ratings can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability: the time from initial vulnerability discovery to the availability and application of the patch. This is essential, as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.
For July 2025’s vulnerabilities, temporal factors dramatically reshape traditional prioritization models. Consider CVE-2025-47981, the Windows SPNEGO vulnerability: while its CVSS 9.8 score signals criticality, Microsoft’s assessment that exploitation is expected within 30 days creates an accelerated temporal window that demands immediate action. Similarly, CVE-2025-6554 in Chrome carries additional temporal weight as Google TAG’s discovery suggests sophisticated threat actors already possess working exploits.
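A worked example of the risk-based ranking this section argues for, written for this post (not N-able’s code or tooling): each entry is scored from the severity and exploitability codes used in the table key below, plus the temporal factors discussed above (public disclosure, a public proof of concept, and days since the fix shipped). The weights, and any severity, status or date marked “assumed” in the comments, are my own assumptions rather than values stated on the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Weights keyed by the table key's codes (assumed values, not Microsoft's scoring).
SEVERITY_WEIGHT = {"C": 4.0, "I": 3.0, "M": 2.0}
STATUS_WEIGHT = {"ED": 3.0, "EML": 2.0, "ELL": 1.0, "EU": 0.5, "N/A": 1.0}
WINDOW_CAP_DAYS = 30  # the temporal term saturates after a month unpatched


@dataclass
class Vuln:
    cve: str
    severity: str                 # C / I / M from the table key
    status: str                   # ED / EML / ELL / EU / N/A from the table key
    patch_available: date         # when the vendor fix shipped
    cvss: Optional[float] = None  # None where the post gives no score
    publicly_disclosed: bool = False
    poc_public: bool = False


def risk_score(v: Vuln, as_of: date) -> float:
    """Severity x exploitation likelihood, then temporal adjustments."""
    base = SEVERITY_WEIGHT.get(v.severity, 1.0) * STATUS_WEIGHT.get(v.status, 1.0)
    cvss_term = (v.cvss or 0.0) / 10.0
    disclosure_term = 1.5 if v.publicly_disclosed else 0.0
    poc_term = 1.5 if v.poc_public else 0.0
    days_open = max(0, (as_of - v.patch_available).days)   # window of vulnerability
    window_term = min(days_open, WINDOW_CAP_DAYS) / WINDOW_CAP_DAYS * 2.0
    return base + cvss_term + disclosure_term + poc_term + window_term


def prioritize(vulns, as_of):
    """CVE ids ordered from most to least urgent."""
    return [v.cve for v in sorted(vulns, key=lambda v: risk_score(v, as_of), reverse=True)]


# Entries built from this post; fields commented "assumed" are not stated on the page.
JULY_2025 = [
    Vuln("CVE-2025-47981", "C", "EML", date(2025, 7, 8), cvss=9.8),
    Vuln("CVE-2025-49719", "I", "EML", date(2025, 7, 8), publicly_disclosed=True),  # status assumed
    Vuln("CVE-2025-6554", "I", "ED", date(2025, 7, 1)),                     # severity, date assumed
    Vuln("CVE-2025-5777", "C", "ED", date(2025, 6, 17), poc_public=True),   # severity assumed
    Vuln("CVE-2025-32463", "C", "N/A", date(2025, 6, 30), cvss=9.3),        # severity, date assumed
]

if __name__ == "__main__":
    for cve in prioritize(JULY_2025, date(2025, 7, 8)):
        print(cve, round(risk_score(next(v for v in JULY_2025 if v.cve == cve), date(2025, 7, 8)), 2))
```

Exploited-in-the-wild flaws with a public PoC and weeks of exposure rise above a not-yet-exploited CVSS 9.8, which is the reordering the temporal view produces.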
Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available
CVE Number | CVE Title | Severity | Status
 | BitLocker Security Feature Bypass Vulnerability | I | EML
 | BitLocker Security Feature Bypass Vulnerability | I | EML
 | Microsoft Office Remote Code Execution Vulnerability | C | EML
 | BitLocker Security Feature Bypass Vulnerability | I | EML
 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability | C | EML
 | Windows Kerberos Denial of Service Vulnerability | I | EML
 | BitLocker Security Feature Bypass Vulnerability | I | EML
 | Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability | I | EML
 | Microsoft Office Remote Code Execution Vulnerability | C | EML
 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability | C | EML
 | Win32k Elevation of Privilege Vulnerability | I | EML
 | Windows Update Service Elevation of Privilege Vulnerability | I | EML
 | Windows Graphics Component Elevation of Privilege Vulnerability | I | EML
 | Microsoft SQL Server Information Disclosure Vulnerability | I | EML
 | Microsoft SharePoint Remote Code Execution Vulnerability | C | EML
 | Microsoft SharePoint Remote Code Execution Vulnerability | I | EML
 | Windows Connected Devices Platform Service Remote Code Execution Vulnerability | I | EML
 | Windows Hyper-V Discrete Device Assignment (DDA) Remote Code Execution Vulnerability | C | ELL
 | Microsoft Office Remote Code Execution Vulnerability | C | ELL
 | Windows Imaging Component Information Disclosure Vulnerability | C | ELL
 | AMD: CVE-2024-36350 Transient Scheduler Attack in Store Queue | C | ELL
 | AMD: CVE-2025-36357 Transient Scheduler Attack in L1 Data Queue | C | ELL
 | Microsoft SQL Server Remote Code Execution Vulnerability | C | EU
 | Microsoft SQL Server Information Disclosure Vulnerability | I | ELL
 | Microsoft Word Remote Code Execution Vulnerability | C | ELL
 | Microsoft Word Remote Code Execution Vulnerability | C | ELL
 | Microsoft Office Remote Code Execution Vulnerability | C | ELL
Summary
As organizations look to strengthen their cyber resilience, they should integrate third-party patching priorities into their existing patch management routines, ensuring that traditionally Microsoft-focused processes expand to address the multi-vendor threat landscape that characterizes modern environments. The convergence of Actively Exploited vulnerabilities across multiple platforms underscores the importance of comprehensive, risk-based patch management strategies that extend beyond severity ratings to encompass real-world exploitation patterns and business-critical system exposure.
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If your approach has typically centered around patching based on severity alone, it’s crucial to expand your patch management strategies. Integrate priority handling into your Patch Management routines for patches related to zero-day vulnerabilities, vulnerabilities with Detected Exploitations, and those with a higher likelihood of exploitation. The convergence of Actively Exploited vulnerabilities across multiple vendors underscores the need for comprehensive, risk-based approaches that extend beyond traditional Microsoft-focused patch management to address the multi-vendor reality of modern business networks.
If you are looking for more blogs on patching, or for previous Microsoft Patch Tuesday Reviews, check out the Patch Management section of our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.
The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, are registered, or are pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.