Microsoft Plug 140 Vulnerabilities in July Patch Tuesday; SQL Server Zero-Day Disclosed
Summary : July Patch Tuesday
The July 2025 Patch Tuesday addresses a publicly disclosed zero-day vulnerability CVE-2025-49719 in Microsoft SQL Server.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-07-08 |
| No. of Patches | 140 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Microsoft has released security updates addressing 140 vulnerabilities as part of July 2025 Patch Tuesday, including one publicly disclosed zero-day vulnerability affecting Microsoft SQL Server. Fourteen(14) of the vulnerabilities are classified as Critical, with ten(10) enabling Remote Code Execution (RCE).
Microsoft products impacted span across Windows, SQL Server, Microsoft Office, SharePoint, Hyper-V, Visual Studio and Azure services
- 130 Microsoft CVEs addressed
- 10 non-Microsoft CVEs addressed
Breakdown of July 2025 Vulnerabilities
- 41 Remote Code Execution (RCE)
- 18 Information Disclosure
- 53 Elevation of Privilege (EoP)
- 5 Denial of Service (DoS)
- 8 Security Feature Bypass
- 4 Spoofing
- 1 Data Tampering
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| SQL Server Information Disclosure | CVE-2025-49719 | Microsoft SQL Server | High | 7.5 |
Technical Summary
The information disclosure flaw arises from improper input validation, enabling a remote unauthenticated attacker to access data from uninitialized memory.
Microsoft also resolved a significant number of critical RCE vulnerabilities, particularly in Microsoft Office, SharePoint and Windows core components like Hyper-V and KDC Proxy. Several vulnerabilities can be triggered through minimal user interaction, such as viewing a document in the preview pane or interacting with network services.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-49719 | Microsoft SQL Server | Publicly disclosed information disclosure via improper input validation; attackers may access uninitialized memory | Unauthorized data disclosure |
Source: Microsoft and NVD
In addition to the publicly disclosed vulnerability, several other critical and high-severity issues were addressed:
- CVE-2025-49701 and CVE-2025-49704: Microsoft SharePoint, RCE over the Internet via authenticated access (CVSS 8.8)
- CVE-2025-49735: Windows KDC Proxy Service, Use-after-free vulnerability allowing unauthenticated RCE (CVSS 8.1)
- CVE-2025-47981: SPNEGO Extended Negotiation, Heap buffer overflow enabling RCE through crafted messages (CVSS 9.8)
- CVE-2025-48822: Hyper-V Discrete Device Assignment (DDA), RCE via PCI passthrough flaw in virtual environments (CVSS 8.6)
- CVE-2025-49717: Microsoft SQL Server, Heap-based buffer overflow enabling authenticated RCE (CVSS 8.5)
- CVE-2025-49695 to CVE-2025-49703: Microsoft Office/Word, Multiple RCEs via heap overflow, out-of-bounds read, type confusion (CVSS 8.4 & 7.8)
- CVE-2025-36357: AMD L1 Data Queue, Side-channel transient execution attack.
- CVE-2025-36350: AMD Store Queue, Speculative execution side-channel leak.
Key Affected Products and Services
The vulnerabilities addressed in July 2025 impact a wide range of Microsoft products and services, including:
- Windows Components:
Windows Kernel, BitLocker, SSDP Service, Hyper-V, KDC Proxy and Routing and Remote Access Service (RRAS).
- Microsoft Office Suite:
Excel, Word, PowerPoint, and SharePoint with several vulnerabilities enabling Remote Code Execution (RCE) or Elevation of Privilege (EoP).
- Cloud and Enterprise Services:
Azure Monitor Agent, Microsoft Intune and Microsoft SQL Server.
- Development Tools:
Visual Studio and the Python extension for Visual Studio Code.
- Browsers:
Microsoft Edge (Chromium-based).
Remediation:
- Apply Patches Promptly: Install the July 2025 security updates immediately to mitigate risks.
Conclusion:
The July 2025 Patch Tuesday reflects a large-scale update effort from Microsoft, addressing both known and undisclosed security risks. The zero-day (CVE-2025-49719) highlights ongoing concerns with SQL Server, while critical vulnerabilities in Office, SharePoint and core Windows services demand urgent patching.
Organizations should prioritize deployment of these patches and remain vigilant for any post-patch exploitation attempts, especially in externally facing applications.
References: