July Patch Tuesday – Australian Cyber Security Magazine

July Patch Tuesday - Australian Cyber Security Magazine

Microsoft has addressed 128 CVEs in its July 2025 Patch Tuesday release, with 12 rated critical, and 115 rated important and one rated as moderate.

Tenable’s Satnam Narang, sr. staff research engineer noted the release omitted nine vulnerabilities reported by AMD and MITRE. Elevation of Privilege (EoP) vulnerabilities accounted for 41.4% of the vulnerabilities patched this month, followed by Remote Code Execution (RCE) vulnerabilities at 31.3%.

Brian Donohue, Principal Security Researcher at Red Canary has provided analysis, “None appear to have been exploited actively in the wild, according to Microsoft. In fact, Microsoft considers the vast majority – around 87 percent – either unlikely to be exploited or less likely to be exploited.

“The very simple, but often impractical advice for security updates is just to install them all as soon as possible. Of course, that’s easier said than done considering that installing updates is time consuming and can have downstream consequences that adversely affect systems and processes. As such, organizations should pay close attention to Microsoft’s exploitability rankings and the CVSS scores assigned to vulnerabilities. They should prioritize anything where exploitation is more likely or has already been detected, and patches with higher CVSS scores. Anything that enables remote code execution is especially important to patch immediately.”

“Noteworthy patches in the July edition of patch Tuesday include:

  • CVE-2025-47981: A heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over a network.
  • CVE-2025-49695: A use after free in Microsoft Office that allows an unauthorized attacker to execute code locally.
  • CVE-2025-49735: A use after free in Windows KDC Proxy Service (KPSSVC) that allows an unauthorized attacker to execute code over a network.
  • CVE-2025-49696: An out-of-bounds read in Microsoft Office that allows an unauthorized attacker to execute code locally.
  • CVE-2025-49724: A use after free in Windows Connected Devices Platform Service that allows an unauthorized attacker to execute code over a network.
  • CVE-2025-49701: An improper authorization in Microsoft Office SharePoint that allows an authorized attacker to execute code over a network.
  • CVE-2025-49704: An improper control of generation of code (‘code injection’) in Microsoft Office SharePoint that allows an authorized attacker to execute code over a network.

“Independent of when or whether an organization is able to install updates for these and other Microsoft CVEs, vulnerability exploitation is just a means to an end. An adversary might exploit a vulnerability to execute arbitrary code, elevate their privilege level, or bypass a security control – to list a few common classes of exploit.

“However, the real risk comes from what an adversary does after they exploit a vulnerability. Having thorough visibility into their IT environment and broad and deep detection coverage mitigates some of the risk from unpatched or even unknown vulnerabilities because it can empower organizations to catch and stop threats regardless of their origin.”

According to Narang at Tenable, “For the third consecutive July, Microsoft patched over 125 CVEs: 130 in 2023, 138 in 2024, and 127 in 2025. This month’s count is well above the average of 100 since July 2017.

“The 11-month streak of patching at least one zero day that was exploited in the wild ended this month. However, there was still one zero day patched this month.

“While there were a few Microsoft SQL Server vulnerabilities patched this month, CVE-2025-49719, an information disclosure bug in SQL Server, was disclosed publicly prior to being patched. Despite its public disclosure, it is less likely to be exploited by an attacker. Users of SQL Server can update to the latest version, which includes driver fixes. However, if users have built their own apps or use software from another vendor that happens to use SQL Server, they need to update to Microsoft OLE DB Driver for SQL Server version 18 or 19 or ensure compatibility before updating. Microsoft has details in its advisory including a matrix for supported general distribution releases and cumulative update versions.

“The highest-rated vulnerability this month is CVE-2025-47981, a remote code execution flaw in SPNEGO Extended Negotiation (NEGOEX), an extension of the SPNEGO negotiation mechanism used to allow for negotiating what security mechanism is used before authenticating. This is a peculiar bug because, while it is considered more likely to be exploited, it only affects Windows 10 version 1607 and above due to a specific group policy object being enabled by default. Since 2022, there haven’t been many flaws in SPNEGO NEGOEX. There was one in 2022 (CVE-2022-37958) and one earlier this year in January (CVE-2025-21295), both of which were rated as not likely to be exploited.

“SharePoint continues to be a hot target: two new remote code execution bugs (CVE-2025-49701 and CVE-2025-49704) require prior authentication to a vulnerable SharePoint Server with Site Owner privileges at minimum to exploit these flaws. Each year, a large number of SharePoint bugs are disclosed across Patch Tuesday releases. So far in 2025, there have been 16 SharePoint flaws. In prior years, there were 20 in 2022, 25 in 2023 and 20 in 2024.

“While not Patch Tuesday released, I’d be remiss not to highlight the concerns around CitrixBleed 2. CitrixBleed one was a significant flaw that had a long tail impact because of the ability for attackers to steal session tokens, which can’t be neutralised until they’ve been invalidated. CitrixBleed 2 also allows session token theft, which makes this just as severe as CitrixBleed. So even if an organisation has applied the available patches, if those session tokens are still valid, attackers can replay them back. It’s vital for organisations to not only apply the patches, but it is paramount to review log files for known indicators of compromise and invalidate session tokens promptly.”




Source link