Microsoft on Tuesday introduced safety fixes for 130 vulnerabilities throughout its merchandise, together with a beforehand disclosed SQL Server bug.
Tracked as CVE-2025-49719 (CVSS rating of seven.5), the already disclosed SQL Server flaw is described as an improper enter validation problem that would enable unauthenticated attackers to leak data over the community.
In line with Microsoft, the safety defect has not been exploited as a zero-day, nevertheless it was publicly disclosed earlier than patches have been launched.
“Replace your related model of SQL Server. Any relevant driver fixes are included in these updates. Replace your software to make use of Microsoft OLE DB Driver 18 or 19. Replace the drivers to the variations listed on this web page, which give safety towards this vulnerability,” the corporate notes in its advisory.
Regardless of the inclusion of this SQL Server bug, this month’s set of patches breaks an 11-month streak of zero-day mitigations from Redmond.
The July 2025 Patch Tuesday record additionally contains roughly a dozen patches rated essential severity, together with 10 addressing vulnerabilities that would result in distant code execution (RCE).
Important patches concentrating on RCE flaws have been launched for the SPNEGO Prolonged Negotiation (NEGOEX) Safety Mechanism, SharePoint (CVE-2025-49701 and CVE-2025-49704), and Kerberos Key Distribution Heart proxy service (KPSSVC) (CVE-2025-49735).
Redmond’s Workplace suite additionally obtained its share of patches for code execution flaws that could possibly be exploited by convincing customers to open malicious paperwork.Commercial. Scroll to proceed studying.
Two Workplace bugs addressed this month that would result in native code execution are CVE-2025-49695 (a use-after-free) and CVE-2025-49696 (an out-of-bounds learn).
One other noteworthy bug resolved on Tuesday is CVE-2025-49724, a use-after-free in Home windows Linked Units Platform Service that could possibly be exploited by distant, unauthenticated attackers for code execution.
In line with Microsoft, nevertheless, profitable exploitation requires for the attacker to ship crafted visitors to a tool that has the Close by Sharing function enabled, and for the consumer to take particular actions.
Of the entire 130 flaws that Redmond resolved this month, 53 may result in privilege escalation, 41 to RCE, 18 to data disclosure, 8 to safety bypasses, 6 to denial-of-service, and 4 to spoofing.
The fixes ought to roll out to methods with the automated updates enabled shortly. Customers who would not have the function enabled are suggested to use the obtainable patches as quickly as doable.
Associated: Microsoft Patch Tuesday Covers WebDAV Flaw Marked as ‘Already Exploited’
Associated: Zero-Day Assaults Spotlight One other Busy Microsoft Patch Tuesday
Associated: Microsoft Patches 125 Home windows Vulns, Together with Exploited CLFS Zero-Day