Microsoft released its Patch Tuesday June 2025 monthly security update, addressing a total of 130 Microsoft Common Vulnerabilities and Exposures (CVEs) and republishing 10 non-Microsoft CVEs.
Of the 130 vulnerabilities, 41 are Remote Code Execution, 53 Elevation of Privilege, 18 Information Disclosure, 5 Denial of Service, 4 Spoofing, 1 Data Tampering, and 8 Security Feature Bypass issues.
The update covers a wide range of products and services, including Windows, Microsoft Office, SQL Server, Microsoft Edge (Chromium-based), and Visual Studio, among others.
This release includes critical and important vulnerabilities, with several allowing remote code execution (RCE). Notably, no zero-day vulnerabilities or actively exploited vulnerabilities were reported in this update.
Critical Vulnerabilities:
CVE-2025-47981 (Windows SPNEGO Extended Negotiation, CVSS 9.8): This vulnerability allows attackers to achieve high confidentiality, integrity, and availability impacts over a network without user interaction, making it a high-priority target for patching.
CVE-2025-49717 (SQL Server, CVSS 8.5): This vulnerability could allow attackers to execute code remotely with significant impact on affected systems.
Important Vulnerabilities:
These vulnerabilities span various Microsoft products and services, including Windows Kernel, Remote Desktop Client, Microsoft Office, Windows BitLocker, and Windows Routing and Remote Access Service (RRAS). Most have CVSS scores ranging from 5.5 to 8.8, indicating moderate to high severity.
A significant portion of the vulnerabilities (55 CVEs) could potentially lead to remote code execution, allowing attackers to run arbitrary code on affected systems. Key examples include:
- CVE-2025-47981 (Windows SPNEGO Extended Negotiation, CVSS 9.8): A critical RCE vulnerability exploitable over a network without user interaction.
- CVE-2025-47998, CVE-2025-49657, CVE-2025-49663, CVE-2025-49668, CVE-2025-49674, CVE-2025-49676, CVE-2025-49729, CVE-2025-49753 (Windows RRAS, CVSS 8.8): These vulnerabilities require user interaction but pose significant risks due to their network-based attack vector.
- CVE-2025-49687 (Microsoft Input Method Editor, CVSS 8.8): This local RCE vulnerability affects systems with specific configurations.
- CVE-2025-49701, CVE-2025-49704 (Microsoft Office SharePoint, CVSS 8.8): These vulnerabilities could allow attackers with low privileges to execute code remotely.
Microsoft confirmed that none of the vulnerabilities in this update are actively exploited or classified as zero-day vulnerabilities.
The Exploitability column for all CVEs lists “Exploitation Unlikely” or “Exploitation Less Likely,” indicating no known active exploitation at the time of release.
Key Affected Products and Services
The vulnerabilities impact a broad array of Microsoft products, including:
- Windows Components: Windows Kernel, Windows BitLocker, Windows SSDP Service, Windows Hyper-V, and Windows Routing and Remote Access Service (RRAS).
- Microsoft Office Suite: Vulnerabilities in Excel, Word, PowerPoint, and SharePoint, with several allowing RCE or privilege escalation.
- Cloud and Enterprise Services: Azure Monitor Agent, Microsoft Intune, and SQL Server.
- Development Tools: Visual Studio and Visual Studio Code Python extension.
- Browsers: Microsoft Edge (Chromium-based).
For 120 of the 130 Microsoft CVEs, Microsoft has provided FAQs to guide users on patching and mitigation strategies.
No workarounds are listed for any of the vulnerabilities, indicating that applying the security updates is the primary mitigation strategy.
Only two CVEs (CVE-2025-47981 and CVE-2025-49724) have specific mitigations listed, suggesting that most vulnerabilities require patching to address risks fully.
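The attributes the article uses to single out the most pressing fixes (CVSS score, Microsoft severity rating, network versus local attack vector, whether user interaction or prior privileges are needed, and the Exploitability Index text) are exactly the inputs a patch-management team feeds into a deployment order. The script below is an added example, not code from Cyber Security News or Microsoft: it ranks a handful of the CVEs named above using those attributes. The sample records are constructed from the article's text; any attribute the article does not state for a given CVE (marked `assumed` in the comments) is a placeholder to make the example run, not a claim about that CVE.

```python
"""Patch-priority triage for a Patch Tuesday release (added example).

Orders CVEs by Microsoft's severity rating first, then by a score that
starts from the CVSS base score and adds weight for the conditions the
article highlights: network-reachable, no user interaction, no prior
privileges, and a higher Exploitability Index rating.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str
    severity: str             # Microsoft rating: "Critical" | "Important"
    cvss: float
    attack_vector: str        # "network" | "local"
    user_interaction: bool    # True if exploitation needs a user action
    privileges_required: str  # "none" | "low" | "high"
    exploitability: str       # Microsoft Exploitability Index text


# Rank of Microsoft's severity ratings (lower sorts first).
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Extra urgency per Exploitability Index rating. The article states that
# every CVE in this release carries "Unlikely" or "Less Likely".
EXPLOITABILITY_WEIGHT = {
    "Exploitation Detected": 2.0,
    "Exploitation More Likely": 1.0,
    "Exploitation Less Likely": 0.25,
    "Exploitation Unlikely": 0.0,
}

# Constructed sample records. Values taken from the article are noted;
# everything marked 'assumed' is a placeholder for the example only.
SAMPLE_CVES = [
    # Article: Critical, 9.8, network, no user interaction; privileges 'none' assumed.
    Cve("CVE-2025-47981", "Windows SPNEGO Extended Negotiation", "Critical", 9.8,
        "network", False, "none", "Exploitation Less Likely"),
    # Article: Critical, 8.5, remote; user interaction and privileges assumed.
    Cve("CVE-2025-49717", "SQL Server", "Critical", 8.5,
        "network", False, "none", "Exploitation Less Likely"),
    # Article: 8.8, network, requires user interaction; privileges assumed.
    Cve("CVE-2025-47998", "Windows RRAS", "Important", 8.8,
        "network", True, "none", "Exploitation Less Likely"),
    # Article: 8.8, local RCE; user interaction and privileges assumed.
    Cve("CVE-2025-49687", "Microsoft Input Method Editor", "Important", 8.8,
        "local", True, "none", "Exploitation Unlikely"),
    # Article: 8.8, low privileges; attack vector and user interaction assumed.
    Cve("CVE-2025-49704", "Microsoft Office SharePoint", "Important", 8.8,
        "network", False, "low", "Exploitation Less Likely"),
]


def priority_score(c: Cve) -> float:
    """Higher is more urgent. CVSS base score plus the article's criteria."""
    score = c.cvss
    if c.attack_vector == "network":
        score += 1.0          # reachable without local access
    if not c.user_interaction:
        score += 0.5          # no phishing or user action needed
    if c.privileges_required == "none":
        score += 0.5          # unauthenticated exposure
    score += EXPLOITABILITY_WEIGHT.get(c.exploitability, 0.0)
    return round(score, 2)


def triage(cves: list[Cve]) -> list[tuple[str, str, float]]:
    """Return (cve_id, severity, score) tuples in deployment order:
    Microsoft severity first, then descending score; ties keep input order."""
    ranked = sorted(
        cves,
        key=lambda c: (SEVERITY_RANK.get(c.severity, 99), -priority_score(c)),
    )
    return [(c.cve_id, c.severity, priority_score(c)) for c in ranked]


if __name__ == "__main__":
    for cve_id, severity, score in triage(SAMPLE_CVES):
        print(f"{cve_id:16} {severity:10} {score:5.2f}")
```

Severity is taken from Microsoft's rating rather than derived from CVSS because the two disagree: the article lists CVE-2025-49717 as Critical at CVSS 8.5 while several 8.8 issues are Important, so a CVSS-only cutoff would schedule it behind them.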
The post Microsoft Patch Tuesday July 2025: 130 Vulnerabilities Fixed Including 41 RCE appeared first on Cyber Security News.