Microsoft’s July 2025 Patch Tuesday arrives with a hefty load: a total of 140 vulnerabilities patched, including 14 critical and 115 important severity flaws. This month’s release spans Microsoft’s core technologies—Windows Kernel, Hyper-V, SQL Server, Microsoft Office, and SharePoint—reminding defenders once again that the enterprise attack surface continues to grow, and threat actors are watching closely.
Among the vulnerabilities addressed are a publicly disclosed zero-day, multiple remote code execution (RCE) bugs, and even a pair of CPU-level threats tied to AMD processor weaknesses.
The July 2025 vulnerabilities fall under the following categories:
- Elevation of Privilege (EoP): 53
- Remote Code Execution (RCE): 41
- Information Disclosure: 18
- Security Feature Bypass: 8
- Denial of Service (DoS): 6
- Spoofing: 3
This month’s zero-day, CVE-2025-49719, is an Information Disclosure Vulnerability in Microsoft SQL Server, stemming from improper input validation. The flaw could allow unauthenticated attackers to leak sensitive information over a network.
“Improper input validation in SQL Server allows an unauthorized attacker to disclose information over a network,” Microsoft explains. Though not rated critical, the zero-day status and network exposure make it a prime candidate for exploitation.
This month’s release includes multiple RCE flaws, several of which could allow unauthenticated, remote attackers to execute arbitrary code—some requiring little user interaction.
- Microsoft SQL Server (CVE-2025-49717) – A heap-based buffer overflow vulnerability may allow an authenticated attacker to execute remote code.
- KDC Proxy Service (CVE-2025-49735) – A use-after-free bug in the Key Distribution Center Proxy Service—used for Kerberos authentication in remote access scenarios—could let attackers gain code execution privileges without authentication.
- SPNEGO Extended Negotiation (CVE-2025-47981) – This vulnerability in the NEGOEX mechanism could be exploited via specially crafted messages to the server, resulting in RCE through a heap-based buffer overflow.
- Hyper-V Discrete Device Assignment (CVE-2025-48822) – A flaw in PCI passthrough allows attackers to target virtual machines using an out-of-bounds read, potentially granting RCE.
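The RCE entries above each map to a component that may or may not be present on a given host, so the first question a defender asks is which machines actually expose them. The following PowerShell is an added example, not code from the original article or from Microsoft: it inventories SQL Server engine services (CVE-2025-49717 and the CVE-2025-49719 zero-day), the KDC Proxy Server service (CVE-2025-49735), and Hyper-V VMs with Discrete Device Assignment (CVE-2025-48822), and optionally confirms that the July update is installed. The NEGOEX flaw (CVE-2025-47981) is not checked because the Negotiate package is part of every Windows host's authentication stack. The service and cmdlet names are standard Windows and Hyper-V ones; the `-KbArticles` values are placeholders that an administrator fills in from the MSRC release notes, since the article lists no KB numbers.

```powershell
# Added example, not from the original article. Reports local exposure to the
# components named in the July 2025 RCE list and, optionally, whether the
# corresponding KB articles (supplied by the caller) are installed.
function Get-JulyRceExposure {
    [CmdletBinding()]
    param(
        # Placeholder: KB ids for the July 2025 cumulative update, taken from the
        # MSRC release notes for this host's OS build (e.g. 'KB0000000').
        [string[]]$KbArticles = @()
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # CVE-2025-49717 / CVE-2025-49719: any SQL Server engine instance.
    # Engine services are named MSSQLSERVER (default) or MSSQL$<instance>.
    foreach ($svc in (Get-Service -Name 'MSSQL*' -ErrorAction SilentlyContinue)) {
        $findings.Add([pscustomobject]@{
            Component = 'SQL Server'
            CVE       = 'CVE-2025-49717, CVE-2025-49719'
            Detail    = "$($svc.Name) is $($svc.Status)"
        })
    }

    # CVE-2025-49735: KDC Proxy Server service (service name KPSSVC).
    $kps = Get-Service -Name 'KPSSVC' -ErrorAction SilentlyContinue
    if ($kps) {
        $findings.Add([pscustomobject]@{
            Component = 'KDC Proxy'
            CVE       = 'CVE-2025-49735'
            Detail    = "KPSSVC is $($kps.Status) (StartType: $($kps.StartType))"
        })
    }

    # CVE-2025-48822: VMs that have a PCI device passed through via DDA.
    if (Get-Module -ListAvailable -Name Hyper-V) {
        Import-Module Hyper-V -ErrorAction Stop
        foreach ($vm in Get-VM) {
            $devices = Get-VMAssignableDevice -VMName $vm.Name -ErrorAction SilentlyContinue
            foreach ($dev in $devices) {
                $findings.Add([pscustomobject]@{
                    Component = 'Hyper-V DDA'
                    CVE       = 'CVE-2025-48822'
                    Detail    = "VM '$($vm.Name)' has assigned device $($dev.InstanceID)"
                })
            }
        }
    }

    # Patch status: only meaningful when the caller supplies real KB ids.
    foreach ($kb in $KbArticles) {
        $installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
        $findings.Add([pscustomobject]@{
            Component = 'Update'
            CVE       = $kb
            Detail    = if ($installed) { 'installed' } else { 'MISSING' }
        })
    }

    return $findings
}

# Usage: run elevated on the host being assessed; replace the placeholder KB.
Get-JulyRceExposure -KbArticles @('KB0000000') | Format-Table -AutoSize
```

An empty result for a component means that service or feature is not present on the host, which is the easiest way to scope the SQL Server, KDC Proxy and DDA items out of an emergency patch window; the Office and NEGOEX items still apply to every workstation and server respectively.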
July’s update includes six critical vulnerabilities in Microsoft Office and Word, including heap overflows, out-of-bounds reads, use-after-free, and type confusion flaws:
- CVE-2025-49695 to CVE-2025-49703
- Affecting both Microsoft Office and Word
- Exploitable via malicious documents sent over email or embedded in online content
These types of bugs are especially dangerous because users so often enable macros or editing content in Office files they receive.
Two AMD-related CVEs—CVE-2025-36357 and CVE-2024-36350—were patched this month. These represent transient execution attacks targeting the L1 Data Queue, potentially enabling attackers to exfiltrate sensitive data via speculative execution vulnerabilities.