The Indian Computer Emergency Response Team (CERT-In) has recently issued a high-severity advisory concerning multiple vulnerabilities in Microsoft Windows and Office products. These security flaws could potentially allow attackers to gain elevated privileges, access sensitive data, execute remote code, and bypass existing security protocols.
Scope of Vulnerabilities
The identified vulnerabilities affect a broad spectrum of Microsoft products, including:
- Microsoft Windows (all supported versions)
- Microsoft Office suite (Word, Excel, Outlook)
- Microsoft Dynamics
- Azure cloud services
- Microsoft SQL Server
- System Center and Developer Tools
- Extended Security Update (ESU) programs for older Windows versions
- Microsoft Edge browser and other Microsoft applications
Specific Vulnerabilities Highlighted
Among the critical vulnerabilities addressed in Microsoft's July 2025 Patch Tuesday are:
- CVE-2025-47981: A remote code execution vulnerability in the Windows SPNEGO Extended Negotiation (NEGOEX) security mechanism, with a CVSS score of 9.8. This flaw allows unauthenticated remote attackers to execute arbitrary code by exploiting a heap-based buffer overflow. (crowdstrike.com)
- CVE-2025-49719: An information disclosure vulnerability in Microsoft SQL Server, rated with a CVSS score of 7.5. This zero-day vulnerability allows unauthenticated attackers to access data from uninitialized memory. (cert.europa.eu)
- CVE-2025-49695 and CVE-2025-49696: Critical remote code execution vulnerabilities in Microsoft Office, each with a CVSS score of 8.4. These flaws can be exploited through the preview pane, enabling attackers to execute arbitrary code without user interaction. (crowdstrike.com)
To mitigate the risks associated with these vulnerabilities, CERT-In recommends the following actions:
- Apply Security Updates: Ensure that all Microsoft products are updated with the latest security patches. Microsoft has released fixes through cumulative updates for Windows and other affected services.
- Enable Automatic Updates: Configure systems to receive automatic updates to ensure timely application of security patches.
- Exercise Caution with Untrusted Sources: Avoid opening files or clicking on links from unknown or untrusted sources, as they may contain malicious content designed to exploit these vulnerabilities.
- Maintain Updated Security Software: Keep antivirus programs and firewalls up to date to provide an additional layer of defense against potential attacks.
Source: Business Standard https://www.business-standard.com/technology/tech-news/cert-in-issues-warning-for-microsoft-windows-office-products-know-why-125071600889_1.html