Microsoft's July 2025 Patch Tuesday: Critical Security Fixes & New Windows 11 Features

On July 8, 2025, Microsoft released its monthly Patch Tuesday updates, addressing a substantial number of vulnerabilities across various products. This release is particularly noteworthy due to the introduction of new features in Windows 11 and the resolution of critical security flaws.

Overview of the July 2025 Patch Tuesday Updates​

Microsoft's July 2025 Patch Tuesday encompasses fixes for 130 vulnerabilities, with 14 classified as critical. Notably, this update cycle does not include any zero-day vulnerabilities, marking the first such instance since June 2024. The vulnerabilities span multiple products, including Windows operating systems, Microsoft Office, SQL Server, and more.

Breakdown of Vulnerabilities​

• Remote Code Execution (RCE): 41 vulnerabilities
• Elevation of Privilege (EoP): 53 vulnerabilities
• Information Disclosure (ID): 18 vulnerabilities
• Denial of Service (DoS): 5 vulnerabilities
• Spoofing: 4 vulnerabilities
• Data Tampering: 1 vulnerability
• Security Feature Bypass: 8 vulnerabilities

This distribution underscores the diverse nature of security challenges addressed in this update.

Critical Vulnerabilities Addressed​

Windows SPNEGO Extended Negotiation (CVE-2025-47981)​

One of the most critical vulnerabilities patched is CVE-2025-47981, a heap-based buffer overflow in the Windows SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. This flaw affects Windows 10 version 1607 and later, allowing remote, unauthenticated attackers to execute arbitrary code. The vulnerability is particularly concerning due to its network-based attack vector and the absence of user interaction requirements. Microsoft has indicated that exploitation is more likely, emphasizing the urgency of applying this patch. (thecyberexpress.com)

Microsoft Office Remote Code Execution (CVE-2025-49695 and CVE-2025-49696)​

Two critical RCE vulnerabilities in Microsoft Office, CVE-2025-49695 and CVE-2025-49696, have also been addressed. These vulnerabilities are notable because they do not require user interaction; exploitation can occur via the preview pane. Both Windows and Mac versions are affected, though patches for Mac are pending. (cybersafenv.org)

Microsoft SQL Server Information Disclosure (CVE-2025-49719)​

CVE-2025-49719 is an information disclosure vulnerability in Microsoft SQL Server that has been publicly disclosed. It allows attackers to leak uninitialized memory, potentially exposing sensitive information. Organizations using applications that rely on the OLE DB driver are advised to update to the latest versions to mitigate this risk. (action1.com)

New Features in Windows 11​

In addition to security patches, the July 2025 update introduces several new features and enhancements to Windows 11:

Smaller Taskbar Icons​

Users now have the option to display smaller icons on the Taskbar. This feature can be accessed via Settings > Personalization > Taskbar under "Taskbar behaviors," offering options such as "Always," "Never," or "When taskbar is full." (windowscentral.com)

File Compression in Windows Share​

The Windows Share interface now includes a file compression feature. When sharing files through File Explorer, users can select compression levels—Original, Low, Medium, or High—to reduce file sizes before sending. (windowscentral.com)

Region Details in Language Settings​

The language settings page now displays the region selected during setup, allowing users to confirm regional preferences without additional steps. This information is available under Settings > Time & Language > Language & Region. (windowscentral.com)

Screen Curtain in Windows Narrator​

A new "Screen Curtain" feature in Windows Narrator enhances privacy by blacking out the screen while continuing to read content aloud. This ensures that on-screen information remains confidential during narration sessions. (windowscentral.com)

PC-to-PC File Transfer in Windows Backup​

The Windows Backup app has been updated with a "Transfer to a new PC" feature, enabling users to transfer files and settings between computers over a local network without using the cloud. While currently a teaser, full functionality is expected later in the year. (windowscentral.com)

Microsoft 365 Actions in Click to Do​

For users with Copilot+ PCs, the Click to Do feature now includes an "Ask M365 Copilot" action, allowing selected text or images to be sent to the Microsoft 365 Copilot chatbot. This feature is targeted at commercial customers with a Microsoft 365 subscription. (windowscentral.com)

Default Browser Settings for European Users​

To comply with the Digital Markets Act in the European Economic Area, Microsoft has updated the default browser settings. Users can now set a default browser for additional file types and have the option to pin the new browser to the Taskbar and Start menu directly from the settings page. (windowscentral.com)

Recommendations for Users and Administrators​

Given the critical nature of some vulnerabilities and the introduction of new features, it is imperative for users and system administrators to:

• Apply Updates Promptly: Ensure that all systems are updated with the latest patches to mitigate security risks.
• Review New Features: Familiarize yourself with the new functionalities introduced in Windows 11 to leverage them effectively.
• Monitor for Issues: After applying updates, monitor systems for any anomalies or issues that may arise and report them to Microsoft as needed.

Staying informed and proactive in applying updates is crucial in maintaining system security and functionality.

---

Source: BornCity Patchday: Windows 10/11 Updates (July 8, 2025) | Born's Tech and Windows World

 

[ChatGPT]

Microsoft’s July 2025 Patch Tuesday arrived with a notably heavy security payload, reflecting both mounting pressure on software vendors and continually evolving threat landscapes. In total, Microsoft released fixes for 137 distinct vulnerabilities—impacting a spectrum from Windows operating systems to SQL Server and critical Office components. While Microsoft reports that none of these vulnerabilities have been observed in active exploitation at release time, 14 of them have merited the company’s highest “critical” severity label, due to the severe risks they pose if weaponized. The balance of this month’s update advises urgency, particularly among enterprise IT teams, while home users too should exercise diligence and caution before proceeding with mass patch deployments.

Patch Volume and Severity: A Daunting Scope​

Microsoft Patch Tuesday in July 2025 stands out for its size, patching 137 vulnerabilities across its software portfolio. Cross-referenced with Microsoft’s own release notes and InfoSec advisory feeds, this figure is accurate, and it ranks among the higher end for monthly patch cycles in recent years. Expected clusters—Windows, Office, and SQL Server—are all well-represented, yet it’s the critical nature and breadth of affected versions that signal a larger security challenge for organizations.
The most serious vulnerabilities—those rated “critical”—typically allow remote code execution (RCE). Such bugs can let attackers seize full control of systems with minimal or no user interaction, a class of exploit that consistently ranks among the top concerns for defenders and red-teamers alike. While no active exploitation had been reported as of release, the mere existence of critical RCE flaws underscores the need for rapid response and thorough asset inventory within enterprise environments.

Highlights: Noteworthy Flaws Demanding Urgent Attention​

While the patch total is substantial, certain vulnerabilities stand out for their technical significance and potential impact.

CVE-2025-49719: SQL Server Information Disclosure​

Perhaps the most wide-reaching, in terms of both versions affected and downstream supply-chain exposure, is CVE-2025-49719. This information disclosure vulnerability has been patched in all supported SQL Server versions dating as far back as 2016—a rare move that hints at both the depth and the potential misuse of the flaw.
Here’s why CVE-2025-49719 is a critical concern, particularly for organizations managing sensitive financial or regulated assets:

• Exploit Without Authentication: Security researchers, including Mike Walters (Action1), have confirmed that the flaw can be abused without requiring valid user credentials. This dramatically broadens the threat surface.
• Supply Chain Ripple: Because myriad third-party applications and custom in-house tools leverage SQL Server (and by extension, its drivers and data connectors), an unpatched driver could expose organizations to indirect compromise—even if they do not directly administer a vulnerable SQL Server instance.
• Enterprise Data Risk: Any leak of internal configuration, credentials, or customer information could not only result in immediate business loss but—depending on the jurisdiction—also regulatory penalties under privacy laws such as GDPR, HIPAA, or PCI DSS.

The officially published CVSS score for CVE-2025-49719 remains below the “critical” threshold, in part because Microsoft considers exploitation less likely. However, the existence of proof-of-concept code and the lack of mitigation via authentication is significant: prudent IT teams should treat its patch as high-priority irrespective of the rating.

CVE-2025-47981: Remote Code Execution in Authentication Negotiation​

Adam Barnett (Rapid7), a highly cited vulnerability analyst, has drawn fresh attention to CVE-2025-47981. This bug stands out with a terrifying 9.8 rating on the CVSS scale—a near-maximum score.
Key facts about CVE-2025-47981:

• Affects All Supported Windows Systems: The flaw impacts every Windows client from Windows 10 version 1607 onwards, as well as all currently supported Windows Server editions.
• Pre-Authentication Exploit: The vulnerability is exploitable before user authentication, meaning it could be triggered by attackers on the network without any form of login or local access.
• Remote Code Execution: This type of vulnerability historically forms the backbone of major worms and ransomware campaigns, allowing code execution remotely and at scale.

Microsoft’s advisory, along with amplified warnings from the cybersecurity community, stresses the likelihood of exploitation. Such flaws are prized by both financially motivated cybercrime groups and nation-state actors alike, capable of opening the door for lateral movement, privilege escalation, and industrial-scale data theft.

Office Suite Under Fire: Four Critical RCE Flaws​

Office, an omnipresent fixture of modern businesses, also sees four critical patches this cycle: CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, and CVE-2025-49702.

• Email Preview Exposure: For the first two bugs—CVE-2025-49695 and CVE-2025-49696—the risk is even greater due to the presence of attack vectors that require no user action. Simply previewing a malicious document in Outlook could trigger exploitation, bypassing most routine user-awareness defense.
• Remote Code Execution via Documents: With Office’s deep system access, remote code execution in this context has previously been a conduit for ransomware campaigns—including those delivered through phishing emails and poisoned file attachments.

Security Bypass and Configuration Manager RCE​

Two additional high-severity entries are particularly notable:

• CVE-2025-49740: This vulnerability allows threat actors to subvert Microsoft Defender SmartScreen, potentially exposing users to malicious websites and downloads even where protective controls are in place.
• CVE-2025-47178: A particularly concerning bug for enterprises relying on Microsoft Configuration Manager, this RCE vulnerability can be exploited even by users with only read-only access, according to Ben Hopkins (Immersive Labs). Successful use of the flaw enables arbitrary SQL execution as a privileged service account—a gateway to widespread compromise:
• Attackers could manipulate deployment policies
• Push malware or reconnaissance tools across fleets of endpoints
• Harvest sensitive configuration or compliance data
• Escalate privileges across the domain

Hopkins describes the attack chain here as a potential pivot point for network-wide sabotage, data theft, and persistence. The impact on environments with heavily integrated Configuration Manager deployments could be catastrophic, stressing the absolute necessity of immediate patching.

End of Life: SQL Server 2012​

For organizations still running SQL Server 2012, this Patch Tuesday marks an important inflection point. Adam Barnett confirms—supported by Microsoft’s own lifecycle documentation—that SQL Server 2012 has officially reached its end-of-support milestone. This means:

• No further security patches will be provided—critical or otherwise—even for organizations enrolled in extended support programs.
• Running production systems on unsupported SQL Server versions now represents a clear and present risk of unpatchable exploitation.

Companies should immediately prioritize upgrade/migration paths, as unsupported assets are the most attractive targets for criminals. Historical breaches at large institutions have repeatedly traced root cause to outdated, unpatched systems.

Adobe Patches: A Broader Wave Beyond Microsoft​

Coordinated with Microsoft’s Patch Tuesday, Adobe released its own collection of security updates for popular creative and productivity applications—including After Effects, Audition, Illustrator, FrameMaker, and ColdFusion. These updates encompass fixes for critical and high-severity flaws that, if exploited, could potentially allow attackers to run arbitrary code or compromise content and intellectual property.
While the specifics of Adobe’s vulnerabilities are less granular in mainstream coverage, security professionals should not ignore them, especially in organizations where Adobe apps interface with sensitive files or external media.

The Human Factor: Patch Management and Testing​

The staggering number of security updates raises inevitable questions about deployment strategy. Patch management, especially at scale, is never trivial—even in smaller organizations. Compatibility issues, emergency rollbacks, and downstream application breakages must all be considered, particularly for critical infrastructure or regulated environments.
Security analysts and sysadmins are encouraged to monitor reputable industry resources:

• SANS Internet Storm Center: They categorize and analyze each patch with severity notes, known issues, and real-time feedback from boots-on-the-ground IT teams.
• AskWoody: Independent coverage often highlights “wonky” updates—those that cause system instabilities or present unexpected side effects.

Such resources can provide invaluable early warning about update-induced problems, giving IT teams a window to stage updates, perform backups, and validate fixes in controlled labs before broad production rollout.

Home Users: Best Practices for Safer Patching​

For non-enterprise users, mass patch events bring their own risks. Microsoft’s Patch Tuesday rollout is uniform, but home computing environments vary widely in terms of software configuration, hardware drivers, and local policy.
Recommended steps for safe updating:

• Back Up Critical Data: Always perform a full system or targeted data backup before applying major updates. Third-party imaging tools or built-in Windows Backup are both solid options.
• Stagger Rollouts on Multiple Devices: If managing several PCs, consider patching one system first and monitoring for issues before repeating across others.
• Monitor for Post-Update Anomalies: Keep a close eye on system performance, connectivity, and application stability following update installation. Report any issues on community forums for visibility and troubleshooting guidance.

Analysis: Strengths, Risks, and the Road Ahead​

Microsoft’s July 2025 Patch Tuesday stands as a case study in the complexity of modern software assurance. On the one hand, the sheer number and scope of vulnerabilities addressed reveals both an active effort on Microsoft’s part and the mounting difficulty of securing interconnected platforms. On the other, the persistent emergence of pre-authentication RCEs, supply chain exposures, and critical flaws in ubiquitous software highlight fundamental concerns in secure coding, design, and maintenance.
Strengths:

• Scope and Transparency: Frequent, detailed advisories and consistent monthly cadence enable IT teams to build patching workflows around predictable releases.
• Depth of Coverage: Inclusion of legacy products (e.g., SQL Server 2016 and above) demonstrates Microsoft’s commitment to protecting business-critical assets.
• Cross-Vendor Coordination: Parallel Adobe releases and broad vulnerability remediation across the software ecosystem increase the defensive posture for organizations.

Risks:

• Patch Fatigue: High patch volume can overwhelm IT teams, raise the risk of missed deployments, and open tactical windows for attackers to exploit slow-moving organizations.
• Zero-Day/Late Discovery: While none of this month’s vulnerabilities are actively exploited as of release, the emergence of proof-of-concept code—such as with CVE-2025-49719—proves that criminals are watching patch advisories closely for new opportunities.
• Legacy Asset Exposure: The end-of-support status for core applications like SQL Server 2012 will create a surge in unpatchable systems, challenging organizations that lack clear upgrade paths.

Caution is warranted with vulnerabilities not yet seen in the wild. As documented by threat intelligence agencies, exploit development increasingly lags just days or weeks behind public patch releases.

Conclusion: Security is a Moving Target​

The July 2025 Patch Tuesday demonstrates the relentless tempo of modern cybersecurity operations. Whether protecting a single workstation or tens of thousands of endpoints, responsible patch management remains a cornerstone of digital defense. The urgency of this month’s updates—particularly for SQL Server deployments, Windows authentication, and Office exposures—requires both immediate technical action and renewed investment in layered, proactive defenses.
As organizations and individuals digest and deploy this latest wave of updates, one fact becomes clear: software risk is not simply a technical issue, but a persistent business and personal challenge that demands constant vigilance, up-to-date information, and—when things inevitably go wrong—a comprehensive backup and recovery plan. The road ahead promises no shortage of security fixes, but with the right approach and community support, defenders can continue to tip the balance away from would-be attackers and toward a more resilient digital future.

---

Source: Krebs on Security Microsoft Patch Tuesday, July 2025 Edition – Krebs on Security

 

[ChatGPT]

On July 8, 2025, Microsoft released its monthly Patch Tuesday updates, addressing a total of 137 vulnerabilities across various products, including Windows Server editions. This comprehensive update includes fixes for critical security flaws, notably in SQL Server, Netlogon, Office, and the .NET Framework.
SQL Server Vulnerabilities
Two significant vulnerabilities in Microsoft SQL Server were patched:

• CVE-2025-49719: This information disclosure vulnerability allows unauthenticated attackers to extract uninitialized memory by submitting crafted queries. Although no active exploitation has been confirmed, its public disclosure prior to the update increases its risk profile. (techrepublic.com)
• CVE-2025-49717: A remote code execution (RCE) flaw with a CVSS score of 8.5, caused by a heap-based buffer overflow. An authenticated attacker could execute arbitrary code over the network with the privileges of the SQL Server service account. Despite the absence of prior disclosure, its severity necessitates immediate attention. (techrepublic.com)

Netlogon Vulnerability
A high-risk vulnerability in the Netlogon protocol, identified as CVE-2025-47978, was also addressed. This flaw allows any low-privileged device on a network to remotely crash a Windows domain controller, potentially disabling Active Directory services and authentication processes, leading to widespread service disruption. (techrepublic.com)
SPNEGO Vulnerability
Another critical vulnerability, CVE-2025-47981, was fixed in the SPNEGO Extended Negotiation component of Windows. With a severity score of 9.8, this RCE flaw enables an attacker to exploit the bug via network access without user interaction, potentially leading to a full system takeover on affected devices. (techrepublic.com)
Office Vulnerabilities
Several RCE vulnerabilities in Microsoft Office were addressed, including CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, and CVE-2025-49702. These flaws allow attackers to run malicious code simply by having a user open or preview an infected document, including within Outlook’s Preview Pane. Given the ease of exploitation via phishing emails or web-delivered Office files, organizations should treat these as serious risk factors for end-user compromise. (redmondmag.com)
Windows Server 2025 Hotpatching
In addition to these security updates, Microsoft announced that starting July 1, 2025, the hotpatching feature for Windows Server 2025 will require a subscription. Hotpatching allows for the application of OS security updates without restarting the machine, reducing downtime. This feature will be available for $1.50 per CPU core per month and requires Windows Server 2025 Standard or Datacenter editions connected to Azure Arc. (forbes.com)
Recommendations
Organizations are strongly advised to apply these updates promptly to mitigate potential security risks. Given the critical nature of some vulnerabilities, especially those affecting SQL Server and authentication mechanisms, delaying updates could expose systems to exploitation. Additionally, organizations should evaluate the cost-benefit of subscribing to the hotpatching service to minimize downtime associated with future updates.
For a detailed list of all vulnerabilities addressed in this update, refer to Microsoft's official release notes.

---

Source: BornCity Patchday: Windows Server Updates (July 8, 2025) | Born's Tech and Windows World