“For the third consecutive July, Microsoft patched over 125 CVEs: 130 in 2023, 138 in 2024, and 127 in 2025. This month’s count is well above the average of 100 since July 2017.
“The 11-month streak of patching at least one zero day that was exploited in the wild ended this month. However, there was still one zero day patched this month.
“While there were a few Microsoft SQL Server vulnerabilities patched this month, CVE-2025-49719, an information disclosure bug in SQL Server, was disclosed publicly prior to being patched. Despite its public disclosure, it is less likely to be exploited by an attacker. Users of SQL Server can update to the latest version, which includes driver fixes. However, if users have built their own apps or use software from another vendor that happens to use SQL Server, they need to update to Microsoft OLE DB Driver for SQL Server version 18 or 19 or ensure compatibility before updating. Microsoft has details in its advisory including a matrix for supported general distribution releases and cumulative update versions.
“The highest-rated vulnerability this month is CVE-2025-47981, a remote code execution flaw in SPNEGO Extended Negotiation (NEGOEX), an extension of the SPNEGO negotiation mechanism used to allow for negotiating what security mechanism is used before authenticating. This is a peculiar bug because, while it is considered more likely to be exploited, it only affects Windows 10 version 1607 and above due to a specific group policy object being enabled by default. Since 2022, there haven’t been many flaws in SPNEGO NEGOEX. There was one in 2022 (CVE-2022-37958) and one earlier this year in January (CVE-2025-21295), both of which were rated as not likely to be exploited.
“SharePoint continues to be a hot target: two new remote code execution bugs (CVE-2025-49701 and CVE-2025-49704) require prior authentication to a vulnerable SharePoint Server with Site Owner privileges at minimum to exploit these flaws. Each year, a large number of SharePoint bugs are disclosed across Patch Tuesday releases. So far in 2025, there have been 16 SharePoint flaws. In prior years, there were 20 in 2022, 25 in 2023 and 20 in 2024.
“While not Patch Tuesday released, I’d be remiss not to highlight the concerns around CitrixBleed 2. CitrixBleed one was a significant flaw that had a long tail impact because of the ability for attackers to steal session tokens, which can’t be neutralised until they’ve been invalidated. CitrixBleed 2 also allows session token theft, which makes this just as severe as CitrixBleed. So even if an organisation has applied the available patches, if those session tokens are still valid, attackers can replay them back. It’s vital for organisations to not only apply the patches, but it is paramount to review log files for known indicators of compromise and invalidate session tokens promptly.” – Satnam Narang, sr. staff research engineer, Tenable
