Report Name: Microsoft Patch Tuesday, July 2025
Generated: 2025-07-16 13:06:48

Product Name	Prevalence	U	C	H	M	L	A	Comment
AMD Processor	0.9				2		2	Processor
Windows Kernel	0.9			1	2		3	Windows Kernel
Windows TCP/IP Driver	0.9			1			1	A kernel mode driver
Windows Win32k	0.9			1	1		2	The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management.
BitLocker	0.8			4	1		5	A full volume encryption feature included with Microsoft Windows versions starting with Windows Vista
Chromium	0.8		1	1	6		8	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
Kernel Streaming WOW Thunk Service Driver	0.8			1			1	Windows component
Microsoft Edge	0.8			2	3		5	Web browser
Microsoft Office	0.8			6			6	Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer
Microsoft Windows QoS Scheduler Driver	0.8				1		1	Windows component
Windows Ancillary Function Driver for WinSock	0.8			1			1	Windows component
Windows AppX Deployment Service	0.8			1			1	Windows component
Windows Connected Devices Platform Service	0.8			1	1		2	Windows component
Windows Cryptographic Services	0.8				1		1	Windows component
Windows Event Tracing	0.8			2			2	Windows component
Windows Fast FAT File System Driver	0.8			1			1	Windows component
Windows GDI	0.8			1			1	Windows component
Windows Graphics Component	0.8			2	1		3	Windows component
Windows Hyper-V Discrete Device Assignment (DDA)	0.8			1			1	Windows component
Windows Imaging Component	0.8				1		1	Windows component
Windows Input Method Editor (IME)	0.8			2	1		3	Windows component
Windows KDC Proxy Service (KPSSVC)	0.8			1			1	Windows component
Windows Kerberos	0.8				1		1	Windows component
Windows MBT Transport Driver	0.8			1			1	Windows component
Windows Media	0.8				1		1	Windows component
Windows Miracast Wireless Display	0.8			1			1	Windows component
Windows NTFS	0.8				1		1	The default file system of the Windows NT family
Windows Netlogon	0.8			1			1	Windows component
Windows Notification	0.8			2			2	Windows component
Windows Performance Recorder (WPR)	0.8				1		1	Windows component
Windows Print Spooler	0.8				1		1	Windows component
Windows Remote Desktop Client	0.8			1			1	Remote Desktop Protocol Client
Windows Routing and Remote Access Service (RRAS)	0.8			14	2		16	Windows component
Windows SMB Server	0.8				1		1	Windows component
Windows Search Service	0.8				1		1	Windows component
Windows Secure Kernel Mode	0.8				2		2	Windows component
Windows Server Setup and Boot Event Collection	0.8			1			1	Windows component
Windows Shell	0.8			1			1	Windows component
Windows Simple Search and Discovery Protocol (SSDP) Service	0.8			2	1		3	Windows component
Windows SmartScreen	0.8			1			1	SmartScreen is a cloud-based anti-phishing and anti-malware component included in several Microsoft products, including operating systems Windows 8 and later, the applications Internet Explorer, Microsoft Edge
Windows StateRepository API Server file	0.8				1		1	Windows component
Windows Storage	0.8				1		1	Windows component
Windows Storage Port Driver	0.8				1		1	Windows component
Windows Storage VSP Driver	0.8			1			1	Windows component
Windows Transport Driver Interface (TDI) Translation Driver	0.8			1	1		2	Windows component
Windows Universal Plug and Play (UPnP) Device Host	0.8			2			2	Windows component
Windows Update Service	0.8		1				1	Windows component
Windows User-Mode Driver Framework Host	0.8				1		1	Windows component
Windows Virtualization-Based Security (VBS)	0.8			1	1		2	Windows component
Windows Virtualization-Based Security (VBS) Enclave	0.8				1		1	Windows component
Windows Win32 Kernel Subsystem	0.8			1			1	Windows component
Microsoft SharePoint	0.7			2			2	Microsoft SharePoint
Microsoft Excel	0.6				2		2	MS Office product
Microsoft PowerPoint	0.6				1		1	Microsoft PowerPoint
Microsoft Word	0.6				3		3	Microsoft Word is a widely used commercial word processor developed by Microsoft. It is a component of the Microsoft Office suite of productivity software but can also be purchased as a standalone product.
Python	0.6				1		1	Python is a high-level, general-purpose programming language
Windows Hyper-V	0.6				2		2	Hardware virtualization component of the client editions of Windows NT
Azure Monitor Agent	0.5				1		1	Azure Monitor Agent
Azure Service Fabric Runtime	0.5				1		1	Azure Service Fabric Runtime
Capability Access Management Service (camsvc)	0.5				1		1	Capability Access Management Service (camsvc)
Credential Security Support Provider Protocol (CredSSP)	0.5				1		1	Credential Security Support Provider Protocol (CredSSP)
Dynamics 365 FastTrack Implementation Assets	0.5				1		1	Dynamics 365 FastTrack Implementation Assets
HID Class Driver	0.5				1		1	HID Class Driver
M365 Copilot	0.5				1		1	M365 Copilot
Microsoft Brokering File System	0.5				3		3	Microsoft Brokering File System
Microsoft Configuration Manager	0.5			1			1	Microsoft Configuration Manager
Microsoft PC Manager	0.5				2		2	Microsoft PC Manager
Microsoft SQL Server	0.5				3		3	Microsoft SQL Server
Microsoft SharePoint Server	0.5				1		1	Microsoft SharePoint Server
Microsoft Teams	0.5				2		2	Microsoft Teams
Microsoft Virtual Hard Disk	0.5				4		4	The Virtual Hard Disk (VHD) format is a publicly-available image format specification that allows encapsulation of the hard disk into an individual file.
Office Developer Platform	0.5				1		1	Office Developer Platform
Remote Desktop	0.5				1		1	Remote Desktop
Remote Desktop Licensing Service	0.5				1		1	Remote Desktop Licensing Service
SPNEGO Extended Negotiation (NEGOEX) Security Mechanism	0.5			1			1	SPNEGO Extended Negotiation (NEGOEX) Security Mechanism
Universal Print Management Service	0.5				1		1	Universal Print Management Service
Visual Studio Code Python Extension	0.5				1		1	Visual Studio Code Python Extension
Workspace Broker	0.5				1		1	Workspace Broker
Git	0.4				5		5	Git
Microsoft MPEG-2 Video Extension	0.4				2		2	This extension helps video apps installed on Windows 10, such as Microsoft Movies & TV, to play MPEG-1 and MPEG-2 videos.
Visual Studio	0.3				1		1	Integrated development environment

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0			33	15		48
Arbitrary File Writing	0.95				1		1
Security Feature Bypass	0.9			5	5		10
Elevation of Privilege	0.85		1	24	29		54
Information Disclosure	0.83			2	17		19
Denial of Service	0.7			1	4		5
Incorrect Calculation	0.5				3		3
Memory Corruption	0.5		1		4		5
Spoofing	0.4				6		6
Tampering	0.3				1		1

Source	U	C	H	M	L	A
MS PT Extended		1	3	11		15
Qualys		1	17	22		40
Tenable			5	2		7
Rapid7			3	1		4
ZDI			3	1		4

Urgent (0)

Critical (2)

1. Memory Corruption - Chromium (CVE-2025-6554) - Critical [639]

Description: Chromium: CVE-2025-6554 Type Confusion in V8

MS PT Extended: CVE-2025-6554 was published before July 2025 Patch Tuesday from 2025-06-11 to 2025-07-07

2. Elevation of Privilege - Windows Update Service (CVE-2025-48799) - Critical [606]

Description: Windows Update Service Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-47987 is an elevation of privilege vulnerability in the Credential Security Support Provider Protocol (CredSSP). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-47978 is a security feature bypass vulnerability in Windows Kerberos. An out-of-bounds read flaw could allow an authenticated attacker to deny service over a network. CVE-2025-48799 is an elevation of privilege vulnerability in the Windows Update Service. Improper link resolution before file access may allow an authenticated attacker to elevate privileges locally. CVE-2025-48800, CVE-2025-48804, and CVE-2025-48818 are security feature bypass vulnerabilities in BitLocker. Upon successful exploitation, an attacker could bypass the BitLocker Device Encryption feature on the system storage device. CVE-2025-49701 is a remote code execution vulnerability in Microsoft SharePoint. An improper authorization flaw could allow an authenticated attacker to execute code over a network. CVE-2025-49718 is an information disclosure vulnerability in Microsoft SQL Server. An unauthenticated attacker may exploit the vulnerability to disclose information over a network. CVE-2025-49724 is a remote code execution vulnerability in the Windows Connected Devices Platform Service. An unauthenticated attacker may exploit the vulnerability to achieve remote code execution. CVE-2025-49727 is an elevation of privilege vulnerability in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-49744 is an elevation of privilege vulnerability in the Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

Qualys: Microsoft July 2025 Patch Tuesday Mitigations As a first set of our mitigant signature set, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and  CVE-2025-47986. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, our mitigants modify configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V. Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set. The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

High (65)

3. Remote Code Execution - Microsoft Edge (CVE-2025-49713) - High [466]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

MS PT Extended: CVE-2025-49713 was published before July 2025 Patch Tuesday from 2025-06-11 to 2025-07-07

Qualys: Microsoft July 2025 Patch Tuesday Mitigations As a first set of our mitigant signature set, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and  CVE-2025-47986. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, our mitigants modify configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V. Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set. The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

4. Remote Code Execution - Windows Connected Devices Platform Service (CVE-2025-49724) - High [466]

Description: Windows Connected Devices Platform Service Remote Code Execution Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-47987 is an elevation of privilege vulnerability in the Credential Security Support Provider Protocol (CredSSP). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-47978 is a security feature bypass vulnerability in Windows Kerberos. An out-of-bounds read flaw could allow an authenticated attacker to deny service over a network. CVE-2025-48799 is an elevation of privilege vulnerability in the Windows Update Service. Improper link resolution before file access may allow an authenticated attacker to elevate privileges locally. CVE-2025-48800, CVE-2025-48804, and CVE-2025-48818 are security feature bypass vulnerabilities in BitLocker. Upon successful exploitation, an attacker could bypass the BitLocker Device Encryption feature on the system storage device. CVE-2025-49701 is a remote code execution vulnerability in Microsoft SharePoint. An improper authorization flaw could allow an authenticated attacker to execute code over a network. CVE-2025-49718 is an information disclosure vulnerability in Microsoft SQL Server. An unauthenticated attacker may exploit the vulnerability to disclose information over a network. CVE-2025-49724 is a remote code execution vulnerability in the Windows Connected Devices Platform Service. An unauthenticated attacker may exploit the vulnerability to achieve remote code execution. CVE-2025-49727 is an elevation of privilege vulnerability in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-49744 is an elevation of privilege vulnerability in the Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

Qualys: CVE-2025-49724: Windows Connected Devices Platform Service Remote Code Execution Vulnerability This vulnerability has a CVSS: 3.1 8.8 / 7.7 Policy Audit Control IDs (CIDs): 30756 Status of the ‘Nearby sharing’ setting (CdpSessionUserAuthzPolicy) 30757 Status of the ‘Nearby sharing’ setting (NearShareChannelUserAuthzPolicy) The following QQL will return a posture assessment for the CIDs for this Patch Tuesday: control.id: [30756, 30757]

Qualys: Microsoft July 2025 Patch Tuesday Mitigations As a first set of our mitigant signature set, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and  CVE-2025-47986. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, our mitigants modify configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V. Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set. The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

Tenable: CVE-2025-49724 | Windows Connected Devices Platform Service Remote Code Execution Vulnerability

Tenable: CVE-2025-49724 is a RCE vulnerability in the Windows Connected Devices Platform Service. It was assigned a CVSSv3 score of 8.8 and is rated important. An unauthenticated, remote attacker could exploit this vulnerability by sending specially crafted data packets to a system with the “Nearby Sharing” feature enabled. Microsoft’s advisory notes that the “Nearby Sharing” feature is not enabled by default.

5. Remote Code Execution - Windows KDC Proxy Service (KPSSVC) (CVE-2025-49735) - High [454]

Description: Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability

Qualys: CVE-2025-49735: Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability The KDC (Key Distribution Center) Proxy service in Windows allows clients to authenticate to an Active Directory domain when they don’t have direct network access to a Domain Controller, typically for remote access scenarios like Azure Virtual Desktop. It acts as a relay for Kerberos authentication traffic, encapsulating Kerberos messages within HTTPS requests sent over the internet. A use-after-free flaw in Windows KDC Proxy Service (KPSSVC) could allow an unauthenticated attacker to achieve remote code execution.

Tenable: CVE-2025-49735 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability

Tenable: CVE-2025-49735 is an RCE vulnerability affecting Windows Kerberos Key Distribution Center (KDC) proxy service, an authentication mechanism used for KDC servers over HTTPS. It was assigned a CVSSv3 score of 8.1 and rated critical. An unauthenticated attacker could exploit this vulnerability utilizing a crafted application to exploit a cryptographic protocol vulnerability in order to execute arbitrary code.

Rapid7: Anyone who has been responsible for securing a Windows KDC Proxy server for more than a month can rely on their past experience today when addressing CVE-2025-49735, since this unauthenticated critical RCE appears to be very similar to last month’s CVE-2025-33071.

6. Remote Code Execution - Microsoft SharePoint (CVE-2025-49704) - High [449]

Description: Microsoft SharePoint Remote Code Execution Vulnerability

Qualys: CVE-2025-49704: Microsoft SharePoint Remote Code Execution Vulnerability A code injection flaw in Microsoft Office SharePoint could allow an authenticated attacker to execute code over a network.

Tenable: CVE-2025-49701 and CVE-2025-49704 | Microsoft SharePoint Remote Code Execution Vulnerability

Tenable: CVE-2025-49701 and CVE-2025-49704 are RCE vulnerabilities in Microsoft SharePoint. They were both assigned a CVSSv3 score of 8.8 and CVE-2025-49704 was rated as critical while CVE-2025-49701 was rated as important. To exploit these flaws, an attacker would need to be authenticated with Site Owner privileges at minimum. Once authenticated, an attacker could write arbitrary code to a vulnerable SharePoint Server to gain RCE.

Tenable: So far in 2025, there have been 16 vulnerabilities disclosed in Microsoft SharePoint, including CVE-2025-49706, a spoofing flaw that was disclosed alongside CVE-2025-49701 and CVE-2025-49704. There were 20 SharePoint vulnerabilities in 2024, 25 in 2023, and 20 in 2022.

Rapid7: SharePoint admins will be familiar with a certain class of vulnerability where an attacker with some level of existing SharePoint privilege can overstep a security boundary and remotely execute code on the SharePoint server itself. Today’s edition is CVE-2025-49704, which has some unusual characteristics: the FAQ claims that there is no requirement for elevated privileges, but also claims that the minimum privilege level required for exploitation is Site Owner. There’s probably a good explanation for this apparent discrepancy, but since attack complexity is low, it’s best to patch first and ask questions later.

ZDI: CVE-2025-49704 - Microsoft SharePoint Remote Code Execution Vulnerability. This bug originates from Pwn2Own Berlin and was used as a part of a chain by the Viettel Cyber Security team to exploit SharePoint and win $100,000. This particular bug allowed code injection over the network. On its own, it requires some level of authentication. However, at the contest, the team paired it with an authentication bypass bug to evade this requirement. Their demonstration shows how authentication alone cannot be trusted to protect from attacks.

7. Remote Code Execution - Microsoft Office (CVE-2025-49702) - High [442]

Description: Microsoft Office Remote Code Execution Vulnerability

Qualys: CVE-2025-49702: Microsoft Office Remote Code Execution Vulnerability A type confusion flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.

8. Remote Code Execution - Windows Hyper-V Discrete Device Assignment (DDA) (CVE-2025-48822) - High [442]

Description: Windows Hyper-V Discrete Device Assignment (DDA) Remote Code Execution Vulnerability

Qualys: CVE-2025-48822: Windows Hyper-V Discrete Device Assignment (DDA) Remote Code Execution Vulnerability Hyper-V Discrete Device Assignment (DDA), also known as PCI passthrough, allows you to give a virtual machine (VM) direct access to a physical PCI Express (PCIe) device on the host machine. This enables the VM to utilize the device at near-native performance, bypassing the hypervisor’s virtualization layer. An out-of-bounds read flaw in Windows Hyper-V could allow an unauthenticated attacker to achieve remote code execution.

Qualys: Microsoft July 2025 Patch Tuesday Mitigations As a first set of our mitigant signature set, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and  CVE-2025-47986. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, our mitigants modify configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V. Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set. The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

9. Remote Code Execution - Windows Miracast Wireless Display (CVE-2025-49691) - High [442]

Description: Windows Miracast Wireless Display Remote Code Execution Vulnerability

10. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-47998) - High [442]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

11. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-48824) - High [442]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

12. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49657) - High [442]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

13. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49663) - High [442]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

14. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49668) - High [442]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

15. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49669) - High [442]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

16. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49672) - High [442]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

17. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49673) - High [442]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

18. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49674) - High [442]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

19. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49676) - High [442]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

20. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49688) - High [442]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

21. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49729) - High [442]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

22. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49753) - High [442]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

23. Remote Code Execution - Microsoft SharePoint (CVE-2025-49701) - High [438]

Description: Microsoft SharePoint Remote Code Execution Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-47987 is an elevation of privilege vulnerability in the Credential Security Support Provider Protocol (CredSSP). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-47978 is a security feature bypass vulnerability in Windows Kerberos. An out-of-bounds read flaw could allow an authenticated attacker to deny service over a network. CVE-2025-48799 is an elevation of privilege vulnerability in the Windows Update Service. Improper link resolution before file access may allow an authenticated attacker to elevate privileges locally. CVE-2025-48800, CVE-2025-48804, and CVE-2025-48818 are security feature bypass vulnerabilities in BitLocker. Upon successful exploitation, an attacker could bypass the BitLocker Device Encryption feature on the system storage device. CVE-2025-49701 is a remote code execution vulnerability in Microsoft SharePoint. An improper authorization flaw could allow an authenticated attacker to execute code over a network. CVE-2025-49718 is an information disclosure vulnerability in Microsoft SQL Server. An unauthenticated attacker may exploit the vulnerability to disclose information over a network. CVE-2025-49724 is a remote code execution vulnerability in the Windows Connected Devices Platform Service. An unauthenticated attacker may exploit the vulnerability to achieve remote code execution. CVE-2025-49727 is an elevation of privilege vulnerability in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-49744 is an elevation of privilege vulnerability in the Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

Tenable: CVE-2025-49701 and CVE-2025-49704 | Microsoft SharePoint Remote Code Execution Vulnerability

Tenable: CVE-2025-49701 and CVE-2025-49704 are RCE vulnerabilities in Microsoft SharePoint. They were both assigned a CVSSv3 score of 8.8 and CVE-2025-49704 was rated as critical while CVE-2025-49701 was rated as important. To exploit these flaws, an attacker would need to be authenticated with Site Owner privileges at minimum. Once authenticated, an attacker could write arbitrary code to a vulnerable SharePoint Server to gain RCE.

Tenable: So far in 2025, there have been 16 vulnerabilities disclosed in Microsoft SharePoint, including CVE-2025-49706, a spoofing flaw that was disclosed alongside CVE-2025-49701 and CVE-2025-49704. There were 20 SharePoint vulnerabilities in 2024, 25 in 2023, and 20 in 2022.

24. Remote Code Execution - Windows Kernel (CVE-2025-46334) - High [435]

Description: Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

25. Remote Code Execution - Chromium (CVE-2025-5959) - High [430]

Description: Type Confusion in V8 in Google Chrome prior to 137.0.7151.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

MS PT Extended: CVE-2025-5959 was published before July 2025 Patch Tuesday from 2025-06-11 to 2025-07-07

26. Remote Code Execution - Microsoft Office (CVE-2025-49695) - High [430]

Description: Microsoft Office Remote Code Execution Vulnerability

Qualys: CVE-2025-49695: Microsoft Office Remote Code Execution Vulnerability The use-after-free vulnerability in Microsoft Office may allow an unauthenticated attacker to achieve remote code execution.

ZDI: CVE-2025-49695 - Microsoft Office Remote Code Execution Vulnerability. This is one of four Critical-rated Office bugs in this release, and all of them have the Preview Pane listed as an attack vector. This is the third month in a row with Critical-rated Office bugs, which is a disturbing trend. There is either a wealth of these bugs to be found, or the patches can be easily bypassed. Either way, Mac users are out of luck since updates for Microsoft Office LTSC for Mac 2021 and 2024 are not available yet. Perhaps it’s time to consider disabling the Preview Pane until Microsoft sorts some of these problems out.

27. Remote Code Execution - Microsoft Office (CVE-2025-49696) - High [430]

Description: Microsoft Office Remote Code Execution Vulnerability

Qualys: CVE-2025-49696: Microsoft Office Remote Code Execution Vulnerability An out-of-bounds read flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.

28. Remote Code Execution - Microsoft Office (CVE-2025-49697) - High [430]

Description: Microsoft Office Remote Code Execution Vulnerability

Qualys: CVE-2025-49697: Microsoft Office Remote Code Execution Vulnerability The heap-based buffer overflow flaw in Microsoft Office may allow an unauthenticated attacker to achieve remote code execution.

29. Remote Code Execution - Windows Graphics Component (CVE-2025-49742) - High [430]

Description: Windows Graphics Component Remote Code Execution Vulnerability

30. Remote Code Execution - Windows Remote Desktop Client (CVE-2025-48817) - High [430]

Description: Remote Desktop Client Remote Code Execution Vulnerability

31. Remote Code Execution - Windows Server Setup and Boot Event Collection (CVE-2025-49666) - High [430]

Description: Windows Server Setup and Boot Event Collection Remote Code Execution Vulnerability

32. Remote Code Execution - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism (CVE-2025-47981) - High [428]

Description: SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability

Qualys: CVE-2025-47981: SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability SPNEGO is an Internet standard for a client and server to negotiate which Generic Security Service Application Program Interface (GSSAPI) technology will be used for authentication. A heap-based buffer overflow flaw in Windows SPNEGO Extended Negotiation may allow an unauthenticated attacker to achieve remote code execution. An attacker could exploit this vulnerability by sending a malicious message to the server.

Qualys: CVE-2025-47981: SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability This vulnerability has a CVSS: 3.1 9.8 / 8.5 Policy Audit Control IDs (CIDs): 5267 Status of the ‘Network security: Allow PKU2U authentication requests to this computer to use online identities’ setting The following QQL will return a posture assessment for the CIDs for this Patch Tuesday: control.id: [5267]

Tenable: CVE-2025-47981 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability

Tenable: CVE-2025-47981 is a RCE in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. It was assigned a CVSSv3 score of 9.8 and is rated critical. It is assessed as "Exploitation More Likely." An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted message to a vulnerable server. Successful exploitation could grant an attacker RCE privileges. Microsoft states that this vulnerability only affects Windows machines 10 version 1607 and above because of a specific group policy object (GPO) enabled by default in these versions, Network security: Allow PKU2U authentication requests to this computer to use online identities.

Tenable: This is only the third vulnerability in SPNEGO NEGOEX since 2022, but it is the second in 2025, as CVE-2025-21295 was addressed in the January 2025 Patch Tuesday release. Both CVE-2025-47981 and CVE-2025-21295 were disclosed by security researcher Yuki Chen.

Rapid7: Any vulnerability with a CVSSv3 base score of 9.8 is worth a look, so let’s consider CVE-2025-47981, which is a remote code execution vulnerability in the way Windows servers and clients negotiate to discover mutually supported authentication mechanisms. The optimistically named Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) is a generic capability defined in RFC-4178; SPNEGO is implemented in Windows alongside a significant Microsoft-specific extension of its capabilities called NEGOX; the flaw is in NEGOX, and the advisory FAQ sets out that the vulnerability affects any Windows client machine running Windows 10 1607 or above. Patches are also available for all current versions of Windows Server, although Windows Server assets might not be immediately exploitable, since the “Network security: Allow PKU2U authentication requests to this computer to use online identities” GPO is typically only enabled on Windows client assets. Domain-joined client assets might also possess a similar mitigation, since the relevant GPO is typically disabled in that context. Nevertheless, patching is surely advisable for all Windows assets, since this is a pre-authentication remote code execution, and presumably in a privileged context. Unsurprisingly, Microsoft considers exploitation more likely.

ZDI: CVE-2025-47981 - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability. This heap-based buffer overflow impacts the Windows SPNEGO Extended Negotiation component and allows remote, unauthenticated attackers to execute code simply by sending a malicious message to an affected system. Since there’s no user interaction, and since the code executes with elevated privileges, this bug falls into the wormable class of bugs. Microsoft also gives this its highest exploitability index rating, which means they expect attacks within 30 days. Definitely test and deploy these patches quickly.

33. Elevation of Privilege - Microsoft Office (CVE-2025-47994) - High [427]

Description: Microsoft Office Elevation of Privilege Vulnerability

34. Elevation of Privilege - Windows Universal Plug and Play (UPnP) Device Host (CVE-2025-48819) - High [427]

Description: Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability

35. Elevation of Privilege - Windows Universal Plug and Play (UPnP) Device Host (CVE-2025-48821) - High [427]

Description: Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability

36. Security Feature Bypass - Windows SmartScreen (CVE-2025-49740) - High [425]

Description: Windows SmartScreen Security Feature Bypass Vulnerability

37. Elevation of Privilege - Windows TCP/IP Driver (CVE-2025-49686) - High [420]

Description: Windows TCP/IP Driver Elevation of Privilege Vulnerability

38. Elevation of Privilege - Windows Win32k (CVE-2025-49733) - High [420]

Description: Win32k Elevation of Privilege Vulnerability

39. Remote Code Execution - Microsoft Office (CVE-2025-49699) - High [419]

Description: Microsoft Office Remote Code Execution Vulnerability

40. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49670) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

41. Elevation of Privilege - Windows Input Method Editor (IME) (CVE-2025-49687) - High [416]

Description: Windows Input Method Editor (IME) Elevation of Privilege Vulnerability

42. Elevation of Privilege - Windows Shell (CVE-2025-49679) - High [416]

Description: Windows Shell Elevation of Privilege Vulnerability

43. Elevation of Privilege - Windows Simple Search and Discovery Protocol (SSDP) Service (CVE-2025-48815) - High [416]

Description: Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability

Qualys: Microsoft July 2025 Patch Tuesday Mitigations As a first set of our mitigant signature set, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and  CVE-2025-47986. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, our mitigants modify configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V. Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set. The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

44. Remote Code Execution - Microsoft Configuration Manager (CVE-2025-47178) - High [416]

Description: Microsoft Configuration Manager Remote Code Execution Vulnerability

45. Denial of Service - Windows Netlogon (CVE-2025-49716) - High [413]

Description: Windows Netlogon Denial of Service Vulnerability

46. Security Feature Bypass - BitLocker (CVE-2025-48003) - High [413]

Description: BitLocker Security Feature Bypass Vulnerability

47. Security Feature Bypass - BitLocker (CVE-2025-48800) - High [413]

Description: BitLocker Security Feature Bypass Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-47987 is an elevation of privilege vulnerability in the Credential Security Support Provider Protocol (CredSSP). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-47978 is a security feature bypass vulnerability in Windows Kerberos. An out-of-bounds read flaw could allow an authenticated attacker to deny service over a network. CVE-2025-48799 is an elevation of privilege vulnerability in the Windows Update Service. Improper link resolution before file access may allow an authenticated attacker to elevate privileges locally. CVE-2025-48800, CVE-2025-48804, and CVE-2025-48818 are security feature bypass vulnerabilities in BitLocker. Upon successful exploitation, an attacker could bypass the BitLocker Device Encryption feature on the system storage device. CVE-2025-49701 is a remote code execution vulnerability in Microsoft SharePoint. An improper authorization flaw could allow an authenticated attacker to execute code over a network. CVE-2025-49718 is an information disclosure vulnerability in Microsoft SQL Server. An unauthenticated attacker may exploit the vulnerability to disclose information over a network. CVE-2025-49724 is a remote code execution vulnerability in the Windows Connected Devices Platform Service. An unauthenticated attacker may exploit the vulnerability to achieve remote code execution. CVE-2025-49727 is an elevation of privilege vulnerability in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-49744 is an elevation of privilege vulnerability in the Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

48. Information Disclosure - Windows GDI (CVE-2025-47984) - High [412]

Description: Windows GDI Information Disclosure Vulnerability

49. Elevation of Privilege - Kernel Streaming WOW Thunk Service Driver (CVE-2025-49675) - High [404]

Description: Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability

50. Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2025-49661) - High [404]

Description: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

51. Elevation of Privilege - Windows AppX Deployment Service (CVE-2025-48820) - High [404]

Description: Windows AppX Deployment Service Elevation of Privilege Vulnerability

52. Elevation of Privilege - Windows Event Tracing (CVE-2025-47985) - High [404]

Description: Windows Event Tracing Elevation of Privilege Vulnerability

53. Elevation of Privilege - Windows Event Tracing (CVE-2025-49660) - High [404]

Description: Windows Event Tracing Elevation of Privilege Vulnerability

54. Elevation of Privilege - Windows Fast FAT File System Driver (CVE-2025-49721) - High [404]

Description: Windows Fast FAT File System Driver Elevation of Privilege Vulnerability

Qualys: Microsoft July 2025 Patch Tuesday Mitigations As a first set of our mitigant signature set, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and  CVE-2025-47986. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, our mitigants modify configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V. Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set. The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

55. Elevation of Privilege - Windows Graphics Component (CVE-2025-49732) - High [404]

Description: Windows Graphics Component Elevation of Privilege Vulnerability

56. Elevation of Privilege - Windows Input Method Editor (IME) (CVE-2025-47972) - High [404]

Description: Windows Input Method Editor (IME) Elevation of Privilege Vulnerability

57. Elevation of Privilege - Windows MBT Transport Driver (CVE-2025-47996) - High [404]

Description: Windows MBT Transport Driver Elevation of Privilege Vulnerability

58. Elevation of Privilege - Windows Notification (CVE-2025-49725) - High [404]

Description: Windows Notification Elevation of Privilege Vulnerability

59. Elevation of Privilege - Windows Notification (CVE-2025-49726) - High [404]

Description: Windows Notification Elevation of Privilege Vulnerability

60. Elevation of Privilege - Windows Simple Search and Discovery Protocol (SSDP) Service (CVE-2025-47976) - High [404]

Description: Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability

Qualys: Microsoft July 2025 Patch Tuesday Mitigations As a first set of our mitigant signature set, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and  CVE-2025-47986. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, our mitigants modify configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V. Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set. The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

61. Elevation of Privilege - Windows Storage VSP Driver (CVE-2025-47982) - High [404]

Description: Windows Storage VSP Driver Elevation of Privilege Vulnerability

62. Elevation of Privilege - Windows Transport Driver Interface (TDI) Translation Driver (CVE-2025-49659) - High [404]

Description: Windows Transport Driver Interface (TDI) Translation Driver Elevation of Privilege Vulnerability

63. Elevation of Privilege - Windows Virtualization-Based Security (VBS) (CVE-2025-47159) - High [404]

Description: Windows Virtualization-Based Security (VBS) Elevation of Privilege Vulnerability

64. Elevation of Privilege - Windows Win32 Kernel Subsystem (CVE-2025-49667) - High [404]

Description: Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability

65. Security Feature Bypass - BitLocker (CVE-2025-48001) - High [401]

Description: BitLocker Security Feature Bypass Vulnerability

66. Security Feature Bypass - BitLocker (CVE-2025-48818) - High [401]

Description: BitLocker Security Feature Bypass Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-47987 is an elevation of privilege vulnerability in the Credential Security Support Provider Protocol (CredSSP). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-47978 is a security feature bypass vulnerability in Windows Kerberos. An out-of-bounds read flaw could allow an authenticated attacker to deny service over a network. CVE-2025-48799 is an elevation of privilege vulnerability in the Windows Update Service. Improper link resolution before file access may allow an authenticated attacker to elevate privileges locally. CVE-2025-48800, CVE-2025-48804, and CVE-2025-48818 are security feature bypass vulnerabilities in BitLocker. Upon successful exploitation, an attacker could bypass the BitLocker Device Encryption feature on the system storage device. CVE-2025-49701 is a remote code execution vulnerability in Microsoft SharePoint. An improper authorization flaw could allow an authenticated attacker to execute code over a network. CVE-2025-49718 is an information disclosure vulnerability in Microsoft SQL Server. An unauthenticated attacker may exploit the vulnerability to disclose information over a network. CVE-2025-49724 is a remote code execution vulnerability in the Windows Connected Devices Platform Service. An unauthenticated attacker may exploit the vulnerability to achieve remote code execution. CVE-2025-49727 is an elevation of privilege vulnerability in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-49744 is an elevation of privilege vulnerability in the Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

67. Information Disclosure - Microsoft Edge (CVE-2025-49741) - High [400]

Description: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

MS PT Extended: CVE-2025-49741 was published before July 2025 Patch Tuesday from 2025-06-11 to 2025-07-07

Qualys: Microsoft July 2025 Patch Tuesday Mitigations As a first set of our mitigant signature set, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and  CVE-2025-47986. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, our mitigants modify configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V. Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set. The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

Medium (85)

68. Information Disclosure - Microsoft SQL Server (CVE-2025-49718) - Medium [398]

Description: Microsoft SQL Server Information Disclosure Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-47987 is an elevation of privilege vulnerability in the Credential Security Support Provider Protocol (CredSSP). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-47978 is a security feature bypass vulnerability in Windows Kerberos. An out-of-bounds read flaw could allow an authenticated attacker to deny service over a network. CVE-2025-48799 is an elevation of privilege vulnerability in the Windows Update Service. Improper link resolution before file access may allow an authenticated attacker to elevate privileges locally. CVE-2025-48800, CVE-2025-48804, and CVE-2025-48818 are security feature bypass vulnerabilities in BitLocker. Upon successful exploitation, an attacker could bypass the BitLocker Device Encryption feature on the system storage device. CVE-2025-49701 is a remote code execution vulnerability in Microsoft SharePoint. An improper authorization flaw could allow an authenticated attacker to execute code over a network. CVE-2025-49718 is an information disclosure vulnerability in Microsoft SQL Server. An unauthenticated attacker may exploit the vulnerability to disclose information over a network. CVE-2025-49724 is a remote code execution vulnerability in the Windows Connected Devices Platform Service. An unauthenticated attacker may exploit the vulnerability to achieve remote code execution. CVE-2025-49727 is an elevation of privilege vulnerability in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-49744 is an elevation of privilege vulnerability in the Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

69. Elevation of Privilege - Windows Win32k (CVE-2025-49727) - Medium [397]

Description: Win32k Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-47987 is an elevation of privilege vulnerability in the Credential Security Support Provider Protocol (CredSSP). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-47978 is a security feature bypass vulnerability in Windows Kerberos. An out-of-bounds read flaw could allow an authenticated attacker to deny service over a network. CVE-2025-48799 is an elevation of privilege vulnerability in the Windows Update Service. Improper link resolution before file access may allow an authenticated attacker to elevate privileges locally. CVE-2025-48800, CVE-2025-48804, and CVE-2025-48818 are security feature bypass vulnerabilities in BitLocker. Upon successful exploitation, an attacker could bypass the BitLocker Device Encryption feature on the system storage device. CVE-2025-49701 is a remote code execution vulnerability in Microsoft SharePoint. An improper authorization flaw could allow an authenticated attacker to execute code over a network. CVE-2025-49718 is an information disclosure vulnerability in Microsoft SQL Server. An unauthenticated attacker may exploit the vulnerability to disclose information over a network. CVE-2025-49724 is a remote code execution vulnerability in the Windows Connected Devices Platform Service. An unauthenticated attacker may exploit the vulnerability to achieve remote code execution. CVE-2025-49727 is an elevation of privilege vulnerability in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-49744 is an elevation of privilege vulnerability in the Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

70. Remote Code Execution - Microsoft Excel (CVE-2025-49711) - Medium [397]

Description: Microsoft Excel Remote Code Execution Vulnerability

71. Remote Code Execution - Microsoft PowerPoint (CVE-2025-49705) - Medium [397]

Description: Microsoft PowerPoint Remote Code Execution Vulnerability

72. Remote Code Execution - Microsoft Word (CVE-2025-49698) - Medium [397]

Description: Microsoft Word Remote Code Execution Vulnerability

Qualys: CVE-2025-49698 & CVE-2025-49703: Microsoft Word Remote Code Execution Vulnerability The use-after-free vulnerability in Microsoft Office Word may allow an unauthenticated attacker to achieve remote code execution.

73. Remote Code Execution - Microsoft Word (CVE-2025-49700) - Medium [397]

Description: Microsoft Word Remote Code Execution Vulnerability

74. Remote Code Execution - Microsoft Word (CVE-2025-49703) - Medium [397]

Description: Microsoft Word Remote Code Execution Vulnerability

Qualys: CVE-2025-49698 & CVE-2025-49703: Microsoft Word Remote Code Execution Vulnerability The use-after-free vulnerability in Microsoft Office Word may allow an unauthenticated attacker to achieve remote code execution.

75. Information Disclosure - Windows Kernel (CVE-2025-48808) - Medium [393]

Description: Windows Kernel Information Disclosure Vulnerability

76. Elevation of Privilege - Microsoft Windows QoS Scheduler Driver (CVE-2025-49730) - Medium [392]

Description: Microsoft Windows QoS Scheduler Driver Elevation of Privilege Vulnerability

77. Elevation of Privilege - Windows Connected Devices Platform Service (CVE-2025-48000) - Medium [392]

Description: Windows Connected Devices Platform Service Elevation of Privilege Vulnerability

Qualys: Microsoft July 2025 Patch Tuesday Mitigations As a first set of our mitigant signature set, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and  CVE-2025-47986. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, our mitigants modify configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V. Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set. The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

78. Elevation of Privilege - Windows Graphics Component (CVE-2025-49744) - Medium [392]

Description: Windows Graphics Component Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-47987 is an elevation of privilege vulnerability in the Credential Security Support Provider Protocol (CredSSP). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-47978 is a security feature bypass vulnerability in Windows Kerberos. An out-of-bounds read flaw could allow an authenticated attacker to deny service over a network. CVE-2025-48799 is an elevation of privilege vulnerability in the Windows Update Service. Improper link resolution before file access may allow an authenticated attacker to elevate privileges locally. CVE-2025-48800, CVE-2025-48804, and CVE-2025-48818 are security feature bypass vulnerabilities in BitLocker. Upon successful exploitation, an attacker could bypass the BitLocker Device Encryption feature on the system storage device. CVE-2025-49701 is a remote code execution vulnerability in Microsoft SharePoint. An improper authorization flaw could allow an authenticated attacker to execute code over a network. CVE-2025-49718 is an information disclosure vulnerability in Microsoft SQL Server. An unauthenticated attacker may exploit the vulnerability to disclose information over a network. CVE-2025-49724 is a remote code execution vulnerability in the Windows Connected Devices Platform Service. An unauthenticated attacker may exploit the vulnerability to achieve remote code execution. CVE-2025-49727 is an elevation of privilege vulnerability in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-49744 is an elevation of privilege vulnerability in the Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

79. Elevation of Privilege - Windows Input Method Editor (IME) (CVE-2025-47991) - Medium [392]

Description: Windows Input Method Editor (IME) Elevation of Privilege Vulnerability

80. Elevation of Privilege - Windows Media (CVE-2025-49682) - Medium [392]

Description: Windows Media Elevation of Privilege Vulnerability

81. Remote Code Execution - Azure Monitor Agent (CVE-2025-47988) - Medium [392]

Description: Azure Monitor Agent Remote Code Execution Vulnerability

82. Remote Code Execution - Visual Studio Code Python Extension (CVE-2025-49714) - Medium [392]

Description: Visual Studio Code Python Extension Remote Code Execution Vulnerability

Qualys: Microsoft July 2025 Patch Tuesday Mitigations As a first set of our mitigant signature set, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and  CVE-2025-47986. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, our mitigants modify configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V. Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set. The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

83. Denial of Service - Windows Print Spooler (CVE-2025-49722) - Medium [389]

Description: Windows Print Spooler Denial of Service Vulnerability

84. Security Feature Bypass - BitLocker (CVE-2025-48804) - Medium [389]

Description: BitLocker Security Feature Bypass Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-47987 is an elevation of privilege vulnerability in the Credential Security Support Provider Protocol (CredSSP). Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-47978 is a security feature bypass vulnerability in Windows Kerberos. An out-of-bounds read flaw could allow an authenticated attacker to deny service over a network. CVE-2025-48799 is an elevation of privilege vulnerability in the Windows Update Service. Improper link resolution before file access may allow an authenticated attacker to elevate privileges locally. CVE-2025-48800, CVE-2025-48804, and CVE-2025-48818 are security feature bypass vulnerabilities in BitLocker. Upon successful exploitation, an attacker could bypass the BitLocker Device Encryption feature on the system storage device. CVE-2025-49701 is a remote code execution vulnerability in Microsoft SharePoint. An improper authorization flaw could allow an authenticated attacker to execute code over a network. CVE-2025-49718 is an information disclosure vulnerability in Microsoft SQL Server. An unauthenticated attacker may exploit the vulnerability to disclose information over a network. CVE-2025-49724 is a remote code execution vulnerability in the Windows Connected Devices Platform Service. An unauthenticated attacker may exploit the vulnerability to achieve remote code execution. CVE-2025-49727 is an elevation of privilege vulnerability in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-49744 is an elevation of privilege vulnerability in the Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

85. Information Disclosure - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49671) - Medium [388]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability

86. Information Disclosure - Windows Routing and Remote Access Service (RRAS) (CVE-2025-49681) - Medium [388]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability

87. Remote Code Execution - Git (CVE-2025-48385) - Medium [388]

Description: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

88. Remote Code Execution - Python (CVE-2025-27614) - Medium [385]

Description: Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.

89. Remote Code Execution - Chromium (CVE-2025-6557) - Medium [383]

Description: Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

MS PT Extended: CVE-2025-6557 was published before July 2025 Patch Tuesday from 2025-06-11 to 2025-07-07

90. Information Disclosure - Windows Kernel (CVE-2025-26636) - Medium [381]

Description: Windows Kernel Information Disclosure Vulnerability

91. Elevation of Privilege - Microsoft Edge (CVE-2025-47182) - Medium [380]

Description: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

MS PT Extended: CVE-2025-47182 was published before July 2025 Patch Tuesday from 2025-06-11 to 2025-07-07

92. Elevation of Privilege - Windows NTFS (CVE-2025-49678) - Medium [380]

Description: NTFS Elevation of Privilege Vulnerability

93. Elevation of Privilege - Windows Search Service (CVE-2025-49685) - Medium [380]

Description: Windows Search Service Elevation of Privilege Vulnerability

Qualys: Microsoft July 2025 Patch Tuesday Mitigations As a first set of our mitigant signature set, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and  CVE-2025-47986. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, our mitigants modify configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V. Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set. The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

94. Elevation of Privilege - Windows Simple Search and Discovery Protocol (SSDP) Service (CVE-2025-47975) - Medium [380]

Description: Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability

Qualys: Microsoft July 2025 Patch Tuesday Mitigations As a first set of our mitigant signature set, we have Qualys-created mitigations for the following 18 vulnerabilities: CVE-2025-49693, CVE-2025-49694, CVE-2025-49677, CVE-2025-48799, CVE-2025-49685, CVE-2025-49724, CVE-2025-48000, CVE-2025-48002, CVE-2025-48822, CVE-2025-47999, CVE-2025-49714, CVE-2025-49721, CVE-2025-49713, CVE-2025-49741, CVE-2025-47975, CVE-2025-47976, CVE-2025-48815, and  CVE-2025-47986. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, our mitigants modify configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for Microsoft Office applications such as MS Outlook, Word, Excel, PowerPoint, etc. Additionally, this mitigant set mitigates vulnerabilities that affect the Microsoft Brokering File System, Universal Plug and Play (UPnP) service, Visual Studio, Remote Desktop Client, and Windows Hyper-V. Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set. The next Patch Tuesday falls on August 12, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

95. Elevation of Privilege - Windows Virtualization-Based Security (VBS) (CVE-2025-48803) - Medium [380]

Description: Windows Virtualization-Based Security (VBS) Elevation of Privilege Vulnerability

96. Elevation of Privilege - Windows Virtualization-Based Security (VBS) Enclave (CVE-2025-48811) - Medium [380]

Description: Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability

97. Remote Code Execution - Microsoft SQL Server (CVE-2025-49717) - Medium [380]

Description: Microsoft SQL Server Remote Code Execution Vulnerability

Qualys: CVE-2025-49717: Microsoft SQL Server Remote Code Execution Vulnerability A heap-based buffer overflow flaw in SQL Server may allow an authenticated attacker to achieve remote code execution.

ZDI: CVE-2025-49717 - Microsoft SQL Server Remote Code Execution Vulnerability. Speaking of heap-based buffer overflows, here’s one in SQL Server that could lead to code execution by an attacker executing a malicious query on an affected SQL Server system. They could also escape the context of the SQL Server and execute code on the host itself. Servicing this will not be easy. If you’re running your own application (or an affected third-party app) on an affected system, you will need to update your application to use Microsoft OLE DB Driver 18 or 19. The bulletin has full details, so be sure to read it carefully to ensure you have taken all steps needed to address this vulnerability fully.

98. Remote Code Execution - Microsoft Virtual Hard Disk (CVE-2025-49683) - Medium [380]

Description: Microsoft Virtual Hard Disk Remote Code Execution Vulnerability

99. Denial of Service - Windows Kerberos (CVE-2025-47978) - Medium [377]

Description: Windows Kerberos Denial of Service Vulnerability