Microsoft Patches 130 Vulnerabilities, Including Critical Flaws in SPNEGO and SQL Server

The Hacker News | Published: July 9, 2025 | Updated: July 9, 2025

For the first time in 2025, Microsoft’s Patch Tuesday updates did not bundle fixes for exploited security vulnerabilities, but acknowledged one of the addressed flaws had been publicly known.

The patches resolve a whopping 130 vulnerabilities, along with 10 other non-Microsoft CVEs that affect Visual Studio, AMD, and its Chromium-based Edge browser. Of these, 10 are rated Critical and the remaining are all rated Important in severity.

“The 11-month streak of patching at least one zero-day that was exploited in the wild ended this month,” Satnam Narang, Senior Staff Research Engineer at Tenable, said.

Fifty-three of these shortcomings are classified as privilege escalation bugs, followed by 42 as remote code execution, 17 as information disclosure, and 8 as security feature bypasses. These patches are in addition to two other flaws addressed by the company in the Edge browser since the release of last month’s Patch Tuesday update.

The vulnerability that’s listed as publicly known is an information disclosure flaw in Microsoft SQL Server (CVE-2025-49719, CVSS score: 7.5) that could permit an unauthorized attacker to leak uninitialized memory.

“An attacker might well learn nothing of any value, but with luck, persistence, or some very crafty massaging of the exploit, the prize could be cryptographic key material or other crown jewels from the SQL Server,” Adam Barnett, Lead Software Engineer at Rapid7, said in a statement.

Mike Walters, President and Co-Founder of Action1, said the flaw likely is the result of improper input validation in SQL Server’s memory management, allowing access to uninitialized memory.

“As a result, attackers could retrieve remnants of sensitive data, such as credentials or connection strings,” Walters added. “It affects both the SQL Server engine and applications using OLE DB drivers.”

The most critical flaw patched by Microsoft as part of this month’s updates concerns a case of remote code execution impacting SPNEGO Extended Negotiation (NEGOEX). Tracked as CVE-2025-47981, it carries a CVSS score of 9.8 out of 10.0.

“Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over a network,” Microsoft said in an advisory. “An attacker could exploit this vulnerability by sending a malicious message to the server, potentially leading to remote code execution.”

An anonymous researcher and Yuki Chen have been credited with discovering and repairing the flaw. Microsoft noted that the issue only impacts Windows client machines running Windows 10, version 1607 and above due to the “Network security: Allow PKU2U authentication requests to this computer to use online identities” Group Policy Object (GPO) being enabled by default.

“As always, Remote Code Execution is bad, but early analysis is suggesting that this vulnerability may be ‘wormable’ – the sort of vulnerability that could be leveraged in self-propagating malware and make many revisit trauma from the WannaCry incident,” watchTowr founder and CEO Benjamin Harris said.

“Microsoft is clear on pre-requisites here: no authentication required, just network access, and Microsoft themselves believe exploitation is ‘More Likely.’ We shouldn’t fool ourselves – if the private industry has noticed this vulnerability, it is certainly already on the radar of every attacker with an ounce of malice. Defenders need to drop everything, patch rapidly, and hunt down exposed systems.”

Other vulnerabilities of importance include remote code execution flaws impacting Windows KDC Proxy Service (CVE-2025-49735, CVSS score: 8.1), Windows Hyper-V (CVE-2025-48822, CVSS score: 8.6), and Microsoft Office (CVE-2025-49695, CVE-2025-496966, and CVE-2025-49697, CVSS scores: 8.4).

“What makes CVE-2025-49735 significant is the network exposure combined with no required privileges or user interaction. Despite its high attack complexity, the vulnerability opens the door to pre-auth remote compromise, particularly attractive to APTs and nation-state actors,” Ben McCarthy, Lead Cyber Security Engineer at Immersive, said.

“The attacker must win a race condition – a timing flaw where memory is freed and reallocated in a specific window – meaning reliability is low for now. Still, such issues can be weaponized with techniques like heap grooming, making eventual exploitation feasible.”

Elsewhere, the update closes out five security feature bypasses in BitLocker (CVE-2025-48001, CVE-2025-48003, CVE-2025-48800, CVE-2025-48804, and CVE-2025-48818, CVSS scores: 6.8) that could allow an attacker with physical access to the device to get hold of encrypted data.

“An attacker could exploit this vulnerability by loading a WinRE.wim file while the OS volume is unlocked, granting access to BitLocker encrypted data,” Microsoft said about CVE-2025-48804.

Researchers Netanel Ben Simon and Alon Leviev with Microsoft Offensive Research and Security Engineering (MORSE) have been acknowledged for reporting the five issues in the built-in disk encryption tool.

“If exploited, these flaws could expose sensitive files, credentials, or allow tampering with system integrity,” Jacob Ashdown, Cyber Security Engineer at Immersive, said. “This poses a particular risk, especially for organizations where devices may be lost or stolen, as attackers with hands-on access could potentially bypass encryption and extract sensitive data.”

It’s also worth noting that July 8, 2025, officially marks the end of the road for SQL Server 2012, which will no longer receive any future security patches with the Extended Security Update (ESU) program coming to a close.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past couple of weeks to rectify several vulnerabilities, including —

  • Adobe
  • AMD
  • Atlassian
  • Bitdefender
  • Broadcom (including VMware)
  • Cisco
  • Citrix
  • D-Link
  • Dell
  • Drupal
  • F5
  • Fortinet
  • Fortra
  • Gigabyte
  • GitLab
  • Google Chrome
  • Google Cloud
  • Grafana
  • Hikvision
  • Hitachi Energy
  • HP
  • HP Enterprise (including Aruba Networking)
  • IBM
  • Intel
  • Ivanti
  • Jenkins
  • Juniper Networks
  • Lenovo
  • Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
  • MediaTek
  • Mitsubishi Electric
  • MongoDB
  • Moxa
  • Mozilla Thunderbird
  • NVIDIA
  • OPPO
  • Palo Alto Networks
  • Progress Software
  • Qualcomm
  • Ricoh
  • Rsync
  • Ruckus Wireless
  • Samsung
  • SAP
  • Schneider Electric
  • Siemens
  • Splunk
  • Supermicro
  • Veeam
  • WordPress
  • Zimbra, and
  • Zoom