July Patch Tuesday provides 127 fixes – Sophos Information

Microsoft on Tuesday launched 127 patches affecting 14 product households. 9 of the addressed points — 4 involving Home windows, two involving 365 and Workplace, and one every involving SharePoint, SQL, and Phrase — are thought-about by Microsoft to be of Crucial severity, and 34 have a CVSS base rating of 8.0 or larger. None are identified to be beneath energetic exploit within the wild, although one (CVE-2025-49719, an Vital-severity SQL concern permitting info disclosure) is already publicly disclosed.

At patch time, 17 CVEs are judged extra prone to be exploited within the subsequent 30 days by the corporate’s estimation. This doesn’t embrace the SQL concern talked about above. Numerous of this month’s points are amenable to direct detection by Sophos protections, and we embrace info on these in a desk under.

Along with these patches, 12 Adobe Reader fixes, 4 of them thought-about to be of Crucial severity, are included within the launch. These are listed in Appendix D under. The record of advisories this month has not solely three already-patched Edge points however seven with MITRE-assigned CVEs (normally a sign that the bugs contain merchandise past Microsoft’s; on this case, GitK) regarding Visible Studio, plus two Crucial-severity CVEs issued by AMD to cowl points in sure of their processors. The fixes for the 2 AMD information-disclosure points (CVE-2025-36350, CVE-2025-36357) are addressed by making use of a patch to Home windows; although we don’t embrace these in our numbers this month, they seem in Appendix E for the comfort of these coping with Home windows Server updates.

We’re as at all times together with on the finish of this publish further appendices itemizing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base rating, and by product household; an appendix masking the advisory-style updates; and a breakout of the patches affecting the assorted Home windows Server platforms nonetheless in help.

By the numbers

• Whole CVEs: 127
• Publicly disclosed: 1
• Exploit detected: 0
• Severity
  • Crucial: 9
  • Vital: 118
• Impression
  • Elevation of Privilege: 53
  • Distant Code Execution: 41
  • Data Disclosure: 16
  • Safety Characteristic Bypass: 8
  • Denial of Service: 5
  • Spoofing: 3
  • Tampering: 1
• CVSS Base rating 9.0 or higher: 1
• CVSS Base rating 8.0 or higher: 33

Determine 1: Loads of elevation of privilege addressed in July’s patch set, however as standard the lion’s share of Crucial-severity vulnerabilities enable for distant code execution. In the meantime, tampering seems on the charts for the primary time since February

Merchandise

• Home windows: 100
• Workplace: 13 *
• 365: 12
• SharePoint: 3
• SQL: 3
• Phrase: 3
• Azure: 2
• Excel: 2
• PowerPoint: 2
• Groups: 2
• Visible Studio: 2 **
• Intune: 1
• Outlook: 1
• PC Supervisor: 1

* One patch (CVE-2025-49756) addresses an Vital-severity Safety Characteristic Bypass within the Workplace Developer Platform; for the needs of this recap, we’re merely categorizing it as “Workplace” with out together with it in 365’s depend.

** Visible Studio additionally receives the 5 MITRE-supplied CVEs famous above.

As is our customized for this record, CVEs that apply to multiple product household are counted as soon as for every household they have an effect on. We observe, by the way in which, that CVE names don’t at all times mirror affected product households carefully. Particularly, some CVEs names within the Workplace household might point out merchandise that don’t seem within the record of merchandise affected by the CVE, and vice versa.

Determine 2: You eyes don’t deceive you – that’s an excellent 100 patches for Home windows this time round

Notable July updates

Along with the problems mentioned above, quite a lot of particular objects benefit consideration.

CVE-2025-47981 — SPNEGO Prolonged Negotiation (NEGOEX) Safety Mechanism Distant Code Execution Vulnerability

Microsoft assigns this RCE flaw within the Prolonged Negotiation Safety Mechanism (NEGOEX) of the Easy and Protected GSS-API Negotiation Mechanism (SPNEGO) a Crucial severity, and the CVSS Base rating of 9.8 additional signifies that this patch is that this month’s high precedence. (And, to seal the deal, Microsoft assesses this vulnerability to be extra prone to endure energetic exploit inside the subsequent 30 days, so… the clock is ticking.) Some readers is probably not aware of the SPENGO customary, and Microsoft has background info for the curious in addition to a possible mitigation, however the primary factor to know is that this performance is enabled by default in all consumer machines operating Home windows 10 model 1607 and later. (It additionally impacts all server variations from 2008R2 onward.)

CVE-2025-49711, CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702, CVE-2025-49703, CVE-2025-49699, CVE-2025-49705 (eight CVEs)

The eight patches listed all have an effect on 365 and Workplace. Three of the eight moreover have an effect on Excel (CVE-2025-49711), Phrase (CVE-2025-49699), and PowerPoint (CVE-2025-49699, CVE-2025-49705). Sadly, all of them have an effect on Mac variations of these product households along with Home windows (and, in some circumstances, Android), and not one of the Mac patches can be found but. Microsoft recommends that doubtlessly affected customers monitor their CVE pages for eventual patch availability.

CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702, CVE-2025-49703 (5 CVEs)

The 5 365 / Workplace CVEs on this set embrace Preview Pane as a vector. (And, to spare you the scrolling, all 5 are included within the no-Mac-patches-yet group above.

Determine 3: Distant Code Execution nonetheless leads the 2025 vulnerability pack, however Elevation of Privilege crosses the 200-patch mark this month

Sophos protections

As you may each month, when you don’t wish to wait in your system to drag down Microsoft’s updates itself, you may obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe device to find out which construct of Home windows 10 or 11 you’re operating, then obtain the Cumulative Replace package deal in your particular system’s structure and construct quantity.

Appendix A: Vulnerability Impression and Severity

It is a record of July patches sorted by affect, then sub-sorted by severity. Every record is additional organized by CVE.

Elevation of Privilege (53 CVEs)

Distant Code Execution (41 CVEs)

Data Disclosure (16 CVEs)

Safety Characteristic Bypass (8 CVEs)

Denial of Service (5 CVEs)

Spoofing (3 CVEs)

Tampering (1 CVE)

Appendix B: Exploitability and CVSS

It is a record of the July CVEs judged by Microsoft to be extra prone to be exploited within the wild inside the first 30 days post-release. (No CVE amongst this month’s patches is thought to be already exploited within the wild, in order that record doesn’t seem this month.) The record is additional organized by CVE. Two Workplace objects and one Phrase merchandise extra prone to be exploited within the subsequent 30 days (CVE-2025-49695, CVE-2025-49696, CVE-2025-49698) are exploitable by way of Preview Pane, and the SPNEGO concern is, as mentioned above, susceptible in its default configuration.

It is a record of July’s CVEs with a Microsoft-assessed CVSS Base rating of 8.0 or larger. They’re organized by rating and additional sorted by CVE. For extra info on how CVSS works, please see our collection on patch prioritization schema.

Appendix C: Merchandise Affected

It is a record of July’s patches sorted by product household, then sub-sorted by severity. Every record is additional organized by CVE. Patches which might be shared amongst a number of product households are listed a number of instances, as soon as for every product household. Sure vital points for which advisories have been issued are lined in Appendix D, and points affecting Home windows Server are additional sorted in Appendix E. All CVE titles are correct as made accessible by Microsoft; for additional info on why sure merchandise might seem in titles and never product households (or vice versa), please seek the advice of Microsoft.

Home windows (100 CVEs)

Workplace (14 CVEs)

Workplace (12 CVEs)

SharePoint (3 CVEs)

SQL (3 CVEs)

Phrase (3 CVEs)

Azure (2 CVEs)

Excel (2 CVEs)

PowerPoint (2 CVEs)

Groups (2 CVEs)

Visible Studio (2 CVE)

Intune (1 CVE)

Outlook (1 CVE)

PC Supervisor (1 CVE)

Appendix D: Advisories and Different Merchandise

There are 12 Adobe Reader advisories in July’s launch, APSB25-69. Since there’s some selection in severity ranges as soon as once more this month, we’re together with that info as effectively.

There are 12 further advisories and informational releases that deserve consideration, in addition to the newest Servicing Stack updates. The MITRE points, as talked about above, are all Visible Studio patches.

Appendix E: Affected Home windows Server variations

It is a desk of the 101 CVEs within the July launch affecting 9 Home windows Server variations, 2008 by 2025. (The depend of Home windows CVEs above is 100; that depend consists of one client-side-only patch and excludes the 2 CVEs from AMD, which seem right here.) The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). Crucial-severity points are marked in pink; an “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to determine their particular publicity, as every reader’s state of affairs, particularly because it issues merchandise out of mainstream help, will fluctuate. For particular Data Base numbers, please seek the advice of Microsoft.