Microsoft at the moment launched updates to repair no less than 137 safety vulnerabilities in its Home windows working techniques and supported software program. Not one of the weaknesses addressed this month are identified to be actively exploited, however 14 of the issues earned Microsoft’s most-dire “crucial” score, which means they could possibly be exploited to grab management over weak Home windows PCs with little or no assist from customers.
Whereas not listed as crucial, CVE-2025-49719 is a publicly disclosed data disclosure vulnerability, with all variations way back to SQL Server 2016 receiving patches. Microsoft charges CVE-2025-49719 as much less prone to be exploited, however the availability of proof-of-concept code for this flaw means its patch ought to most likely be a precedence for affected enterprises.
Mike Walters, co-founder of Action1, mentioned CVE-2025-49719 may be exploited with out authentication, and that many third-party purposes depend upon SQL server and the affected drivers — probably introducing a supply-chain threat that extends past direct SQL Server customers.
“The potential publicity of delicate data makes this a high-priority concern for organizations dealing with priceless or regulated knowledge,” Walters mentioned. “The great nature of the affected variations, spanning a number of SQL Server releases from 2016 by means of 2022, signifies a basic challenge in how SQL Server handles reminiscence administration and enter validation.”
Adam Barnett at Rapid7 notes that at the moment is the tip of the street for SQL Server 2012, which means there will probably be no future safety patches even for crucial vulnerabilities, even in the event you’re keen to pay Microsoft for the privilege.
Barnett additionally referred to as consideration to CVE-2025-47981, a vulnerability with a CVSS rating of 9.8 (10 being the worst), a distant code execution bug in the way in which Home windows servers and purchasers negotiate to find mutually supported authentication mechanisms. This pre-authentication vulnerability impacts any Home windows consumer machine working Home windows 10 1607 or above, and all present variations of Home windows Server. Microsoft considers it extra possible that attackers will exploit this flaw.
Microsoft additionally patched no less than 4 crucial, distant code execution flaws in Workplace (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702). The primary two are each rated by Microsoft as having a better chance of exploitation, don’t require consumer interplay, and may be triggered by means of the Preview Pane.
Two extra excessive severity bugs embody CVE-2025-49740 (CVSS 8.8) and CVE-2025-47178 (CVSS 8.0); the previous is a weak point that might permit malicious recordsdata to bypass screening by Microsoft Defender SmartScreen, a built-in function of Home windows that tries to dam untrusted downloads and malicious websites.
CVE-2025-47178 includes a distant code execution flaw in Microsoft Configuration Supervisor, an enterprise device for managing, deploying, and securing computer systems, servers, and units throughout a community. Ben Hopkins at Immersive Labs mentioned this bug requires very low privileges to use, and that it’s potential for a consumer or attacker with a read-only entry position to use it.
“Exploiting this vulnerability permits an attacker to execute arbitrary SQL queries because the privileged SMS service account in Microsoft Configuration Supervisor,” Hopkins mentioned. “This entry can be utilized to govern deployments, push malicious software program or scripts to all managed units, alter configurations, steal delicate knowledge, and probably escalate to full working system code execution throughout the enterprise, giving the attacker broad management over the complete IT setting.”
Individually, Adobe has launched safety updates for a broad vary of software program, together with After Results, Adobe Audition, Illustrator, FrameMaker, and ColdFusion.
The SANS Web Storm Heart has a breakdown of every particular person patch, listed by severity. If you happen to’re accountable for administering quite a lot of Home windows techniques, it might be value maintaining a tally of AskWoody for the lowdown on any probably wonky updates (contemplating the massive variety of vulnerabilities and Home windows parts addressed this month).
If you happen to’re a Home windows house consumer, please contemplate backing up your knowledge and/or drive earlier than putting in any patches, and drop a word within the feedback in the event you encounter any issues with these updates.
