Sample Page Title

Microsoft on Tuesday launched 127 patches affecting 14 product households. 9 of the addressed points — 4 involving Home windows, two involving 365 and Workplace, and one every involving SharePoint, SQL, and Phrase — are thought of by Microsoft to be of Essential severity, and 34 have a CVSS base rating of 8.0 or larger. None are identified to be underneath energetic exploit within the wild, although one (CVE-2025-49719, an Vital-severity SQL difficulty permitting data disclosure) is already publicly disclosed.

At patch time, 17 CVEs are judged extra prone to be exploited within the subsequent 30 days by the corporate’s estimation. This doesn’t embody the SQL difficulty talked about above. Varied of this month’s points are amenable to direct detection by Sophos protections, and we embody data on these in a desk under.

Along with these patches, 12 Adobe Reader fixes, 4 of them thought of to be of Essential severity, are included within the launch. These are listed in Appendix D under. The listing of advisories this month has not solely three already-patched Edge points however seven with MITRE-assigned CVEs (normally a sign that the bugs contain merchandise past Microsoft’s; on this case, GitK) regarding Visible Studio, plus two Essential-severity CVEs issued by AMD to cowl points in sure of their processors. The fixes for the 2 AMD information-disclosure points (CVE-2025-36350, CVE-2025-36357) are addressed by making use of a patch to Home windows; although we don’t embody these in our numbers this month, they seem in Appendix E for the comfort of these coping with Home windows Server updates.

We’re as at all times together with on the finish of this submit further appendices itemizing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base rating, and by product household; an appendix overlaying the advisory-style updates; and a breakout of the patches affecting the varied Home windows Server platforms nonetheless in assist.

By the numbers

• Whole CVEs: 127
• Publicly disclosed: 1
• Exploit detected: 0
• Severity
  • Essential: 9
  • Vital: 118
• Affect
  • Elevation of Privilege: 53
  • Distant Code Execution: 41
  • Info Disclosure: 16
  • Safety Function Bypass: 8
  • Denial of Service: 5
  • Spoofing: 3
  • Tampering: 1
• CVSS Base rating 9.0 or better: 1
• CVSS Base rating 8.0 or better: 33

Determine 1: Loads of elevation of privilege addressed in July’s patch set, however as traditional the lion’s share of Essential-severity vulnerabilities permit for distant code execution. In the meantime, tampering seems on the charts for the primary time since February

Merchandise

• Home windows: 100
• Workplace: 13 *
• 365: 12
• SharePoint: 3
• SQL: 3
• Phrase: 3
• Azure: 2
• Excel: 2
• PowerPoint: 2
• Groups: 2
• Visible Studio: 2 **
• Intune: 1
• Outlook: 1
• PC Supervisor: 1

* One patch (CVE-2025-49756) addresses an Vital-severity Safety Function Bypass within the Workplace Developer Platform; for the needs of this recap, we’re merely categorizing it as “Workplace” with out together with it in 365’s rely.

** Visible Studio additionally receives the 5 MITRE-supplied CVEs famous above.

As is our customized for this listing, CVEs that apply to multiple product household are counted as soon as for every household they have an effect on. We be aware, by the best way, that CVE names don’t at all times mirror affected product households carefully. Particularly, some CVEs names within the Workplace household could point out merchandise that don’t seem within the listing of merchandise affected by the CVE, and vice versa.

Determine 2: You eyes don’t deceive you – that’s a good 100 patches for Home windows this time round

Notable July updates

Along with the problems mentioned above, a wide range of particular gadgets benefit consideration.

CVE-2025-47981 — SPNEGO Prolonged Negotiation (NEGOEX) Safety Mechanism Distant Code Execution Vulnerability

Microsoft assigns this RCE flaw within the Prolonged Negotiation Safety Mechanism (NEGOEX) of the Easy and Protected GSS-API Negotiation Mechanism (SPNEGO) a Essential severity, and the CVSS Base rating of 9.8 additional signifies that this patch is that this month’s high precedence. (And, to seal the deal, Microsoft assesses this vulnerability to be extra prone to endure energetic exploit inside the subsequent 30 days, so… the clock is ticking.) Some readers is probably not accustomed to the SPENGO customary, and Microsoft has background data for the curious in addition to a possible mitigation, however the primary factor to know is that this performance is enabled by default in all consumer machines operating Home windows 10 model 1607 and later. (It additionally impacts all server variations from 2008R2 onward.)

CVE-2025-49711, CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702, CVE-2025-49703, CVE-2025-49699, CVE-2025-49705 (eight CVEs)

The eight patches listed all have an effect on 365 and Workplace. Three of the eight moreover have an effect on Excel (CVE-2025-49711), Phrase (CVE-2025-49699), and PowerPoint (CVE-2025-49699, CVE-2025-49705). Sadly, all of them have an effect on Mac variations of these product households along with Home windows (and, in some instances, Android), and not one of the Mac patches can be found but. Microsoft recommends that doubtlessly affected customers monitor their CVE pages for eventual patch availability.

CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702, CVE-2025-49703 (5 CVEs)

The 5 365 / Workplace CVEs on this set embody Preview Pane as a vector. (And, to spare you the scrolling, all 5 are included within the no-Mac-patches-yet group above.

Determine 3: Distant Code Execution nonetheless leads the 2025 vulnerability pack, however Elevation of Privilege crosses the 200-patch mark this month

Sophos protections

As you’ll be able to each month, when you don’t wish to wait to your system to tug down Microsoft’s updates itself, you’ll be able to obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe software to find out which construct of Home windows 10 or 11 you’re operating, then obtain the Cumulative Replace package deal to your particular system’s structure and construct quantity.

Appendix A: Vulnerability Affect and Severity

It is a listing of July patches sorted by impression, then sub-sorted by severity. Every listing is additional organized by CVE.

Elevation of Privilege (53 CVEs)

Distant Code Execution (41 CVEs)

Info Disclosure (16 CVEs)

Safety Function Bypass (8 CVEs)

Denial of Service (5 CVEs)

Spoofing (3 CVEs)

Tampering (1 CVE)

Appendix B: Exploitability and CVSS

It is a listing of the July CVEs judged by Microsoft to be extra prone to be exploited within the wild inside the first 30 days post-release. (No CVE amongst this month’s patches is thought to be already exploited within the wild, in order that listing doesn’t seem this month.) The listing is additional organized by CVE. Two Workplace gadgets and one Phrase merchandise extra prone to be exploited within the subsequent 30 days (CVE-2025-49695, CVE-2025-49696, CVE-2025-49698) are exploitable through Preview Pane, and the SPNEGO difficulty is, as mentioned above, susceptible in its default configuration.

It is a listing of July’s CVEs with a Microsoft-assessed CVSS Base rating of 8.0 or larger. They’re organized by rating and additional sorted by CVE. For extra data on how CVSS works, please see our collection on patch prioritization schema.

Appendix C: Merchandise Affected

It is a listing of July’s patches sorted by product household, then sub-sorted by severity. Every listing is additional organized by CVE. Patches which are shared amongst a number of product households are listed a number of instances, as soon as for every product household. Sure important points for which advisories have been issued are coated in Appendix D, and points affecting Home windows Server are additional sorted in Appendix E. All CVE titles are correct as made out there by Microsoft; for additional data on why sure merchandise could seem in titles and never product households (or vice versa), please seek the advice of Microsoft.

Home windows (100 CVEs)

Workplace (14 CVEs)

Workplace (12 CVEs)

SharePoint (3 CVEs)

SQL (3 CVEs)

Phrase (3 CVEs)

Azure (2 CVEs)

Excel (2 CVEs)

PowerPoint (2 CVEs)

Groups (2 CVEs)

Visible Studio (2 CVE)

Intune (1 CVE)

Outlook (1 CVE)

PC Supervisor (1 CVE)

Appendix D: Advisories and Different Merchandise

There are 12 Adobe Reader advisories in July’s launch, APSB25-69. Since there may be some selection in severity ranges as soon as once more this month, we’re together with that data as nicely.

There are 12 further advisories and informational releases that deserve consideration, in addition to the most recent Servicing Stack updates. The MITRE points, as talked about above, are all Visible Studio patches.

Appendix E: Affected Home windows Server variations

It is a desk of the 101 CVEs within the July launch affecting 9 Home windows Server variations, 2008 by 2025. (The rely of Home windows CVEs above is 100; that rely consists of one client-side-only patch and excludes the 2 CVEs from AMD, which seem right here.) The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). Essential-severity points are marked in pink; an “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to establish their particular publicity, as every reader’s scenario, particularly because it considerations merchandise out of mainstream assist, will fluctuate. For particular Data Base numbers, please seek the advice of Microsoft.