July Patch Tuesday presents 127 fixes – Sophos Information

Microsoft on Tuesday launched 127 patches affecting 14 product households. 9 of the addressed points — 4 involving Home windows, two involving 365 and Workplace, and one every involving SharePoint, SQL, and Phrase — are thought of by Microsoft to be of Essential severity, and 34 have a CVSS base rating of 8.0 or larger. None are identified to be below energetic exploit within the wild, although one (CVE-2025-49719, an Necessary-severity SQL challenge permitting data disclosure) is already publicly disclosed.

At patch time, 17 CVEs are judged extra prone to be exploited within the subsequent 30 days by the corporate’s estimation. This doesn’t embrace the SQL challenge talked about above. Varied of this month’s points are amenable to direct detection by Sophos protections, and we embrace data on these in a desk under.

Along with these patches, 12 Adobe Reader fixes, 4 of them thought of to be of Essential severity, are included within the launch. These are listed in Appendix D under. The listing of advisories this month has not solely three already-patched Edge points however seven with MITRE-assigned CVEs (normally a sign that the bugs contain merchandise past Microsoft’s; on this case, GitK) regarding Visible Studio, plus two Essential-severity CVEs issued by AMD to cowl points in sure of their processors. The fixes for the 2 AMD information-disclosure points (CVE-2025-36350, CVE-2025-36357) are addressed by making use of a patch to Home windows; although we don’t embrace these in our numbers this month, they seem in Appendix E for the comfort of these coping with Home windows Server updates.

We’re as all the time together with on the finish of this publish further appendices itemizing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base rating, and by product household; an appendix masking the advisory-style updates; and a breakout of the patches affecting the varied Home windows Server platforms nonetheless in assist.

By the numbers

• Whole CVEs: 127
• Publicly disclosed: 1
• Exploit detected: 0
• Severity
  • Essential: 9
  • Necessary: 118
• Impression
  • Elevation of Privilege: 53
  • Distant Code Execution: 41
  • Info Disclosure: 16
  • Safety Characteristic Bypass: 8
  • Denial of Service: 5
  • Spoofing: 3
  • Tampering: 1
• CVSS Base rating 9.0 or better: 1
• CVSS Base rating 8.0 or better: 33

Determine 1: Loads of elevation of privilege addressed in July’s patch set, however as standard the lion’s share of Essential-severity vulnerabilities enable for distant code execution. In the meantime, tampering seems on the charts for the primary time since February

Merchandise

• Home windows: 100
• Workplace: 13 *
• 365: 12
• SharePoint: 3
• SQL: 3
• Phrase: 3
• Azure: 2
• Excel: 2
• PowerPoint: 2
• Groups: 2
• Visible Studio: 2 **
• Intune: 1
• Outlook: 1
• PC Supervisor: 1

* One patch (CVE-2025-49756) addresses an Necessary-severity Safety Characteristic Bypass within the Workplace Developer Platform; for the needs of this recap, we’re merely categorizing it as “Workplace” with out together with it in 365’s depend.

** Visible Studio additionally receives the 5 MITRE-supplied CVEs famous above.

As is our customized for this listing, CVEs that apply to multiple product household are counted as soon as for every household they have an effect on. We observe, by the way in which, that CVE names don’t all the time mirror affected product households carefully. Particularly, some CVEs names within the Workplace household might point out merchandise that don’t seem within the listing of merchandise affected by the CVE, and vice versa.

Determine 2: You eyes don’t deceive you – that’s a good 100 patches for Home windows this time round

Notable July updates

Along with the problems mentioned above, quite a lot of particular gadgets benefit consideration.

CVE-2025-47981 — SPNEGO Prolonged Negotiation (NEGOEX) Safety Mechanism Distant Code Execution Vulnerability

Microsoft assigns this RCE flaw within the Prolonged Negotiation Safety Mechanism (NEGOEX) of the Easy and Protected GSS-API Negotiation Mechanism (SPNEGO) a Essential severity, and the CVSS Base rating of 9.8 additional signifies that this patch is that this month’s prime precedence. (And, to seal the deal, Microsoft assesses this vulnerability to be extra prone to endure energetic exploit inside the subsequent 30 days, so… the clock is ticking.) Some readers might not be acquainted with the SPENGO customary, and Microsoft has background data for the curious in addition to a possible mitigation, however the primary factor to know is that this performance is enabled by default in all consumer machines working Home windows 10 model 1607 and later. (It additionally impacts all server variations from 2008R2 onward.)

CVE-2025-49711, CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702, CVE-2025-49703, CVE-2025-49699, CVE-2025-49705 (eight CVEs)

The eight patches listed all have an effect on 365 and Workplace. Three of the eight moreover have an effect on Excel (CVE-2025-49711), Phrase (CVE-2025-49699), and PowerPoint (CVE-2025-49699, CVE-2025-49705). Sadly, all of them have an effect on Mac variations of these product households along with Home windows (and, in some instances, Android), and not one of the Mac patches can be found but. Microsoft recommends that probably affected customers monitor their CVE pages for eventual patch availability.

CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702, CVE-2025-49703 (5 CVEs)

The 5 365 / Workplace CVEs on this set embrace Preview Pane as a vector. (And, to spare you the scrolling, all 5 are included within the no-Mac-patches-yet group above.

Determine 3: Distant Code Execution nonetheless leads the 2025 vulnerability pack, however Elevation of Privilege crosses the 200-patch mark this month

Sophos protections

As you possibly can each month, in the event you don’t wish to wait in your system to tug down Microsoft’s updates itself, you possibly can obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe device to find out which construct of Home windows 10 or 11 you’re working, then obtain the Cumulative Replace package deal in your particular system’s structure and construct quantity.

Appendix A: Vulnerability Impression and Severity

It is a listing of July patches sorted by impression, then sub-sorted by severity. Every listing is additional organized by CVE.

Elevation of Privilege (53 CVEs)

Distant Code Execution (41 CVEs)

Info Disclosure (16 CVEs)

Safety Characteristic Bypass (8 CVEs)

Denial of Service (5 CVEs)

Spoofing (3 CVEs)

Tampering (1 CVE)

Appendix B: Exploitability and CVSS

It is a listing of the July CVEs judged by Microsoft to be extra prone to be exploited within the wild inside the first 30 days post-release. (No CVE amongst this month’s patches is thought to be already exploited within the wild, in order that listing doesn’t seem this month.) The listing is additional organized by CVE. Two Workplace gadgets and one Phrase merchandise extra prone to be exploited within the subsequent 30 days (CVE-2025-49695, CVE-2025-49696, CVE-2025-49698) are exploitable through Preview Pane, and the SPNEGO challenge is, as mentioned above, susceptible in its default configuration.

It is a listing of July’s CVEs with a Microsoft-assessed CVSS Base rating of 8.0 or larger. They’re organized by rating and additional sorted by CVE. For extra data on how CVSS works, please see our sequence on patch prioritization schema.

Appendix C: Merchandise Affected

It is a listing of July’s patches sorted by product household, then sub-sorted by severity. Every listing is additional organized by CVE. Patches which might be shared amongst a number of product households are listed a number of instances, as soon as for every product household. Sure important points for which advisories have been issued are coated in Appendix D, and points affecting Home windows Server are additional sorted in Appendix E. All CVE titles are correct as made accessible by Microsoft; for additional data on why sure merchandise might seem in titles and never product households (or vice versa), please seek the advice of Microsoft.

Home windows (100 CVEs)

Workplace (14 CVEs)

Workplace (12 CVEs)

SharePoint (3 CVEs)

SQL (3 CVEs)

Phrase (3 CVEs)

Azure (2 CVEs)

Excel (2 CVEs)

PowerPoint (2 CVEs)

Groups (2 CVEs)

Visible Studio (2 CVE)

Intune (1 CVE)

Outlook (1 CVE)

PC Supervisor (1 CVE)

Appendix D: Advisories and Different Merchandise

There are 12 Adobe Reader advisories in July’s launch, APSB25-69. Since there’s some selection in severity ranges as soon as once more this month, we’re together with that data as effectively.

There are 12 further advisories and informational releases that deserve consideration, in addition to the most recent Servicing Stack updates. The MITRE points, as talked about above, are all Visible Studio patches.

Appendix E: Affected Home windows Server variations

It is a desk of the 101 CVEs within the July launch affecting 9 Home windows Server variations, 2008 via 2025. (The depend of Home windows CVEs above is 100; that depend contains one client-side-only patch and excludes the 2 CVEs from AMD, which seem right here.) The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). Essential-severity points are marked in crimson; an “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to determine their particular publicity, as every reader’s state of affairs, particularly because it issues merchandise out of mainstream assist, will fluctuate. For particular Information Base numbers, please seek the advice of Microsoft.