Microsoft addressed 130 distinctive new CVEs this month — one of many bigger Patch Tuesday releases of late — however admins don’t have any urgent zero-day vulnerabilities to sort out.
Of the brand new vulnerabilities, there have been 14 CVEs rated vital, 115 rated vital and one labeled average. As common, most vulnerabilities are within the Home windows OS, with a mixture of flaws affecting Azure, Microsoft Workplace and Hyper-V. Microsoft additionally republished seven CVEs and included fixes for 10 non-Microsoft merchandise, together with ones that have an effect on libraries in Visible Studio. There’s one public disclosure in SQL Server (CVE-2025-49719).
Microsoft Workplace and RRAS vulnerabilities take priority
This month, admins must deal with releasing Home windows cumulative updates shortly, notably since a excessive focus of vulnerabilities have an effect on Home windows Routing and Distant Entry Service, with 16 whole. All of the RRAS CVEs have a most severity of vital and an exploitability evaluation of exploitation unlikely.
RRAS in Home windows Server handles community site visitors management and distant connectivity on private and non-private networks, offering compatibility with a number of VPN protocols and making certain safe distant entry.
A lot of the danger sorts are distant code execution, with two within the info disclosure menace class.
“The vulnerabilities are all remotely exploitable with out the necessity for authentication over the community,” mentioned Chris Goettl, vice chairman of product administration for safety merchandise at Ivanti.
He mentioned the next mitigations may curb assaults on RRAS:
- Restrict RRAS ports to trusted networks or VPN concentrators.
- Apply strict firewall guidelines to RRAS ports.
- Disable unused options in RRAS or decide whether or not the service could be eliminated completely.
Microsoft Workplace additionally had 16 whole CVEs, with six rated vital and the remainder vital. Six vulnerabilities have an effect on the core Microsoft Workplace platform, plus two in Excel, one in PowerPoint, three in SharePoint, three in Microsoft Phrase and one within the Microsoft Workplace Developer Platform.
Admins will wish to deal with the CVEs rated extra prone to be exploited:
- CVE-2025-49695: Microsoft Workplace distant code execution vulnerability, 8.4 CVSS, vital ranking.
- CVE-2025-49696: Microsoft Workplace distant code execution vulnerability, 8.4 CVSS, vital ranking.
- CVE-2025-49701: Microsoft Workplace SharePoint distant code execution vulnerability, 8.8 CVSS, vital ranking.
- CVE-2025-49704: Microsoft Workplace SharePoint distant code execution vulnerability, 8.8 CVSS, vital ranking.
The preview pane is a possible assault vector for CVE-2025-49695 and CVE-2025-49696, which means that customers solely have to preview a malicious file to set off the exploit.
Patches for 7 CVEs associated to Visible Studio launched
Admins who work with growth groups might want to be sure that seven vulnerabilities — CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385 and CVE-2025-48386 — associated to Git are addressed by updating to the newest model of Visible Studio.
Common updates to those third-party libraries are essential to stop the gradual accumulation of safety debt and preserve compliance with service-level agreements, in response to Goettl.
“Most growth organizations, in the event that they’re doing CI/CD pipeline evaluation, are going to see vulnerabilities within the third-party libraries and growth instruments they’re utilizing,” he mentioned.
Goettl mentioned the tactic to check fixes for developer instruments relies on the scale of the group. Smaller ones depend on regression testing with the brand new libraries put in to run validation checks. Bigger organizations sometimes use a staged rollout, beginning with the lower-risk environments earlier than updating the extra vital methods.
“It is fairly a bit completely different than simply an automatic patch administration technique of OS updates and third-party updates while you’re coping with the event facet. There is a bit extra of a heavy carry to validate that every little thing is nice,” Goettl mentioned.
Different safety updates of observe for July Patch Tuesday
- Two Azure-related CVEs will solely require admin intervention if auto-update performance will not be enabled. An Azure Service Cloth runtime elevation-of-privilege vulnerability (CVE-2025-21195) has a CVSS ranking of 6.0. An Azure Monitor Agent distant code execution vulnerability (CVE-2025-47988) has a 7.5 CVSS ranking.
- Microsoft corrected a difficulty stemming from its June Patch Tuesday safety updates that brought on Dynamic Host Configuration Protocol (DHCP) issues with Home windows Server. The affected Home windows Server methods and their Information Base articles are Home windows Server 2025 (KB5060842), Home windows Server 2022 (KB5060526), Home windows Server 2019 (KB5060531) and Home windows Server 2016 (KB5061010). DHCP robotically assigns IP addresses to gadgets on a community and manages IP tackle leases.
- Microsoft republished a June Patch Tuesday repair for a .NET and Visible Studio distant code execution vulnerability (CVE-2025-30399) that was expanded to incorporate PowerShell 7.4 and seven.5. “An attacker may exploit this vulnerability by inserting information specifically places, resulting in unintended code execution,” in response to Microsoft’s safety advisory. The vulnerability is especially important as a result of it impacts Home windows, macOS and Linux methods that run these exploitable PowerShell variations.
Subsequent section of Kerberos hardening course of takes impact
July Patch Tuesday additionally applied the subsequent stage within the three-phase course of to enhance safety for Kerberos authentication to forestall machine-in-the-middle assaults and native community spoofing.
On April Patch Tuesday, Microsoft first addressed a Home windows Kerberos elevation-of-privilege vulnerability (CVE-2025-26647) in Home windows Server methods and launched Audit mode to uncover noncompliant certificates. Admins had been anticipated to make use of Audit logs to search out these certificates, make corrections and verify for points.
July Patch Tuesday’s launch launched the second section, Enforced by Default, to area controllers. This replace makes checks to the NTAuth retailer — the repository on Home windows area controllers that comprises an inventory of trusted certificates authorities — obligatory, however admins can quickly revert to Audit mode for changes.
After the October Patch Tuesday updates, Microsoft will put area controllers in Enforcement mode and take away the flexibility to allow these registry bypasses.
Tom Walat is the positioning editor for Informa TechTarget’s SearchWindowsServer web site.
