It’s the second Tuesday of the month, and as expected, Adobe and Microsoft have released their latest security patches. Take a break from your scheduled activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for July 2025
For July, Adobe (eventually) released 13 bulletins addressing 60 unique CVEs in Adobe ColdFusion, After Effects, Substance 3D Viewer, Audition, InCopy, InDesign, Connect, Dimension, Substance 3D Stager, Illustrator, FrameMaker, Experience Manager Forms, and Experience Manager Screens. The obvious place to start here is ColdFusion. It’s the only update listed as Priority 1 and addresses 13 CVEs, five of which are rated Critical. ColdFusion should probably be considered “legacy” at this point. If you’re still using it, you should think about migrating to something more modern. The patch for FrameMaker is also somewhat large. It fixes 15 CVEs – including 13 Critical bugs that could lead to code execution. The only other double-digit CVE bulletin is for Illustrator with 10 bugs. The most severe of these bugs could lead to code execution.
The remaining patches are much smaller. The After Effects patch fixes two Important severity bugs. The fix for Substance 3D Viewer addresses one Critical and two Important vulnerabilities. There’s a single denial-of-service (DoS) bug fixed in the Audition patch. The update for InCopy includes three Critical-rated bugs that could lead to code execution. The fixes for InDesign correct six similar Critical bugs. There’s just a single Critical bug in the patch for Connect. That’s the same for the Experience Manager Forms patch. The update for Substance 3D Stager corrects a single memory leak. The patch for Dimension also includes a memory leak fix and a Critical-rated code execution bug. Finally, the update for Experience Manager Screens addresses two cross-site scripting (XSS) bugs.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Besides the patch for ColdFusion, all updates are listed as deployment priority 3.
Microsoft Patches for July 2025
This month, Microsoft released a whopping 130 new CVEs in Windows and Windows Components, Office and Office Components, .NET and Visual Studio, Azure, Teams, Hyper-V, Windows BitLocker, Microsoft Edge (Chromium-based), and the Windows Cryptographic Service. Eight of these bugs were reported through the Trend ZDI program. With the additional third-party CVEs being documented, it brings the combined total to 140 CVEs.
Of the patches released today, 10 are rated Critical, and the rest are rated Important in severity. July tends to be a heavier month for patches, though the reason is not clear. Perhaps Microsoft wants to patch as much as possible prior to the Black Hat and DEF CON conferences that take place in early August. Perhaps it’s related to their test cycles and is merely coincidental.
Microsoft lists one bug as being publicly known at the time of release, but nothing is noted as being under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug many will be talking about:
- CVE-2025-47981 - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
This heap-based buffer overflow impacts the Windows SPNEGO Extended Negotiation component and allows remote, unauthenticated attackers to execute code simply by sending a malicious message to an affected system. Since there’s no user interaction, and since the code executes with elevated privileges, this bug falls into the wormable class of bugs. Microsoft also gives this its highest exploitability index rating, which means they expect attacks within 30 days. Definitely test and deploy these patches quickly.
- CVE-2025-49717 - Microsoft SQL Server Remote Code Execution Vulnerability
Speaking of heap-based buffer overflows, here’s one in SQL Server that could lead to code execution by an attacker executing a malicious query on an affected SQL Server system. They could also escape the context of the SQL Server and execute code on the host itself. Servicing this will not be easy. If you’re running your own application (or an affected third-party app) on an affected system, you will need to update your application to use Microsoft OLE DB Driver 18 or 19. The bulletin has full details, so be sure to read it carefully to ensure you have taken all steps needed to address this vulnerability fully.
- CVE-2025-49704 - Microsoft SharePoint Remote Code Execution Vulnerability
This bug originates from Pwn2Own Berlin and was used as a part of a chain by the Viettel Cyber Security team to exploit SharePoint and win $100,000. This particular bug allowed code injection over the network. On its own, it requires some level of authentication. However, at the contest, the team paired it with an authentication bypass bug to evade this requirement. Their demonstration shows how authentication alone cannot be trusted to protect from attacks.
- CVE-2025-49695 - Microsoft Office Remote Code Execution Vulnerability
This is one of four Critical-rated Office bugs in this release, and all of them have the Preview Pane listed as an attack vector. This is the third month in a row with Critical-rated Office bugs, which is a disturbing trend. There is either a wealth of these bugs to be found, or the patches can be easily bypassed. Either way, Mac users are out of luck since updates for Microsoft Office LTSC for Mac 2021 and 2024 are not available yet. Perhaps it’s time to consider disabling the Preview Pane until Microsoft sorts some of these problems out.
Here’s the full list of CVEs released by Microsoft for July 2025:
CVE | Title | Severity | CVSS | Public | Exploited | Type |
--- | --- | --- | --- | --- | --- | --- |
CVE-2025-49719 † | Microsoft SQL Server Information Disclosure Vulnerability | Important | 7.5 | Yes | No | Info |
CVE-2025-36350 * | AMD: CVE-2024-36350 Transient Scheduler Attack in Store Queue | Critical | 5.6 | No | No | RCE |
CVE-2025-36357 * | AMD: CVE-2025-36357 Transient Scheduler Attack in L1 Data Queue | Critical | 5.6 | No | No | RCE |
CVE-2025-49695 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
CVE-2025-49696 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
CVE-2025-49697 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
CVE-2025-49702 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2025-49704 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
CVE-2025-49717 † | Microsoft SQL Server Remote Code Execution Vulnerability | Critical | 8.5 | No | No | RCE |
CVE-2025-47981 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
CVE-2025-48822 | Windows Hyper-V Discrete Device Assignment (DDA) Remote Code Execution Vulnerability | Critical | 8.6 | No | No | RCE |
CVE-2025-47980 | Windows Imaging Component Information Disclosure Vulnerability | Critical | 6.2 | No | No | Info |
CVE-2025-49735 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2025-47988 † | Azure Monitor Agent Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
CVE-2025-21195 † | Azure Service Fabric Runtime Elevation of Privilege Vulnerability | Important | 6 | No | No | EoP |
CVE-2025-48001 | BitLocker Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
CVE-2025-48003 | BitLocker Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
CVE-2025-48800 | BitLocker Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
CVE-2025-48804 | BitLocker Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
CVE-2025-48818 | BitLocker Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
CVE-2025-49690 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability | Important | 7.4 | No | No | EoP |
CVE-2025-47987 | Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-48816 | HID Class Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49675 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49677 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-49693 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49694 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49741 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Important | 7.4 | No | No | Info |
CVE-2025-49713 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-48812 | Microsoft Excel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-49711 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-47178 | Microsoft Intune Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
CVE-2025-48805 | Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-48806 | Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-47994 | Microsoft Office Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49699 | Microsoft Office Remote Code Execution Vulnerability | Important | 7 | No | No | RCE |
CVE-2025-47993 | Microsoft PC Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49738 | Microsoft PC Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49705 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-49701 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49706 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 6.3 | No | No | Spoofing |
CVE-2025-49718 † | Microsoft SQL Server Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
CVE-2025-49731 | Microsoft Teams Elevation of Privilege Vulnerability | Important | 3.1 | No | No | EoP |
CVE-2025-49737 | Microsoft Teams Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-47971 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-47973 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49689 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49683 | Microsoft Virtual Hard Disk Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-49730 | Microsoft Windows QoS Scheduler Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49698 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-49700 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-49703 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-27613 * | MITRE: CVE-2025-27613 Gitk Arguments Vulnerability | Important | N/A | No | No | RCE |
CVE-2025-27614 * | MITRE: CVE-2025-27614 Gitk Arbitrary Code Execution Vulnerability | Important | N/A | No | No | RCE |
CVE-2025-46334 * | MITRE: CVE-2025-46334 Git Malicious Shell Vulnerability | Important | N/A | No | No | RCE |
CVE-2025-46835 * | MITRE: CVE-2025-46835 Git File Overwrite Vulnerability | Important | N/A | No | No | RCE |
CVE-2025-48384 * | MITRE: CVE-2025-48384 Git Symlink Vulnerability | Important | N/A | No | No | RCE |
CVE-2025-48385 * | MITRE: CVE-2025-48385 Git Protocol Injection Vulnerability | Important | N/A | No | No | RCE |
CVE-2025-48386 * | MITRE: CVE-2025-48386 Git Credential Helper Vulnerability | Important | N/A | No | No | RCE |
CVE-2025-49678 | NTFS Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-48817 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-48814 | Remote Desktop Licensing Service Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
CVE-2025-33054 | Remote Desktop Spoofing Vulnerability | Important | 8.1 | No | No | Spoofing |
CVE-2025-47986 | Universal Print Management Service Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2025-49714 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-49739 | Visual Studio Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2025-49727 | Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-49733 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49661 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-48820 | Windows AppX Deployment Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-48000 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49724 | Windows Connected Devices Platform Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-48823 | Windows Cryptographic Services Information Disclosure Vulnerability | Important | 5.9 | No | No | Info |
CVE-2025-47985 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49660 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49721 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-47984 | Windows GDI Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
CVE-2025-49732 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49744 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-49742 | Windows Graphics Component Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-47999 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.8 | No | No | DoS |
CVE-2025-48002 | Windows Hyper-V Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
CVE-2025-47972 | Windows Input Method Editor (IME) Elevation of Privilege Vulnerability | Important | 8 | No | No | EoP |
CVE-2025-47991 | Windows Input Method Editor (IME) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49687 | Windows Input Method Editor (IME) Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2025-47978 | Windows Kerberos Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2025-26636 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-48808 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-47996 | Windows MBT Transport Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49682 | Windows Media Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
CVE-2025-49691 | Windows Miracast Wireless Display Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49716 | Windows Netlogon Denial of Service Vulnerability | Important | 5.9 | No | No | DoS |
CVE-2025-49725 | Windows Notification Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49726 | Windows Notification Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49680 | Windows Performance Recorder (WPR) Denial of Service Vulnerability | Important | 7.3 | No | No | DoS |
CVE-2025-49722 | Windows Print Spooler Denial of Service Vulnerability | Important | 5.7 | No | No | DoS |
CVE-2025-49671 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-49681 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-47998 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-48824 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49657 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49663 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49668 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49669 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49670 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49672 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49673 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49674 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49676 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49688 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49729 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49753 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-49685 | Windows Search Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-48809 | Windows Secure Kernel Mode Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-48810 | Windows Secure Kernel Mode Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-49666 | Windows Server Setup and Boot Event Collection Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
CVE-2025-49679 | Windows Shell Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-47975 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-47976 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-48815 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49740 | Windows SmartScreen Security Feature Bypass Vulnerability | Important | 8.8 | No | No | SFB |
CVE-2025-48802 | Windows SMB Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
CVE-2025-49723 | Windows StateRepository API Server file Tampering Vulnerability | Important | 8.8 | No | No | Tampering |
CVE-2025-49684 | Windows Storage Port Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-47982 | Windows Storage VSP Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49686 | Windows TCP/IP Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49659 | Windows Transport Driver Interface (TDI) Translation Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49658 | Windows Transport Driver Interface (TDI) Translation Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-48819 | Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
CVE-2025-48821 | Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
CVE-2025-48799 | Windows Update Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49664 | Windows User-Mode Driver Framework Host Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-47159 | Windows Virtualization-Based Security (VBS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-48803 | Windows Virtualization-Based Security (VBS) Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP |
CVE-2025-48811 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP |
CVE-2025-49667 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49665 | Workspace Broker Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-49756 | Office Developer Platform Security Feature Bypass Vulnerability | Important | 3.3 | No | No | SFB |
CVE-2025-49760 | Windows Storage Spoofing Vulnerability | Important | 3.5 | No | No | Spoofing |
CVE-2025-6554 * | Chromium: CVE-2025-6554 Type Confusion in V8 | High | N/A | No | Yes | RCE |
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
† Indicates further administrative actions are required to fully address the vulnerability.
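A small triage helper for the table above, added here as an example and not part of the original post: it parses the pipe-delimited rows, keeps the `*` and `†` footnote markers as flags, treats `N/A` CVSS scores as unknown, and orders the list for patch prioritisation. The rows embedded below are a constructed subset copied from the table, and the ranking rule (exploited, then severity, then publicly known, then CVSS) is my own assumption rather than anything Microsoft or ZDI publishes.

```python
"""Triage helper for the pipe-delimited CVE table in the July 2025 release notes.

Added example; not part of the original post. SAMPLE_ROWS is a constructed
subset of the table above, and the ranking rule in triage_key is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the page's table, including the header and a footnote
# line so that the parser is exercised on the non-row lines too.
SAMPLE_ROWS = """\
CVE | Title | Severity | CVSS | Public | Exploited | Type |
CVE-2025-49719 † | Microsoft SQL Server Information Disclosure Vulnerability | Important | 7.5 | Yes | No | Info |
CVE-2025-36350 * | AMD: CVE-2024-36350 Transient Scheduler Attack in Store Queue | Critical | 5.6 | No | No | RCE |
CVE-2025-49717 † | Microsoft SQL Server Remote Code Execution Vulnerability | Critical | 8.5 | No | No | RCE |
CVE-2025-47981 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
CVE-2025-48001 | BitLocker Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
CVE-2025-49731 | Microsoft Teams Elevation of Privilege Vulnerability | Important | 3.1 | No | No | EoP |
CVE-2025-27613 * | MITRE: CVE-2025-27613 Gitk Arguments Vulnerability | Important | N/A | No | No | RCE |
CVE-2025-49657 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-6554 * | Chromium: CVE-2025-6554 Type Confusion in V8 | High | N/A | No | Yes | RCE |
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
"""

# Microsoft severities plus the Chromium "High" rating that appears in the table.
SEVERITY_RANK = {"Critical": 3, "High": 2, "Important": 1, "Moderate": 0, "Low": 0}


@dataclass(frozen=True)
class Entry:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]   # None when the table says N/A
    public: bool
    exploited: bool
    kind: str               # RCE, EoP, Info, SFB, DoS, Spoofing, Tampering
    third_party: bool       # '*' marker: republished third-party CVE
    admin_action: bool      # '†' marker: extra manual steps after patching


def parse_row(line: str) -> Optional[Entry]:
    """Parse one table row; returns None for the header and footnote lines."""
    cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
    if len(cells) != 7:
        return None
    m = re.fullmatch(r"(CVE-\d{4}-\d{4,})\s*([*†]?)", cells[0])
    if not m:
        return None
    cvss = None if cells[3].upper() == "N/A" else float(cells[3])
    return Entry(
        cve=m.group(1), title=cells[1], severity=cells[2], cvss=cvss,
        public=cells[4] == "Yes", exploited=cells[5] == "Yes", kind=cells[6],
        third_party=m.group(2) == "*", admin_action=m.group(2) == "†",
    )


def parse_table(text: str) -> list[Entry]:
    return [e for e in (parse_row(ln) for ln in text.splitlines()) if e]


def triage_key(e: Entry) -> tuple:
    """Assumed ordering: exploited, then severity, then public, then CVSS (N/A last)."""
    cvss_term = -(e.cvss if e.cvss is not None else -1.0)
    return (not e.exploited, -SEVERITY_RANK.get(e.severity, 0), not e.public, cvss_term)


def prioritize(entries: list[Entry]) -> list[str]:
    return [e.cve for e in sorted(entries, key=triage_key)]


def needs_followup(entries: list[Entry]) -> list[str]:
    """CVEs where installing the update alone is not enough (the † rows)."""
    return [e.cve for e in entries if e.admin_action]


def count_by(entries: list[Entry], attr: str) -> dict:
    """Tally entries by one attribute, e.g. 'kind' or 'severity'."""
    counts: dict = {}
    for e in entries:
        counts[getattr(e, attr)] = counts.get(getattr(e, attr), 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_table(SAMPLE_ROWS)
    print("patch order:", prioritize(rows))
    print("manual follow-up:", needs_followup(rows))
    print("by type:", count_by(rows, "kind"))
```

Paste the full table into `SAMPLE_ROWS` to reproduce the counts the post quotes (130 Microsoft CVEs, 10 Critical, 14 RRAS bugs) and to get a deployment order for the whole month.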
There are only three other Critical-rated bugs to discuss in this month’s release. The first is in Hyper-V and could allow an attacker to execute code on the local system if a user can be tricked into importing an INF file. The bug in the Windows KDC Proxy Service could allow code execution if an attacker can leverage a cryptographic protocol vulnerability in the Kerberos Key Distribution Center Proxy Service. While an enticing target, that’s a tall order for an attacker. Finally, there is a Critical-rated info disclosure bug in the Imaging Component, but it only leaks heap memory, so it’s not clear why it is listed as Critical.
Looking at the remaining code execution bugs, there are additional bugs in Office of the open-and-own variety where the Preview Pane is not an attack vector. There’s also our monthly dose of bugs in the RRAS service – 14 for July. There are a couple of bugs in MPEG2 that require authentication. That’s also a requirement for the SQL injection bug in Intune. The SharePoint bug also requires authentication, but anyone with the ability to create a site has the needed permissions. The bug in Virtual Hard Disk requires a user to mount a specially crafted VHD, which seems unlikely. The bug in the RDP Client requires connecting to a malicious RDP server – another unlikely scenario. The bug in Windows Server Setup and Boot Event Collection requires high privileges but could be used to maintain access after an initial intrusion. Speaking of unlikely, the vulnerability in Miracast requires a target user to connect to a malicious Miracast sink and have a non-default configuration. The bug in the Windows Connected Devices Platform Service allows for code execution if an attacker sends specially crafted packets to TCP port 5040 on an affected system, but the user would need to restart the service to complete the attack. There’s a bug in the Python component of Visual Studio due to the Python extension allowing an unauthorized attacker to execute code locally. Finally, the bug in Azure Monitor Agent allows an unauthorized attacker to execute code over an adjacent network. Users who have disabled Automatic Extension Upgrades will need to perform a manual update of the agent.
There are more than 50 elevation of privilege (EoP) bugs in the July release. The vast majority of these bugs lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. The bugs in Virtual Hard Disk and Fast FAT require a target to mount a virtual drive. There are a few bugs that allow local attackers to crash a system, which could be used as a part of a privilege escalation. Other bugs elevate to different levels depending on the product. The EoP in Office escapes the Protected View sandbox. The bugs in Virtualization-Based Security allow attackers to gain Virtual Trust Level 1 (VTL1) privileges. The bugs in the Input Method Editor (IME) allow attackers to go from low to medium integrity code execution. The bug in the Universal Print Management Service is a little bit different. In this case, an authenticated attacker could send a specially crafted file to a shared printer, resulting in code execution on the system sharing that printer. Lastly, the bug in Azure Service Fabric Runtime leads to SYSTEM, but the attacker needs a few extra steps. You’ll also need to take additional action if you have disabled automatic updates: you will need to manually update your Service Fabric cluster to be protected.
Moving on to the security feature bypass (SFB) patches in this month’s release, five are for BitLocker. The scenarios are different, but they all lead to an attacker being able to bypass BitLocker. The bug in SmartScreen allows attackers to bypass SmartScreen protections. While this bug is not under active attack, we’ve seen similar bugs used by ransomware in the wild. The bug in Remote Desktop Licensing requires a machine-in-the-middle (MitM) attack, but Microsoft doesn’t make it clear which specific security feature is being bypassed. The final SFB is in the Office Developer Platform and allows attackers to bypass the Office Visual Basic for Applications (VBA) signature scheme.
The July release includes quite a few information disclosure patches. As usual, most of these are in the Windows Storage Management Provider and only result in info leaks consisting of unspecified memory contents. This is useful info to have when exploiting components on a system, but otherwise not quite riveting. That’s also true for the bugs in SQL Server. However, similar to the SQL RCE bug already mentioned, you may need to manually update to Microsoft OLE DB Driver 18 or 19. The bug in GDI could allow the leaking of the ever elusive “sensitive information”. That’s a bit more detailed than what is leaked by the Cryptographic Service. Microsoft simply states the bug allows an “attacker to disclose information over a network.” Neat.
There are five patches for Denial-of-Service (DoS) bugs in this release. However, Microsoft provides no actionable information about these bugs. Instead, they simply state that an attacker could deny service over a network to that component. The only exception is for the bug in Windows Performance Recorder. This vulnerability requires an authenticated attacker to create directories then have an administrator run wprui.exe for the first time. Somehow, I don’t see that one getting exploited in the wild.
Looking at the spoofing bugs receiving patches this month, the first that stands out is in SharePoint server. This is the bug that allowed Viettel to bypass authentication at Pwn2Own by spoofing an authenticated connection. The bug in Remote Desktop requires some social engineering, as it requires tricking a user into interacting with a spoofed WebAuthn prompt and entering their credentials. The spoofing bug in Storage could be used by an attacker to trick a user into connecting to an attacker-controlled network resource. Finally, the spoofing bug in SMB involves improper certificate validation, which implies certificates could be spoofed over the network.
The last patch for July is in the poorly defined “Tampering” category. It’s in the Windows StateRepository API Server and allows for an AppContainer escape to delete specific files on a system. I suppose that’s a good enough definition of tampering.
No new advisories are being released this month.
Looking Ahead
The next Patch Tuesday of 2025 will be on August 12, and, assuming I survive hacker summer camp, I’ll be back then with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!