Ethical Hacking News
Microsoft has released its latest Patch Tuesday update, addressing an astonishing 130 vulnerabilities, including several critical flaws in popular applications like SPNEGO and SQL Server. The update is the first of its kind for the year 2025, marking an end to a streak of at least one zero-day that was exploited in the wild over the past eleven months.
Microsoft has released its latest Patch Tuesday update, addressing 130 vulnerabilities. The update includes patches for critical flaws in popular applications like SPNEGO and SQL Server. The most critical flaw patched by Microsoft concerns remote code execution impacting SPNEGO Extended Negotiation (NEGOEX) with a CVSS score of 9.8 out of 10.0. Windows Edge browser has two critical flaws, including a heap-based buffer overflow and an information disclosure issue. A vulnerability in Microsoft SQL Server could permit an attacker to leak uninitialized memory. Patches are also available for vulnerabilities in Windows KDC Proxy Service, Windows Hyper-V, and Microsoft Office. The most significant vulnerability patched by Microsoft is CVE-2025-49735, which carries a CVSS score of 8.1.
In a move that is being closely watched by cybersecurity experts and enthusiasts alike, Microsoft has released its latest Patch Tuesday update, which addresses an astonishing 130 vulnerabilities, including several critical flaws in popular applications like SPNEGO and SQL Server. The update is the first of its kind for the year 2025, marking an end to a streak of at least one zero-day that was exploited in the wild over the past eleven months.
The update includes patches for a wide range of vulnerabilities, with fifty-three classified as privilege escalation bugs followed by forty-two remote code execution flaws, seventeen information disclosure issues, and eight security feature bypasses. The most critical flaw patched by Microsoft concerns a case of remote code execution impacting SPNEGO Extended Negotiation (NEGOEX), which carries a CVSS score of 9.8 out of 10.0.
According to Satnam Narang, Senior Staff Research Engineer at Tenable, "The 11-month streak of patching at least one zero-day that was exploited in the wild ended this month." Narang's statement highlights the significance of Microsoft's latest update and serves as a reminder to organizations of the importance of keeping their systems up-to-date with the latest security patches.
Among the critical flaws patched by Microsoft are two issues related to its Edge browser. The first issue, CVE-2025-47981, is a heap-based buffer overflow in Windows SPNEGO Extended Negotiation that allows an unauthorized attacker to execute code over a network. This vulnerability can be exploited by sending a malicious message to the server, potentially leading to remote code execution.
The second critical flaw patched by Microsoft concerns a case of information disclosure in Microsoft SQL Server (CVE-2025-49719), which could permit an unauthorized attacker to leak uninitialized memory. According to Adam Barnett, Lead Software Engineer at Rapid7, "An attacker might well learn nothing of any value, but with luck, persistence, or some very crafty massaging of the exploit, the prize could be cryptographic key material or other crown jewels from the SQL Server."
The update also includes patches for several vulnerabilities in Windows KDC Proxy Service (CVE-2025-49735), Windows Hyper-V (CVE-2025-48822), and Microsoft Office (CVE-2025-49695, CVE-2025-496966, and CVE-2025-49697). The most significant of these vulnerabilities is CVE-2025-49735, which carries a CVSS score of 8.1.
According to Ben McCarthy, Lead Cyber Security Engineer at Immersive, "What makes CVE-2025-49735 significant is the network exposure combined with no required privileges or user interaction. Despite its high attack complexity, the vulnerability opens the door to pre-auth remote compromise, particularly attractive to APTs and nation-state actors." McCarthy's statement highlights the potential risks associated with this vulnerability and emphasizes the importance of patching it as soon as possible.
In addition to Microsoft's update, other vendors have also released security patches for several vulnerabilities in recent weeks. These updates demonstrate the ongoing effort by cybersecurity experts and companies to identify and address new vulnerabilities before they can be exploited by malicious actors.
The latest Patch Tuesday update serves as a reminder of the importance of keeping systems up-to-date with the latest security patches and highlights the need for organizations to take proactive steps to protect themselves against emerging threats. As cybersecurity expert Benjamin Harris noted, "As always, Remote Code Execution is bad, but early analysis is suggesting that this vulnerability may be 'wormable' - the sort of vulnerability that could be leveraged in self-propagating malware and make many revisit trauma from the WannaCry incident."
In conclusion, Microsoft's latest Patch Tuesday update addresses an astonishing 130 vulnerabilities, including several critical flaws in popular applications like SPNEGO and SQL Server. The update highlights the ongoing effort by cybersecurity experts and companies to identify and address new vulnerabilities before they can be exploited by malicious actors. Organizations are urged to take proactive steps to patch these vulnerabilities as soon as possible to protect themselves against emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Microsoft-Addresses-130-Vulnerabilities-in-Latest-Patch-Tuesday-Update-ehn.shtml
https://thehackernews.com/2025/07/microsoft-patches-130-vulnerabilities.html
https://nvd.nist.gov/vuln/detail/CVE-2025-47981
https://www.cvedetails.com/cve/CVE-2025-47981/
https://nvd.nist.gov/vuln/detail/CVE-2025-49719
https://www.cvedetails.com/cve/CVE-2025-49719/
https://nvd.nist.gov/vuln/detail/CVE-2025-48822
https://www.cvedetails.com/cve/CVE-2025-48822/
https://nvd.nist.gov/vuln/detail/CVE-2025-49695
https://www.cvedetails.com/cve/CVE-2025-49695/
https://nvd.nist.gov/vuln/detail/CVE-2025-496966
https://www.cvedetails.com/cve/CVE-2025-496966/
https://nvd.nist.gov/vuln/detail/CVE-2025-49697
https://www.cvedetails.com/cve/CVE-2025-49697/
https://nvd.nist.gov/vuln/detail/CVE-2025-49735
https://www.cvedetails.com/cve/CVE-2025-49735/
Published: Wed Jul 9 03:58:13 2025 by llama3.2 3B Q4_K_M
