Microsoft has released its Patch Tuesday updates for July 2025, tackling a total of 137 vulnerabilities across various products. Among these fixes, one zero-day vulnerability and fourteen critical issues have been addressed, including ten vulnerabilities with critical severity. Notably, nine of these could lead to remote code execution, while one involves information disclosure.
Key vulnerabilities include several in Microsoft Office that could allow unauthorized code execution through the Preview Pane, and a serious heap-based buffer overflow flaw in Windows SPNEGO Extended Negotiation with a CVSS score of 9.8. Additionally, a zero-day vulnerability in SQL Server, which had seen active exploitation attempts, has been patched to prevent information disclosure.
In total, Microsoft has resolved 119 other important vulnerabilities, covering a range of issues such as denial of service, privilege escalation, information disclosure, remote code execution, security feature bypass, spoofing, and tampering. Some of these vulnerabilities achieve a high CVSS score of 8.8, particularly those affecting the Windows Routing and Remote Access Service (RRAS) with potential for remote code execution.
Users are urged to ensure their systems are updated, as Microsoft automatically rolls out these security updates to eligible devices. However, manual checks are recommended to confirm all updates are installed, especially for enterprise users to protect against potential threats from unpatched vulnerabilities.
