July Patch Tuesday offers 127 fixes

Microsoft on Tuesday released 127 patches affecting 14 product families. Nine of the addressed issues — four involving Windows, two involving 365 and Office, and one each involving SharePoint, SQL, and Word — are considered by Microsoft to be of Critical severity, and 34 have a CVSS base score of 8.0 or higher. None are known to be under active exploit in the wild, though one (CVE-2025-49719, an Important-severity SQL issue allowing information disclosure) is already publicly disclosed.

At patch time, 17 CVEs are judged more likely to be exploited in the next 30 days by the company’s estimation. This does not include the SQL issue mentioned above. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in a table below.

In addition to these patches, 12 Adobe Reader fixes, four of them considered to be of Critical severity, are included in the release. Those are listed in Appendix D below. The list of advisories this month has not only three already-patched Edge issues but seven with MITRE-assigned CVEs (usually an indication that the bugs involve products beyond Microsoft’s; in this case, GitK) concerning Visual Studio, plus two Critical-severity CVEs issued by AMD to cover issues in certain of their processors. The fixes for the two AMD information-disclosure issues (CVE-2025-36350, CVE-2025-36357) are addressed by applying a patch to Windows; though we don’t include those in our numbers this month, they appear in Appendix E for the convenience of those dealing with Windows Server updates.

We are as always including at the end of this post additional appendices listing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base score, and by product family; an appendix covering the advisory-style updates; and a breakout of the patches affecting the various Windows Server platforms still in support.

By the numbers

• Total CVEs: 127
• Publicly disclosed: 1
• Exploit detected: 0
• Severity
  • Critical: 9
  • Important: 118
• Impact
  • Elevation of Privilege: 53
  • Remote Code Execution: 41
  • Information Disclosure: 16
  • Security Feature Bypass: 8
  • Denial of Service: 5
  • Spoofing: 3
  • Tampering: 1
• CVSS Base score 9.0 or greater: 1
• CVSS Base score 8.0 or greater: 33

Figure 1: Plenty of elevation of privilege addressed in July’s patch set, but as usual the lion’s share of Critical-severity vulnerabilities allow for remote code execution. Meanwhile, tampering appears on the charts for the first time since February

Products

• Windows: 100
• Office: 13 *
• 365: 12
• SharePoint: 3
• SQL: 3
• Word: 3
• Azure: 2
• Excel: 2
• PowerPoint: 2
• Teams: 2
• Visual Studio: 2 **
• Intune: 1
• Outlook: 1
• PC Manager: 1

* One patch (CVE-2025-49756) addresses an Important-severity Security Feature Bypass in the Office Developer Platform; for the purposes of this recap, we’re simply categorizing it as “Office” without including it in 365’s count.

** Visual Studio also receives the five MITRE-supplied CVEs noted above.

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. We note, by the way, that CVE names don’t always reflect affected product families closely. In particular, some CVEs names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa.

Figure 2: You eyes do not deceive you – that’s an even 100 patches for Windows this time around

Notable July updates

In addition to the issues discussed above, a variety of specific items merit attention.

CVE-2025-47981 — SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability

Microsoft assigns this RCE flaw in the Extended Negotiation Security Mechanism (NEGOEX) of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) a Critical severity, and the CVSS Base score of 9.8 further indicates that this patch is this month’s top priority. (And, to seal the deal, Microsoft assesses this vulnerability to be more likely to undergo active exploit within the next 30 days, so… the clock is ticking.) Some readers may not be familiar with the SPENGO standard, and Microsoft has background information for the curious as well as a potential mitigation, but the main thing to know is that this functionality is enabled by default in all client machines running Windows 10 version 1607 and later. (It also affects all server versions from 2008R2 onward.)

CVE-2025-49711, CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702, CVE-2025-49703, CVE-2025-49699, CVE-2025-49705 (eight CVEs)

The eight patches listed all affect 365 and Office. Three of the eight additionally affect Excel (CVE-2025-49711), Word (CVE-2025-49699), and PowerPoint (CVE-2025-49699, CVE-2025-49705). Unfortunately, all of them affect Mac versions of those product families in addition to Windows (and, in some cases, Android), and none of the Mac patches are available yet. Microsoft recommends that potentially affected users monitor their CVE pages for eventual patch availability.

CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702, CVE-2025-49703 (five CVEs)

The five 365 / Office CVEs in this set include Preview Pane as a vector. (And, to spare you the scrolling, all five are included in the no-Mac-patches-yet group above.

Figure 3: Remote Code Execution still leads the 2025 vulnerability pack, but Elevation of Privilege crosses the 200-patch mark this month

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of July patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (53 CVEs)

Remote Code Execution (41 CVEs)

Information Disclosure (16 CVEs)

Security Feature Bypass (8 CVEs)

Denial of Service (5 CVEs)

Spoofing (3 CVEs)

Tampering (1 CVE)

Appendix B: Exploitability and CVSS

This is a list of the July CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. (No CVE among this month’s patches is known to be already exploited in the wild, so that list doesn’t appear this month.) The list is further arranged by CVE. Two Office items and one Word item more likely to be exploited in the next 30 days (CVE-2025-49695, CVE-2025-49696, CVE-2025-49698) are exploitable via Preview Pane, and the SPNEGO issue is, as discussed above, vulnerable in its default configuration.

This is a list of July’s CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema.

Appendix C: Products Affected

This is a list of July’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. Certain significant issues for which advisories have been issued are covered in Appendix D, and issues affecting Windows Server are further sorted in Appendix E. All CVE titles are accurate as made available by Microsoft; for further information on why certain products may appear in titles and not product families (or vice versa), please consult Microsoft.

Windows (100 CVEs)

Office (14 CVEs)

Office (12 CVEs)

SharePoint (3 CVEs)

SQL (3 CVEs)

Word (3 CVEs)

Azure (2 CVEs)

Excel (2 CVEs)

PowerPoint (2 CVEs)

Teams (2 CVEs)

Visual Studio (2 CVE)

Intune (1 CVE)

Outlook (1 CVE)

PC Manager (1 CVE)

Appendix D: Advisories and Other Products

There are 12 Adobe Reader advisories in July’s release, APSB25-69. Since there is some variety in severity levels once again this month, we’re including that information as well.

There are 12 additional advisories and informational releases that deserve attention, as well as the latest Servicing Stack updates. The MITRE issues, as mentioned above, are all Visual Studio patches.

Appendix E: Affected Windows Server versions

This is a table of the 101 CVEs in the July release affecting nine Windows Server versions, 2008 through 2025. (The count of Windows CVEs above is 100; that count includes one client-side-only patch and excludes the two CVEs from AMD, which appear here.) The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). Critical-severity issues are marked in red; an “x” indicates that the CVE does not apply to that version. Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft.