Microsoft’s July 2025 Patch Tuesday rollout delivered fixes for 137 vulnerabilities, including a pre-patch SQL Server bug and several other high-impact security issues affecting domain controllers, Office applications, and the .NET Framework.
- Two SQL Server vulnerabilities raise concerns for data exposure and remote code execution
- Netlogon bug exposes domain controllers to remote crash risk
- SPNEGO vulnerability allows RCE over the network
- Office flaws could trigger code execution through preview pane
- .NET Framework updates fix RCE and privilege escalation bugs
Two SQL Server vulnerabilities raise concerns for data exposure and remote code execution
Microsoft patched two separate vulnerabilities in SQL Server this month, one involving memory exposure and another allowing remote code execution (RCE).
CVE-2025-49719, which was publicly disclosed ahead of the update, can allow unauthenticated attackers to extract uninitialized memory by submitting crafted queries. While no active exploitation has been confirmed, the disclosure status significantly increases its risk profile. In addition, a proof-of-concept exploit has been shared for CVE-2025-49719.
“When a proof-of-concept exploit gets shared it’s usually a pretty short window of time before some threat actors takes that proof-of-concept and starts abusing it, so organizations should address CVE-2025-49719 pretty quickly,” said Nick Carroll, cyber incident response manager at intelligence solutions company Nightwing, in an email to TechRepublic.
“This vulnerability likely stems from improper input validation in SQL Server’s memory management, allowing access to uninitialized memory,” said Mike Walters, president and co-founder of Action1, in an email to TechRepublic. “As a result, attackers could retrieve remnants of sensitive data, such as credentials or connection strings. It affects both the SQL Server engine and applications using OLE DB drivers.
Attackers could use the leaked data to launch further attacks, refining SQL injection, bypassing authentication, or moving laterally, Walters said. A second vulnerability, CVE-2025-49717, is an RCE flaw with a CVSS score of 8.5. Caused by a heap-based buffer overflow, it enables an authenticated attacker to execute arbitrary code over the network with the privileges of the SQL Server service account. Despite the absence of prior disclosure, its severity means it requires immediate attention and patching to protect affected systems.
“While Microsoft has rated exploitation as unlikely, the critical severity, remote attack vector, lack of user interaction, and scope change capability make this a serious concern,” said Walters.
Organizations running Microsoft SQL Server should treat both issues as high-priority and ensure patches are applied promptly to mitigate potential compromise.
Netlogon bug exposes domain controllers to remote crash risk
A high-risk vulnerability in the Netlogon protocol has also been addressed. CVE-2025-47978 allows any low-privileged device on a network to remotely crash a Windows domain controller. Successful exploitation could disable Active Directory services and authentication processes, resulting in widespread service disruption.
This is a high-impact threat for enterprise environments and should be patched right away on all affected domain controllers.
Dor Segal, senior security researcher at identity security firm Silverfort, discovered CVE-2025-47978 and named it NOTLogon.
“This vulnerability shows how only a valid machine account and a crafted RPC message can bring down a domain controller—the backbone of Active Directory operations like authentication, authorization, policy enforcement, and more,” Segal wrote in an email to TechRepublic. “If multiple domain controllers are affected, it can bring business to a halt. NOTLogon is a reminder that new protocol features—especially in privileged authentication services—can become attack surfaces overnight.”
More Microsoft news
- Inside Microsoft’s Real-Time War Against Cybersecurity Threats
- Project Ire: Microsoft Tests AI That Autonomously Detects Malware
- Microsoft Targets ‘Critical AI Talent’ from Meta to Dominate Next AI Breakthroughs
- Windows 10 Support Ends Soon, Though Extended Security Updates Offers Are Available
SPNEGO vulnerability allows RCE over the network
Another critical vulnerability fixed this month is CVE-2025-47981, an RCE flaw in the SPNEGO Extended Negotiation component of Windows. With a severity score of 9.8 on the CVSS scale, it ranks among the most serious issues in this update cycle. Microsoft notes that an attacker could exploit the bug via network access without user interaction, potentially leading to a full system takeover on affected devices.
“This is a peculiar bug because, while it is considered more likely to be exploited, it only affects Windows 10 version 1607 and above due to a specific group policy object being enabled by default,” noted Satnam Narang, senior staff research engineer at cybersecurity company Tenable, in an email to TechRepublic.
Office flaws could trigger code execution through preview pane
The update fixed several RCE bugs in Microsoft Office that allow attackers to run malicious code simply by having a user open or preview an infected document, including within Outlook’s Preview Pane.
These flaws, while not individually listed by CVE in public documentation, are included in this month’s cumulative updates for Windows. Given the ease of exploitation via phishing emails or web-delivered Office files, organizations should treat these as serious risk factors for end-user compromise.
“The ease with which this can be delivered—through malicious attachments or shared documents—makes this a high-risk vulnerability despite being classified with a local attack vector,” said Ben McCarthy, lead cybersecurity engineer at cyber resilience firm Immersive, in an email to TechRepublic.
.NET Framework updates fix RCE and privilege escalation bugs
A cumulative update for .NET Framework 3.5, 4.7.2, and 4.8 was issued under KB5062152 for Windows 10 version 1809 and Windows Server 2019, as part of Microsoft’s monthly Patch Tuesday schedule. The update includes previously released internal security issues that could lead to RCE or elevation of privilege in enterprise applications built on ASP.NET and Windows Forms.
No specific CVEs were listed, but the update includes meaningful protections for enterprise applications built on older or custom .NET implementations.
Although no exploitation has been observed this month, the presence of a publicly disclosed flaw and several high-risk vulnerabilities makes this a patch cycle worth acting on quickly. It’s a good idea to test updates before rolling them out widely, especially in environments running SQL Server or domain controllers.
Read TechRepublic’s guide on how to protect against cyber threats before they hit.
TechnologyAdvice writer Megan Crouse contributed to this article, particularly the cybersecurity experts’ analysis.