Zero Day Initiative | Blog
Follow
The July 2025 Security Update Review
Adobe has not yet released its scheduled patches for July, but Microsoft has released 130 new CVEs in various products, including Windows, Office, and Azure. Eight of these bugs were reported through the Trend ZDI program, bringing the total to 140 CVEs. Ten of the patches are rated Critical, and the rest are rated Important in severity. One bug is publicly known, but none are currently under active attack. A notable bug is CVE-2025-47981, a heap-based buffer overflow in the Windows SPNEGO Extended Negotiation component that allows remote, unauthenticated attackers to execute code. Another critical bug is CVE-2025-49717, a heap-based buffer overflow in Microsoft SQL Server that could lead to code execution. A third critical bug is CVE-2025-49704, a remote code execution vulnerability in Microsoft SharePoint that was used in a Pwn2Own Berlin demonstration. There are also four Critical-rated Office bugs, all of which have the Preview Pane listed as an attack vector. Microsoft has not yet released updates for Microsoft Office LTSC for Mac 2021 and 2024. The full list of CVEs released by Microsoft for July 2025 is provided.