Microsoft addresses 137 vulnerabilities this July Patch Tuesday, which is above average.
Microsoft is aware of public disclosure for just one of the vulnerabilities published today (8 July) and isn’t aware of in-the-wild exploitation for any of today’s batch.
This is the 10th consecutive month with no Patch Tuesday zero-day vulnerabilities evaluated as critical severity at the time of publication. Today also sees the publication of 11 critical remote code execution (RCE) vulnerabilities. Three browser vulnerabilities have already been published separately this month and are not included in the total.
It has been a quiet few months on the SQL Server front, but today Microsoft has published CVE-2025-49719, a publicly disclosed information disclosure vulnerability, with all versions as far back as SQL Server 2016 receiving patches. Microsoft ranks this vulnerability as important, but not critical. Older versions of SQL Server that still have Extended Security Update (ESU) program coverage are not listed as receiving patches; instead, the advisory rather bluntly states that any SQL Server version whose number does not appear in the advisory's table is no longer supported. ESU updates are released only for vulnerabilities that Microsoft deems to be critical severity, so ESU subscribers must now be hoping that today’s SQL Server zero-day vulnerability was first introduced in the SQL Server 2016 codebase.
It’s somewhat noteworthy that Microsoft has marked CVE-2025-49719 as publicly disclosed, since the advisory credits a Microsoft researcher with reporting the vulnerability, so Microsoft must be aware of other public information about this exploit. As is tradition for SQL Server security advisories, the lengthy FAQ on the advisory is mostly concerned with helping administrators sort through the dizzying array of SQL Server variants, feature packs, GDR versus CU, etc., and it thoughtfully avoids overburdening the reader with insights into the nature of the vulnerability itself. We do learn that “the type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialised memory”; an attacker might well learn nothing of any value, but with luck, persistence, or some very crafty massaging of the exploit, the prize could be cryptographic key material or other crown jewels from the SQL Server.
Any vulnerability with a CVSSv3 base score of 9.8 is worth a look, so let’s consider CVE-2025-47981, which is an RCE vulnerability in the way Windows servers and clients negotiate to discover mutually supported authentication mechanisms. The optimistically named Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) is a generic capability defined in RFC 4178; SPNEGO is implemented in Windows alongside a significant Microsoft-specific extension of its capabilities called NEGOEX. The flaw is in NEGOEX, and the advisory FAQ sets out that the vulnerability affects any Windows client machine running Windows 10 1607 or above.
Patches are also available for all current versions of Windows Server, although Windows Server assets might not be immediately exploitable, since the “Network security: Allow PKU2U authentication requests to this computer to use online identities” GPO is typically only enabled on Windows client assets. Domain-joined client assets might also possess a similar mitigation since the relevant GPO is typically disabled in that context. Nevertheless, patching is surely advisable for all Windows assets, since this is a pre-authentication RCE, and presumably in a privileged context. Unsurprisingly, Microsoft considers exploitation more likely.
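As an added, defender-side check that is not part of the original article and not code from Microsoft, the PowerShell below reports the two facts an administrator would want for each host when triaging CVE-2025-47981: whether the OS build is Windows 10 1607 or later (the population the advisory names), and whether the “Network security: Allow PKU2U authentication requests to this computer to use online identities” policy is currently enabled, alongside the server/workstation SKU and domain-join state that the article says typically determine that setting. It assumes that build 14393 corresponds to Windows 10 1607 and that the policy is backed by the registry value `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID` (DWORD, 1 = enabled), per Microsoft’s security policy settings documentation; it does not check whether this month’s patch is installed.

```powershell
# Added defender-side triage check for CVE-2025-47981 (not from the article or Microsoft).
# Assumptions: build 14393 == Windows 10 1607; the PKU2U online-identity policy maps to
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID (DWORD, 1 = enabled).
# Run elevated on the host being assessed. Patch installation is NOT checked here.

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

$build    = [int]$os.BuildNumber
$isServer = ($os.ProductType -ne 1)   # ProductType: 1 = workstation, 2 = domain controller, 3 = server
$inScope  = ($build -ge 14393)        # Windows 10 1607 and later (assumed build mapping)

# Read the policy-backed registry value; absent key or value means "not configured".
$pku2uKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
$allowOnlineId = $null
if (Test-Path -Path $pku2uKey) {
    $item = Get-ItemProperty -Path $pku2uKey -Name 'AllowOnlineID' -ErrorAction SilentlyContinue
    if ($null -ne $item) { $allowOnlineId = $item.AllowOnlineID }
}

if ($null -eq $allowOnlineId) {
    $pku2uState = 'not configured (value absent)'
} elseif ($allowOnlineId -eq 1) {
    $pku2uState = 'ENABLED - host accepts PKU2U online-identity requests'
} elseif ($allowOnlineId -eq 0) {
    $pku2uState = 'disabled'
} else {
    $pku2uState = "unexpected value: $allowOnlineId"
}

if ($inScope) {
    $scopeText = 'Windows 10 1607 or later - advisory applies, patch required'
} else {
    $scopeText = 'below Windows 10 1607 - outside the population named in the advisory FAQ'
}

# One summary record per host; pipe several into Export-Csv when sweeping a fleet.
[pscustomobject]@{
    ComputerName        = $cs.Name
    OSCaption           = $os.Caption
    Build               = $build
    ServerSKU           = $isServer
    DomainJoined        = $cs.PartOfDomain
    AdvisoryScope       = $scopeText
    PKU2UOnlineIdentity = $pku2uState
} | Format-List
```

A host that is in scope and shows the policy ENABLED (typically a non-domain-joined client) should be at the front of the patch queue; servers and domain-joined clients that show the policy disabled still need the update, since the setting is a mitigation rather than a fix.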
Anyone who has been responsible for securing a Windows KDC Proxy server for more than a month can rely on their past experience today when addressing CVE-2025-49735, since this unauthenticated critical RCE appears to be very similar to last month’s CVE-2025-33071.
SharePoint admins will be familiar with a certain class of vulnerability where an attacker with some level of existing SharePoint privilege can overstep a security boundary and remotely execute code on the SharePoint server itself. Today’s edition is CVE-2025-49704, which has some unusual characteristics: the FAQ claims that there is no requirement for elevated privileges, but it also claims that the minimum privilege level required for exploitation is site owner. There’s probably a good explanation for this apparent discrepancy, but since attack complexity is low, it’s best to patch first and ask questions later.
In Microsoft product life cycle news, today is the end of the road for SQL Server 2012, since the ESU program is now completed, meaning that there will be no future security patches even for critical vulnerabilities, and even if you’re willing to pay for the privilege; although Microsoft does occasionally release free updates for obsolete products for the most serious vulnerabilities, that’s not a reliable foundation for a security program. The Visual Studio 2022 17.8 LTSC channel also draws to a close, although newer LTSC versions of Visual Studio 2022 remain available.
At the time of writing, Microsoft appears to have unpublished all security advisories that it initially published in June 2025; this is surely inadvertent, and those advisories will presumably be restored shortly.