
Microsoft Issues July Patch Update With 137 Fixes

Microsoft’s monthly security update for July has delivered patches for 137 newly disclosed vulnerabilities, including 14 rated as critical — but, in a break from recent months, no zero-day flaws were included.

The tech giant confirmed that while none of the vulnerabilities had been exploited in the wild at the time of the update, one had already been publicly disclosed. Security analysts, however, warned that a number of the flaws were likely to be targeted by attackers in the near future.

Critical remote code execution flaw draws urgent warnings

Top of the list is CVE-2025-47981, a remote code execution (RCE) vulnerability in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. With a CVSS score of 9.8, the bug allows unauthenticated attackers to execute code on vulnerable systems via specially crafted packets — with no user interaction required.

“This isn’t just a bug. It’s a loaded gun pointed at your organisation,” said Saeed Abbasi, senior manager of security research at Qualys. He warned that the flaw could be exploited within days and allow attackers to move laterally across networks, particularly in environments with PKU2U, a peer-to-peer authentication setting, still enabled.

Ben McCarthy, lead cybersecurity engineer at Immersive, advised organisations to apply the patch immediately. He also recommended disabling PKU2U where not required, and monitoring for unusual NEGOEX or SPNEGO network activity.
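The following PowerShell script is an added example illustrating the PKU2U mitigation described above; it is not code from the article or from any of the vendors quoted. It assumes the documented registry location behind the policy "Network security: Allow PKU2U authentication requests to this computer to use online identities" (the AllowOnlineID DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u) and that it runs in an elevated session. The function names and the optional KB check are the author's own; no specific KB number is assumed.

```powershell
# Added example (not from the article): audit and optionally disable PKU2U,
# the mitigation recommended for CVE-2025-47981 where PKU2U is not required.
# Assumption: the policy is backed by the AllowOnlineID DWORD under this key.
$Pku2uKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'

function Get-Pku2uState {
    # Returns the effective PKU2U setting. A missing key or value means the
    # OS default applies; on the affected Windows client builds that default
    # is enabled, so an unconfigured host is reported as enabled.
    $value = Get-ItemProperty -Path $Pku2uKey -Name AllowOnlineID -ErrorAction SilentlyContinue
    if ($null -eq $value) {
        return [pscustomobject]@{ Configured = $false; AllowOnlineID = $null; Enabled = $true }
    }
    [pscustomobject]@{
        Configured    = $true
        AllowOnlineID = [int]$value.AllowOnlineID
        Enabled       = ([int]$value.AllowOnlineID -ne 0)
    }
}

function Disable-Pku2u {
    # Sets AllowOnlineID = 0 (the "Disabled" policy state). Supports -WhatIf
    # so the change can be previewed before it is enforced.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $Pku2uKey)) {
        New-Item -Path $Pku2uKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($Pku2uKey, 'Set AllowOnlineID = 0')) {
        Set-ItemProperty -Path $Pku2uKey -Name AllowOnlineID -Value 0 -Type DWord
    }
}

function Test-HotFixInstalled {
    # Checks whether a given cumulative update is present. The KB number for
    # the July update differs per Windows build, so it is passed in by the
    # caller from the MSRC advisory rather than hard-coded here.
    param([Parameter(Mandatory)][string]$KB)
    [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

# Audit run: report the state and warn if PKU2U is enabled or unconfigured.
$state = Get-Pku2uState
$state | Format-List
if ($state.Enabled) {
    Write-Warning 'PKU2U is enabled (or left at the OS default); disable it unless a workload needs it.'
    # Disable-Pku2u -WhatIf   # preview the registry change
    # Disable-Pku2u           # enforce it
}
```

Applying the patch remains the fix; disabling PKU2U only removes the attack surface the quoted researchers highlight. In a domain, prefer setting the same policy through Group Policy so the registry value is not drifted back by local administrators, and pass the build-specific KB to Test-HotFixInstalled to confirm the update actually landed.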

SharePoint & Office vulnerabilities persist

Two further RCE vulnerabilities likely to be exploited — CVE-2025-49701 and CVE-2025-49704 (both with CVSS scores of 8.8) — affect Microsoft SharePoint. Attackers would require site owner privileges to exploit the flaws, according to Tenable’s Satnam Narang.

These bugs bring the number of SharePoint vulnerabilities disclosed this year to 16, underlining its continued appeal to threat actors. Microsoft disclosed 20 SharePoint flaws last year, 25 in 2023, and 20 in 2022.

Microsoft Office also features prominently in the critical RCE list, with five notable vulnerabilities in the CVE-2025-49695 to CVE-2025-49702 range. Of these, CVE-2025-49695 and CVE-2025-49696 are considered the most dangerous because they can be triggered through the Preview Pane, so a victim need only preview a malicious document rather than open it.

“These types of flaws are often used in email attacks or drive-by downloads from compromised websites,” said Alex Vovk, CEO of Action1.

Elevation of privilege & BitLocker flaws

Not all high-priority flaws were RCE-related. Microsoft also flagged an elevation of privilege vulnerability in the Windows Update Service, CVE-2025-48799, with a CVSS score of 7.8. According to Immersive's Jacob Ashdown, the bug relates to improper link resolution and could allow an attacker to manipulate the update process to overwrite protected files.

Four BitLocker-related security bypass flaws were also listed among the vulnerabilities more likely to be exploited:
CVE-2025-48001
CVE-2025-48800
CVE-2025-48804
CVE-2025-48818

The most severe among them, CVE-2025-48818, carries a CVSS score of 8.8.

Guidance on Microsoft SQL Server bug remains unclear

One vulnerability, CVE-2025-49719, involves information disclosure in Microsoft SQL Server, and has already been publicly disclosed. Abbasi said the flaw could result in leaks of uninitialised memory.

However, confusion remains over Microsoft's patching guidance. While the official documentation advises users to update their OLE DB drivers, no driver updates were listed alongside the advisory, prompting questions over whether this was an oversight or a broader issue.

Microsoft has not yet responded to requests for clarification.
