{"id":3901,"date":"2025-07-08T23:50:28","date_gmt":"2025-07-08T23:50:28","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3901"},"modified":"2025-07-08T23:50:28","modified_gmt":"2025-07-08T23:50:28","slug":"july-patch-tuesday-14-critical-microsoft-vulnerabilities-one-sap-hole-rated-at-10-in-severity","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3901","title":{"rendered":"July Patch Tuesday: 14 critical Microsoft vulnerabilities, one SAP hole rated at 10 in severity"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Microsoft\u2019s July Patch Tuesday fixes are a mix of good news and bad news for CSOs: Fourteen of the vulnerabilities are rated as critical, but on the other hand, there are no zero-days and only one vulnerability with a publicly available proof of concept.\u00a0<\/p>\n<p>CSOs need to immediately address a heap-based buffer overflow vulnerability in Windows systems that has a CVSS score of 9.8, the most serious of today\u2019s releases.<\/p>\n<p>The flaw, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2025-47981\" target=\"_blank\" rel=\"noopener\">CVE-2025-47981<\/a>, is in Windows SPNEGO Extended Negotiation, which, if exploited, allows an unauthorized attacker to execute code over a network.<\/p>\n<p>This flaw affects Windows 10 1607 and above, due to a Group Policy Object (GPO) being enabled by default. 
This GPO is \u201c<em>Network security: Allow PKU2U authentication requests to this computer to use online identities<\/em>\u201d.<\/p>\n<p>Tyler Reguly, Fortra\u2019s associate director of security R&amp;D, told <em>CSO<\/em> that, based on Microsoft\u2019s presentation of the information, disabling this GPO will mitigate this vulnerability.<\/p>\n<p>The second priority is a fix for <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-49704\" target=\"_blank\" rel=\"noopener\">CVE-2025-49704<\/a>, a SharePoint Remote Code Execution vulnerability, because it presents a critical risk to a core enterprise collaboration platform. \u201cWith a CVSS score of 8.8 and a Microsoft assessment of \u2018Exploitation More Likely,\u2019 this vulnerability introduces significant organizational risk,\u201d Mike Walters, president of Action1, told <em>CSO<\/em>.<\/p>\n<p>He noted that since SharePoint is widely deployed and stores high-value business data, the vulnerability is of particular concern because it requires only low-level permissions (any authenticated user with Site Owner rights), no user interaction is needed to exploit it, and many organizations expose SharePoint to external users, partners, or even the internet.<\/p>\n<h2 class=\"wp-block-heading\">SQL Server vulnerabilities<\/h2>\n<p>Walters said CSOs should also evaluate two SQL Server vulnerabilities, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-49717\" target=\"_blank\" rel=\"noopener\">CVE-2025-49717<\/a> and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-49719\" target=\"_blank\" rel=\"noopener\">CVE-2025-49719<\/a>. The first is a remote code execution vulnerability rated Critical, with a CVSS score of 8.5.<\/p>\n<p>The second, CVE-2025-49719, is an information disclosure vulnerability with a CVSS score of 7.5 that has been publicly disclosed, raising the likelihood of exploitation. 
It is particularly concerning, Walters said, because it requires no authentication to exploit, it can be executed remotely over the network, it has low attack complexity, and it may expose sensitive data from uninitialized memory, including credentials or business information.<\/p>\n<p>\u201cWhile there are no reports of active exploitation yet, the combination of public disclosure and the zero-authentication requirement makes CVE-2025-49719 an attractive target for attackers,\u201d he said. <\/p>\n<p>Fortra\u2019s Reguly also pointed out that Microsoft mentions in this vulnerability\u2019s FAQ that organizations with applications that use the OLE DB driver should, \u201cUpdate the drivers to the versions listed on this page, which provide protection against this vulnerability.\u201d However, there are no OLE DB driver versions listed on the page, and no updates provided in the update section. Is the OLE DB Driver impacted, he wondered, or is this an FAQ copy and paste error? \u201cIf the driver is impacted,\u201d he asked, \u201cwhere are the updates?\u201d<\/p>\n<p>\u201cGiven the mismatched information in guidance for CVE-2025-49719, there\u2019s a chance that Microsoft might update the FAQ and\/or add additional updates,\u201d he said. \u201cThis could be done out of band and, if it is, will your team know about the change? The first thing I would want to know after seeing this would be whether or not my team is monitoring for updates or subscribed to update notifications. 
Sometimes, we fall into a habit of only checking for new data when it is expected (the second Tuesday of the month), but are we catching data that drops outside that window?\u201d<\/p>\n<h2 class=\"wp-block-heading\">NOTLogon vulnerability<\/h2>\n<p>Microsoft also issued a patch for <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-47978\">CVE-2025-47978<\/a>, \u00a0a denial-of-service (DoS) vulnerability in Microsoft\u2019s Netlogon protocol, a core component of all Windows domain controllers.\u00a0The hole has been dubbed NOTLogon by Dor Segal, senior security researcher at Silverfort, who discovered it. The vulnerability allows any domain-joined machine with minimal privileges to send a specially crafted authentication request that will crash a domain controller and cause a full reboot. It has a CVSS score of 6.5.<\/p>\n<p>\u201cEven low-privilege machines with basic network access can pose major risks if left unchecked,\u201d Segal <a href=\"https:\/\/www.silverfort.com\/blog\/notlogon-how-a-low-privilege-machine-can-dos-your-domain\/\" target=\"_blank\" rel=\"noopener\">said in a blog<\/a>. \u201cThis vulnerability shows how only a valid machine account and a crafted RPC message can bring down a domain controller \u2014 the backbone of Active Directory operations like authentication, authorization, policy enforcement, and more. If multiple domain controllers are affected, it can bring business to a halt. NOTLogon is a reminder that new protocol features \u2014 especially in privileged authentication services \u2014 can become attack surfaces overnight. 
Staying secure isn\u2019t only about applying patches \u2014 it\u2019s about examining the foundational systems we rely on every day.\u201d<\/p>\n<p>Finally, Tenable\u2019s Satnam Narang, senior staff research engineer, said CSOs should be paying attention to fixing the recently revealed Citrix NetScaler vulnerabilities, specifically <a href=\"https:\/\/support.citrix.com\/support-home\/kbsearch\/article?articleNumber=CTX693420\" target=\"_blank\" rel=\"noopener\">CVE-2025-5777<\/a>, also known as CitrixBleed 2. \u201cIt is strikingly similar to the original CitrixBleed,\u201d he said to <em>CSO<\/em> in an email, \u201cwhere attackers are able to steal session tokens from NetScaler systems and use them to gain access to networks, even if patches have been applied. There are reports that exploitation of CitrixBleed 2 goes back to mid-June, so organizations that utilize NetScaler should be reviewing logs for a rapid succession of suspicious requests and known indicators of compromise, and most importantly, invalidate session tokens to prevent follow-on activity.\u201d<\/p>\n<h2 class=\"wp-block-heading\">SAP deserialization vulnerabilities<\/h2>\n<p>Separately, <a href=\"https:\/\/onapsis.com\/blog\/new-critical-deserialization-sap-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">researchers at Onapsis<\/a> said SAP issued a record number of patches, including one for CVE-2025-30012, which has a CVSS severity score of 10.<\/p>\n<p>It\u2019s a deserialization vulnerability that can be exploited remotely over HTTP(S) with no authentication, resulting in immediate full compromise of an unpatched version of SAP Supplier Relationship Management (SRM). Given its high severity score, this must be addressed immediately. 
Researchers at Nightwing note that this is an update to an update issued in May.<\/p>\n<p>SAP SRM is a legacy solution that is being phased out in favor of SAP Ariba.\u00a0<\/p>\n<p>There are four additional deserialization vulnerabilities mitigated by SAP this month, said Onapsis, all of which have critical CVSS scores of 9.1.\u00a0<\/p>\n<p>\u201cExploitation of\u00a0<em>any<\/em>\u00a0of these deserialization vulnerabilities bypasses traditional SAP security controls such as Segregation of Duties and other GRC controls,\u201d Onapsis noted. \u201cIf successful, an attacker gains full control over a vulnerable system, allowing them access to critical business processes and data, which could result in espionage, sabotage, or fraud. With full compromise, threat actors could also use this vulnerability to deploy ransomware on critical SAP systems.\u201d<\/p>\n<p>Previous Patch Tuesday posts:<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4005350\/june-patch-tuesday-advice-for-csos-defense-in-depth-needed-to-stop-rces.html\">June Patch Tuesday advice for CSOs: Defense-in-depth needed to stop RCEs<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3984533\/patch-tuesday-for-may-five-zero-day-vulnerabilities-cisos-should-focus-on.html\">Patch Tuesday for May: Five zero day vulnerabilities CISOs should focus on<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3957619\/april-patch-tuesday-news-windows-zero-day-being-exploited-big-vulnerability-in-2-sap-apps.html\">April Patch Tuesday news: Windows zero day being exploited, \u2018big vulnerability\u2019 in 2 SAP apps<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3843344\/march-patch-tuesday-warnings-act-fast-to-plug-zero-day-holes-in-windows-vmware.html\">March Patch Tuesday warnings: Act fast to plug zero day holes in Windows, VMware<\/a><\/p>\n<p><a 
href=\"https:\/\/www.csoonline.com\/article\/3822488\/february-patch-tuesday-cisos-should-act-now-on-two-actively-exploited-windows-server-vulnerabilities.html\">February Patch Tuesday: CISOs should act now on two actively exploited Windows Server vulnerabilities<\/a><\/p>\n<\/div>\n\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft\u2019s July Patch Tuesday fixes are a mix of good news and bad news for CSOs: Fourteen of the vulnerabilities are rated as critical, but on the other hand, there are no zero-days and only one vulnerability with a publicly available proof of concept.\u00a0 CSOs need to immediately address a heap-based buffer overflow vulnerability in [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3879,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3901","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3901"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3901"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3901\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3879"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3901"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.p
hp?rest_route=%2Fwp%2Fv2%2Fcategories&post=3901"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3901"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}