Microsoft's July Patch Tuesday includes 130 patches, with the only critical flaw being CVE-2025-47981, rated at 9.8 on the CVSS scale. This flaw affects Microsoft's Simple and Protected GSS-API Negotiation Mechanism security protocols, leading to potential remote code execution. There are nine other critical issues, four of which are related to Office software, allowing remote code execution. Key fixes also focus on specific flaws in AMD processors and address a previously exploited issue in the Chromium engine.
For the first time this year, Microsoft has released a Patch Tuesday bundle with no exploited security problems, although one has been made public. July's software flaw fix package includes 130 patches with one earning a CVSS score of over nine - CVE-2025-47981, which breaks SPNEGO security protocols with a heap-based buffer overflow that allows remote code execution. The other nine critical issues include four in Office, where four flaws allow for remote code execution.
CVE-2025-49696 is particularly worrisome, as it can be exploited via the Preview Pane in Office, requiring no serious user action. It allows a combination of an out-of-bounds read and heap-based buffer overflow for an attack that requires no authentication.
For AMD users, AMD processor updates should be prioritized, specifically for early EPYC and Ryzen chips, though the likelihood of exploitation is lower. Microsoft included a previously exploited flaw in the Chromium engine, CVE-2025-6554, also requiring attention.
Collection
[
|
...
]