Microsoft’s July Patch Tuesday: 137 Fixes & a Publicly Disclosed SQL Server Zero-Day
On the second Tuesday of July, Microsoft released its customary Patch Tuesday update package, addressing 137 vulnerabilities across a range of the company’s products. Among them, a particularly notable zero-day vulnerability in Microsoft SQL Server stands out, having been disclosed publicly prior to the release of an official fix.
This month’s update includes patches for 14 critical vulnerabilities, ten of which enable remote code execution. Microsoft also resolved two side-channel attack vulnerabilities in AMD processors, one information disclosure flaw, and one security feature bypass issue.
By category, the patched issues break down as follows: 53 privilege escalation vulnerabilities, 8 security feature bypasses, 41 remote code execution flaws, 18 instances of information disclosure, 6 denial-of-service vulnerabilities, and 4 spoofing issues. This tally excludes seven vulnerabilities addressed earlier in July: four in the Mariner OS and three in the Microsoft Edge browser.
Special attention is warranted for CVE-2025-49719 in Microsoft SQL Server, classified as a zero-day due to its public disclosure before a patch was made available. The vulnerability stems from insufficient input validation, which allows a remote, unauthenticated attacker to access uninitialized memory and potentially extract sensitive information.
Microsoft advises updating SQL Server to the latest version and installing the Microsoft OLE DB driver version 18 or 19 to mitigate the flaw. The discovery of this issue is credited to Microsoft employee Vladimir Aleksić, though the circumstances surrounding its public disclosure remain unspecified.
Microsoft also fixed critical vulnerabilities in Microsoft Office that allow malicious code execution through specially crafted documents, including through the preview pane. However, updates for Office LTSC 2021 and 2024 on macOS have yet to be released and are expected at a later date.
A severe flaw was also identified in Microsoft SharePoint (CVE-2025-49704), which permits remote code execution by users with platform credentials. The vulnerability affects all versions of SharePoint accessible via the internet.
Even the most sophisticated systems remain vulnerable in the absence of vigilance. Without continuous oversight and transparent incident response, cybersecurity becomes little more than an illusion—especially when the threat has already found its way inside.