Microsoft has rolled out this month’s Patch Tuesday updates, addressing a total of 137 security flaws, including one publicly disclosed zero-day vulnerability in Microsoft SQL Server. This month’s release also includes 14 critical issues, ten of which are remote code execution (RCE) vulnerabilities, some of the most severe types of security risks.
Here’s a breakdown of the key vulnerability types:
53 Elevation of Privilege
41 Remote Code Execution
18 Information Disclosure
8 Security Feature Bypass
6 Denial of Service
4 Spoofing
This count excludes separate issues addressed earlier in July related to Microsoft Edge and Mariner.
The standout issue in this month's update is CVE-2025-49719, a zero-day affecting Microsoft SQL Server. This flaw could allow unauthorised users to remotely access uninitialised memory, potentially exposing sensitive data over the network. The vulnerability stems from improper input validation. Microsoft recommends updating SQL Server and applying the latest OLE DB Driver 18 or 19 to close the gap.
In addition to the zero-day, several critical RCE vulnerabilities in Microsoft Office were patched. These could be exploited simply by opening a malicious document or even just previewing it. While most platforms are covered in this release, fixes for Office LTSC for Mac 2021 and 2024 are still pending.
A separate critical vulnerability in SharePoint (CVE-2025-49704) was also addressed. Attackers with a user account could potentially exploit it remotely via the internet.
It’s not just Microsoft issuing updates. July has seen a wave of patches from other major vendors:
AMD disclosed a new class of side-channel vulnerabilities (Transient Scheduler Attacks).
Cisco addressed several serious flaws, including hardcoded root SSH credentials.
Fortinet released updates for a range of products including FortiOS and FortiManager.
Google fixed an actively exploited Chrome zero-day (CVE-2025-6554), although Android patches are still pending.
Ivanti, Grafana, and SAP also issued critical updates—SAP notably reclassified an earlier vulnerability to a maximum severity score of 10/10.
The July 2025 Patch Tuesday serves as a clear reminder of the scale and pace of vulnerabilities facing IT environments today. Organisations should prioritise patching critical systems, especially SQL Server, Microsoft Office, and SharePoint instances. For IT teams managing hybrid or complex estates, consider rolling these updates into your patch management workflow as soon as possible.
If you need help managing vulnerabilities or want to better understand the impact of these threats on your organisation, our team is here to support you. Get in touch or explore how our platform can streamline patching and strengthen your cyber defences.