Microsoft has released its July 2025 Patch Tuesday security updates, addressing a sweeping total of 137 vulnerabilities across its product portfolio. This month’s Microsoft Patch Tuesday cycle is headlined by a publicly disclosed zero-day vulnerability in Microsoft SQL Server, alongside a host of critical flaws in Microsoft Office, SharePoint, and AMD processors.
Microsoft Patch Tuesday July 2025 Highlights
Total vulnerabilities fixed: 137
Zero-days resolved: 1 (publicly disclosed)
Critical vulnerabilities: 14 (including 10 remote code execution, 1 information disclosure, 2 AMD side channel attacks)
Major products affected: SQL Server, Office, SharePoint, Windows, AMD CPUs
Vulnerability Breakdown
| Category | Number Fixed |
|---|---|
| Elevation of Privilege | 53 |
| Security Feature Bypass | 8 |
| Remote Code Execution (RCE) | 41 |
| Information Disclosure | 18 |
| Denial of Service | 6 |
| Spoofing | 4 |
Note: These counts do not include four Mariner and three Microsoft Edge issues patched earlier this month.
Zero-Day: Microsoft SQL Server Information Disclosure (CVE-2025-49719)
The most urgent update this month is for a publicly disclosed zero-day in Microsoft SQL Server. Tracked as CVE-2025-49719, this vulnerability allows a remote, unauthenticated attacker to access data from uninitialized memory due to improper input validation. Exploiting this flaw could let attackers extract sensitive information over a network.
“Improper input validation in SQL Server allows an unauthorized attacker to disclose information over a network,” Microsoft explains.
Mitigation
Admins are urged to install the latest version of Microsoft SQL Server and update the Microsoft OLE DB Driver for SQL Server to version 18 or 19. The flaw was discovered by Vladimir Aleksic of Microsoft; Microsoft has not said how it came to be publicly disclosed.
Critical Microsoft Office and SharePoint Vulnerabilities
While only one zero-day was addressed, Microsoft also patched numerous critical remote code execution (RCE) vulnerabilities in Microsoft Office. These flaws can be triggered simply by opening, or even just previewing, a malicious document, making them especially dangerous for end users and enterprises.
- Affected Products: Microsoft Office (Word, Excel, PowerPoint), SharePoint
- Notable CVEs: CVE-2025-49697, CVE-2025-49695, CVE-2025-49696, CVE-2025-49702, CVE-2025-49703, CVE-2025-49698, CVE-2025-49704 (SharePoint), among others.
- Attack Vector: Documents crafted to exploit these vulnerabilities can execute code with the user’s privileges.
Important Note: Security updates for these Office flaws are not yet available for Microsoft Office LTSC for Mac 2021 and 2024. Microsoft states these updates will be released soon.
AMD Side Channel Attack Flaws
Two of this month’s critical vulnerabilities relate to AMD side channel attacks. These are based on new research into transient scheduler attacks, which can potentially leak sensitive data from affected CPUs under specific microarchitectural conditions.
Mitigation
AMD and Microsoft recommend applying all available firmware and OS updates, and following secure coding and deployment best practices.
Other Notable Vulnerabilities
- Remote Code Execution (RCE): 41 vulnerabilities, including critical issues in Office, SharePoint, Hyper-V, and the Windows kernel.
- Elevation of Privilege: 53 vulnerabilities, impacting components like the Windows kernel, drivers, and system services.
- Information Disclosure: 18 vulnerabilities, including the SQL Server zero-day and flaws in Windows components.
- Denial of Service & Spoofing: 10 vulnerabilities combined, affecting various Windows services and protocols.
Full List of Resolved CVEs
Microsoft published a comprehensive list of all 137 vulnerabilities addressed in July 2025. Some of the most critical and widely impactful CVEs include:
- CVE-2025-49719: SQL Server Information Disclosure (Zero-Day)
- CVE-2025-49697, CVE-2025-49695, CVE-2025-49696, CVE-2025-49702, CVE-2025-49703, CVE-2025-49698: Various Microsoft Office RCEs
- CVE-2025-49704: SharePoint RCE
- CVE-2025-36357, CVE-2025-36350: AMD Transient Scheduler Attacks
- CVE-2025-49735: Windows KDC Proxy Service RCE
- CVE-2025-49717: SQL Server RCE
- CVE-2025-47981: Windows SPNEGO Extended Negotiation RCE
- CVE-2025-47980: Windows Imaging Component Information Disclosure
For the full list and technical details, refer to Microsoft’s official documentation and advisories.
Patch Tuesday Management Recommendations
Immediate Actions for IT Admins
- Review and deploy the July 2025 security updates as soon as possible, prioritizing critical and zero-day fixes.
- Ensure SQL Server instances are updated and OLE DB drivers are current.
- Apply Office and SharePoint patches, and monitor for Mac LTSC update availability.
- Deploy cumulative updates for Windows 10/11 endpoints.
- Monitor vendor advisories for firmware and software updates, especially for AMD CPUs and third-party applications.
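The SQL Server mitigation above (update SQL Server, move the OLE DB Driver to version 18 or 19) and the admin checklist both come down to knowing what is installed on each host. The following PowerShell script is an added example, not code from the article or from Microsoft: it inventories SQL Server instances and their patch level from the registry keys SQL Server setup writes, finds the Microsoft OLE DB Driver for SQL Server through the standard Uninstall registry entries, and lists recently installed Windows updates. The registry paths and the 45-day window are assumptions of this example. Because the article does not give the fixed build numbers, the script flags the driver only by major version (18 or 19) and leaves the SQL Server build comparison to the admin, who should check it against Microsoft's advisory for CVE-2025-49719.

```powershell
# Added example (not from the original article): read-only inventory of the items the
# July 2025 guidance asks admins to verify on a SQL Server host. Run in an elevated
# PowerShell session; it reads the registry and Get-HotFix output and changes nothing.

function Get-SqlServerInstanceInfo {
    # Assumed registry layout: setup maps each instance name to an instance ID here,
    # and the instance's Setup key carries Edition, Version and PatchLevel.
    $map = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    if (-not (Test-Path $map)) { return @() }

    $props = Get-ItemProperty -Path $map
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    foreach ($name in $names) {
        $instanceId = $props.$name
        $setup = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\Setup"
        $s = Get-ItemProperty -Path $setup -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Instance   = $name
            Edition    = $s.Edition
            Version    = $s.Version      # product version, e.g. 16.0.x for SQL Server 2022
            PatchLevel = $s.PatchLevel   # build after the last CU/GDR; compare with Microsoft's advisory
        }
    }
}

function Get-SqlOleDbDriverInfo {
    # The driver registers under the standard Uninstall keys; check 64- and 32-bit views.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft OLE DB Driver*for SQL Server*' } |
        ForEach-Object {
            $v = $null
            $parsed = [version]::TryParse([string]$_.DisplayVersion, [ref]$v)
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                # Article guidance: the driver should be on version 18 or 19.
                Supported = ($parsed -and $v.Major -ge 18)
            }
        }
}

function Get-RecentWindowsUpdates {
    param([datetime]$Since = (Get-Date).AddDays(-45))   # assumed window
    # Get-HotFix lists Windows updates only; SQL Server CUs/GDRs do not appear here.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

Write-Host '== SQL Server instances =='
$instances = @(Get-SqlServerInstanceInfo)
if ($instances.Count -eq 0) { Write-Host 'No SQL Server instances registered on this host.' }
else { $instances | Format-Table -AutoSize }

Write-Host '== Microsoft OLE DB Driver for SQL Server =='
$drivers = @(Get-SqlOleDbDriverInfo)
if ($drivers.Count -eq 0) {
    Write-Warning 'No Microsoft OLE DB Driver for SQL Server found in the Uninstall registry.'
}
else {
    $drivers | Format-Table -AutoSize
    if (-not ($drivers | Where-Object { $_.Supported })) {
        Write-Warning 'Only OLE DB Driver versions below 18 are installed; update to 18 or 19.'
    }
}

Write-Host '== Windows updates installed in the last 45 days =='
Get-RecentWindowsUpdates | Format-Table -AutoSize
```

Run it on each SQL Server host (or wrap the three functions in Invoke-Command for a fleet) and record the PatchLevel values; a host whose PatchLevel predates the July 2025 release, or whose only OLE DB driver is below version 18, is still exposed to the issues described above.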
Best Practices
- Test updates in staging environments before broad deployment.
- Review vulnerability details for potential impact on your environment.
- Educate users about the risks of opening unsolicited Office documents.
- Maintain regular backup and incident response plans.
The July 2025 Patch Tuesday shows the ongoing importance of timely patch management, with a heavy focus on Office, SQL Server, and CPU-level vulnerabilities. With 137 flaws addressed—including a publicly disclosed zero-day—this update cycle is critical for organizations aiming to protect their infrastructure from evolving threats. Stay vigilant, patch promptly, and follow Microsoft and vendor guidance for a secure environment.
If you want more details on specific vulnerabilities or need help with patch deployment, check Microsoft’s official Patch Tuesday portal and your vendor’s security advisories.
Source: Microsoft News Today. Article title: “July 2025 Microsoft Patch Tuesday: 137 Vulnerabilities Fixed, One Zero-Day in SQL Server, Critical Office and AMD Flaws”