Microsoft on Tuesday announced security fixes for 130 vulnerabilities across its products, including a previously disclosed SQL Server bug.
Tracked as CVE-2025-49719 (CVSS score of 7.5), the already disclosed SQL Server flaw is described as an improper input validation issue that could allow unauthenticated attackers to leak information over the network.
According to Microsoft, the security defect has not been exploited as a zero-day, but it was publicly disclosed before patches were released.
“Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates. Update your application to use Microsoft OLE DB Driver 18 or 19. Update the drivers to the versions listed on this page, which provide protection against this vulnerability,” the company notes in its advisory.
Despite the inclusion of this SQL Server bug, this month’s set of patches breaks an 11-month streak of zero-day mitigations from Redmond.
The July 2025 Patch Tuesday list also includes roughly a dozen patches rated critical severity, including 10 addressing vulnerabilities that could lead to remote code execution (RCE).
Critical patches targeting RCE flaws were released for the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, SharePoint (CVE-2025-49701 and CVE-2025-49704), and Kerberos Key Distribution Center proxy service (KPSSVC) (CVE-2025-49735).
Redmond’s Office suite also received its share of patches for code execution flaws that could be exploited by convincing users to open malicious documents.
Two Office bugs addressed this month that could lead to local code execution are CVE-2025-49695 (a use-after-free) and CVE-2025-49696 (an out-of-bounds read).
Another noteworthy bug resolved on Tuesday is CVE-2025-49724, a use-after-free in Windows Connected Devices Platform Service that could be exploited by remote, unauthenticated attackers for code execution.
According to Microsoft, however, successful exploitation requires for the attacker to send crafted traffic to a device that has the Nearby Sharing feature enabled, and for the user to take specific actions.
Of the total 130 flaws that Redmond resolved this month, 53 could lead to privilege escalation, 41 to RCE, 18 to information disclosure, 8 to security bypasses, 6 to denial-of-service, and 4 to spoofing.
The fixes should roll out to systems with the automatic updates enabled shortly. Users who do not have the feature enabled are advised to apply the available patches as soon as possible.
Related: Microsoft Patch Tuesday Covers WebDAV Flaw Marked as ‘Already Exploited’
Related: Zero-Day Attacks Highlight Another Busy Microsoft Patch Tuesday
Related: Microsoft Patches 125 Windows Vulns, Including Exploited CLFS Zero-Day
