Full Report
For the first time in 2025, Microsoft's Patch Tuesday updates did not bundle fixes for exploited security vulnerabilities, but the company acknowledged one of the addressed flaws had been publicly known. The patches resolve a whopping 130 vulnerabilities, along with 10 other non-Microsoft CVEs that affect Visual Studio, AMD, and its Chromium-based Edge browser. Of these, 10 are rated Critical and
Analysis Summary
# Vulnerability: Critical RCE in Windows SPNEGO and Information Disclosure in SQL Server
## CVE Details
- CVE ID: CVE-2025-47981 (Critical RCE) and CVE-2025-49719 (Important Info Disclosure)
- CVSS Score: 9.8 (Critical) for CVE-2025-47981; 7.5 (Important) for CVE-2025-49719
- CWE: Heap-based buffer overflow (Implied for CVE-2025-47981); Improper Input Validation/Memory Access (Implied for CVE-2025-49719)
## Affected Systems
- Products: Microsoft Windows, Microsoft SQL Server, Microsoft Edge, Visual Studio, AMD components.
- Versions: Windows client machines running Windows 10, version 1607 and above (for CVE-2025-47981). SQL Server engine and applications using OLE DB drivers (for CVE-2025-49719).
- Configurations: CVE-2025-47981 is exploitable when the "Network security: Allow PKU2U authentication requests to this computer to use online identities" Group Policy Object (GPO) is enabled, which is the default setting on affected clients.
## Vulnerability Description
The summary highlights two major flaws:
1. **CVE-2025-47981 (RCE via SPNEGO):** A heap-based buffer overflow vulnerability within the Windows SPNEGO Extended Negotiation (NEGOEX) protocol. Exploitation allows an unauthenticated, remote attacker to execute arbitrary code on the target system by sending a specially crafted malicious message. There is concern this vulnerability may be "wormable."
2. **CVE-2025-49719 (SQL Server Info Disclosure):** An information disclosure flaw in Microsoft SQL Server, suspected to be due to improper input validation in memory management. This could allow an attacker to read uninitialized memory, potentially leaking sensitive data such as cryptographic key material or connection strings.
Other critical RCEs include flaws in Windows KDC Proxy Service (CVE-2025-49735, 8.1), Windows Hyper-V (CVE-2025-48822, 8.6), and Microsoft Office (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, all 8.4).
## Exploitation
- Status: CVE-2025-49719 is publicly known. CVE-2025-47981 has exploitation categorized as "Exploitation More Likely" by Microsoft. The report makes no specific mention of in-the-wild exploitation of the critical RCE as of the update release, though the potential is high.
- Complexity: Low (for CVE-2025-47981 as no authentication is required). Medium/High for CVE-2025-49735 (requires winning a race condition).
- Attack Vector: Network (both critical flaws appear network-exploitable).
## Impact
- Confidentiality: High (Information disclosure in SQL Server; potential sensitive data leakage from RCE).
- Integrity: High (Code execution allows for system modification).
- Availability: High (Remote Code Execution can lead to denial of service or complete system takeover).
## Remediation
### Patches
Microsoft July 2025 Patch Tuesday updates include fixes for all 130 vulnerabilities addressed, including those listed above. Specific patched versions are released via the standard update channels for affected products (Windows, SQL Server, Edge, etc.).
### Workarounds
- For CVE-2025-47981: Defenders are strongly advised to patch rapidly. As an interim measure, administrators can review or restrict the "Network security: Allow PKU2U authentication requests to this computer to use online identities" GPO, though rapid patching remains the primary recommendation.
## Detection
- Indicators of Compromise: Malicious network traffic targeting the SPNEGO protocol negotiation phase (for CVE-2025-47981). Unusual memory access patterns or database query errors that might indicate memory reads targeting SQL Server.
- Detection methods and tools: Security teams should prioritize hunting for systems where the RCE conditions (enabled GPO, network exposure) are met while awaiting patch deployment. Endpoint Detection and Response solutions should be configured to look for abnormal process execution originating from network services handling authentication tokens.
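As an added example (not part of the advisory or any Microsoft tooling), a PowerShell audit that lists hosts where the conditions the summary names for CVE-2025-47981 all hold: a Windows 10 1607-or-later client, the PKU2U policy not disabled, and the July 2025 update not yet installed. It assumes the policy is backed by the registry value `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID` (1 = allowed), treats an absent value as the default-enabled state the advisory describes, and takes the July 2025 KB number as a placeholder parameter.

```powershell
# Added example: audit hosts for the CVE-2025-47981 exposure conditions named in the advisory.
# Assumptions: the GPO maps to HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
# (1 = allowed); an absent value means "enabled by default"; $JulyKb is a placeholder to fill in.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$JulyKb = 'KBXXXXXXX'   # placeholder: July 2025 cumulative update KB for the OS build
)

$probe = {
    param($Kb)
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $value = (Get-ItemProperty -Path $key -Name AllowOnlineID -ErrorAction SilentlyContinue).AllowOnlineID
    $pku2u = if ($null -eq $value)  { 'Default (enabled per advisory)' }
             elseif ($value -eq 1)  { 'Enabled' }
             else                   { 'Disabled' }

    # Windows 10 version 1607 is build 14393; ProductType 1 = workstation (client) SKU
    $os            = Get-CimInstance Win32_OperatingSystem
    $build         = [int]$os.BuildNumber
    $isClient      = ($os.ProductType -eq 1)
    $clientInScope = $isClient -and ($build -ge 14393)

    # Get-HotFix returns nothing for the placeholder, so "not patched" is reported until a real KB is set
    $patched = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Build      = $build
        ClientOS   = $isClient
        PKU2U      = $pku2u
        JulyUpdate = $patched
        AtRisk     = $clientInScope -and ($pku2u -ne 'Disabled') -and (-not $patched)
    }
}

# Run locally without WinRM; use remoting for any other host in the list
$results = foreach ($c in $ComputerName) {
    if ($c -eq $env:COMPUTERNAME) { & $probe $JulyKb }
    else { Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList $JulyKb }
}

$results | Sort-Object AtRisk -Descending |
    Format-Table Computer, Build, ClientOS, PKU2U, JulyUpdate, AtRisk -AutoSize
```

Hosts reported with `AtRisk` set to True are the ones to prioritize for patch deployment or for the GPO review described under Workarounds.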
## References
- Vendor advisories: msrc.microsoft.com/update-guide/releaseNote/2025-Jul
- Relevant links (defanged):
  - msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-49719
  - msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-47981
  - learn.microsoft.com/en-us/openspecs/windows_protocols/ms-negoex/77c795cf-e522-4678-b0f1-2063c5c0561c
  - learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/group-policy-objects