Microsoft’s July Patch Tuesday fixes are a mix of good news and bad news for CSOs: Fourteen of the vulnerabilities are rated as critical, but on the other hand, there are no zero-days and only one vulnerability with a publicly available proof of concept. 

CSOs need to immediately address a heap-based buffer overflow vulnerability in Windows systems that has a CVSS score of 9.8, the most serious of today’s releases.

The flaw, CVE-2025-47981, is in Windows SPNEGO Extended Negotiation, which, if exploited, allows an unauthorized attacker to execute code over a network.

This flaw affects Windows 10 version 1607 and later, because a Group Policy Object (GPO) is enabled by default. The GPO is “Network security: Allow PKU2U authentication requests to this computer to use online identities”.

Tyler Reguly, Fortra’s associate director of security R&D, told CSO that, based on Microsoft’s presentation of the information, disabling this GPO will mitigate this vulnerability.
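As an added example (not code from the article, Fortra or Microsoft), the following PowerShell audits the local registry backing of that policy and can apply the mitigation Reguly describes. It assumes the policy maps to the DWORD value AllowOnlineID under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u, with 0 meaning disabled; confirm that mapping against your own Group Policy reference before relying on it.

```powershell
# Added example, not from the CSO article, Fortra or Microsoft.
# ASSUMPTION: the policy "Network security: Allow PKU2U authentication requests to
# this computer to use online identities" is backed by the DWORD AllowOnlineID under
# HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u (0 = disabled). The article says the
# policy is enabled by default, so an absent value is reported as not mitigated.

$Pku2uKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
$ValueName = 'AllowOnlineID'

function Get-Pku2uOnlineIdState {
    # Report what is currently in the registry on this machine.
    $value = $null
    if (Test-Path -Path $Pku2uKey) {
        $item = Get-ItemProperty -Path $Pku2uKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.$ValueName }
    }
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ValueFound    = ($null -ne $value)
        AllowOnlineID = $value
        Mitigated     = ($null -ne $value -and [int]$value -eq 0)
    }
}

function Disable-Pku2uOnlineId {
    # Apply the mitigation locally: set the value to 0. Needs an elevated session.
    if (-not (Test-Path -Path $Pku2uKey)) {
        New-Item -Path $Pku2uKey -Force | Out-Null
    }
    New-ItemProperty -Path $Pku2uKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    Get-Pku2uOnlineIdState
}

# Audit first; change nothing until you have decided to apply the mitigation.
$state = Get-Pku2uOnlineIdState
$state | Format-List
if (-not $state.Mitigated) {
    Write-Warning "PKU2U online identities are still allowed on $($state.ComputerName); run Disable-Pku2uOnlineId to set AllowOnlineID to 0."
}
```

Run Get-Pku2uOnlineIdState across a sample of systems first to see what is actually in effect. On domain-joined machines, set the policy through Group Policy rather than by editing the registry directly, since the next policy refresh overwrites a local change; the local function is useful for standalone systems and for verifying that a domain policy has landed. The setting is a mitigation to hold until the update is deployed, after which you can decide whether your environment needs PKU2U online identities at all.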

The second priority is a fix for CVE-2025-49704, a SharePoint Remote Code Execution vulnerability, because it presents a critical risk to a core enterprise collaboration platform. “With a CVSS score of 8.8 and a Microsoft assessment of ‘Exploitation More Likely,’ this vulnerability introduces significant organizational risk,” Mike Walters, president of Action1, told CSO.

He noted that since SharePoint is widely deployed and stores high-value business data, the vulnerability is of particular concern because it requires only low-level permissions (any authenticated user with Site Owner rights), no user interaction is needed to exploit it, and many organizations expose SharePoint to external users, partners, or even the internet.

SQL Server vulnerabilities

Walters said CSOs should also evaluate two SQL Server vulnerabilities, CVE-2025-49717 and CVE-2025-49719. The first is a remote code execution vulnerability rated Critical, with a CVSS score of 8.5.

The second, CVE-2025-49719, is an information disclosure vulnerability with a CVSS score of 7.5 that has been publicly disclosed, raising the likelihood of exploitation. It is particularly concerning, Walters said, because it requires no authentication to exploit, it can be executed remotely over the network, it has low attack complexity, and it may expose sensitive data from uninitialized memory, including credentials or business information.

“While there are no reports of active exploitation yet, the combination of public disclosure and the zero-authentication requirement makes CVE-2025-49719 an attractive target for attackers,” he said.

Fortra’s Reguly also pointed out that Microsoft mentions in this vulnerability’s FAQ that organizations with applications that use the OLE DB driver should, “Update the drivers to the versions listed on this page, which provide protection against this vulnerability.” However, there are no OLE DB driver versions listed on the page, and no updates provided in the update section. Is the OLE DB Driver impacted, he wondered, or is this an FAQ copy and paste error? “If the driver is impacted,” he asked, “where are the updates?”

“Given the mismatched information in guidance for CVE-2025-49719, there’s a chance that Microsoft might update the FAQ and/or add additional updates,” he said. “This could be done out of band and, if it is, will your team know about the change? The first thing I would want to know after seeing this would be whether or not my team is monitoring for updates or subscribed to update notifications. Sometimes, we fall into a habit of only checking for new data when it is expected (the second Tuesday of the month), but are we catching data that drops outside that window?”

NOTLogon vulnerability

Microsoft also issued a patch for CVE-2025-47978, a denial-of-service (DoS) vulnerability in Microsoft’s Netlogon protocol, a core component of all Windows domain controllers. The hole has been dubbed NOTLogon by Dor Segal, senior security researcher at Silverfort, who discovered it. The vulnerability allows any domain-joined machine with minimal privileges to send a specially crafted authentication request that will crash a domain controller and cause a full reboot. It has a CVSS score of 6.5.

“Even low-privilege machines with basic network access can pose major risks if left unchecked,” Segal said in a blog. “This vulnerability shows how only a valid machine account and a crafted RPC message can bring down a domain controller — the backbone of Active Directory operations like authentication, authorization, policy enforcement, and more. If multiple domain controllers are affected, it can bring business to a halt. NOTLogon is a reminder that new protocol features — especially in privileged authentication services — can become attack surfaces overnight. Staying secure isn’t only about applying patches — it’s about examining the foundational systems we rely on every day.”

Finally, Tenable’s Satnam Narang, senior staff research engineer, said CSOs should be paying attention to fixing the recently revealed Citrix NetScaler vulnerabilities, specifically CVE-2025-5777, also known as CitrixBleed 2. “It is strikingly similar to the original CitrixBleed,” he said to CSO in an email, “where attackers are able to steal session tokens from NetScaler systems and use them to gain access to networks, even if patches have been applied. There are reports that exploitation of CitrixBleed 2 goes back to mid-June, so organizations that utilize NetScaler should be reviewing logs for a rapid succession of suspicious requests and known indicators of compromise, and most importantly, invalidate session tokens to prevent follow-on activity.”
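Narang’s advice to look for a rapid succession of suspicious requests can be turned into a first-pass log check. The following PowerShell is an added example, not code from the article, Tenable or Citrix: it parses web-server-style access log lines and flags any source address that hits an authentication endpoint at least a set number of times within a short window. The log lines are constructed for illustration, and the endpoint path /login, the field layout and the thresholds are assumptions; substitute the actual NetScaler log format and authentication URLs you see in your own environment.

```powershell
# Added example, not from the CSO article, Tenable or Citrix.
# Burst detection over access-log lines: flag sources that hit an
# authentication endpoint at least $Threshold times within $WindowSeconds.

# CONSTRUCTED sample lines in a common-log-style layout (not real NetScaler output).
# 203.0.113.7 sends six login requests in five seconds; the other two sources are normal.
$SampleLog = @'
203.0.113.7 - - [08/Jul/2025:10:00:01 +0000] "POST /login HTTP/1.1" 200 512
198.51.100.20 - - [08/Jul/2025:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048
203.0.113.7 - - [08/Jul/2025:10:00:02 +0000] "POST /login HTTP/1.1" 200 512
203.0.113.7 - - [08/Jul/2025:10:00:02 +0000] "POST /login HTTP/1.1" 200 512
192.0.2.5 - - [08/Jul/2025:10:00:03 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [08/Jul/2025:10:00:03 +0000] "POST /login HTTP/1.1" 200 512
203.0.113.7 - - [08/Jul/2025:10:00:04 +0000] "POST /login HTTP/1.1" 200 512
203.0.113.7 - - [08/Jul/2025:10:00:05 +0000] "POST /login HTTP/1.1" 200 512
192.0.2.5 - - [08/Jul/2025:10:09:40 +0000] "POST /login HTTP/1.1" 302 0
'@
$SampleLines = $SampleLog -split '\r?\n'

# ASSUMED field layout: client ip, two ignored fields, [timestamp tz], "METHOD PATH PROTO", status.
$LinePattern = '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\] ]+) [^\]]+\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3})'

function ConvertFrom-AccessLogLine {
    param([string]$Line)
    if ($Line -match $LinePattern) {
        [pscustomobject]@{
            Ip     = $Matches.ip
            Time   = [datetime]::ParseExact($Matches.ts, 'dd/MMM/yyyy:HH:mm:ss', [cultureinfo]::InvariantCulture)
            Method = $Matches.method
            Path   = $Matches.path
            Status = [int]$Matches.status
        }
    }
}

function Find-AuthBurst {
    param(
        [Parameter(Mandatory)][object[]]$Entries,
        [string[]]$AuthPaths = @('/login'),   # ASSUMED endpoint; use your real authentication URLs
        [int]$Threshold = 5,
        [int]$WindowSeconds = 10
    )
    $Entries |
        Where-Object { $_.Path -in $AuthPaths } |
        Group-Object -Property Ip |
        ForEach-Object {
            $ip    = $_.Name
            $times = @($_.Group | Sort-Object -Property Time | Select-Object -ExpandProperty Time)
            # Sliding window: for each request, count requests from the same source in the
            # following $WindowSeconds and report the first window that crosses the threshold.
            for ($i = 0; $i -lt $times.Count; $i++) {
                $start = $times[$i]
                $end   = $start.AddSeconds($WindowSeconds)
                $hits  = @($times | Where-Object { $_ -ge $start -and $_ -le $end }).Count
                if ($hits -ge $Threshold) {
                    [pscustomobject]@{
                        Ip            = $ip
                        WindowStart   = $start
                        Requests      = $hits
                        WindowSeconds = $WindowSeconds
                    }
                    break
                }
            }
        }
}

$entries  = $SampleLines | ForEach-Object { ConvertFrom-AccessLogLine -Line $_ } | Where-Object { $_ }
$findings = Find-AuthBurst -Entries $entries
$findings | Format-Table -AutoSize
```

Point the parser at exported NetScaler access logs instead of the sample, and tune the threshold and window to your normal login rate so that legitimate single-sign-on bursts do not drown the output. A flagged source is a lead, not a verdict: cross-check it against the published indicators of compromise, and, as Narang says, treat invalidating existing session tokens as the step that actually cuts off follow-on access.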

SAP deserialization vulnerabilities

Separately, researchers at Onapsis said SAP issued a record number of patches, including one for CVE-2025-30012, which has a CVSS severity score of 10.

It’s a deserialization vulnerability that can be exploited remotely over HTTP(S) with no authentication, resulting in immediate full compromise of an unpatched version of SAP Supplier Relationship Management (SRM). Given its high severity score, this must be addressed immediately. Researchers at Nightwing note that this is an update to an update issued in May.

SAP SRM is a legacy solution that is being phased out in favor of SAP Ariba. 

There are four additional deserialization vulnerabilities mitigated by SAP this month, said Onapsis, all of which have critical CVSS scores of 9.1. 

“Exploitation of any of these deserialization vulnerabilities bypasses traditional SAP security controls such as Segregation of Duties and other GRC controls,” Onapsis noted. “If successful, an attacker gains full control over a vulnerable system, allowing them access to critical business processes and data, which could result in espionage, sabotage, or fraud. With full compromise, threat actors could also use this vulnerability to deploy ransomware on critical SAP systems.”
