Microsoft patches 130 security flaws in July update, including a critical zero-day 🔒

Cliquez ici pour lire en français

Microsoft has just rolled out one of its biggest security updates of the year as part of the July 2025 Patch Tuesday. A total of 130 vulnerabilities have been addressed, including a critical zero-day flaw in SQL Server. The patch also includes major fixes across Office, SharePoint, Hyper-V, and several core Windows components, aimed at mitigating the risk of remote attacks.

Critical bugs hit Office, SharePoint, and Hyper-V ⚠️

Among the most concerning flaws is CVE-2025-49719, which was publicly disclosed before a patch was available. This vulnerability could have allowed an attacker to access uninitialized memory data without any authentication, exposing sensitive information like credentials or internal data fragments. The issue stemmed from improper query validation and was discovered internally by Microsoft. Fixes involve updates to both the SQL Server engine and the OLE DB driver.

In addition to SQL Server, critical vulnerabilities were found in Office apps and Microsoft’s collaboration platforms. Attackers could exploit these flaws to execute malicious code remotely, simply by tricking users into opening a booby-trapped document. In some cases, just previewing the file in the preview pane would be enough to trigger the exploit. These bugs affect Word, Excel, and SharePoint, with CVSS severity scores reaching as high as 8.8/10.

A massive patch with a preventative focus 🛡️

The update also addresses threats targeting Windows’ virtualization platform, particularly Hyper-V. One bug, tracked as CVE-2025-48822, stems from how devices assigned to virtual machines are managed. If exploited, it could allow a malicious actor to run code on the host machine, potentially compromising the entire system. Although Microsoft says none of these vulnerabilities have been actively exploited so far, their severity calls for immediate patching.

With 130 flaws addressed this month—and 137 total if you count fixes released earlier in July—this Patch Tuesday is among the most extensive of 2025. The vulnerabilities span a wide range of threats: 53 privilege escalation flaws, 41 remote code execution bugs, 18 information disclosure vulnerabilities, and others related to spoofing, denial of service, and security feature bypass.

Stay alert and update 🚨

While remote code execution flaws often grab headlines, privilege escalation vulnerabilities represent the majority of this month’s fixes. These could allow attackers to gain elevated access and gradually take over a system.

Even though there’s no evidence of active exploitation at the time of publishing, Microsoft warns that public disclosure significantly raises the risk of attacks. Users and admins alike are strongly encouraged to install updates as soon as possible to guard against increasingly sophisticated and fast-moving threats.

👉🏾 Do you regularly update your devices to stay protected? Let us know in the comments. 😊