Microsoft Patches 130 Security Flaws—Critical Issues Found in SQL Server and SPNEGO

In July 2025, Microsoft released security updates addressing 130 vulnerabilities, including 10 critical issues impacting key products like SQL Server, Windows, Edge, and Visual Studio.

This month marks a shift—no zero-days were exploited in the wild, ending an 11-month streak. However, one flaw was publicly disclosed prior to the patch:

  • CVE-2025-49719 – An information disclosure vulnerability in SQL Server (CVSS 7.5) that may leak sensitive memory, including cryptographic keys or credentials.

“This is likely due to improper input validation and could expose credentials or connection strings,” noted Action1’s Mike Walters.


⚠️ Most Critical: SPNEGO Remote Code Execution

The most severe fix addresses CVE-2025-47981 (CVSS 9.8), a heap-based buffer overflow in SPNEGO Extended Negotiation (NEGOEX), potentially allowing attackers to execute code over the network without authentication.

“This one could be wormable,” warned Benjamin Harris of watchTowr, comparing its threat level to WannaCry. Microsoft has flagged the flaw as ‘More Likely’ to be exploited.


🔧 Other High-Risk Vulnerabilities

  • Windows KDC Proxy – CVE-2025-49735 (CVSS 8.1)
  • Windows Hyper-V – CVE-2025-48822 (CVSS 8.6)
  • Microsoft Office – Multiple RCE flaws (CVSS 8.4)

“These are high-value targets for APTs,” said Ben McCarthy (Immersive), highlighting that while attack complexity is high, exploitation is feasible through advanced techniques.


🛡️ BitLocker at Risk: Physical Access Flaws

Five security-feature bypass issues were patched in BitLocker (CVSS 6.8), each of which could allow an attacker with physical access to bypass the encryption protections. The issues stem from improper handling of the WinRE.wim file.

“If lost or stolen, affected devices could be fully decrypted,” warned Jacob Ashdown of Immersive.


⏳ End of an Era: SQL Server 2012 Support Ends

July 8, 2025, also marks the official end of security updates for SQL Server 2012, as Microsoft’s Extended Security Updates (ESU) program concludes.


🔍 Summary: What You Should Do

Organizations should prioritize patching, especially if they run:

  • SQL Server
  • Windows 10/11 client systems
  • BitLocker-enabled laptops
  • Azure-integrated or on-prem AD/NEGOEX infrastructure
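The checklist above is easier to act on with a quick per-host inventory. The following PowerShell script is an added example, not part of the original post or of any Microsoft tooling: it reports which of the affected products (SQL Server instances and their version, the Windows build, BitLocker-protected volumes, the KDC Proxy and Hyper-V services) are present on a host and which expected updates are missing. The page does not list this month's KB identifiers, so `$ExpectedKBs` is a placeholder you fill in from the Microsoft Security Update Guide; the service names `KPSSVC` (KDC Proxy) and `vmms` (Hyper-V) are assumed from standard Windows installations rather than taken from the advisory. Run it in an elevated session.

```powershell
# Added example (not from the original post): local exposure inventory for the
# products named in the July 2025 Patch Tuesday summary. Run as an administrator.

# PLACEHOLDER: the page gives no KB numbers; fill in the July 2025 KBs that apply to this host.
$ExpectedKBs = @('KBXXXXXXX')

$report = [ordered]@{}

# 1. SQL Server: enumerate installed instances with version and patch level.
#    Major version 11 is SQL Server 2012, which left Extended Security Updates on 8 July 2025.
$sqlInstances = @()
$instKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
if (Test-Path $instKey) {
    $names = Get-ItemProperty -Path $instKey
    foreach ($prop in $names.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
        $setup = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($prop.Value)\Setup"
        if (Test-Path $setup) {
            $s = Get-ItemProperty -Path $setup
            $major = [int](($s.Version -split '\.')[0])
            $sqlInstances += [pscustomobject]@{
                Instance     = $prop.Name
                Version      = $s.Version
                PatchLevel   = $s.PatchLevel
                OutOfSupport = ($major -le 11)     # 2012 and older: no more security updates
            }
        }
    }
}
$report['SQLServerInstances'] = $sqlInstances

# 2. Client OS: Windows 10/11 hosts are in scope for the NEGOEX and Office fixes.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report['OS'] = "$($os.Caption) build $($os.BuildNumber)"

# 3. BitLocker: a physical-access bypass only matters where protection is actually on.
try {
    $report['BitLockerVolumes'] = Get-BitLockerVolume |
        Select-Object MountPoint, ProtectionStatus, VolumeStatus
} catch {
    $report['BitLockerVolumes'] = 'BitLocker module not available on this host'
}

# 4. Server roles named in the advisory (assumed service names): KDC Proxy and Hyper-V.
$report['KDCProxyPresent'] = [bool](Get-Service -Name KPSSVC -ErrorAction SilentlyContinue)
$report['HyperVPresent']   = [bool](Get-Service -Name vmms   -ErrorAction SilentlyContinue)

# 5. Patch state: which expected KBs are absent, and the newest update install date seen.
$hotfixes     = Get-HotFix
$installedIds = $hotfixes.HotFixID
$report['MissingKBs'] = @($ExpectedKBs | Where-Object { $_ -notin $installedIds })
$report['LatestUpdateInstalled'] = $hotfixes.InstalledOn |
    Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

$report
```

Any host that reports an out-of-support SQL Server instance, a protected BitLocker volume, or one of the KDC Proxy/Hyper-V services alongside missing KBs belongs at the top of the remediation queue; the NEGOEX flaw applies to every Windows host regardless of role, so `MissingKBs` being non-empty is the decisive field.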

💡 Microsoft emphasizes the urgency of these updates, especially where network-based unauthenticated access could lead to rapid compromise.
