Warning: Microsoft Patch Tuesday July 2025 patches 128 vulnerabilities (12 Critical, 115 Important, 1 Moderate), Patch Immediately!

Published: 09/07/2025
  • Last update: 09/07/2025
  • Affected Microsoft product families:

    ‣ Windows Server
    ‣ Windows Workstation
    ‣ Microsoft Office
    ‣ Extended Security Updates (ESU) program
    ‣ SQL Server
    ‣ Developer Tools
    ‣ Azure
    ‣ System Center
    ‣ Applications
  • Type: Several types, ranging from Information Disclosure to Remote Code Execution and Privilege Escalation.
  • CVE/CVSS:

    Microsoft patched 128 vulnerabilities in its July 2025 Patch Tuesday release, 12 rated as critical and 115 rated as important. It includes 1 0-day vulnerability and 0 vulnerabilities that are actively exploited.

    Number of CVE by type:

    53 Elevation of Privilege vulnerabilities
    40 Remote Code Execution vulnerabilities
    16 Information Disclosure vulnerabilities
    8 Security Feature Bypass vulnerabilities
    6 Denial of Service vulnerabilities
    4 Spoofing vulnerabilities
    1 Tampering vulnerability

Sources

Microsoft: July 2025 Security Updates
Microsoft: Protections for CVE-2025-26647 (Kerberos Authentication)

Risks

Microsoft’s July 2025 Patch Tuesday includes 128 vulnerabilities (12 critical, 115 important, 1 moderate and 0 low) for a wide range of Microsoft products, impacting Microsoft Server and Workstations. This Patch Tuesday includes no actively exploited vulnerabilities and 1 0-Day. Some other vulnerabilities are also more likely to be exploited soon; therefore, urgent patching is advised.

Description

Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software.

The CCB would like to draw your attention to the following vulnerabilities:

CVE-2025-49719: Microsoft SQL Server (publicly disclosed)

Information Disclosure Vulnerability. Improper input validation in SQL Server allows an unauthorized attacker to disclose information over a network. The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.
Since this vulnerability was publicly disclosed prior to Patch Tuesday, Microsoft marked it as a 0-day. Microsoft did not observe any exploitation in the wild and considers exploitation less likely. Since Microsoft ranks this vulnerability as important, but not critical, older versions of SQL Server with remaining Extended Security Update (ESU) program viability are not listed as receiving patches.

CVE-2025-47981: SPNEGO Extended Negotiation (NEGOEX) Security Mechanism

Remote Code Execution Vulnerability. This vulnerability affects Windows client machines running Windows 10, version 1607 and above, due to the following GPO being enabled by default on these operating systems: "Network security: Allow PKU2U authentication requests to this computer to use online identities".

To exploit this CVE, an attacker must send a malicious message to the server. Successful exploitation allows an unauthorized attacker to execute code over a network.

CVE-2025-49701/CVE-2025-49704: SharePoint

Remote Code Execution Vulnerabilities. An attacker authenticated as at least a Site Owner could write arbitrary code to inject and execute code remotely on the SharePoint Server. Since both vulnerabilities are remotely exploitable and attack complexity is considered low, Microsoft assesses that exploitation is more likely to occur.

CVE-2025-49735: Windows KDC Proxy Service (KPSSVC)

Remote Code Execution Vulnerability. This vulnerability only affects Windows Servers that are configured as a Kerberos Key Distribution Center (KDC) Proxy Protocol server. Domain controllers are not affected.
An unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in the Kerberos Key Distribution Center Proxy Service to perform remote code execution against the target. Successful exploitation of this vulnerability requires an attacker to win a race condition. Despite a high attack complexity, Microsoft assesses that exploitation is more likely to occur.

CVE-2025-49724: Windows Connected Devices Platform Service

Remote Code Execution Vulnerability. To exploit this vulnerability, a remote unauthenticated attacker would need to send specially crafted traffic to a system with the "Nearby Sharing" feature enabled and convince a user to take specific actions. This feature is not enabled by default. To protect against this vulnerability, you should disable the Nearby Sharing feature if it is not already disabled. Microsoft assesses that exploitation is more likely to occur.

CVE-2025-49695/CVE-2025-49696/CVE-2025-49697: Microsoft Office

Remote Code Execution Vulnerabilities. An attacker who successfully exploits one of these vulnerabilities could achieve remote code execution without user interaction. The word Remote in the previous sentence refers to the location of the attacker.

This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Microsoft confirmed possible attack vectors include the Outlook Preview Pane.

In addition, Microsoft indicates the security update for Microsoft Office LTSC for Mac 2021 and 2024 is not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information. Microsoft assesses that exploitation is more likely to occur.

CVE-2025-26647: Windows Kerberos

Elevation of Privilege Vulnerability. This vulnerability was part of Microsoft Patch Tuesday April 2025. The April 2025 update changed the behavior that detects the elevation of privilege vulnerability described in CVE-2025-26647 but does not initially enforce it.
Updates released in or after July 2025 will enforce the NTAuth Store check by default. The AllowNtAuthPolicyBypass registry key setting will still allow customers to move back to Audit mode if needed. However, updates released in or after October 2025 will discontinue Microsoft support for the AllowNtAuthPolicyBypass registry key. At this stage, all certificates must be issued by authorities that are part of the NTAuth store.
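
To see where a domain controller stands before the October 2025 cut-off, the following added example (not part of the original advisory or of Microsoft's tooling) reports the AllowNtAuthPolicyBypass state and lists recent audit warnings for certificates that would fail the NTAuth check. The registry path, the meaning of values 0/1/2, the event provider name and event ID 45 are assumptions taken from Microsoft's published guidance for CVE-2025-26647; they are not stated in this advisory.

```powershell
# Added example: CVE-2025-26647 NTAuth enforcement check, run elevated on a domain controller.
# Assumptions (not in the advisory): registry path, value meanings 0/1/2, provider name, event ID 45.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'AllowNtAuthPolicyBypass'
$Modes     = @{
    0 = 'Disabled (NTAuth check is not performed)'
    1 = 'Audit (check performed, failures only logged)'
    2 = 'Enforced (logon refused when the check fails)'
}

function Get-NtAuthMode {
    # Returns a description of the configured mode, or of the default when the value is absent.
    $prop = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return 'Not set: the default of the installed update applies (enforced from July 2025 updates)'
    }
    $value = [int]$prop.$ValueName
    if ($Modes.ContainsKey($value)) { return $Modes[$value] }
    return "Unrecognised value $value"
}

function Get-NtAuthAuditEvents {
    # Returns KDC warnings about client certificates that do not chain to the NTAuth store.
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 45
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

"NTAuth mode on $($env:COMPUTERNAME): $(Get-NtAuthMode)"
$auditEvents = @(Get-NtAuthAuditEvents -Days 30)
"Audit warnings in the last 30 days: $($auditEvents.Count)"
# Each warning names a certificate whose issuing CA must be added to the NTAuth store
# (or the certificate reissued) before the bypass setting stops being supported.
$auditEvents | Select-Object -First 10 | Format-List
```

A domain controller that reports Audit or Disabled together with a non-zero warning count still has certificate logons that will be refused once enforcement can no longer be bypassed.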

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Bleeping Computer - https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2025-patch-tuesday-fixes-one-zero-day-137-flaws/
Rapid7 - https://www.rapid7.com/blog/post/patch-tuesday-july-2025/
SANS ISC - https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%2C%20July%202025/32088
Tenable - https://www.tenable.com/blog/microsofts-july-2025-patch-tuesday-addresses-128-cves-cve-2025-49719
Zero Day Initiative - https://www.zerodayinitiative.com/blog/2025/7/8/the-july-2025-security-update-review