Microsoft Patches Critical Wormable Windows Vulnerability (CVE-2025-47981)
▼ Summary
– Microsoft’s July 2025 Patch Tuesday addressed 130 vulnerabilities, including a publicly disclosed SQL Server flaw (CVE-2025-49719) and a critical wormable RCE bug (CVE-2025-47981) affecting Windows and Windows Server.
– CVE-2025-47981, a high-risk buffer overflow in Windows’ SPNEGO mechanism, is wormable and requires urgent patching due to its potential for rapid exploitation without user interaction.
– SQL Server vulnerabilities CVE-2025-49719 (memory disclosure) and CVE-2025-49717 (buffer overflow) require updates to Microsoft OLE DB Driver or SQL Server versions 18/19 to mitigate risks.
– High-priority vulnerabilities include BitLocker bypass flaws (physical access required), Office RCE bugs (Preview Pane attack vector), and SharePoint code injection (CVE-2025-49704), which was exploited in Pwn2Own Berlin.
– Additional critical updates include patches for Windows Server RRAS vulnerabilities (network-based RCE risks) and Microsoft Edge (CVE-2025-6554), which has been actively exploited in attacks targeting Chrome users.
Microsoft’s July 2025 security updates address 130 vulnerabilities, including a critical wormable Windows flaw and multiple high-risk exploits. The patches cover a range of products, from SQL Server to Microsoft Office, with several bugs posing immediate threats if left unpatched.
One of the most severe issues, CVE-2025-47981, is a buffer overflow vulnerability in Windows’ SPNEGO Extended Negotiation security mechanism. Attackers can exploit it remotely without user interaction, making it wormable, capable of spreading automatically across networks. Microsoft has assigned it the highest exploitability rating, warning that attacks could emerge within 30 days. Security experts strongly recommend prioritizing this patch, especially for internet-facing systems and Active Directory-connected assets.
Another notable flaw, CVE-2025-49719, affects Microsoft SQL Server, allowing unauthorized attackers to access uninitialized memory. While Microsoft considers exploitation unlikely due to the lack of public proof-of-concept code, users are urged to update to the latest SQL Server versions or ensure compatibility with OLE DB Driver versions 18 or 19. The same update also resolves CVE-2025-49717, a buffer overflow issue that could let authenticated attackers execute code on the host system via malicious SQL queries.
Several high-risk vulnerabilities demand urgent attention:
- Four BitLocker bypass flaws, though exploitable only with physical access to devices.
- Four Microsoft Office RCE bugs, three of which require no user interaction, Preview Pane serves as an attack vector. Patches are available for Windows and Android, but Mac users remain vulnerable for now.
- CVE-2025-49704, a SharePoint code injection flaw used in the Pwn2Own Berlin competition to win $100,000. While it normally requires authentication, attackers could chain it with other exploits for full system compromise.
Windows Server administrators should also prioritize updates addressing 16 CVEs in Routing and Remote Access Service (RRAS). These could allow attackers to trick users into connecting to malicious servers, leading to arbitrary code execution. Mitigations include restricting RRAS ports to trusted networks and disabling unused features.
Finally, Microsoft Edge users must patch CVE-2025-6554, an actively exploited vulnerability originally targeting Chrome. Keeping browsers updated is critical to prevent real-world attacks.
For organizations, the key takeaway is clear: test and deploy these patches immediately, focusing on internet-exposed systems first. Delaying updates could leave networks open to automated attacks or targeted exploits.
(Source: HelpNet Security)
