Arctic Wolf Security Bulletin

Microsoft Patch Tuesday: July 2025

On July 8, 2025, Microsoft released its July 2025 security update, addressing 130 newly disclosed vulnerabilities. Arctic Wolf is highlighting five vulnerabilities in this bulletin based on their potential impact; these vulnerabilities were also rated as critical by Microsoft. At the time of disclosure, none of the vulnerabilities had been reported as exploited, and no proof-of-concept exploits were publicly available. 

Vulnerabilities 

| Vulnerability | CVSS | Description |
|---|---|---|
| CVE-2025-47981 | 9.8 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability – A heap-based buffer overflow vulnerability in Windows SPNEGO Extended Negotiation, a protocol used for secure authentication between systems. A remote threat actor could exploit this vulnerability to execute arbitrary code over the network without authorization. |
| CVE-2025-49695 | 8.4 | Microsoft Office Remote Code Execution Vulnerability – A use-after-free vulnerability in Microsoft Office that an unauthorized threat actor could exploit to execute code locally. Although the threat actor may be remote, exploitation requires code execution on the local machine, and successful exploitation could enable remote code execution without user interaction. |
| CVE-2025-49696 | 8.4 | Microsoft Office Remote Code Execution Vulnerability – An out-of-bounds read vulnerability in Microsoft Office that an unauthorized threat actor can exploit to execute code locally. Although the threat actor may be remote, exploitation requires code execution on the local machine, and a successful exploit could lead to remote code execution without user interaction. |
| CVE-2025-49704 | 8.8 | Microsoft SharePoint Remote Code Execution Vulnerability – A remote authenticated threat actor with at least Site Owner privileges can exploit improper control of code generation (‘code injection’) in Microsoft Office SharePoint to inject and execute arbitrary code on the SharePoint server over the network. |
| CVE-2025-49735 | 8.1 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability – An unauthenticated remote threat actor can exploit this use-after-free vulnerability in Windows KDC Proxy Service (KPSSVC) to execute code over the network. This vulnerability affects only Windows Servers configured as Kerberos Key Distribution Center Proxy Protocol servers, and exploitation requires winning a race condition. |

Recommendation

Upgrade to Latest Fixed Versions

Arctic Wolf strongly recommends that customers upgrade to the latest fixed versions. 

| Product | CVE | Update Article |
|---|---|---|
| Windows Server 2025 | CVE-2025-47981 | 5062553 |
| Windows Server 2025 | CVE-2025-49735 | 5060842 |
| Windows Server 2022, 23H2 Edition | CVE-2025-47981, CVE-2025-49735 | 5062570, 5060999 |
| Windows Server 2022 | CVE-2025-47981, CVE-2025-49735 | 5062572, 5060526 |
| Windows Server 2019 | CVE-2025-47981, CVE-2025-49735 | 5062557, 5060998 |
| Windows Server 2016 | CVE-2025-47981, CVE-2025-49735 | 5062560, 5061010 |
| Windows Server 2012 R2 | CVE-2025-47981, CVE-2025-49735 | 5062597, 5061018 |
| Windows Server 2012 | CVE-2025-47981, CVE-2025-49735 | 5062592, 5061059 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | CVE-2025-47981 | 5062632, 5062619 |
| Windows 11 Version 24H2 for x64-based, and ARM64-based Systems | CVE-2025-47981 | 5062553 |
| Windows 11 Version 23H2 for x64-based, and ARM64-based Systems | CVE-2025-47981 | 5062552 |
| Windows 11 Version 22H2 for x64-based, and ARM64-based Systems | CVE-2025-47981 | 5062552 |
| Windows 10 Version 22H2 for 32-bit, x64-based, and ARM64-based Systems | CVE-2025-47981 | 5062554 |
| Windows 10 Version 21H2 for 32-bit, x64-based, and ARM64-based Systems | CVE-2025-47981 | 5062554 |
| Windows 10 Version 1809 for 32-bit, and x64-based Systems | CVE-2025-47981 | 5062557 |
| Windows 10 Version 1607 for 32-bit, and x64-based Systems | CVE-2025-47981 | 5062560 |
| Windows 10 for 32-bit, and x64-based Systems | CVE-2025-47981 | 5062561 |
| Microsoft SharePoint Server 2019 | CVE-2025-49704 | 5002741 |
| Microsoft SharePoint Enterprise Server 2016 | CVE-2025-49704 | 5002744 |
| Microsoft Office LTSC for Mac 2024 | CVE-2025-49695, CVE-2025-49696 | Not available at the time of writing. Microsoft states that updates will be available soon and advises checking the vulnerability page for updates. |
| Microsoft Office LTSC for Mac 2021 | CVE-2025-49695, CVE-2025-49696 | Not available at the time of writing. Microsoft states that updates will be available soon and advises checking the vulnerability page for updates. |
| Microsoft Office LTSC 2024 for 32-bit, and 64-bit editions | CVE-2025-49695, CVE-2025-49696 | Click to Run |
| Microsoft Office LTSC 2021 for 32-bit, and 64-bit editions | CVE-2025-49695, CVE-2025-49696 | Click to Run |
| Microsoft Office for Android | CVE-2025-49695, CVE-2025-49696 | Release Notes |
| Microsoft Office 2019 for 32-bit, and 64-bit editions | CVE-2025-49695, CVE-2025-49696 | Click to Run |
| Microsoft Office 2016 (32-bit, and 64-bit editions) | CVE-2025-49695, CVE-2025-49696 | 5002742 |
| Microsoft 365 Apps for Enterprise for 32-bit, and 64-bit Systems | CVE-2025-49695, CVE-2025-49696 | Click to Run |

 

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 
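
To confirm the Windows rows of the table on a given host, the following PowerShell check is an added example (not Arctic Wolf's or Microsoft's code). The function name `Get-BulletinPatchStatus` is hypothetical, and treating a running KPSSVC service as a sign that the host acts as a KDC proxy is an assumption; Office and SharePoint rows are out of scope for this check.

```powershell
# Added example. KB IDs are copied from the Windows rows of the table above.
$BulletinKBs = @(
    'KB5062553', 'KB5060842', 'KB5062570', 'KB5060999', 'KB5062572',
    'KB5060526', 'KB5062557', 'KB5060998', 'KB5062560', 'KB5061010',
    'KB5062597', 'KB5061018', 'KB5062592', 'KB5061059', 'KB5062632',
    'KB5062619', 'KB5062552', 'KB5062554', 'KB5062561'
)

function Get-BulletinPatchStatus {
    # Updates installed on the local host, as reported by Get-HotFix.
    $installed = @(Get-HotFix -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID)

    # A KB for another Windows release can never be installed here, so
    # matching against the whole list is enough to find this host's row.
    $matched = @($installed | Where-Object { $BulletinKBs -contains $_ })

    # CVE-2025-49735 affects only servers configured as KDC Proxy servers.
    # Assumption: a running KPSSVC service indicates that role is in use.
    $kps = Get-Service -Name 'KPSSVC' -ErrorAction SilentlyContinue
    $kpsState = if ($kps) { $kps.Status.ToString() } else { 'NotPresent' }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        BulletinKBsFound = $matched -join ', '
        KdcProxyService  = $kpsState
        KdcProxyInScope  = ($kpsState -eq 'Running')
        # No listed KB found: the host is either unpatched or carries a
        # later cumulative update that includes these fixes. Check the
        # newest entry in LatestInstalled before concluding either way.
        NeedsReview      = ($matched.Count -eq 0)
        LatestInstalled  = (Get-HotFix |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1 -ExpandProperty HotFixID)
    }
}

Get-BulletinPatchStatus | Format-List
```

Hosts reporting `NeedsReview = True` together with `KdcProxyInScope = True` are the ones to look at first, since both Windows CVEs in the table apply to them.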
