On July 8, 2025, Microsoft released its July 2025 security update, addressing 130 newly disclosed vulnerabilities. Arctic Wolf is highlighting five vulnerabilities in this bulletin based on their potential impact; these vulnerabilities were also rated as critical by Microsoft. At the time of disclosure, none of the vulnerabilities had been reported as exploited, and no proof-of-concept exploits were publicly available.
Vulnerabilities
| Vulnerability | CVSS | Description |
| CVE-2025-47981 | 9.8 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability – A heap-based buffer overflow vulnerability in Windows SPNEGO Extended Negotiation, a protocol used for secure authentication between systems. A remote threat actor could use this exploit to execute arbitrary code over the network without authorization. |
| CVE-2025-49695 | 8.4 | Microsoft Office Remote Code Execution Vulnerability – A use-after-free vulnerability in Microsoft Office that an unauthorized threat actor could exploit to execute code locally.
Although the threat actor may be remote, exploitation requires code execution on the local machine, and successful exploitation could enable remote code execution without user interaction. |
| CVE-2025-49696 | 8.4 | Microsoft Office Remote Code Execution Vulnerability – An out-of-bounds read vulnerability in Microsoft Office that an unauthorized threat actor can exploit to execute code locally.
Although the threat actor may be remote, exploitation requires code execution on the local machine, and a successful exploit could lead to remote code execution without user interaction. |
| CVE-2025-49704 | 8.8 | Microsoft SharePoint Remote Code Execution Vulnerability – A remote authenticated threat actor with at least Site Owner privileges can exploit improper control of code generation (‘code injection’) in Microsoft Office SharePoint to inject and execute arbitrary code on the SharePoint server over the network. |
| CVE-2025-49735 | 8.1 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability – An unauthenticated remote threat actor can exploit this use-after-free vulnerability in Windows KDC Proxy Service (KPSSVC) to execute code over the network.
This vulnerability affects only Windows Servers configured as Kerberos Key Distribution Center Proxy Protocol servers, and exploitation requires winning a race condition. |
Recommendation
Upgrade to Latest Fixed Versions
Arctic Wolf strongly recommends that customers upgrade to the latest fixed versions.
| Product | CVE | Update Article |
| Windows Server 2025 | CVE-2025-47981 | 5062553 |
| Windows Server 2025 | CVE-2025-49735 | 5060842 |
| Windows Server 2022, 23H2 Edition | CVE-2025-47981, CVE-2025-49735 | 5062570, 5060999 |
| Windows Server 2022 | CVE-2025-47981, CVE-2025-49735 | 5062572, 5060526 |
| Windows Server 2019 | CVE-2025-47981, CVE-2025-49735 | 5062557, 5060998 |
| Windows Server 2016 | CVE-2025-47981, CVE-2025-49735 | 5062560, 5061010 |
| Windows Server 2012 R2 | CVE-2025-47981, CVE-2025-49735 | 5062597, 5061018 |
| Windows Server 2012 | CVE-2025-47981, CVE-2025-49735 | 5062592, 5061059 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | CVE-2025-47981 | 5062632, 5062619 |
| Windows 11 Version 24H2 for x64-based, and ARM64-based Systems | CVE-2025-47981 | 5062553 |
| Windows 11 Version 23H2 for x64-based, and ARM64-based Systems | CVE-2025-47981 | 5062552 |
| Windows 11 Version 22H2 for x64-based, and ARM64-based Systems | CVE-2025-47981 | 5062552 |
| Windows 10 Version 22H2 for 32-bit, x64-based, and ARM64-based Systems | CVE-2025-47981 | 5062554 |
| Windows 10 Version 21H2 for 32-bit, x64-based, and ARM64-based Systems | CVE-2025-47981 | 5062554 |
| Windows 10 Version 1809 for 32-bit, and x64-based Systems | CVE-2025-47981 | 5062557 |
| Windows 10 Version 1607 for 32-bit, and x64-based Systems | CVE-2025-47981 | 5062560 |
| Windows 10 for 32-bit, and x64-based Systems | CVE-2025-47981 | 5062561 |
| Microsoft SharePoint Server 2019 | CVE-2025-49704 | 5002741 |
| Microsoft SharePoint Enterprise Server 2016 | CVE-2025-49704 | 5002744 |
| Microsoft Office LTSC for Mac 2024 | CVE-2025-49695, CVE-2025-49696 | Not available at the time of writing. Microsoft states that updates will be available soon and advises checking the vulnerability page for updates. |
| Microsoft Office LTSC for Mac 2021 | CVE-2025-49695, CVE-2025-49696 | Not available at the time of writing. Microsoft states that updates will be available soon and advises checking the vulnerability page for updates. |
| Microsoft Office LTSC 2024 for 32-bit, and 64-bit editions | CVE-2025-49695, CVE-2025-49696 | Click to Run |
| Microsoft Office LTSC 2021 for 32-bit, and 64-bit editions | CVE-2025-49695, CVE-2025-49696 | Click to Run |
| Microsoft Office for Android | CVE-2025-49695, CVE-2025-49696 | Release Notes |
| Microsoft Office 2019 for 32-bit, and 64-bit editions | CVE-2025-49695, CVE-2025-49696 | Click to Run |
| Microsoft Office 2016 (32-bit, and 64-bit editions) | CVE-2025-49695, CVE-2025-49696 | 5002742 |
| Microsoft 365 Apps for Enterprise for 32-bit, and 64-bit Systems | CVE-2025-49695, CVE-2025-49696 | Click to Run |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
References
Learn more about the Arctic Wolf Cyber Resilience Assessment.
Take a deep dive into NIST CSF 2.0 with our webinar, NIST CSF 2.0: A Blueprint for Operationalizing Risk Management Within Your Security Program.
