Microsoft's July 2025 Patch Tuesday update addresses 130 vulnerabilities across its software ecosystem, including a critical zero-click remote code execution flaw in the SPNEGO Extended Negotiation (NEGOEX) protocol used by Windows authentication.
The update affects both Windows 10 and Windows 11 systems and is considered urgent due to its potential for wormable exploitation.
The most severe flaw fixed this month is CVE-2025-47981, a heap-based buffer overflow vulnerability in the NEGOEX mechanism, which allows unauthenticated attackers to execute arbitrary code remotely without user interaction or elevated privileges. Microsoft assigned it a CVSS score of 9.8, rating it Critical, and marked exploitation as “More Likely.”
The vulnerability was discovered by a security researcher using the pseudonym Yuki Chen. According to Microsoft's bulletin, exploitation requires only that the target system accepts NEGOEX authentication messages, which is the default configuration for Windows 10 (version 1607 and later) and Windows 11 via the PKU2U Group Policy setting. This makes many enterprise environments especially vulnerable to automated exploitation.
Security researcher Saeed Abbasi from Qualys Threat Research Unit has warned that the bug “can drop attacker-controlled code straight into LSASS, running as SYSTEM,” and described it as a “loaded gun pointed at your organization,” urging patching within 48 hours, especially for internet-facing, VPN-accessible, and domain-connected systems.
Beyond CVE-2025-47981, Microsoft's update resolves dozens of other notable vulnerabilities, including:
- CVE-2025-49713: A critical flaw in the Chromium-based Microsoft Edge browser with a CVSS score of 8.8.
- CVE-2025-47978: A privilege escalation issue in Windows Kerberos, also rated “More Likely” to be exploited.
- CVE-2025-47987 and CVE-2025-48800: Multiple BitLocker vulnerabilities that could lead to data compromise if a device is physically accessed.
- CVE-2025-49701: An RCE vulnerability in Microsoft SharePoint, posing a threat to internal collaboration platforms.
This month's update, released under KB5062553 (OS Build 26100.4652), also includes non-security fixes such as audio issue resolution for notification sounds, and display synchronization fixes for certain fullscreen games. Microsoft additionally reminded users that Secure Boot certificates will start expiring in June 2026, urging organizations to begin updating certificates ahead of time.
To apply the latest update, head to Settings → Windows Update, and click on ‘Check for Updates.' The process will start automatically, and a system reboot will be required for the security patches to apply. Before starting the process, take backups of your most important data to be safe in case of a catastrophic error that may render the filesystem irrecoverable.
Microsoft confirms there are no known active exploits for the vulnerabilities addressed in this release, but given the severity and exploitability rating of CVE-2025-47981, defenders should assume attackers will move quickly and apply the update as soon as possible.
Leave a Reply