Post-Patch Tuesday Roundup: July 2025

Welcome to the Softcat Patch Tuesday roundup for July 2025, where we offer insight into the major patches released this month. In this edition, we will focus on the patches by Microsoft, Adobe, Cisco, SAP, and Veeam.


Josh Bates

Technologist - Microsoft Security

This month’s Patch Tuesday delivers critical security updates for Microsoft, Veeam, Adobe, and SAP, fixing multiple serious vulnerabilities—including several zero-days and actively exploited flaws.

In their July Patch Tuesday release, Microsoft has addressed 137 vulnerabilities, with 14 of those rated as Critical and 1 being a zero-day vulnerability with no official fix available.

The July 2025 Microsoft Patch Tuesday update addresses vulnerabilities across a wide range of applications and services, including Windows, .NET, Office, Azure, SQL Server, and more, with several Edge/Chromium-based vulnerabilities also resolved earlier in the month but without new advisory notes issued.

This month's vulnerabilities chiefly revolve around Remote Code Execution (RCE), Elevation of Privilege (EoP), and Information Disclosure. Outlined below is the Zero-Day vulnerability alongside some of the more critical vulnerabilities detailed in this month’s Patch Tuesday: 

Zero Day Vulnerability 

1. CVE-2025-49719 – This is an Information Disclosure vulnerability in Microsoft SQL Server that can allow an attacker to remotely access uninitialised memory without authentication, potentially exposing sensitive information. It is rated as Important, with a CVSS score of 7.5. The vulnerability stems from improper input validation, and it can be exploited over the network without user interaction or privileges. While the issue has been publicly disclosed, it has not been exploited in the wild. The vulnerability can be triggered by specially crafted network requests, allowing an attacker to read memory contents from the SQL Server process. 

Critical 

1. CVE-2025-47981 – This is a Remote Code Execution vulnerability in the SPNEGO Extended Negotiation (NEGOEX) security mechanism that can allow an attacker to execute arbitrary code on a targeted system over the network without requiring authentication or user interaction. It is rated as Critical, with a CVSS score of 9.8. The vulnerability is caused by a heap-based buffer overflow in the NEGOEX protocol implementation. Although it has not been publicly disclosed or exploited, exploitation is considered more likely, and users should apply the security update promptly. An attacker could exploit this by sending a specially crafted message to a vulnerable system, leading to full remote code execution.

2. CVE-2025-48822 – This is a Remote Code Execution vulnerability in Windows Hyper-V Discrete Device Assignment (DDA) that can allow an attacker to execute arbitrary code locally by leveraging an out-of-bounds read condition. It is rated as Critical, with a CVSS score of 8.6. Although the vulnerability requires user interaction, such as being tricked into importing a malicious INF file, it does not require any privileges to exploit. Exploitation could result in a scope change, meaning the attacker may gain control beyond the security boundary of the vulnerable component. While this vulnerability has not been publicly disclosed or exploited, users should apply the security update promptly to mitigate risk. 

3. CVE-2025-49695 – This is a Remote Code Execution vulnerability in Microsoft Office that can allow an attacker to execute arbitrary code on a local system due to a use-after-free condition. It is rated as Critical, with a CVSS score of 8.4. Although the attack is carried out locally, it requires no user interaction or privileges, and the attacker may exploit the issue through vectors such as the Preview Pane. While the vulnerability has not been publicly disclosed or exploited, exploitation is considered more likely, and users should apply the relevant updates without delay to prevent potential compromise. 

4. CVE-2025-49704 – This is a Remote Code Execution vulnerability in Microsoft SharePoint that can allow an attacker to inject and execute arbitrary code on the server via a network-based attack. It is rated as Critical, with a CVSS score of 8.8. The vulnerability arises from improper control over the generation of code (code injection) and can be exploited by any authenticated user with Site Owner permissions. Although it has not been publicly disclosed or exploited, exploitation is considered more likely, and organizations should apply the update promptly. An attacker could exploit this by writing malicious code to a vulnerable SharePoint instance, enabling remote code execution on the server. 

 

Adobe 

Adobe has released 13 security updates this month, addressing 64 vulnerabilities: 38 Critical and 26 Important. The applications in question are:

Adobe After Effects - 2 Important 

Adobe Substance 3D Viewer - 1 Critical and 2 Important 

Adobe Audition - 1 Important 

Adobe InCopy - 1 Critical 

Adobe InDesign - 6 Critical 

Adobe Connect - 1 Critical 

Adobe Dimension - 1 Critical and 1 Important 

Adobe Substance 3D Stager - 1 Important 

Adobe Illustrator - 7 Critical and 3 Important 

Adobe FrameMaker - 13 Critical and 2 Important

Adobe AEM Forms - 1 Critical

Adobe AEM Screens - 2 Important 

Adobe ColdFusion - 7 Critical and 12 Important 

All these vulnerabilities are rated as a priority 3 by Adobe, meaning they relate to a product that has historically not been a target for attackers. 

 

Cisco 

Cisco has so far released 4 advisories for 4 vulnerabilities in July, with impact ratings ranging from Medium to Critical. The Critical vulnerabilities relate to Cisco Unified Communications Manager and Unified CM SME Engineering Special.

 

Citrix 

Citrix has released three security bulletins this month, two being medium severity and one high. The first medium-severity bulletin relates to an issue identified in XenServer 8.4 that may allow privileged code in a guest VM to cause the host to crash or become unresponsive. The second medium-severity bulletin relates to AMD CPUs potentially allowing code in a guest VM to infer some active memory content of another VM that is running on the same host.

Finally, the high-severity bulletin relates to a vulnerability that impacts Virtual Delivery Agent for Windows, used by Citrix Virtual Apps and Desktops and Citrix DaaS.

 

Fortinet 

Fortinet has published or updated 5 vulnerabilities in July for multiple products, including FortiOS, FortiManager, FortiSandbox, FortiIsolator, and FortiProxy. They include 4 Medium and 1 Low severity vulnerabilities.

One Medium severity vulnerability is CVE-2025-24474. A SQL Injection vulnerability (CWE-89) in FortiManager and FortiAnalyzer may let a high-privilege authenticated attacker extract database data with crafted requests. 

 

Ivanti 

Ivanti have addressed three products in their July security update: Ivanti Connect Secure and Policy Secure, Ivanti EPM and Ivanti EPMM. The severities range from medium to high. Additionally, it’s important to note that there is no evidence of any of these vulnerabilities being exploited and they do not impact any other Ivanti solutions.

 

SAP 

SAP has released 27 new security notes and 4 updates to previous security notes. 11 of these CVEs are rated High or Critical. The products affected by the High or Critical rated CVEs are: 

· SAP Supplier Relationship Management 

· SAP S/4HANA and SAP SCM 

· SAP NetWeaver Enterprise Portal Federated Portal Network 

· SAP NetWeaver Enterprise Portal Administration 

· SAP NetWeaver (XML Data Archiving Service) 

· SAP NetWeaver Application Server for Java (Log Viewer)

· SAP NetWeaver ABAP Server and ABAP Platform 

· SAP NetWeaver Application Server for ABAP 

· SAP Business Objects Business Intelligence Platform (CMC) 

· SAP Business Warehouse and SAP Plug-In Basis 

· SAP NetWeaver Visual Composer 

 

Veeam 

Veeam has issued a comprehensive security update for two products, resolving one critical, one high and one medium vulnerability. The bulletin covers:

· Veeam Backup & Replication 

· Veeam Agent for Microsoft Windows 6.3.1.1074 and all earlier version 6 builds  

Notable vulnerabilities include one critical vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user, with a CVSS score of 9.9. The high-severity vulnerability allows an authenticated user with the Backup Operator role to modify backup jobs, which could execute arbitrary code; it has a CVSS score of 7.2.

As always, users are recommended to apply the latest security updates as soon as possible to protect their systems from potential threats.