[ad_1]
Microsoft at present launched updates to repair a minimum of 137 safety vulnerabilities in its Windows working programs and supported software program. None of the weaknesses addressed this month are recognized to be actively exploited, however 14 of the issues earned Microsoft’s most-dire “critical” score, which means they could possibly be exploited to grab management over weak Windows PCs with little or no assist from customers.
While not listed as vital, CVE-2025-49719 is a publicly disclosed info disclosure vulnerability, with all variations way back to SQL Server 2016 receiving patches. Microsoft charges CVE-2025-49719 as much less prone to be exploited, however the availability of proof-of-concept code for this flaw means its patch ought to in all probability be a precedence for affected enterprises.
Mike Walters, co-founder of Action1, mentioned CVE-2025-49719 could be exploited with out authentication, and that many third-party purposes rely on SQL server and the affected drivers — probably introducing a supply-chain threat that extends past direct SQL Server customers.
“The potential exposure of sensitive information makes this a high-priority concern for organizations handling valuable or regulated data,” Walters mentioned. “The comprehensive nature of the affected versions, spanning multiple SQL Server releases from 2016 through 2022, indicates a fundamental issue in how SQL Server handles memory management and input validation.”
Adam Barnett at Rapid7 notes that at present is the tip of the highway for SQL Server 2012, which means there will likely be no future safety patches even for vital vulnerabilities, even for those who’re prepared to pay Microsoft for the privilege.
Barnett additionally referred to as consideration to CVE-2025-47981, a vulnerability with a CVSS rating of 9.8 (10 being the worst), a distant code execution bug in the best way Windows servers and purchasers negotiate to find mutually supported authentication mechanisms. This pre-authentication vulnerability impacts any Windows shopper machine operating Windows 10 1607 or above, and all present variations of Windows Server. Microsoft considers it extra possible that attackers will exploit this flaw.
Microsoft additionally patched a minimum of 4 vital, distant code execution flaws in Office (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702). The first two are each rated by Microsoft as having a better probability of exploitation, don’t require person interplay, and could be triggered by the Preview Pane.
Two extra excessive severity bugs embody CVE-2025-49740 (CVSS 8.8) and CVE-2025-47178 (CVSS 8.0); the previous is a weak point that would enable malicious recordsdata to bypass screening by Microsoft Defender SmartScreen, a built-in characteristic of Windows that tries to dam untrusted downloads and malicious websites.
CVE-2025-47178 includes a distant code execution flaw in Microsoft Configuration Manager, an enterprise software for managing, deploying, and securing computer systems, servers, and units throughout a community. Ben Hopkins at Immersive Labs mentioned this bug requires very low privileges to use, and that it’s potential for a person or attacker with a read-only entry function to use it.
“Exploiting this vulnerability allows an attacker to execute arbitrary SQL queries as the privileged SMS service account in Microsoft Configuration Manager,” Hopkins mentioned. “This access can be used to manipulate deployments, push malicious software or scripts to all managed devices, alter configurations, steal sensitive data, and potentially escalate to full operating system code execution across the enterprise, giving the attacker broad control over the entire IT environment.”
Separately, Adobe has launched safety updates for a broad vary of software program, together with After Effects, Adobe Audition, Illustrator, FrameMaker, and ColdFusion.
The SANS Internet Storm Center has a breakdown of every particular person patch, listed by severity. If you’re liable for administering quite a few Windows programs, it could be value maintaining a tally of AskWoody for the lowdown on any probably wonky updates (contemplating the big variety of vulnerabilities and Windows elements addressed this month).
If you’re a Windows house person, please think about backing up your information and/or drive earlier than putting in any patches, and drop a observe within the feedback for those who encounter any issues with these updates.