Patch Newsday July 2025 - Critical Microsoft Security Patches Released for Remote Code and Privilege Escalation Vulnerabilities

Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive’s Container 7 Research Team reviews these patch notes for the standout vulnerabilities you need to know about.

CVE-2025-47987 - 7.8  - Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability

CredSSP is a key component in secure authentication flows, particularly in Remote Desktop Protocol (RDP) and other network authentication scenarios, which makes any vulnerability in it highly sensitive. Although exploitation requires local access with low privileges, no user interaction is needed, and the exploitation complexity is low. These factors, combined with confirmed potential for full SYSTEM access, mark it as a serious threat even in its current "unproven" exploitation state.

What makes this vulnerability particularly interesting is the pairing of Heap-based Buffer Overflow with Integer Overflow or Wraparound — a combination often seen in complex parsing or memory allocation bugs. Integer overflows can manipulate the size calculation of memory buffers, leading to undersized or oversized allocations. When the system then writes more data than expected, this can overflow into adjacent memory—corrupting data, hijacking control flow, or setting up future exploitation paths.

CVE-2025-49735 - 8.1  - Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability

KPSSVC is used in specific deployments where Windows Servers are configured to relay Kerberos authentication over HTTPS—particularly useful in environments where direct access to the domain controller is restricted. Importantly, domain controllers themselves are not affected, limiting the scope to servers acting as Kerberos proxies. However, in hybrid cloud and perimeter-authenticated architectures, such proxies may be internet-accessible, exposing them to greater risk.

The underlying flaw is a Use After Free, a common memory safety issue where a program continues to use a pointer after the memory it references has been freed. This typically occurs due to incorrect memory management and can allow attackers to corrupt memory, redirect control flow, or execute arbitrary shellcode. 

What makes CVE-2025-49735 significant is the network exposure combined with no required privileges or user interaction. Despite its high attack complexity, the vulnerability opens the door to pre-auth remote compromise, particularly attractive to APTs and nation-state actors. The attacker must win a race condition—a timing flaw where memory is freed and reallocated in a specific window—meaning reliability is low for now. Still, such issues can be weaponized with techniques like heap grooming, making eventual exploitation feasible.

Administrators should immediately apply the official fix provided by Microsoft, especially on exposed KPSSVC-enabled servers. Additionally, any unnecessary Kerberos proxy configurations should be reviewed and disabled if not strictly required. This vulnerability reinforces a broader trend: cryptographic service wrappers and protocol proxies—especially those bridging internal and external trust boundaries—are becoming key targets due to their privileged positioning in authentication flows.

CVE-2025-48822 - 8.6 - Windows Hyper-V Discrete Device Assignment (DDA) Remote Code Execution Vulnerability

This vulnerability can be triggered if a user is tricked into importing a malicious INF file, typically as part of a custom device setup or driver deployment in a virtualized context. While the CVSS vector classifies the attack vector as local, the fact that no privileges are required and that exploitation crosses security boundaries (as indicated by Scope: Changed) makes this a powerful exploitation path, particularly in multi-tenant or cloud-hosted Hyper-V environments.

Discrete Device Assignment (DDA) is used in Hyper-V to give virtual machines direct access to physical hardware—especially valuable for GPUs, NICs, or high-performance I/O devices. But this same power introduces risk: improper bounds checking in memory-mapped hardware interaction layers or parser logic (such as INF processing) can allow attackers to read or corrupt memory across isolation boundaries. Similar issues have been exploited in the past, such as CVE-2021-28476 (another Hyper-V RCE via improper input validation), or even CVE-2019-0708 (BlueKeep), where bounds-related flaws led to serious hypervisor and kernel compromise.

Microsoft’s advisory confirms no public exploitation or disclosure as of publication, and marks the vulnerability as "Exploitation Less Likely," but history shows that even low-likelihood Hyper-V bugs can become high-value targets for attackers seeking guest-to-host escapes or cross-tenant access in cloud environments. The involvement of an INF file suggests the attack likely exploits vulnerabilities in configuration parsing or device initialization routines—an area where memory safety bugs can be subtle but devastating.

Admins and cloud providers using Hyper-V DDA should immediately deploy the official fix, review any policies around dynamic hardware passthrough or manual INF imports, and consider limiting user access to virtual hardware configuration. Given the scope change, this vulnerability enables compromise of components outside the normal boundary of the vulnerable component—raising the possibility of escalation beyond the virtual machine itself.

This also shows how there are hardware-assisted virtualization vulnerabilities, where system boundaries become blurred through performance optimization features, and complex Windows subsystems handling low-level operations or bridging trust boundaries are grounds for memory safety bugs with critical consequences.

CVE-2025-49695 - 8.4 - Microsoft Office Remote Code Execution Vulnerability 

CVE-2025-49696 - 8.4 - Microsoft Office Remote Code Execution Vulnerability

CVE-2025-49696 stems from a combination of Out-of-Bounds Read and Heap-based Buffer Overflow, a dangerous pairing commonly seen in complex memory corruption exploits. This vulnerability is triggered when Microsoft Office processes a specially crafted file, which can result in a read operation extending beyond the intended memory buffer, followed by a heap overflow that allows for memory manipulation and potential code execution. Notably, the vulnerability can be exploited without any user interaction—even passively through the Preview Pane—making it particularly suited to email-based delivery and drive-by exploitation.

This attack pattern is not unprecedented. Microsoft Office has a history of similar memory corruption issues, including CVE-2017-11882 and CVE-2023-21716, both of which were exploited in the wild. In the case of CVE-2025-49696, the exploit chain likely involves using the out-of-bounds read to gather sensitive memory information (e.g., heap layout or security cookie values) before triggering the heap overflow to overwrite critical data structures and execute arbitrary code. The ease with which this can be delivered—through malicious attachments or shared documents—makes this a high-risk vulnerability despite being classified with a local attack vector.

CVE-2025-49695 is a Use-After-Free (UAF) vulnerability in Microsoft Office that enables remote code execution (RCE) under similar conditions to CVE-2025-49696. Use-after-free vulnerabilities occur when a memory object is accessed after it has been freed, allowing attackers to reclaim and repurpose the associated memory space. This can lead to predictable and controllable memory corruption, particularly when the freed memory is reallocated for known structures such as function pointers or scripting objects.

As with CVE-2025-49696, this vulnerability can be exploited via the Preview Pane, meaning it requires no user interaction—a rare and dangerous property for Office vulnerabilities. An attacker could deliver a malicious Office file that triggers code execution when simply previewed or indexed by the system. The vulnerability is rated critical due to its low complexity, lack of required privileges, and high potential impact on confidentiality, integrity, and availability.

Though there are currently no public exploits for either issue, Microsoft’s advisory classifies them as “Exploitation More Likely,” indicating that these bugs are realistic candidates for attacker adoption in the near term. Given the prevalence of Office in enterprise environments and the common use of Preview Panes in Outlook and File Explorer, both vulnerabilities present a significant risk.

CVE-2025-47981 - 9.8 - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability

CVE-2025-47981 is one of the most critical vulnerabilities disclosed in the July 2025 Patch Tuesday release. It highlights the persistent risk posed by memory corruption in foundational protocol layers. With NEGOEX increasingly used in identity federation and cloud-connected authentication flows, this flaw reinforces the need for rigorous patch management and defensive monitoring around core Windows authentication services.

The vulnerability results from a heap-based buffer overflow and affects Windows systems where the Group Policy setting “Allow PKU2U authentication requests to this computer to use online identities” is enabled—which is default behavior in many versions of Windows 10. This vulnerability enables unauthenticated, pre-authentication RCE with no user interaction and low attack complexity, making it a high-value target for adversaries seeking lateral movement or initial access in enterprise networks.

NEGOEX is an extension of SPNEGO, and underpins many authentication processes in Windows, including support for Kerberos, NTLM, and PKU2U. Because NEGOEX is invoked early in the authentication process—before credential validation—any memory corruption issue at this layer can be exploited before traditional security boundaries are enforced. In the case of CVE-2025-47981, an attacker can send a specially crafted authentication message over the network to trigger a heap overflow in the authentication service, potentially resulting in arbitrary code execution with SYSTEM-level privileges.

This vulnerability shares characteristics with previous high-profile pre-auth RCE flaws such as CVE-2020-1472 (Zerologon) and CVE-2022-21907 (HTTP.sys RCE), which also required no credentials for successful exploitation. While Microsoft has not confirmed exploitation in the wild, they have assessed this vulnerability as “Exploitation More Likely,” indicating that threat actors may soon attempt to weaponize it. Attack vectors could include common services like SMB, RPC, or any GSSAPI-enabled endpoint exposed to network traffic.

Organizations are strongly advised to apply the official security patch without delay. As a temporary mitigation, environments that do not rely on PKU2U should consider disabling the relevant Group Policy setting to reduce exposure. Security teams should also audit external-facing systems for authentication surface area, and monitor for anomalous NEGOEX or SPNEGO traffic indicative of probing or exploitation attempts.

CVE-2025-49740 - 8.8 - Windows SmartScreen Security Feature Bypass Vulnerability

A high severity vulnerability has been identified in Microsoft Defender SmartScreen. Microsoft Defender SmartScreen is a security feature in Windows that helps protect users from malicious websites, phishing scams, and untrusted downloads. It works by checking files and websites against a Microsoft database to warn or block users if something is suspicious or potentially harmful. When you try to run unknown or unsafe programs, or visit dangerous sites, SmartScreen displays a warning to help prevent malware infections and other security threats.

The specific element of SmartScreen that is vulnerable is mark of the web (MoTW), a feature that tags programs and files downloaded from the internet by adding special metadata. If MoTW identifies any suspicious files, the user will be alerted via a pop-up box. For this vulnerability to work, the user needs to be tricked into running a malicious file capable of bypassing MoTW detections. We’ve seen some serious, critical vulnerabilities in the past abusing a similar misconfiguration, notably CVE-2025-0411 which allowed attackers to bypass MotW protections through affected installations of the 7Zip tool.

With a reliable way to bypass MoTW defenses, attackers can install malware onto the victims machine without them knowing, in turn allowing them to steal data and perform further, more impactful attacks.

CVE-2025-47178 - 8.0 - Microsoft Configuration Manager Remote Code Execution Vulnerability

Another high-severity remote code execution vulnerability has been identified in this round of Patch Tuesday, notably in the Microsoft Configuration Manager, an enterprise tool for managing, deploying, and securing computers, servers, and devices across a network. It allows IT admins to automate software deployments, patch updates, operating system installs, inventory collection, compliance enforcement, and device configuration from a central location.

This vulnerability requires very low privileges to exploit, it simply requires the attacker or a targeted user to leverage a Microsoft Access application to automatically talk to a SQL server while utilizing a remote SQL server address they already control. An authenticated attacker with system administrator (sysadmin) privileges can run arbitrary SQl queries as the SMS service. Since the injection happens during a user permission check, technically a user or attacker with a read-only access role can exploit it.

Exploiting this vulnerability allows an attacker to execute arbitrary SQL queries as the privileged SMS service account in Microsoft Configuration Manager. This access can be used to manipulate deployments, push malicious software or scripts to all managed devices, alter configurations, steal sensitive data, and potentially escalate to full operating system code execution across the enterprise, giving the attacker broad control over the entire IT environment.

CVE-2025-48799 - Windows Update Service Elevation of Privilege Vulnerability

A high-severity local privilege escalation vulnerability, tracked as CVE-2025-48799, has been identified in the Windows Update Service and patched as part of Microsoft’s July 2025 Patch Tuesday release.

The flaw stems from improper link resolution before file access (CWE-59), commonly known as “link following.” This type of vulnerability occurs when the system fails to properly verify symbolic links or junctions before accessing files. In practice, an attacker could exploit this behavior to trick the Windows Update Service into overwriting or executing files in protected system directories — potentially planting malicious executables, modifying configuration files, or hijacking privileged processes to achieve full SYSTEM-level access.

According to Microsoft, a local attacker with low privileges could carry out the exploit without requiring any user interaction. The attack has low complexity, meaning it could be relatively easy to pull off in the right environment.

The vulnerability has been assigned a CVSS v3.1 base score of 7.8, reflecting its significant impact. While no public exploit code is currently available, the issue has been confirmed and fully patched by Microsoft.

Organizations and end users are strongly urged to apply the official fix immediately, as successful exploitation could allow attackers to fully compromise affected systems.

CVE-2025-48001, CVE-2025-48800, CVE-2025-48804, CVE-2025-48818 - BitLocker Security Feature Bypass Vulnerability

Microsoft’s July 2025 Patch Tuesday addresses four newly disclosed vulnerabilities in Windows BitLocker, the system’s built-in disk encryption tool. Tracked as CVE-2025-48804, CVE-2025-48001, CVE-2025-48800, and CVE-2025-48818, all are rated Important with a CVSS v3.1 score of 6.8, and could allow attackers to bypass BitLocker protections through physical access to a device.

Each flaw allows an attacker to gain unauthorized access to encrypted data on the system drive — no user interaction or prior privileges are required. Microsoft notes that exploitation is considered “more likely,” although no public exploit code currently exists.

CVE-2025-48804 (CWE-349) involves improper handling of WinRE.wim recovery images, which can be abused to access unlocked volumes.

CVE-2025-48001 and CVE-2025-48818 exploit TOCTOU race conditions (CWE-367), enabling attackers to interfere with timing checks during device boot.

CVE-2025-48800 (CWE-693) stems from a protection mechanism failure, potentially allowing bypass of encryption enforcement.

If exploited, these flaws could expose sensitive files, credentials, or allow tampering with system integrity. This poses a particular risk, especially for organizations where devices may be lost or stolen, as attackers with hands-on access could potentially bypass encryption and extract sensitive data.

Patches are available, and organizations are strongly urged to update immediately to prevent potential data breaches or unauthorized system access.

‍