Microsoft targets 130 vulnerabilities on July Patch Tuesday

Microsoft Office and RRAS vulnerabilities take precedence

This month, admins will have to focus on releasing Windows cumulative updates quickly, particularly since a high concentration of vulnerabilities affect Windows Routing and Remote Access Service (RRAS) with 16 total. All the RRAS CVEs have a maximum severity of important and an exploitability assessment of exploitation unlikely.

RRAS in Windows Server handles network traffic control and remote connectivity on public and private networks, providing compatibility with several VPN protocols and ensuring secure remote access.

Most of the risk types are remote code execution with two in the information disclosure threat category.

"The vulnerabilities are all remotely exploitable without the need for authentication over the network," said Chris Goettl, vice president of product management for security products at Ivanti.

He said the following mitigations could curb attacks on RRAS:

• Limit RRAS ports to trusted networks or VPN concentrators.
• Apply strict firewall rules to RRAS ports.
• Disable unused features in RRAS or determine whether the service can be removed entirely.

Microsoft Office also had 16 total CVEs with six rated critical and the rest important. Six vulnerabilities affect the core Microsoft Office platform, two in Excel, one in PowerPoint, three in SharePoint, three in Microsoft Word and one in the Microsoft Office Developer Platform.

Admins will want to focus on the CVEs rated more likely to be exploited:

• CVE-2025-49695: Microsoft Office remote code execution vulnerability, 8.4 CVSS, critical rating;
• CVE-2025-49696: Microsoft Office remote code execution vulnerability, 8.4 CVSS, critical rating;
• CVE-2025-49701: Microsoft Office SharePoint remote code execution vulnerability, 8.8 CVSS, important rating; and
• CVE-2025-49704: Microsoft Office SharePoint remote code execution vulnerability, 8.8 CVSS, critical rating.

The preview pane is a potential attack vector for CVE-2025-49695 and CVE-2025-49696, meaning users only need to preview a malicious file to trigger the exploit.

Patches for seven CVEs related to Visual Studio released

Admins who work with development teams will need to ensure seven vulnerabilities -- CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385 and CVE-2025-48386 -- related to Git are addressed by updating to the latest version of Visual Studio.

Goettl said regular updates to these third-party libraries are crucial to prevent the slow accumulation of security debt and maintain compliance with service-level agreements.

"Most development organizations, if they're doing a good CI/CD pipeline assessment, are going to see vulnerabilities in the third-party libraries and development tools they're using," he said.

Goettl said the method to test fixes for developer tools depends on the size of the organization. Smaller ones rely on regression testing with the new libraries installed to run validation checks. Larger organizations typically use a staged rollout, starting with the lower-risk environments before updating the more critical systems.

"It's quite a bit different than just an automated patch management process of OS updates and third-party updates when you're dealing with the development side. There's a bit more of a heavy lift to validate that everything is good," Goettl said.

Other security updates of note for July Patch Tuesday

• Two Azure-related CVEs will only require admin intervention if auto-update functionality is not enabled. An Azure Service Fabric Runtime elevation-of-privilege vulnerability (CVE-2025-21195) has a CVSS rating of 6.0. An Azure Monitor Agent remote-code execution vulnerability (CVE-2025-47988) has a 7.5 CVSS rating.
• Microsoft corrected an issue stemming from its June Patch Tuesday security updates that caused Dynamic Host Configuration Protocol (DHCP) problems with Windows Server. The affected Windows Server systems and their Knowledge Base articles are: Windows Server 2025 (KB5060842), Windows Server 2022 (KB5060526), Windows Server 2019 (KB5060531) and Windows Server 2016 (KB5061010). DHCP automatically assigns IP addresses to devices on a network and manages IP address leases.
• Microsoft republished a June Patch Tuesday fix for a .NET and Visual Studio remote-code execution vulnerability (CVE-2025-30399) that was expanded to include PowerShell 7.4 and 7.5. "An attacker could exploit this vulnerability by placing files in particular locations, leading to unintended code execution," according to Microsoft's security advisory. The vulnerability is particularly significant because it affects Windows, macOS and Linux systems that run those exploitable PowerShell versions.

Next phase of Kerberos hardening process takes effect

July Patch Tuesday also implemented the next stage in the three-phase process to improve security for Kerberos authentication to prevent machine-in-the-middle (MITM) attacks and local network spoofing.

On April Patch Tuesday, Microsoft first addressed a Windows Kerberos elevation-of-privilege vulnerability (CVE-2025-26647) in Windows Server systems, which introduced Audit Mode to uncover noncompliant certificates. Admins were expected to use audit logs to find these certificates, make corrections and check for issues.

July Patch Tuesday release introduced the second phase, Enforced by Default, to domain controllers. This update makes checks to the NTAuth store -- the repository on Windows domain controllers that contains a list of trusted certificate authorities -- mandatory, but admins can temporarily revert to Audit Mode for adjustments.

After installing the October Patch Tuesday updates, Microsoft will put domain controllers in Enforcement Mode and remove the ability for these registry bypasses.