Threat intelligence
Microsoft Security Bulletin Coverage for July 2025
Overview
Microsoft’s July 2025 Patch Tuesday has 127 vulnerabilities, 53 of which are Elevation of Privilege. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of July 2025 and has produced coverage for 12 of the reported vulnerabilities.
Vulnerabilities with Detections
| CVE | CVE Title | Signature | |
| CVE-2025-47978 | Windows Kerberos Denial of Service Vulnerability | IPS 21234 Windows Kerberos Denial of Service (CVE-2025-47978) | |
| CVE-2025-47981 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability | IPS 21233 NEGOEX Security Mechanism Remote Code Execution (CVE-2025-47981) | |
| CVE-2025-47987 | Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability | ASPY 7094 Exploit-exe exe.MP_456 | |
| CVE-2025-48799 | Windows Update Service Elevation of Privilege Vulnerability | ASPY 7097 Exploit-exe exe.MP_457 | |
| CVE-2025-49695 | Microsoft Office Remote Code Execution Vulnerability | ASPY 7095 Malformed-pptx pptx.MP_2 | |
| CVE-2025-49696 | Microsoft Office Remote Code Execution Vulnerability | ASPY 7096 Malformed-xls xls.MP_22 | |
| CVE-2025-49701 | Microsoft SharePoint Remote Code Execution Vulnerability | ASPY 646 Exploit-exe exe.MP_455 | |
CVE-2025-49704 | Microsoft SharePoint Remote Code Execution Vulnerability |
| |
CVE-2025-49706 | Microsoft SharePoint Server Spoofing Vulnerability | IPS 4583 Microsoft SharePoint Server Authentication Bypass (CVE-2025-49706) IPS 4584 Microsoft SharePoint Server Authentication Bypass (CVE-2025-49706) 2 | |
| CVE-2025-49718 | Microsoft SQL Server Information Disclosure Vulnerability | IPS 4533 Microsoft SQL Server Information Disclosure (CVE-2025-49718) | |
| CVE-2025-49724 | Windows Connected Devices Platform Service Remote Code Execution Vulnerability | IPS 4517 Windows Connected Devices Platform Service RCE (CVE-2025-49724) | |
| CVE-2025-49727 | Win32k Elevation of Privilege Vulnerability | ASPY 645 Exploit-exe exe.MP_454 | |
| CVE-2025-49744 | Windows Graphics Component Elevation of Privilege Vulnerability | ASPY 644 Exploit-exe exe.MP_453 |
Release Breakdown
The vulnerabilities can be classified into the following categories:
For July, there are 8 critical and 119 important vulnerabilities.
Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery and those that have been disclosed publicly before the Patch Tuesday release for each month. The above chart displays these metrics as seen each month.
Release Detailed Breakdown
Denial of Service Vulnerabilities
| CVE | CVE Title |
| CVE-2025-47978 | Windows Kerberos Denial of Service Vulnerability |
| CVE-2025-47999 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2025-49680 | Windows Performance Recorder (WPR) Denial of Service Vulnerability |
| CVE-2025-49716 | Windows Netlogon Denial of Service Vulnerability |
| CVE-2025-49722 | Windows Print Spooler Denial of Service Vulnerability |
Elevation of Privilege Vulnerabilities
| CVE | CVE Title |
| CVE-2025-21195 | Azure Service Fabric Runtime Elevation of Privilege Vulnerability |
| CVE-2025-47159 | Windows Virtualization-Based Security (VBS) Elevation of Privilege Vulnerability |
| CVE-2025-47971 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability |
| CVE-2025-47972 | Windows Input Method Editor (IME) Elevation of Privilege Vulnerability |
| CVE-2025-47973 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability |
| CVE-2025-47975 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability |
| CVE-2025-47976 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability |
| CVE-2025-47982 | Windows Storage VSP Driver Elevation of Privilege Vulnerability |
| CVE-2025-47985 | Windows Event Tracing Elevation of Privilege Vulnerability |
| CVE-2025-47986 | Universal Print Management Service Elevation of Privilege Vulnerability |
| CVE-2025-47987 | Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability |
| CVE-2025-47991 | Windows Input Method Editor (IME) Elevation of Privilege Vulnerability |
| CVE-2025-47993 | Microsoft PC Manager Elevation of Privilege Vulnerability |
| CVE-2025-47994 | Microsoft Office Elevation of Privilege Vulnerability |
| CVE-2025-47996 | Windows MBT Transport Driver Elevation of Privilege Vulnerability |
| CVE-2025-48000 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability |
| CVE-2025-48799 | Windows Update Service Elevation of Privilege Vulnerability |
| CVE-2025-48803 | Windows Virtualization-Based Security (VBS) Elevation of Privilege Vulnerability |
| CVE-2025-48811 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
| CVE-2025-48815 | Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability |
| CVE-2025-48816 | HID Class Driver Elevation of Privilege Vulnerability |
| CVE-2025-48819 | Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability |
| CVE-2025-48820 | Windows AppX Deployment Service Elevation of Privilege Vulnerability |
| CVE-2025-48821 | Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability |
| CVE-2025-49659 | Windows Transport Driver Interface (TDI) Translation Driver Elevation of Privilege Vulnerability |
| CVE-2025-49660 | Windows Event Tracing Elevation of Privilege Vulnerability |
| CVE-2025-49661 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2025-49665 | Workspace Broker Elevation of Privilege Vulnerability |
| CVE-2025-49667 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| CVE-2025-49675 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability |
| CVE-2025-49677 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2025-49678 | NTFS Elevation of Privilege Vulnerability |
| CVE-2025-49679 | Windows Shell Elevation of Privilege Vulnerability |
| CVE-2025-49682 | Windows Media Elevation of Privilege Vulnerability |
| CVE-2025-49685 | Windows Search Service Elevation of Privilege Vulnerability |
| CVE-2025-49686 | Windows TCP/IP Driver Elevation of Privilege Vulnerability |
| CVE-2025-49687 | Windows Input Method Editor (IME) Elevation of Privilege Vulnerability |
| CVE-2025-49689 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability |
| CVE-2025-49690 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| CVE-2025-49693 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2025-49694 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2025-49721 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability |
| CVE-2025-49725 | Windows Notification Elevation of Privilege Vulnerability |
| CVE-2025-49726 | Windows Notification Elevation of Privilege Vulnerability |
| CVE-2025-49727 | Win32k Elevation of Privilege Vulnerability |
| CVE-2025-49730 | Microsoft Windows QoS Scheduler Driver Elevation of Privilege Vulnerability |
| CVE-2025-49731 | Microsoft Teams Elevation of Privilege Vulnerability |
| CVE-2025-49732 | Windows Graphics Component Elevation of Privilege Vulnerability |
| CVE-2025-49733 | Win32k Elevation of Privilege Vulnerability |
| CVE-2025-49737 | Microsoft Teams Elevation of Privilege Vulnerability |
| CVE-2025-49738 | Microsoft PC Manager Elevation of Privilege Vulnerability |
| CVE-2025-49739 | Visual Studio Elevation of Privilege Vulnerability |
| CVE-2025-49744 | Windows Graphics Component Elevation of Privilege Vulnerability |
Information Disclosure
| CVE | CVE Title |
| CVE-2025-26636 | Windows Kernel Information Disclosure Vulnerability |
| CVE-2025-47980 | Windows Imaging Component Information Disclosure Vulnerability |
| CVE-2025-47984 | Windows GDI Information Disclosure Vulnerability |
| CVE-2025-48002 | Windows Hyper-V Information Disclosure Vulnerability |
| CVE-2025-48808 | Windows Kernel Information Disclosure Vulnerability |
| CVE-2025-48809 | Windows Secure Kernel Mode Information Disclosure Vulnerability |
| CVE-2025-48810 | Windows Secure Kernel Mode Information Disclosure Vulnerability |
| CVE-2025-48812 | Microsoft Excel Information Disclosure Vulnerability |
| CVE-2025-48823 | Windows Cryptographic Services Information Disclosure Vulnerability |
| CVE-2025-49658 | Windows Transport Driver Interface (TDI) Translation Driver Information Disclosure Vulnerability |
| CVE-2025-49664 | Windows User-Mode Driver Framework Host Information Disclosure Vulnerability |
| CVE-2025-49671 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability |
| CVE-2025-49681 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability |
| CVE-2025-49684 | Windows Storage Port Driver Information Disclosure Vulnerability |
| CVE-2025-49718 | Microsoft SQL Server Information Disclosure Vulnerability |
| CVE-2025-49719 | Microsoft SQL Server Information Disclosure Vulnerability |
Remote Code Execution Vulnerabilities
| CVE | CVE Title |
| CVE-2025-47178 | Microsoft Intune Remote Code Execution Vulnerability |
| CVE-2025-47981 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability |
| CVE-2025-47988 | Azure Monitor Agent Remote Code Execution Vulnerability |
| CVE-2025-47998 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-48805 | Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability |
| CVE-2025-48806 | Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability |
| CVE-2025-48817 | Remote Desktop Client Remote Code Execution Vulnerability |
| CVE-2025-48822 | Windows Hyper-V Discrete Device Assignment (DDA) Remote Code Execution Vulnerability |
| CVE-2025-48824 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-49657 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-49663 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-49666 | Windows Server Setup and Boot Event Collection Remote Code Execution Vulnerability |
| CVE-2025-49668 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-49669 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-49670 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-49672 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-49673 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-49674 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-49676 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-49683 | Microsoft Virtual Hard Disk Remote Code Execution Vulnerability |
| CVE-2025-49688 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-49691 | Windows Miracast Wireless Display Remote Code Execution Vulnerability |
| CVE-2025-49695 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2025-49696 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2025-49697 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2025-49698 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2025-49699 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2025-49700 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2025-49701 | Microsoft SharePoint Remote Code Execution Vulnerability |
| CVE-2025-49702 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2025-49703 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2025-49704 | Microsoft SharePoint Remote Code Execution Vulnerability |
| CVE-2025-49705 | Microsoft PowerPoint Remote Code Execution Vulnerability |
| CVE-2025-49711 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-49714 | Visual Studio Code Python Extension Remote Code Execution Vulnerability |
| CVE-2025-49717 | Microsoft SQL Server Remote Code Execution Vulnerability |
| CVE-2025-49724 | Windows Connected Devices Platform Service Remote Code Execution Vulnerability |
| CVE-2025-49729 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-49735 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability |
| CVE-2025-49742 | Windows Graphics Component Remote Code Execution Vulnerability |
| CVE-2025-49753 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
Security Feature Bypass Vulnerabilities
| CVE | CVE Title |
| CVE-2025-48001 | BitLocker Security Feature Bypass Vulnerability |
| CVE-2025-48003 | BitLocker Security Feature Bypass Vulnerability |
| CVE-2025-48800 | BitLocker Security Feature Bypass Vulnerability |
| CVE-2025-48804 | BitLocker Security Feature Bypass Vulnerability |
| CVE-2025-48814 | Remote Desktop Licensing Service Security Feature Bypass Vulnerability |
| CVE-2025-48818 | BitLocker Security Feature Bypass Vulnerability |
| CVE-2025-49740 | Windows SmartScreen Security Feature Bypass Vulnerability |
| CVE-2025-49756 | Office Developer Platform Security Feature Bypass Vulnerability |
Spoofing Vulnerabilities
| CVE | CVE Title |
| CVE-2025-33054 | Remote Desktop Spoofing Vulnerability |
| CVE-2025-48802 | Windows SMB Server Spoofing Vulnerability |
| CVE-2025-49706 | Microsoft SharePoint Server Spoofing Vulnerability |
Tampering Vulnerability
| CVE | CVE Title |
| CVE-2025-49723 | Windows StateRepository API Server file Tampering Vulnerability |
Share This Article
An Article By
An Article By
Security News
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
