Microsoft immediately launched updates to repair a minimum of 137 safety vulnerabilities in its Home windows working methods and supported software program. Not one of the weaknesses addressed this month are recognized to be actively exploited, however 14 of the failings earned Microsoft’s most-dire “vital” ranking, that means they may very well be exploited to grab management over weak Home windows PCs with little or no assist from customers.
Whereas not listed as vital, CVE-2025-49719 is a publicly disclosed data disclosure vulnerability, with all variations way back to SQL Server 2016 receiving patches. Microsoft charges CVE-2025-49719 as much less prone to be exploited, however the availability of proof-of-concept code for this flaw means its patch ought to most likely be a precedence for affected enterprises.
Mike Walters, co-founder of Action1, stated CVE-2025-49719 will be exploited with out authentication, and that many third-party functions rely on SQL server and the affected drivers — probably introducing a supply-chain danger that extends past direct SQL Server customers.
“The potential publicity of delicate data makes this a high-priority concern for organizations dealing with useful or regulated information,” Walters stated. “The great nature of the affected variations, spanning a number of SQL Server releases from 2016 by means of 2022, signifies a elementary situation in how SQL Server handles reminiscence administration and enter validation.”
Adam Barnett at Rapid7 notes that immediately is the top of the street for SQL Server 2012, that means there might be no future safety patches even for vital vulnerabilities, even for those who’re prepared to pay Microsoft for the privilege.
Barnett additionally known as consideration to CVE-2025-47981, a vulnerability with a CVSS rating of 9.8 (10 being the worst), a distant code execution bug in the best way Home windows servers and purchasers negotiate to find mutually supported authentication mechanisms. This pre-authentication vulnerability impacts any Home windows consumer machine operating Home windows 10 1607 or above, and all present variations of Home windows Server. Microsoft considers it extra probably that attackers will exploit this flaw.
Microsoft additionally patched a minimum of 4 vital, distant code execution flaws in Workplace (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702). The primary two are each rated by Microsoft as having the next probability of exploitation, don’t require person interplay, and will be triggered by means of the Preview Pane.
Two extra excessive severity bugs embrace CVE-2025-49740 (CVSS 8.8) and CVE-2025-47178 (CVSS 8.0); the previous is a weak spot that would enable malicious information to bypass screening by Microsoft Defender SmartScreen, a built-in function of Home windows that tries to dam untrusted downloads and malicious websites.
CVE-2025-47178 entails a distant code execution flaw in Microsoft Configuration Supervisor, an enterprise device for managing, deploying, and securing computer systems, servers, and gadgets throughout a community. Ben Hopkins at Immersive stated this bug requires very low privileges to take advantage of, and that it’s attainable for a person or attacker with a read-only entry function to take advantage of it.
“Exploiting this vulnerability permits an attacker to execute arbitrary SQL queries because the privileged SMS service account in Microsoft Configuration Supervisor,” Hopkins stated. “This entry can be utilized to control deployments, push malicious software program or scripts to all managed gadgets, alter configurations, steal delicate information, and probably escalate to full working system code execution throughout the enterprise, giving the attacker broad management over the whole IT surroundings.”
Individually, Adobe has released security updates for a broad vary of software program, together with After Results, Adobe Audition, Illustrator, FrameMaker, and ColdFusion.
The SANS Web Storm Heart has a breakdown of each individual patch, listed by severity. For those who’re answerable for administering a variety of Home windows methods, it might be price maintaining a tally of AskWoody for the lowdown on any probably wonky updates (contemplating the massive variety of vulnerabilities and Home windows parts addressed this month).
For those who’re a Home windows residence person, please take into account backing up your information and/or drive earlier than putting in any patches, and drop a be aware within the feedback for those who encounter any issues with these updates.
For the reason that the admin of this site is working, no uncertainty very quickly it will be renowned, due to its quality contents.