Overview

• July’s Patch Tuesday delivers 130 Windows fixes with no actively exploited vulnerabilities, marking the first exploit-free update of the year.
• The release addresses a critical SPNEGO heap-overflow (CVE-2025-47981) rated 9.8 that allows remote code execution.
• Four new Office vulnerabilities, including a Preview Pane bypass (CVE-2025-49696), require no user interaction to execute code and are among 16 Office patches.
• Microsoft also patched a SQL Server zero-day and a previously exploited Chromium engine flaw (CVE-2025-6554) included earlier this month.
• Adobe released urgent fixes for ColdFusion and Experience Manager Forms and SAP issued 27 updates including a CVSS 10 flaw, while Google skipped its Android patch cycle.