Overview
- July’s Patch Tuesday delivers 130 Windows fixes with no actively exploited vulnerabilities, marking the first exploit-free update of the year.
- The release addresses a critical SPNEGO heap-overflow (CVE-2025-47981) rated 9.8 that allows remote code execution.
- Four new Office vulnerabilities, including a Preview Pane bypass (CVE-2025-49696), require no user interaction to execute code and are among 16 Office patches.
- Microsoft also patched a SQL Server zero-day; a fix for a previously exploited Chromium engine flaw (CVE-2025-6554) was included earlier this month.
- Adobe released urgent fixes for ColdFusion and Experience Manager Forms, and SAP issued 27 updates, including a CVSS 10 flaw, while Google skipped its Android patch cycle.