SAP and Microsoft patch critical flaws: July 2025

Microsoft’s July 2025 Patch Tuesday addressed 137 security issues, including 14 critical vulnerabilities and one publicly disclosed flaw. While none of the flaws are confirmed as actively exploited, 41 pose risks for remote code execution (RCE) and 53 for privilege escalation.

CVE-2025-49719, described as an information disclosure vulnerability in SQL Server related to improper input validation, had been publicly disclosed prior to the patch release. This flaw could allow read of uninitialized memory over the network. Affected versions include SQL Server 2016-2022, and mitigation requires updating both the server and associated OLE DB Drivers.

The most critical issue fixed this month is CVE-2025-47981, a critical heap-based buffer overflow in SPNEGO NEGOEX, a Windows authentication mechanism. Microsoft rated this bug CVSS 9.8, as it could allow unauthorized users to trigger the exploit by sending a malicious message to a vulnerable system.

Microsoft marked the flaw as "Exploitation More Likely", likely due to its self-propagating potential and the fact that no user interaction is required for exploitation. The flaw only affects Windows client machines running Windows 10, version 1607 and above, as the following GPO is enabled by default on these operating systems: "Network security: Allow PKU2U authentication requests to this computer to use online identities".

Microsoft also resolved critical vulnerabilities across SharePoint, Office, Connected Devices Platform, and Kerberos proxy services:

• CVE-2025-49704 – Code injection in SharePoint, exploitable by authenticated site owners
• CVE-2025-49695 – RCE in Microsoft Office triggered via previewing a crafted document
• CVE-2025-49724 – Remote code execution via Nearby Sharing in Connected Devices
• CVE-2025-49735 – Pre-auth RCE in Windows KDC Proxy, impacting domain controllers

Analyst notes:

These flaws pose significant risks in enterprise environments where collaboration tools and shared resources are widely deployed.

To reduce risk from Microsoft’s July 2025 vulnerabilities, administrators should apply the patches, prioritizing fixes for SQL Server, and SPNEGO NEGOEX.

SAP issues critical fixes in patch release

On July 8, 2025, SAP released 27 new and four updated Security Notes. Among the flaws patched in July patches are six critical vulnerabilities, including one flaw with a maximum- severity rating.

The flaw, tracked as CVE-2025-30012, impacts the Live Auction Cockpit component in SAP Supplier Relationship Management (SRM). It could allow unauthenticated users to execute malicious operating system commands on affected systems.

CVE-2025-30012 was patched in May 2025 and initially classified as low severity. In June, SAP reclassified the issue as Critical, assigning it a maximum CVSS score of 10 out of 10.

SAP also addressed six additional critical vulnerabilities (CVSS scores between 9.1–9.9) across core enterprise components including:

• CVE-2025-42967: Code injection in SAP S/4HANA and SCM
• CVE-2025-42966: Insecure deserialization in NetWeaver XML Data Archiving Service
• CVE-2025-42963: Insecure deserialization in NetWeaver Java Log Viewer
• CVE-2025-42964: Insecure deserialization in Enterprise Portal Administration
• CVE-2025-42980: Insecure deserialization in Federated Portal Network

Stay on top of emerging threats.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up

Analyst notes:

While SAP has not reported active exploitation of these flaws, similar vulnerabilities in enterprise systems have historically been targeted by threat actors.

To mitigate these vulnerabilities, organizations should apply the CVE-2025-30012 update immediately, and prioritize other critical SAP updates. Additionally, review your SAP landscape for deprecated components like Java applets and insecure deserialization routines, and disable or replace them where possible.