Patch Tuesday: Microsoft closes 137 vulnerabilities, no zero-days

During the monthly Patch Tuesday in July 2025, Microsoft released security updates for a total of 137 vulnerabilities in its products.

These updates are spread across various parts of the Microsoft ecosystem and should help to better protect users and organizations against potential cyberattacks. Notably, none of the vulnerabilities resolved this month were being actively exploited at the time of disclosure, unlike in previous months, when that was regularly the case.

Of the 137 vulnerabilities addressed, nine have been classified as critical. Most of these relate to Remote Code Execution (RCE), a type of vulnerability that allows attackers to execute malicious code remotely. The remaining 128 vulnerabilities are classified as important and relate to issues such as privilege escalation, information leaks, spoofing, and denial of service.

Vulnerability with impact

A particularly relevant vulnerability in this round is CVE-2025-24087, an RCE flaw in Microsoft SQL Server. Microsoft does not classify this flaw as critical, but security company Rapid7 warns that the impact could be significant. The flaw requires valid authentication, but an attacker who manages to bypass this step can connect to a vulnerable SQL Server instance via the Tabular Data Stream (TDS) protocol and then execute code remotely.

Greater risk of abuse

Other important patches address Windows Remote Desktop Licensing, Windows Message Queuing, Microsoft Office, and the Windows Kernel-mode driver, among others. Rapid7 also points out that details of five vulnerabilities were already publicly known before the updates, which increases the risk of exploitation.

Although no actively exploited zero-days were patched this month, both Microsoft and security researchers emphasize the importance of quickly implementing these updates. Timely patch management remains crucial to effectively limit the attack surface of organizations.