In its July 2025 Patch Tuesday, Microsoft patched 130 vulnerabilities, a rate consistent with previous July batches (130 in 2023 and 138 in 2024).
This latest patch update fixes 14 critical vulnerabilities, including a particularly concerning one that could be leveraged in self-propagating malware reminiscent of the infamous WannaCry and NotPetya malware strains.
This flaw, tracked as CVE-2025-47981, affects the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), a protocol used in computer networks to let two parties, such as a client and a server, securely agree on how to authenticate each other.
SPNEGO acts as a middleman to negotiate which authentication method (e.g. Kerberos or NTLM) should be used without exposing sensitive details upfront.
“SPNEGO [is] the backbone protocol used to negotiate authentication on critical services, including those that are (whether we like it or not) regularly Internet-facing, including SMB, RDP, and IIS,” Benjamin Harris, CEO of WatchTowr, explained.
Disclosure of a ‘Wormable’ Vulnerability
CVE-2025-47981 is a remote code execution flaw in SPNEGO Extended Negotiation (NEGOEX), the extension of SPNEGO that lets a client and server negotiate which security mechanism to use before authentication takes place.
It is rated critical, with a CVSS score of 9.8, and requires only unauthenticated network access to the target to be exploited. Microsoft assessed exploitation of the vulnerability as “more likely.”
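To make the negotiation described above concrete, the following is an added example (written for this edit, not code from the article, Microsoft or the quoted researchers) that encodes and decodes the SPNEGO NegTokenInit a client sends at the start of SMB, RDP or HTTP Negotiate authentication. The mechTypes list inside it is where the client advertises which mechanisms it supports, and NEGOEX appears there as its own OID alongside Kerberos and NTLM. The OIDs are the standard registered values; the function names and the sample token are this example's own constructions. Feed parse_neg_token_init the bytes of a captured token (for example the base64-decoded value of an "Authorization: Negotiate" header) to see which mechanisms a host offers.

```python
"""Encode and decode a SPNEGO NegTokenInit and report whether NEGOEX is among the offered mechanisms.

Added example. The OIDs are the standard values from RFC 4178 and Microsoft's
MS-SPNG / MS-NEGOEX specifications; everything else is constructed here.
"""
from __future__ import annotations

SPNEGO_OID = "1.3.6.1.5.5.2"
NEGOEX_OID = "1.3.6.1.4.1.311.2.2.30"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS KRB5 (legacy Microsoft Kerberos OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    NEGOEX_OID: "NEGOEX (SPNEGO Extended Negotiation)",
}


def _encode_len(n: int) -> bytes:
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value element."""
    return bytes([tag]) + _encode_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Decode the value bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def build_neg_token_init(mech_oids: list[str], mech_token: bytes = b"") -> bytes:
    """Constructed sample: GSS-API InitialContextToken [APPLICATION 0] carrying a SPNEGO NegTokenInit."""
    mech_list = der(0x30, b"".join(encode_oid(o) for o in mech_oids))   # SEQUENCE OF MechType
    fields = der(0xA0, mech_list)                                        # mechTypes [0]
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))                       # optional mechToken [2]
    neg_token_init = der(0xA0, der(0x30, fields))                        # negTokenInit [0] SEQUENCE
    return der(0x60, encode_oid(SPNEGO_OID) + neg_token_init)


def parse_neg_token_init(token: bytes) -> list[str]:
    """Return the mechTypes OIDs the client offers, in its order of preference."""
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid_body, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid_body) != SPNEGO_OID:
        raise ValueError("thisMech is not SPNEGO")
    tag, choice, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit [0]")
    _, seq, _ = read_tlv(choice)           # NegTokenInit SEQUENCE
    tag, mech_types, _ = read_tlv(seq)     # mechTypes [0], mandatory first field
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, oids, _ = read_tlv(mech_types)      # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(oids):
        tag, oid_body, pos = read_tlv(oids, pos)
        if tag != 0x06:
            raise ValueError("mechTypes entry is not an OID")
        mechs.append(decode_oid(oid_body))
    return mechs


def offers_negoex(token: bytes) -> bool:
    """True when NEGOEX is among the mechanisms the client is willing to negotiate."""
    return NEGOEX_OID in parse_neg_token_init(token)


if __name__ == "__main__":
    # Constructed token in the order a modern Windows client typically advertises mechanisms.
    sample = build_neg_token_init([NEGOEX_OID, "1.2.840.48018.1.2.2",
                                   "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])
    for oid in parse_neg_token_init(sample):
        print(f"{oid:26} {MECH_NAMES.get(oid, 'unknown mechanism')}")
    print("NEGOEX offered:", offers_negoex(sample))
```

NEGOEX appearing in a mechTypes list is normal for any supported Windows client and is not by itself a sign of exploitation; the script is an inventory aid for finding which exposed SMB, RDP and IIS endpoints actually negotiate NEGOEX, not a detector for the attack. The DER reader accepts long-form lengths, so a real token with an embedded mechToken (often several hundred bytes) parses as well as the short sample.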
Satnam Narang, a senior staff research engineer in Tenable's Special Operations Team described this vulnerability as “a peculiar bug.”
“While it is considered more likely to be exploited, it only affects Windows 10 version 1607 and above due to a specific group policy object being enabled by default. Since 2022, there haven’t been many flaws in SPNEGO NEGOEX. There was one in 2022 (CVE-2022-37958) and one earlier this year in January (CVE-2025-21295), both of which were rated as not likely to be exploited,” he added.
Nevertheless, WatchTowr’s Harris noted that the flaw was concerning because early analysis suggests it may be ‘wormable’, that is, usable in a self-propagating attack.
“It has the unfortunate hallmarks of becoming a significant problem [because it is] the sort of vulnerability that could be leveraged in self-propagating malware and make many revisit trauma from the WannaCry incident,” he said.
“We shouldn’t fool ourselves - if the private industry has noticed this vulnerability, it is certainly already on the radar of every attacker with an ounce of malice. Defenders need to drop everything, patch rapidly, and hunt down exposed systems,” Harris added.
High-Severity Zero-Day with Low Exploitation Likelihood
Microsoft’s July Patch Tuesday update also included a fix for a zero-day vulnerability, a flaw disclosed publicly before a patch was available.
This flaw, tracked as CVE-2025-49719, is a high-severity information disclosure vulnerability in Microsoft SQL Server (CVSS score of 7.5).
However, Tenable’s Narang noted that despite the vulnerability being publicly disclosed, the likelihood of exploitation by attackers remains low.
“Users of SQL Server can update to the latest version, which includes driver fixes. However, if users have built their own apps or use software from another vendor that happens to use SQL Server, they need to update to Microsoft OLE DB Driver for SQL Server version 18 or 19 or ensure compatibility before updating,” he explained.