Publicly Disclosed Zero-Day Vulnerability in Microsoft SQL Server
CVE-2025-49719 is an Important information disclosure vulnerability affecting Microsoft SQL Server and has a CVSS score of 7.5. This vulnerability allows unauthenticated remote attackers to access sensitive information by exploiting improper input validation in SQL Server over a network connection. While the vulnerability has been publicly disclosed, there is no evidence of active exploitation in the wild. The vulnerability affects multiple SQL Server versions including SQL Server 2022, 2019, 2017, and 2016. When successfully exploited, attackers can gain access to uninitialized memory contents, potentially exposing sensitive data and compromising the confidentiality of affected systems.
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Important | 7.5 | CVE-2025-49719 | Microsoft SQL Server Information Disclosure Vulnerability |
Critical Vulnerability in Windows SPNEGO Extended Negotiation
CVE-2025-47981 is a Critical remote code execution vulnerability in the Windows SPNEGO Extended Negotiation (NEGOEX) security mechanism and has a CVSS score of 9.8. This vulnerability allows unauthenticated remote attackers to execute arbitrary code by exploiting a heap-based buffer overflow in the NEGOEX component. Exploitation requires no user interaction and can be triggered by sending specially crafted malicious messages to the target server.
Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is an important authentication protocol in Windows environments and enterprise systems, but it’s not required by all server applications, as many modern web and cloud services instead use alternative authentication methods like OAuth, SAML, or JWT.
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 9.8 | CVE-2025-47981 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability |
Critical Vulnerabilities in Microsoft Office Products
CVE-2025-49704 is a Critical remote code execution vulnerability in Microsoft SharePoint and has a CVSS score of 8.8. This vulnerability allows authenticated attackers with Site Owner privileges to execute arbitrary code by exploiting code injection flaws in SharePoint Server over a network. The attack complexity is low, requiring minimal prior knowledge of the system, and can be exploited remotely from the internet, potentially leading to complete compromise of affected SharePoint servers.
CVE-2025-49695 is a Critical remote code execution vulnerability in Microsoft Office and has a CVSS score of 8.4. This vulnerability allows unauthenticated attackers to execute arbitrary code by exploiting a use-after-free vulnerability in Microsoft Office. Despite being classified as a local attack vector, it can be triggered without user interaction, including through the preview pane.
CVE-2025-49696 is a Critical remote code execution vulnerability in Microsoft Office and has a CVSS score of 8.4. This vulnerability allows unauthenticated attackers to execute arbitrary code by exploiting out-of-bounds read and heap-based buffer overflow vulnerabilities in Microsoft Office. The vulnerability can be triggered without user interaction, including through the preview pane.
CVE-2025-49697 is a Critical remote code execution vulnerability in Microsoft Office and has a CVSS score of 8.4. This vulnerability allows unauthenticated attackers to execute arbitrary code by exploiting a heap-based buffer overflow in Microsoft Office. The vulnerability can be triggered without user interaction, including through the preview pane.
CVE-2025-49698 is a Critical remote code execution vulnerability in Microsoft Word and has a CVSS score of 7.8. This vulnerability allows unauthenticated attackers to execute arbitrary code by exploiting a use-after-free vulnerability in Microsoft Word. Exploitation requires user interaction, typically by opening a specially crafted file, and can also be triggered through the preview pane.
CVE-2025-49702 is a Critical remote code execution vulnerability in Microsoft Office and has a CVSS score of 7.8. This vulnerability allows unauthenticated attackers to execute arbitrary code by exploiting a type confusion vulnerability in Microsoft Office. Exploitation requires user interaction, typically by opening a specially crafted file, and can also be triggered through the preview pane.
CVE-2025-49703 is a Critical remote code execution vulnerability in Microsoft Word and has a CVSS score of 7.8. This vulnerability allows unauthenticated attackers to execute arbitrary code by exploiting a use-after-free vulnerability in Microsoft Word. Exploitation requires user interaction, typically by opening a specially crafted file, and can also be triggered through the preview pane.
Most of the vulnerabilities can be exploited through the preview pane as an attack vector — malicious files can trigger vulnerabilities when simply viewed in Outlook’s or File Explorer’s preview functionality — significantly increasing the risk, as users don’t need to open files to trigger the exploit.
We have seen the preview pane many times in other vulnerabilities (April 2023, July 2023, December 2023, October 2024, January 2025, February 2025, April 2025, June 2025).
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 8.8 | CVE-2025-49704 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Critical | 8.4 | CVE-2025-49695 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 8.4 | CVE-2025-49696 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 8.4 | CVE-2025-49697 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2025-49698 | Microsoft Word Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2025-49702 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2025-49703 | Microsoft Word Remote Code Execution Vulnerability |
Critical Vulnerability in Windows Hyper-V Discrete Device Assignment (DDA)
CVE-2025-48822 is a Critical remote code execution vulnerability in Windows Hyper-V Discrete Device Assignment (DDA) and has a CVSS score of 8.6. This vulnerability allows unauthenticated attackers to execute arbitrary code by exploiting an out-of-bounds read vulnerability in Windows Hyper-V. Exploitation requires user interaction, typically by tricking a user into importing an INF file, and can affect resources beyond the security scope of the vulnerable component, potentially leading to complete compromise of the host system from a virtual machine.
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 8.6 | CVE-2025-48822 | Windows Hyper-V Discrete Device Assignment (DDA) Remote Code Execution Vulnerability |
Critical Vulnerability in Microsoft SQL Server
CVE-2025-49717 is a Critical remote code execution vulnerability in Microsoft SQL Server and has a CVSS score of 8.5. This vulnerability allows authenticated attackers with low privileges to execute arbitrary code by exploiting a heap-based buffer overflow in SQL Server over a network connection.
The vulnerability poses a significant security risk as successful exploitation enables attackers to break out of SQL Server’s security boundary and run malicious code directly on the underlying host operating system. The vulnerability affects SQL Server instances running both on-premises and in Windows Azure (IaaS) environments. Microsoft has released official patches for all affected versions of SQL Server (2016 through 2022) through both General Distribution Release (GDR) and Cumulative Update (CU) channels.
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 8.5 | CVE-2025-49717 | Microsoft SQL Server Remote Code Execution Vulnerability |
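Both SQL Server advisories on this page (CVE-2025-49719 above and CVE-2025-49717 here) name SQL Server 2016 through 2022, and the fix ships on separate GDR and CU branches, so the first practical step is an inventory of which Database Engine instances and builds a host actually runs. The PowerShell below is an added example, not CrowdStrike's or Microsoft's code. It assumes the standard registry layout used by SQL Server setup: `HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL` maps instance names to instance IDs, and `<InstanceId>\Setup` carries the `Version`, `PatchLevel` and `Edition` values; the major-version-to-product mapping (13 = 2016, 14 = 2017, 15 = 2019, 16 = 2022) is a known fact not stated on the page.

```powershell
# Added example (not CrowdStrike's or Microsoft's code): list the SQL Server Database
# Engine instances registered on this host and flag those in the 2016-2022 range named
# in the July advisories. Registry paths below are the assumed standard setup layout.

function Get-LocalSqlServerInstance {
    [CmdletBinding()]
    param()

    $root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

    # Instance name -> instance ID (for example MSSQLSERVER -> MSSQL16.MSSQLSERVER)
    $names = Get-ItemProperty -Path "$root\Instance Names\SQL" -ErrorAction SilentlyContinue
    if (-not $names) { return }   # no Database Engine instance registered on this host

    # Major version of the engine -> marketing name (known mapping, not from the page)
    $productByMajor = @{
        '13' = 'SQL Server 2016'
        '14' = 'SQL Server 2017'
        '15' = 'SQL Server 2019'
        '16' = 'SQL Server 2022'
    }

    foreach ($prop in $names.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, ... ; real instance names never start with "PS"
        if ($prop.Name -like 'PS*') { continue }

        $instanceId = $prop.Value
        $setup = Get-ItemProperty -Path "$root\$instanceId\Setup" -ErrorAction SilentlyContinue
        if (-not $setup -or -not $setup.Version) { continue }

        $version = [version]$setup.Version
        $product = $productByMajor["$($version.Major)"]

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Instance     = $prop.Name
            InstanceId   = $instanceId
            Product      = if ($product) { $product } else { "Unknown (major version $($version.Major))" }
            Version      = $setup.Version      # full build, e.g. 16.0.xxxx.x
            PatchLevel   = $setup.PatchLevel   # build after the last GDR/CU was applied
            Edition      = $setup.Edition
            InScope      = [bool]$product      # 2016-2022 are the versions the advisories name
        }
    }
}

Get-LocalSqlServerInstance | Format-Table -AutoSize
```

Compare the reported `Version`/`PatchLevel` against the fixed build numbers in Microsoft's advisory for the branch the instance is on (GDR or CU); those build numbers are not listed on this page. On a host with no instances the function returns nothing rather than an error, which keeps it usable in a fleet-wide sweep.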
Critical Vulnerability in Windows Kerberos Key Distribution Center Proxy Service (KPSSVC)
CVE-2025-49735 is a Critical remote code execution vulnerability in the Windows Kerberos Key Distribution Center (KDC) Proxy Service (KPSSVC) and has a CVSS score of 8.1. This vulnerability allows unauthenticated remote attackers to execute arbitrary code by exploiting a use-after-free vulnerability in the Kerberos KDC Proxy Service over a network connection. If successfully exploited, attackers can gain complete control over affected systems by using a specially crafted application that leverages a cryptographic protocol vulnerability in KPSSVC. The vulnerability only affects Windows Servers specifically configured as Kerberos KDC Proxy Protocol servers; domain controllers are not vulnerable.
We also saw Windows KPSSVC in last month’s blog (June 2025).
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 8.1 | CVE-2025-49735 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability |
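Because the KPSSVC advisory above only applies to servers actually configured as KDC Proxy endpoints, and explicitly not to domain controllers, a quick scoping check tells you which hosts to move to the front of the patch queue. The PowerShell below is an added example, not CrowdStrike's or Microsoft's code. It assumes the standard KDC Proxy configuration points: the service name `KPSSVC`, the `HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings` key (with its `HttpsClientAuth` value) that administrators create when enabling the role, and an HTTP.sys URL reservation ending in `/KdcProxy`; none of these identifiers appear on the page.

```powershell
# Added example (not CrowdStrike's or Microsoft's code): report whether this Windows
# Server is published as a Kerberos KDC Proxy, so it can be prioritised for the
# CVE-2025-49735 update. Service name, registry key and URL path are assumed to be
# the standard KDC Proxy configuration points.

function Get-KdcProxyExposure {
    [CmdletBinding()]
    param()

    # The KDC Proxy runs as the KPSSVC service (assumed standard service name)
    $svc    = Get-Service -Name 'KPSSVC' -ErrorAction SilentlyContinue
    $cimSvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='KPSSVC'" -ErrorAction SilentlyContinue

    # Assumed standard configuration key; it normally exists only once the role has been set up
    $settings = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings' -ErrorAction SilentlyContinue

    # The proxy listens through HTTP.sys, so a URL reservation ending in /KdcProxy is the
    # clearest sign that the endpoint has been published (assumed standard path)
    $urlAcl = (& netsh.exe http show urlacl) -join "`n"
    $endpointReserved = [bool]($urlAcl -match '(?i)/KdcProxy')

    # DomainRole 4/5 = backup/primary domain controller; the advisory says DCs are not affected
    $domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDomainController = $domainRole -in 4, 5

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ServicePresent     = [bool]$svc
        ServiceStatus      = if ($svc) { $svc.Status.ToString() } else { 'Absent' }
        ServiceStartMode   = if ($cimSvc) { $cimSvc.StartMode } else { $null }
        SettingsConfigured = [bool]$settings
        HttpsClientAuth    = if ($settings) { $settings.HttpsClientAuth } else { $null }
        EndpointReserved   = $endpointReserved
        IsDomainController = $isDomainController
        # Prioritise non-DC hosts where the service is running and the endpoint is published
        LikelyAffected     = [bool]($svc -and $svc.Status -eq 'Running' -and $endpointReserved -and -not $isDomainController)
    }
}

Get-KdcProxyExposure | Format-List
```

Run it as an administrator (the `netsh http show urlacl` output and the service key are readable without elevation on most builds, but CIM queries against remote hosts will need it). A `LikelyAffected` of `True` is the signal to patch first; `ServicePresent` alone is not, since the service binary exists on every Windows Server but stays disabled until the role is configured.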
Critical Vulnerability in Windows Imaging Component
CVE-2025-47980 is a Critical information disclosure vulnerability in the Windows Imaging Component and has a CVSS score of 6.2. This vulnerability allows unauthenticated local attackers to access sensitive information by exploiting an information-exposure weakness in the Windows Imaging Component. When successfully exploited, attackers can potentially read small portions of heap memory, which could contain sensitive data, compromising the confidentiality of affected systems.
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 6.2 | CVE-2025-47980 | Windows Imaging Component Information Disclosure Vulnerability |
Critical Vulnerabilities in AMD
CVE-2025-36350 and CVE-2025-36357 are Critical information disclosure vulnerabilities in AMD processors and have the same CVSS score of 5.6. These vulnerabilities, affecting Store Queue and L1 Data Queue respectively, allow authenticated local attackers with low privileges to access sensitive information through transient scheduler attacks without requiring user interaction.
Microsoft has included these AMD vulnerabilities in the Security Update Guide because their mitigation requires Windows updates. The latest Windows builds enable protections against these vulnerabilities, which AMD has documented in security bulletin AMD-SB-7029. Microsoft and AMD have assessed exploitation as “Less Likely,” and according to Microsoft, there is no evidence of public disclosure or active exploitation at this time. These vulnerabilities are similar to the speculative store bypass vulnerabilities detailed here.
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 5.6 | CVE-2025-36350 | AMD: Transient Scheduler Attack in Store Queue |
| Critical | 5.6 | CVE-2025-36357 | AMD: Transient Scheduler Attack in L1 Data Queue |
Patch Tuesday Dashboard in the Falcon Platform
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
Later this year, Microsoft plans to discontinue support for Microsoft Windows 10 (October 2025). As part of a robust cybersecurity strategy, CrowdStrike encourages organizations to ensure their planning takes this upcoming date into consideration. End of support implies that in the near term, these systems will likely receive no further security updates. Organizations should be planning for and upgrading their systems to newer and supported OS versions to continue receiving critical security updates for issues like those mentioned above.
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn More
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
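The scores in the tables above are CVSS v3.1 base scores, and the NVD severity bands the paragraph mentions are fixed ranges over that score (0.0 None, 0.1 to 3.9 Low, 4.0 to 6.9 Medium, 7.0 to 8.9 High, 9.0 to 10.0 Critical). The PowerShell below is an added example, not CrowdStrike's code: it computes a base score from a vector string using the v3.1 specification's formulas and weights, then maps it to the NVD band. The four sample vectors are constructed for illustration and are not quoted from the Microsoft advisories; the function names are this example's own.

```powershell
# Added example (not CrowdStrike's code): compute a CVSS v3.1 base score from a vector
# string and map it to the NVD severity band. The sample vectors at the bottom are
# constructed for illustration, not quoted from the advisories summarised above.

function Get-CvssRoundUp {
    # Round-up as defined in CVSS v3.1 section 7.5 (integer scaling avoids float artefacts)
    param([double]$Value)
    $scaled = [math]::Round($Value * 100000, [System.MidpointRounding]::AwayFromZero)
    if (($scaled % 10000) -eq 0) { return $scaled / 100000 }
    return ([math]::Floor($scaled / 10000) + 1) / 10
}

function Get-Cvss31BaseScore {
    param([Parameter(Mandatory)][string]$Vector)

    # Parse "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" into metric -> letter
    $m = @{}
    foreach ($part in ($Vector -split '/')) {
        if ($part -match '^(AV|AC|PR|UI|S|C|I|A):([A-Z])$') { $m[$Matches[1]] = $Matches[2] }
    }
    foreach ($name in 'AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A') {
        if (-not $m.ContainsKey($name)) { throw "Vector '$Vector' is missing metric $name" }
    }
    $scopeChanged = ($m['S'] -eq 'C')

    # Metric weights from the CVSS v3.1 specification (section 7.4); PR depends on scope
    $avW  = @{ N = 0.85; A = 0.62; L = 0.55; P = 0.20 }
    $acW  = @{ L = 0.77; H = 0.44 }
    $prW  = if ($scopeChanged) { @{ N = 0.85; L = 0.68; H = 0.50 } } else { @{ N = 0.85; L = 0.62; H = 0.27 } }
    $uiW  = @{ N = 0.85; R = 0.62 }
    $ciaW = @{ H = 0.56; L = 0.22; N = 0.0 }

    $weights = @($avW[$m['AV']], $acW[$m['AC']], $prW[$m['PR']], $uiW[$m['UI']],
                 $ciaW[$m['C']], $ciaW[$m['I']], $ciaW[$m['A']])
    foreach ($w in $weights) {
        if ($null -eq $w) { throw "Vector '$Vector' uses an unknown metric value" }
    }
    $av, $ac, $pr, $ui, $c, $i, $a = $weights

    # Impact sub-score (ISS) and Exploitability sub-score
    $iss = 1 - ((1 - $c) * (1 - $i) * (1 - $a))
    $impact = if ($scopeChanged) {
        7.52 * ($iss - 0.029) - 3.25 * [math]::Pow($iss - 0.02, 15)
    } else {
        6.42 * $iss
    }
    $exploitability = 8.22 * $av * $ac * $pr * $ui

    if ($impact -le 0) { return 0.0 }
    $raw = if ($scopeChanged) { 1.08 * ($impact + $exploitability) } else { $impact + $exploitability }
    return Get-CvssRoundUp ([math]::Min($raw, 10.0))
}

function Get-NvdSeverity {
    # NVD qualitative severity bands for CVSS v3.x base scores
    param([double]$Score)
    if ($Score -eq 0)   { return 'None' }
    if ($Score -lt 4.0) { return 'Low' }
    if ($Score -lt 7.0) { return 'Medium' }
    if ($Score -lt 9.0) { return 'High' }
    return 'Critical'
}

# Constructed sample vectors (not taken from the advisories above)
$samples = @(
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H',   # remote, unauthenticated, no user interaction
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',   # remote, confidentiality impact only
    'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H',   # local, user must open a crafted file
    'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'    # as above, but scope changed (guest to host)
)
foreach ($vector in $samples) {
    $score = Get-Cvss31BaseScore -Vector $vector
    '{0,-44}  {1,4}  {2}' -f $vector, $score, (Get-NvdSeverity -Score $score)
}
```

Worked through by hand, the first three sample vectors evaluate to 9.8, 7.5 and 7.8, the same base scores the tables above give for the NEGOEX, SQL Server information disclosure and Office file-open entries, and the fourth shows how a scope change alone lifts the 7.8 profile to 8.6, the score of the Hyper-V DDA entry. Note that the Severity column in this post's tables is Microsoft's own rating, not the NVD band: the two AMD entries are marked Critical by Microsoft but sit at 5.6, which NVD would label Medium, so triage should look at both ratings rather than either one alone.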
Additional Resources