For the first time this year, Microsoft has released a Patch Tuesday bundle with no exploited security problems, although one has been made public already, and there are ten critical flaws to fix.
July’s software flaw fix package includes 130 patches with none exploited and only one earning a CVSS score of over nine – CVE-2025-47981. This critical issue comes with a 9.8 score and breaks Microsoft’s Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) security protocols with a heap-based buffer overflow that would allow remote code execution.
Of the other nine new critical issues, four are in Office, which last month had a major patching update and gets more this month. In July’s fixes, four flaws allow for remote code execution in the Office bundle. In all, Office gets 16 patches this week, but those four should be on the list of first to fix.
- CVE-2025-49695 – An ugly use-after-free issue that is thankfully limited to a user with local access.
- CVE-2025-49696 – Another locally exploitable issue that has a nasty twist.
- CVE-2025-49697 – A nasty buffer overflow issue that earns a CVSS 8.4 rating.
- CVE-2025-49702 – This type confusion requires a user being tricked into opening a malicious file, but that’s not too hard.
CVE-2025-49696 is particularly worrisome, since it can be exploited via the Preview Pane in Office, meaning no serious user action is required. It allows the combination of an out-of-bounds read and heap-based buffer overflow for an attack that requires no authentication to carry off.
If you’re running an AMD processor, there are a couple of fixes that should also be on the priority list, since Redmond has highlighted them in the roundup. The early EPYC and Ryzen chips are all listed as needing an update, though exploitation is rated as less likely. Microsoft also included a previously exploited flaw in the Chromium engine, CVE-2025-6554, that was released earlier this month.
One of the other critical bugs is in SQL, the most serious of three patched in Microsoft’s database platform. CVE-2025-49717 allows remote code execution via a buffer overflow, but Redmond rates it as less likely to be exploited since it would take a complex attack, albeit one requiring no user interaction.
There were 16 additional flaws fixed in Windows Routing and Remote Access Service, all considered at low risk of exploitation, but which still need to be patched. There are also five fixes for Microsoft’s BitLocker encryption system, four of them listed by Redmond as more likely to be exploited; if abused, they could be used to harvest data while bypassing the usual security checks.
And the best of the rest
As ever, Adobe has been piggybacking off Microsoft’s patching session with a bundle of patches, the most serious of which are for ColdFusion, and Experience Manager Forms. These two applications need to be updated as a priority, Adobe said.
The former includes 13 patches, five of them ranked as critical, including a CVSS 9.3 issue that would allow data examination by an attacker. In the case of Experience Manager Forms, there’s just a single flaw to be fixed, but it’s a CVSS 9.8 that would allow code to be executed on a target system. Experience Manager Screens also picks up a couple of important patches.
As for the rest of Adobe’s offerings, unusually there were no patches for either Reader or Photoshop this month. However, FrameMaker got 15 patches (13 of them critical) and Illustrator got ten patches today, including seven criticals.
Elsewhere, there were six critical flaws to get fixed in InDesign, and three criticals for InCopy, all with a CVSS 7.8 score. There are also three patches for Substance 3D Viewer, including a single critical fix. After Effects picks up a couple of important updates, as does Dimension, and there’s a singleton apiece for Audition, Substance 3D Stager, and Connect.
In another unusual instance this month, Google released no Android security updates. That might be explained by the fact that Android Version 16 was released last month and contains a lot of fixes – although non-Pixel users are going to have to wait until OEMs catch up.
SAP was happy to fill the gap in admins’ lives, however, with 27 new security updates, and four updated ones. The most serious, scoring a perfect 10 on the CVSS ranking, is a grab-bag of issues with SAP Supplier Relationship Management (Live Auction Cockpit), and there’s a CVSS 9.9 code injection vulnerability in SAP S/4HANA and SAP SCM that needs a patch. These are two of the six critical fixes SAP issued. ®