July 2025 brought seven critical vulnerabilities affecting a broad spectrum of technologies: desktop OSes, collaboration platforms, browsers, office suites, and network devices. Several allow remote code execution with minimal or no user action and are already being exploited in the wild.
The list includes heap-based buffer overflows, use-after-free bugs, input validation flaws, and command injections. Impacted systems range from Microsoft Windows, SharePoint, and Office to Google Chrome, SQL Server, and enterprise modems.
What We'll Cover
CVE-2025-47981: Remote Code Execution in Windows SPNEGO (NEGOEX)
Severity: Critical
CVSS Score: 9.8
Vulnerability Type: Heap-Based Buffer Overflow Leading to Remote Code Execution
Impact: Full System Compromise, Wormable Propagation
Affected Systems: All supported versions of Microsoft Windows using SPNEGO/NEGOEX
A critical RCE vulnerability in Windows’ SPNEGO authentication mechanism allows unauthenticated attackers to execute arbitrary code remotely, without any user interaction. Exploiting a heap-based buffer overflow in the NEGOEX protocol, this flaw could be used to create a worm capable of spreading autonomously across enterprise networks.
Mitigation Strategies:
- Patch Immediately: Apply Microsoft’s July 2025 updates across all Windows endpoints and servers.
- Segment Networks: Use strict internal segmentation to contain wormable threats.
- Audit SPNEGO Usage: Disable if not required in specific environments.
Deploy EDR/NIDS: Use intrusion prevention systems to catch lateral movement or unusual traffic.
CVE-2025-49704: Remote Code Execution in Microsoft SharePoint Server
Severity: Critical
CVSS Score: 8.8
Vulnerability Type: Code Injection via Improper Input Handling
Impact: Full SharePoint Takeover, Arbitrary Code Execution
Affected Systems: SharePoint Server 2016, 2019, Subscription Edition
A remote code injection vulnerability in SharePoint allows Site Owners to execute arbitrary code. This CVE forms part of the broader “ToolShell” exploit chain. Combined with a spoofing vulnerability (CVE-2025-49706), attackers can bypass authentication and achieve persistent compromise.
Mitigation Strategies:
- Apply Patch: Microsoft’s July updates are essential.
- Follow CISA Guidance: Implement AMSI, antivirus scanning, EDR, and rotate ASP.NET machine keys before and after patching.
- Disconnect Legacy Systems: Remove unsupported versions like SharePoint 2013 from internet exposure.
Active Monitoring: Watch for attacker IPs used in live attacks and monitor for anomalies.
CVE-2025-6558: Zero-Day Exploitation in Google Chrome & Apple WebKit
Severity: High
CVSS Score: 8.8
Vulnerability Type: Sandbox Escape via Untrusted Input Handling
Impact: Code Execution via Web Content, Privacy Breach
Affected Systems: Chrome (Windows/macOS/Linux), Safari (iOS/macOS), WebKit-based apps
A zero-day exploited in the wild allowed attackers to escape browser sandboxes and execute code using specially crafted HTML. Linked to mercenary spyware campaigns, this flaw was patched mid-July by both Google and Apple.
Mitigation Strategies:
- Update Immediately: Chrome version 138.0.7204.157+ and Apple OS updates resolve the issue.
- Enable Auto-Update: Enforce browser and OS auto-updates and browser restarts.
- Web Controls: Use browser isolation, EDR, and URL filtering to block malicious content.
CVE-2025-49719: Information Disclosure in Microsoft SQL Server
Severity: Important
CVSS Score: 7.5
Vulnerability Type: Input Validation Flaw Leading to Memory Disclosure
Impact: Unauthorized Access to Sensitive Memory or Key Material
Affected Systems: SQL Server 2022, 2019, 2017, 2016
This publicly disclosed zero-day flaw allows attackers to extract sensitive information from memory using malformed requests. While not yet exploited, the risk of cryptographic material exposure warrants rapid action.
Mitigation Strategies:
- Patch Promptly: Apply Microsoft’s updates to all SQL Server deployments.
- Restrict Access: Harden network access and apply least privilege across services.
- Audit Encryption Keys: Rotate potentially exposed cryptographic materials.
CVE-2025-49695: Remote Code Execution via Microsoft Office Preview Pane
Severity: Critical
CVSS Score: 8.4
Vulnerability Type: Use-After-Free (UAF)
Impact: Zero-Click RCE via File Preview
Affected Systems: Microsoft Office (All supported versions)
Office users are vulnerable to arbitrary code execution without opening malicious files. Simply previewing a crafted document triggers the exploit via a UAF flaw, bypassing traditional user-awareness safeguards.
Mitigation Strategies:
- Apply KB5002742: Microsoft’s July patch addresses the flaw.
- Disable Preview Panes: Especially in Outlook and File Explorer until all systems are patched.
EDR Protection: Deploy robust EDR and antimalware capable of detecting preview-based attacks.
CVE-2025-7921: Stack-Based Buffer Overflow in Askey Modems
Severity: High
CVSS Score: 9.8
Vulnerability Type: Stack Overflow
Impact: Full Device Takeover, Perimeter Breach
Affected Systems: Select Askey modem models (check vendor bulletins)
This flaw in Askey modem firmware allows unauthenticated remote attackers to execute code. As gateway devices, compromised modems can allow attackers to infiltrate internal networks undetected.
Mitigation Strategies:
- Update Firmware: Immediately apply Askey’s firmware patches.
- Segment Access: Isolate modem-connected segments from core networks.
Audit Firmware Regularly: Build firmware patching into your vulnerability lifecycle.
CVE-2025-53928: Remote Command Execution in MaxKB AI Assistant
Severity: Critical
CVSS Score: 9.8
Vulnerability Type: Remote Command Injection
Impact: Total Compromise of AI Workflows and Data
Affected Systems: MaxKB versions prior to 1.10.9-lts and 2.0.0
This RCE flaw allows full remote command execution in MaxKB, an open-source AI platform. Given MaxKB’s role in enterprise automation, successful exploitation can result in IP theft, system manipulation, or operational shutdowns.
Mitigation Strategies:
- Upgrade Immediately: Move to MaxKB version 1.10.9-lts or 2.0.0.
- Secure Deployment: Enforce least privilege, isolate AI systems, and validate all inputs.
API Hardening: Implement API-level authentication, authorization, and throttling.
These vulnerabilities highlight the persistent risk across critical enterprise systems. Immediate patching, vigilant monitoring, and strong network segmentation remain essential to prevent exploitation. Staying proactive and up to date is the best defense against attackers leveraging these flaws to compromise infrastructure, steal data, or disrupt operations.
Learn how our tailored cybersecurity services help you manage vulnerabilities and protect your assets.
