{"id":1218,"date":"2025-07-09T19:52:00","date_gmt":"2025-07-09T19:52:00","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/07\/09\/microsoft-patch-tuesday-one-zero-day-and-a-potential-wormable-flaw\/"},"modified":"2025-07-09T19:52:00","modified_gmt":"2025-07-09T19:52:00","slug":"microsoft-patch-tuesday-one-zero-day-and-a-potential-wormable-flaw","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/07\/09\/microsoft-patch-tuesday-one-zero-day-and-a-potential-wormable-flaw\/","title":{"rendered":"Microsoft Patch Tuesday: One Zero-Day and A Potential &#8216;Wormable&#8217; Flaw"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>In its July 2025 Patch Tuesday, Microsoft patched 130 vulnerabilities, a rate consistent with previous July batches (130 in 2023 and 138 in 2024).<\/p>\n<p>This latest patch update fixes 14 critical vulnerabilities, including a particularly concerning one that could be leveraged in self-propagating malware reminiscent of the infamous WannaCry and NotPetya malware strains.<\/p>\n<p>This flaw, tracked as CVE-2025-47981, targets the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), a protocol used in computer networks to help two parties, such as a client and a server, securely agree on how to authenticate each other.<\/p>\n<p>SPNEGO acts as a middleman to negotiate which authentication method (e.g. 
Kerberos or NTLM) should be used without exposing sensitive details upfront.<\/p>\n<p>\u201cSPNEGO [is] the backbone protocol used to negotiate authentication on critical services, including those that are (whether we like it or not) regularly Internet-facing, including SMB, RDP, and IIS,\u201d Benjamin Harris, CEO of WatchTowr, explained.<\/p>\n<h2><strong>Disclosure of a \u2018Wormable\u2019 Vulnerability<\/strong><\/h2>\n<p>CVE-2025-47981 is a remote code execution flaw in SPNEGO Extended Negotiation (NEGOEX), the extension of the SPNEGO negotiation mechanism that allows for negotiating the security mechanism to be used before authentication.<\/p>\n<p>It is a highly critical flaw with a CVSS score of 9.8, and it requires only unauthenticated access to the target network to be exploited. Microsoft assessed exploitation of the vulnerability as \u201cmore likely.\u201d<\/p>\n<p>Satnam Narang, a senior staff research engineer in Tenable&#8217;s Special Operations Team, described this vulnerability as \u201ca peculiar bug.\u201d<\/p>\n<p>\u201cWhile it is considered more likely to be exploited, it only affects Windows 10 version 1607 and above due to a specific group policy object being enabled by default. Since 2022, there haven\u2019t been many flaws in SPNEGO NEGOEX. 
There was one in 2022 (CVE-2022-37958) and one earlier this year in January (CVE-2025-21295), both of which were rated as not likely to be exploited,\u201d he added.<\/p>\n<p>Nevertheless, WatchTowr\u2019s Harris noted that the flaw was concerning because early analysis suggests that this vulnerability may be \u2018wormable\u2019 and could be utilized in a self-propagating attack.<\/p>\n<p>\u201cIt has the unfortunate hallmarks of becoming a significant problem [because it is] the sort of vulnerability that could be leveraged in self-propagating malware and make many revisit trauma from the WannaCry incident,\u201d he said.<\/p>\n<p>\u201cWe shouldn\u2019t fool ourselves &#8211; if the private industry has noticed this vulnerability, it is certainly already on the radar of every attacker with an ounce of malice. Defenders need to drop everything, patch rapidly, and hunt down exposed systems,\u201d Harris added.<\/p>\n<h2><strong>High-Severity Zero-Day with Low Exploitation Likelihood<\/strong><\/h2>\n<p>Microsoft\u2019s July Patch Tuesday update also included a zero-day vulnerability, a flaw disclosed publicly before being patched.<\/p>\n<p>This flaw, tracked as CVE-2025-49719, is a high-severity information disclosure vulnerability in Microsoft SQL Server (CVSS score of 7.5).<\/p>\n<p>However, Tenable\u2019s Narang noted that despite the vulnerability being publicly disclosed, the likelihood of exploitation by attackers remains low.<\/p>\n<p>\u201cUsers of SQL Server can update to the latest version, which includes driver fixes. 
However, if users have built their own apps or use software from another vendor that happens to use SQL Server, they need to update to Microsoft OLE DB Driver for SQL Server version 18 or 19 or ensure compatibility before updating,\u201d he explained.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>In its July 2025 Patch Tuesday, Microsoft patched 130 vulnerabilities, a rate consistent with previous July batches (130 in 2023 and 138 in 2024). This latest patch update fixes 14 critical vulnerabilities, including a particularly concerning one that could be leveraged in self-propagating malware reminiscent of the infamous WannaCry and NotPetya malware strains. This flaw<\/p>\n","protected":false},"author":2,"featured_media":1219,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1218","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1218-b093bd20-e3b4-4ead-be00-dd5138e33e2f.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1218-b093bd20-e3b4-4ead-be00-dd5138e33e2f-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1218-b093bd20-e3b4-4ead-be00-dd5138e33e2f.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1218-b093bd20-e3b4-4ead-be00-dd5138e33e2f.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1218-b093bd20-e3b4-4ead-be00-dd5138e33e2f.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1218-b093bd20-e3b4-4ead-be00-dd5138e33e2f.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1218-b093bd20-e3b4-4ead-be00-dd5138e33e2f.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/
uploads\/2025\/07\/1218-b093bd20-e3b4-4ead-be00-dd5138e33e2f.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1218-b093bd20-e3b4-4ead-be00-dd5138e33e2f.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1218-b093bd20-e3b4-4ead-be00-dd5138e33e2f.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1218-b093bd20-e3b4-4ead-be00-dd5138e33e2f-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/1218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=1218"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/1218\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/1219"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=1218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=1218"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=1218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}