Microsoft has announced today the rollout of updates that address at least 137 security vulnerabilities in its Windows operating systems and various supported software. Although none of the issues resolved this month are recognized to be actively exploited, 14 of the vulnerabilities received Microsoft’s most severe “critical” rating, indicating they could potentially be leveraged to gain control of susceptible Windows PCs with minimal or no user intervention.

Although not categorized as critical, CVE-2025-49719 is a publicly revealed information disclosure vulnerability, with all versions as far back as SQL Server 2016 receiving updates. Microsoft assesses CVE-2025-49719 as less prone to exploitation; however, the presence of proof-of-concept code for this vulnerability suggests that its patch should likely be prioritized by impacted enterprises.

Mike Walters, co-founder of Action1, indicated that CVE-2025-49719 can be exploited without authentication and that many third-party applications rely on SQL server and the affected drivers—potentially introducing a supply-chain vulnerability that extends beyond SQL Server users directly.

“The possible exposure of sensitive data makes this a significant concern for organizations managing valuable or regulated information,” Walters stated. “The extensive nature of the affected versions, covering multiple SQL Server releases from 2016 through 2022, points to a fundamental flaw in how SQL Server manages memory and validates input.”

Adam Barnett from Rapid7 mentioned that today marks the end of support for SQL Server 2012, meaning there will be no forthcoming security updates even for critical vulnerabilities, even if users are ready to pay Microsoft for support.

Barnett also highlighted CVE-2025-47981, a vulnerability carrying a CVSS score of 9.8 (where 10 denotes the worst), concerning remote code execution due to the way Windows servers and clients negotiate to identify mutually supported authentication methods. This pre-authentication vulnerability affects any Windows client running Windows 10 1607 or higher, along with all recent versions of Windows Server. Microsoft believes that there is a higher likelihood of attackers taking advantage of this flaw.

Additionally, Microsoft corrected at least four critical remote code execution vulnerabilities in Office (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702). The first two have been rated by Microsoft as having a greater likelihood of exploitation, requiring no user interaction, and can be initiated through the Preview Pane.

Two additional high-severity vulnerabilities include CVE-2025-49740 (CVSS 8.8) and CVE-2025-47178 (CVSS 8.0); the former allows harmful files to evade detection by Microsoft Defender SmartScreen, a built-in feature that attempts to block untrusted downloads and malicious websites.

CVE-2025-47178 pertains to a remote code execution vulnerability in Microsoft Configuration Manager, an enterprise utility for managing, deploying, and securing computers, servers, and devices across a network. Ben Hopkins from Immersive Labs asserted that this bug requires minimal privileges for exploitation and that it is feasible for a user or assailant with read-only access to take advantage of it.

“Exploiting this vulnerability permits an attacker to execute arbitrary SQL queries as the privileged SMS service account in Microsoft Configuration Manager,” Hopkins commented. “This access could be utilized to manipulate deployments, push harmful software or scripts to all managed devices, alter configurations, steal sensitive data, and potentially escalate to full operating system code execution across the enterprise, granting the attacker extensive control over the entire IT environment.”

In addition, Adobe has released security updates for a wide array of software, including After Effects, Adobe Audition, Illustrator, FrameMaker, and ColdFusion.

The SANS Internet Storm Center provides an overview of each specific patch, categorized by severity. If you are responsible for managing multiple Windows systems, it may be beneficial to monitor AskWoody for insights on any potentially problematic updates (given the significant number of vulnerabilities and Windows components addressed this month).

If you’re a Windows home user, please consider backing up your data and/or drive prior to installing any patches, and feel free to leave a comment if you experience any issues with these updates.