
Microsoft’s July 2025 Patch Tuesday delivers security updates addressing 137 vulnerabilities across its product line, including one actively exploited zero-day in WebDAV (CVE-2025-33053). This month’s update contains 11 critical remote code execution (RCE) and privilege escalation flaws. The SharePoint, SMB Client, and Office vulnerabilities need particular attention because they could be weaponized through common attack vectors such as malicious URLs or email preview panes [1].
Executive Summary for Security Leadership
The July 2025 updates present several high-risk scenarios requiring immediate attention. The WebDAV zero-day (CVE-2025-33053), which carries a CVSS score of 8.8, has been observed in active attacks and allows remote code execution through specially crafted URLs. SharePoint Server contains an SQL injection vulnerability (CVE-2025-47172) that could lead to full system compromise via `xp_cmdshell` abuse. Windows Server environments face domain-wide risks from the BadSuccessor vulnerability in Delegated Managed Service Accounts (dMSA) [2].
- Critical Patches: WebDAV (CVE-2025-33053), SharePoint (CVE-2025-47172), SMB Client (CVE-2025-33073)
- Enterprise Risks: Windows Server dMSA, OneDrive OAuth flaws affecting third-party integrations
- Third-Party Updates: Chrome zero-day (CVE-2025-5419), Firefox memory corruption flaws
Technical Analysis of Critical Vulnerabilities
The SharePoint Server RCE (CVE-2025-47172) stems from improper input handling in SQL queries, allowing low-privilege users to execute arbitrary commands through SQL injection (CWE-89). Microsoft’s advisory confirms this affects SharePoint Server 2016 and 2019, with exploitation possible through `xp_cmdshell` or CLR integration [3]. Proof-of-concept scripts demonstrating the attack chain have been privately circulated among security researchers.
For the WebDAV zero-day (CVE-2025-33053), Microsoft has documented the attack vector involving malicious URLs that trigger memory corruption in the WebDAV client service. The vulnerability requires no user interaction beyond accessing a compromised network share or website. Akamai researchers note that successful exploitation grants SYSTEM privileges on unpatched systems [4].
| CVE | CVSS | Impact | Affected Products |
|---|---|---|---|
| CVE-2025-33053 | 8.8 | RCE via WebDAV | Windows 10/11, Server 2025 |
| CVE-2025-47172 | 8.8 | SQLi to RCE | SharePoint Server 2016/2019 |
| CVE-2025-33073 | 8.8 | Privilege Escalation | Windows SMB Client |
Third-Party Security Updates
Concurrent with Microsoft’s updates, Google patched a Chrome zero-day (CVE-2025-5419) involving V8 engine heap corruption, actively exploited by commercial spyware vendors. Mozilla addressed memory corruption flaws in Firefox ESR (CVE-2025-4918/4919) discovered during Pwn2Own competitions. Qualcomm released GPU driver updates for Adreno chipsets (CVE-2025-21479/21480/27038) affecting Snapdragon-powered Android devices [5].
Remediation and Mitigation Strategies
For SharePoint Server environments, Microsoft recommends immediate patching combined with restricting Site Member permissions to prevent exploitation of CVE-2025-47172. WebDAV protections should include network segmentation and disabling the WebClient service wherever it is not needed. Windows Server administrators must review dMSA configurations and apply the script provided by Akamai to detect vulnerable Kerberos PAC configurations [6].
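One way to audit the WebClient mitigation described above, as an added example that is not from Microsoft, Akamai or the original article. The function names are hypothetical, and remote checks assume WinRM access to the hosts.

```powershell
# Added example: report whether the WebClient service, which backs the Windows
# WebDAV client, can still run on a set of hosts, and optionally disable it locally.
function Get-WebClientExposure {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    process {
        foreach ($computer in $ComputerName) {
            $query = @{ ClassName = 'Win32_Service'; Filter = "Name='WebClient'"; ErrorAction = 'Stop' }
            # Only go over WinRM for remote hosts; the local query needs no remoting.
            if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }
            $row = [ordered]@{ Computer = $computer; Installed = $null; State = $null
                               StartMode = $null; Exposed = $null; Note = $null }
            try {
                $svc = Get-CimInstance @query
                $row.Installed = [bool]$svc
                if ($svc) {
                    $row.State     = $svc.State
                    $row.StartMode = $svc.StartMode
                    # A stopped service is not a mitigation: with StartMode 'Manual'
                    # or 'Auto' it can still be started; only 'Disabled' keeps it off.
                    $row.Exposed   = $svc.StartMode -ne 'Disabled'
                } else {
                    $row.Exposed = $false
                    $row.Note    = 'WebClient service not installed'
                }
            } catch {
                $row.Note = "Query failed: $($_.Exception.Message)"
            }
            [pscustomobject]$row
        }
    }
}

function Disable-WebClientService {
    # Local host only; -WhatIf and -Confirm are honored via ShouldProcess.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable the WebClient service')) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
    }
}

# Local host by default; pass names (placeholders here) to check remote hosts:
#   'WS-EXAMPLE-01', 'WS-EXAMPLE-02' | Get-WebClientExposure
Get-WebClientExposure | Format-Table -AutoSize
```

Hosts that map WebDAV shares or use WebDAV-based document editing lose that functionality once the service is disabled, so review the `Exposed` rows against known business use before running `Disable-WebClientService`.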
Enterprise security teams should prioritize updating Cisco IOS XE (CVE-2025-20188), HPE StoreOnce (CVE-2025-37093), and Ivanti EPMM (CVE-2025-4427/4428) due to available exploit chains combining authentication bypass with RCE capabilities. Network monitoring for anomalous SMB and WebDAV traffic patterns can help detect exploitation attempts before patches are fully deployed.
Conclusion
The July 2025 Patch Tuesday highlights ongoing challenges in securing complex enterprise environments, particularly with the convergence of zero-day exploits and legacy protocol vulnerabilities. Organizations should adopt a risk-based approach to patching, focusing first on externally facing systems and critical infrastructure components. The simultaneous release of third-party updates underscores the need for coordinated vulnerability management programs that extend beyond Microsoft products.
References
[1] “Microsoft July 2025 Patch Tuesday fixes one zero-day, 137 flaws,” BleepingComputer, Jul. 2025. [Online]. Available: https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2025-patch-tuesday-fixes-one-zero-day-137-flaws
[2] “July 2025 Patch Tuesday forecast,” Help Net Security, Jul. 2025. [Online]. Available: https://www.helpnetsecurity.com/2025/07/07/july-2025-patch-tuesday-forecast
[3] Microsoft Security Advisory, Jul. 2025. [Online]. Available: https://msrc.microsoft.com/update-guide
[4] Akamai Research, Jul. 2025. [Online]. Available: https://www.akamai.com/blog/security-research
[5] “Stable Channel Update for Desktop,” Google Chrome Releases, Jul. 2025. [Online]. Available: https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop.html
[6] “Ivanti EPMM zero-day vulnerabilities,” Wiz Research, Jul. 2025. [Online]. Available: https://www.wiz.io/blog/ivanti-epmm-zero-day