Patch Tuesday July 2025 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
Microsoft Vulnerabilities
This Patch Tuesday, Microsoft has released fixes for 137 vulnerabilities—significantly more than last month—including 14 rated as critical. Notably, there are no zero-days this time, and only one vulnerability with a publicly available proof of concept. This marks the first Patch Tuesday without any zero-days since June 2024. Here are the details of the most notable critical updates.
Microsoft SQL Server Information Disclosure Vulnerability (CVE-2025-49719)
CVE-2025-49719 is a publicly disclosed information disclosure vulnerability in Microsoft SQL Server and its associated OLE DB drivers. A proof-of-concept (PoC) is available. The issue stems from improper input validation (CWE-20) in how SQL Server processes certain queries or commands, leading to exposure of uninitialized memory.
This likely results from SQL Server failing to correctly validate input parameters in its memory management logic. When memory is allocated but not properly cleared before reuse, remnants of prior data may be exposed—such as application data, credentials, or connection strings. Specific queries can bypass validation and cause SQL Server to return memory contents that should remain inaccessible.
The vulnerability affects both the SQL Server engine and applications that connect via vulnerable OLE DB drivers.
Exploitability details:
- Attack Vector: Network (AV:N) – Remotely exploitable
- Attack Complexity: Low (AC:L) – No special conditions required
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Base Score: 7.5 (HIGH)
- Temporal Score: 6.5 (MEDIUM)
- Publicly Disclosed: Yes
- Exploited in the Wild: No (as of assessment)
- Exploitation Assessment: Microsoft classifies it as “Exploitation Less Likely”
Despite this rating, once technical details spread, exploitation attempts may rise.
Affected versions:
- SQL Server 2022: 16.0.1000.6 – 16.0.4195.2
- SQL Server 2019: 15.0.2000.5 – 15.0.4430.1
- SQL Server 2017: 14.0.1000.169 – 14.0.3490.10
- SQL Server 2016:
- 13.0.6300.2 – 13.0.6455.2
- 13.0.7000.253 – 13.0.7050.2
- Applications using affected OLE DB drivers
- Applies to both on-premises and Azure IaaS SQL Server instances
Potential impact:
- Sensitive Data Exposure: Attackers may extract data fragments from uninitialized memory.
- Reconnaissance: Could be used to gather environment details and uncover potential entry points.
In advanced attack chains, this vulnerability may assist with:
- Database Mapping: Helps attackers map schema or identify injection points.
- Credential Harvesting: May leak partial credentials or session data.
- Attack Chain Integration:
- With SQL injection, leaked data can improve precision.
- Recovered credentials could support authentication bypass.
- Connection strings may allow lateral movement to other systems.
Key considerations:
- Unauthenticated Access: No login required increases exposure.
- Memory Exposure: Databases often hold sensitive, high-value data.
- OLE DB Driver Dependencies: Fixing this may require updates to both servers and client-side applications.
- Cloud Deployments: Azure-hosted SQL Servers are also vulnerable.
- Supply Chain Risk: Applications relying on SQL Server or OLE DB drivers inherit the vulnerability.
While the issue is limited to information disclosure and doesn’t enable direct code execution, the risk of leaking sensitive data makes this a high-priority issue—especially for organizations handling regulated or critical data. The broad version coverage—from SQL Server 2016 to 2022—suggests a fundamental flaw in memory handling and input validation.
Microsoft Office Remote Code Execution Vulnerabilities
Microsoft has disclosed several critical remote code execution vulnerabilities in Microsoft Office. While each has distinct technical characteristics, they share similar impact potential.
CVE-2025-49695 – Use After Free
This vulnerability stems from improper memory management, where Office continues to reference memory after it has been freed. An attacker can reallocate objects into the same memory space, allowing malicious data to be processed as if it were legitimate.
Steps involved:
- An object is allocated and then freed.
- Office continues to reference the freed memory.
- The attacker allocates new data in that memory location.
- Office unknowingly operates on attacker-controlled data.
This vulnerability can be triggered through the Preview Pane, meaning it can be exploited without user interaction—simply viewing a malicious email may be enough.
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None (Preview Pane)
- Base Score: 8.4 (Critical)
- Temporal Score: 7.3
- Exploitation Assessment: More Likely
- Public Disclosure: No
- Exploitation in the Wild: No
- Proof of Concept: Not available
CVE-2025-49696 – Out-of-bounds Read / Heap-based Buffer Overflow
This issue combines an out-of-bounds read with a heap-based buffer overflow. Attackers can read beyond allocated memory and potentially overwrite heap data.
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Base Score: 8.4 (Critical)
- Temporal Score: 7.3
- Exploitation Assessment: More Likely
- Public Disclosure: No
- Exploitation in the Wild: No
- Proof of Concept: Not available
CVE-2025-49697 – Heap-based Buffer Overflow
A heap overflow allowing attackers to write beyond buffer boundaries in the heap.
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Base Score: 8.4 (Critical)
- Temporal Score: 7.3
- Exploitation Assessment: Less Likely
- Public Disclosure: No
- Exploitation in the Wild: No
- Proof of Concept: Not available
CVE-2025-49702 – Type Confusion
This vulnerability occurs when Office misinterprets an object’s type, resulting in code execution in unintended contexts.
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required (user must open a malicious file)
- Base Score: 7.8 (High)
- Temporal Score: 6.8
- Exploitation Assessment: Less Likely
- Public Disclosure: No
- Exploitation in the Wild: No
- Proof of Concept: Not available
Most Critical Threats
Among the four, CVE-2025-49695 and CVE-2025-49696 pose the highest risk. Both are rated “More Likely” to be exploited. Neither requires user interaction. Both can be triggered via Preview Pane.
CVE-2025-49695 is particularly notable due to:
- More reliable exploitation via use-after-free conditions.
- Greater predictability in memory corruption.
- Historical use of similar vulnerabilities in targeted attack campaigns.
Common Exploitation Scenarios
- Email Campaigns – Malicious documents sent as attachments
- Preview Pane Attacks – Particularly relevant for CVE-2025-49695, 49696, and 49697
- Drive-by Downloads – Documents downloaded from compromised sites
- Supply Chain Attacks – Malicious files distributed through trusted channels
Post-Exploitation Risks
- Privilege Escalation – To gain SYSTEM-level access
- Sandbox Escape – To break out of Office’s protected environment
- Credential Harvesting – To support lateral movement
- Persistence – Using scheduled tasks, registry changes, or COM hijacking
Due to the widespread use of Microsoft Office, these vulnerabilities represent high-impact risks across both enterprise and individual environments.
Microsoft Word Remote Code Execution Vulnerabilities
Microsoft has disclosed two critical remote code execution vulnerabilities in Microsoft Word. While they share many similarities, each has distinct technical aspects that require separate consideration.
CVE-2025-49698 – Use After Free in Microsoft Word
This vulnerability involves Microsoft Word continuing to use memory after it has been freed. An attacker can manipulate this freed memory to execute arbitrary code.
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required (the user must open a malicious file)
- Base Score: 7.8 (High)
- Temporal Score: 6.8
- Exploitation Assessment: Less Likely
- Public Disclosure: No
- Exploitation in the Wild: No
- Proof of Concept: Not available
CVE-2025-49703 – Use After Free in Microsoft Word
Similar to CVE-2025-49698, this vulnerability is also caused by improper memory management. Freed memory remains accessible, allowing attackers to control execution flow.
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required (the user must open a malicious file)
- Base Score: 7.8 (High)
- Temporal Score: 6.8
- Exploitation Assessment: Less Likely
- Public Disclosure: No
- Exploitation in the Wild: No
- Proof of Concept: Not available
Shared Characteristics:
- Identical CVSS scores and attack vectors
- Both are use-after-free vulnerabilities
- Same exploitation assessment
- Affect the same product
Despite the similarities, Microsoft assigned distinct CVEs, suggesting different code paths, document features, or exploitation methods.
Exploitation Vectors:
- Email Attachments – Malicious .doc or .docx files sent via email
- Preview Pane Attacks – Both can be triggered without opening the file fully
- Web Downloads – Documents hosted on compromised or malicious websites
- Collaboration Tools – Shared via platforms like SharePoint, Teams, or OneDrive
Post-Exploitation Scenarios:
- Privilege Escalation – Leveraging initial code execution to gain higher privileges
- Macro Combinations – Enhancing reliability or persistence through document macros
- Multi-Stage Payloads – Dropping additional malware, such as ransomware or data stealers
Exploitation Considerations:
- Address Space Layout Randomization (ASLR) reduces predictability
- Modern Windows defenses complicate reliable exploitation
- Bypassing multiple protections is required
The Preview Pane remains a key concern:
- Simply selecting an email may trigger exploitation
- No need to open the document fully
- Many environments have the Preview Pane enabled by default
While user interaction is required, the ability to trigger these vulnerabilities via the Preview Pane raises their risk. Organizations should prioritize patching based on exposure, usage, and security controls in place.
Microsoft SharePoint Remote Code Execution Vulnerability — CVE-2025-49704
CVE-2025-49704 is a critical code-injection flaw (CWE-94) in SharePoint Server 2019 and 2016. Because user input is not fully sanitized, a site owner—or any account with equivalent rights—can inject server-side code that runs under the SharePoint application-pool identity.
Technical details
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low (Site Owner)
- User Interaction: None
- Base Score: 8.8 (Critical)
- Temporal Score: 7.7
- Microsoft rating: Exploitation More Likely
- Public disclosure / PoC: None
Impact
- Embed crafted content that SharePoint treats as executable code.
- Run that code on the server with application-pool permissions.
- Access or modify SharePoint data and underlying Windows resources.
Because SharePoint often stores sensitive documents and runs with elevated rights, successful exploitation can fully compromise confidentiality, integrity, and availability. Internet-facing deployments are especially at risk.
Likely attack paths
- Direct use by authenticated site owners.
- Privilege-escalation chains to reach higher system rights.
- Lateral movement and data exfiltration across the network.
- Ransomware or supply-chain distribution through malicious web parts or templates.
Previous SharePoint code-injection bugs such as CVE-2019-0604 were heavily exploited; CVE-2025-49704 warrants the same level of urgency for patching.
Microsoft SQL Server Remote Code Execution Vulnerability — CVE-2025-49717
CVE-2025-49717 is a critical heap-based buffer overflow vulnerability in Microsoft SQL Server. It allows attackers to overwrite memory beyond the bounds of a heap-allocated buffer, potentially gaining code execution within the SQL Server process. Because the vulnerability permits a scope change, attackers can break out of the SQL Server context and execute code directly on the host system.
The issue arises from SQL Server’s failure to properly validate the size of data written to memory. When malformed queries are processed, they can trigger buffer overflows that corrupt adjacent memory structures and redirect code execution.
This vulnerability affects a wide range of versions:
- SQL Server 2022 (16.x) through CU19
- SQL Server 2019 (15.x) through CU32
- SQL Server 2017 (14.x) through CU31
- SQL Server 2016 (13.x) with Azure Connect Feature Pack and SP3
- OLE DB drivers 18 and 19
Both on-premises deployments and Azure IaaS instances are at risk.
Key CVSS metrics include:
- Attack vector: Network
- Attack complexity: High
- Privileges required: Low
- User interaction: None
- Scope: Changed
- Base score: 8.5 (Critical)
- Temporal score: 7.4
- Exploitation assessment: “Exploitation Unlikely” (Microsoft)
- Public disclosure: No
- Proof of concept: None available
Despite the high attack complexity, the scope change makes this particularly dangerous. Successful exploitation would allow attackers to escape the SQL Server process and execute code with host-level privileges.
Exploitation would likely involve:
- Submitting crafted queries to trigger the overflow
- Overwriting memory to manipulate execution flow
- Executing arbitrary code within the SQL Server context
- Escalating to code execution on the host system
Potential attack scenarios include:
- Initial access via SQL Server + host takeover: Attackers who gain SQL Server access could use this flaw to move to the operating system and escalate privileges.
- Data exfiltration and persistence: Attackers may deploy tools to extract data directly from files, install persistent backdoors, or harvest credentials from memory.
- Lateral movement: SQL Servers often have high-trust relationships with other systems. Exploiting this vulnerability could allow attackers to pivot across the network.
- Ransomware deployment: The attacker could encrypt database files, disable backups, and steal data for extortion.
This vulnerability is especially concerning because:
- It involves a remote memory corruption flaw in widely deployed server software.
- The “changed” scope indicates it can break out of SQL Server’s process boundaries.
- It affects versions from 2016 through 2022, pointing to a long-standing issue in core components.
- The connection to OLE DB drivers suggests potential risks in client-server data exchange.
- SQL Server often handles critical data, making it a prime target for attackers.
While Microsoft classifies exploitation as unlikely, the severity, attack surface, and host escape potential mean organizations should prioritize applying available patches.
Google Chrome
Google has released an update for Chrome 138 to patch a high-severity vulnerability actively exploited in the wild. Tracked as CVE-2025-6554, the flaw involves type confusion in the V8 JavaScript and WebAssembly engine. Such issues can lead to memory safety errors and trigger denial-of-service (DoS), remote code execution (RCE), or other unexpected behavior.
According to NIST, successful exploitation allows remote attackers to perform arbitrary read/write operations via specially crafted HTML pages. Google confirmed awareness of in-the-wild exploitation. The vulnerability was disclosed on June 25 and addressed the following day through a configuration change applied to the stable channel on all platforms. As usual, no technical details were released, but the urgency of the fix suggests active exploitation.
The patched versions are 138.0.7204.96/.97, 138.0.7204.92/.93, and 138.0.7204.96 for Windows, macOS, and Linux respectively. Users are advised to update their browsers promptly.
Linux
Researchers at Stratascale Cyber Research Unit (CRU) have identified two vulnerabilities in the Sudo command-line utility that can allow local privilege escalation to root on affected Linux and Unix-like systems.
CVE-2025-32463 (CVSS 9.3) affects Sudo versions prior to 1.9.17p1. It allows attackers to gain root privileges via the --chroot option, which can be manipulated to load configuration from a user-controlled directory. CVE-2025-32462 (CVSS 2.8) enables command execution through misuse of the -h (host) option, a feature introduced in 2013 to list sudo privileges for remote hosts.
CVE-2025-32462 permits execution of commands allowed on a remote host but run locally, affecting setups using shared sudoers files across multiple systems, including those managed via LDAP or SSSD.
CVE-2025-32463, classified as critical, allows an unprivileged local user to execute arbitrary commands as root without requiring specific sudoers permissions. This is done by creating a fake /etc/nsswitch.conf file in a user-specified root directory, tricking Sudo into loading a malicious shared library. Developers plan to remove the chroot feature entirely in a future release due to its risk-prone nature.
The flaws were responsibly disclosed on April 1, 2025, and fixed in Sudo version 1.9.17p1, released at the end of June. Users should apply patches and ensure their systems are up to date.
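A quick way to triage a fleet for the two Sudo bugs is to compare each host's `sudo --version` output with the 1.9.17p1 fix release, which needs care because Sudo's "p" suffix is a patch level that sorts after the bare release (1.9.17 is older than 1.9.17p1). The script below is an added example, not code from the digest or the Sudo project; the sample version strings are constructed, and only the version number is examined.

```python
"""Compare an installed sudo version with the release that fixes CVE-2025-32463 and
CVE-2025-32462.

Added example, not code from the digest or from the Sudo project. It reasons only about
version numbers; distributions that backport fixes without bumping the upstream version
need their package changelog checked instead.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_RELEASE = "1.9.17p1"   # fix release named in the digest

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, plevel) for the first version found in text.

    Sudo's 'p' suffix is a patch level that sorts after the bare release, so
    1.9.17 < 1.9.17p1 < 1.9.17p2; a missing suffix counts as p0.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(version_text: str) -> bool:
    """True if the version is older than the fix release."""
    return parse_sudo_version(version_text) < parse_sudo_version(FIXED_RELEASE)


def installed_sudo_version() -> Optional[str]:
    """First line of `sudo --version` on this host, or None if sudo is not installed."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.splitlines()[0] if out.stdout else None


# Constructed sample outputs in the format `sudo --version` prints on its first line.
SAMPLES = [
    "Sudo version 1.9.15p5",   # older release: flagged
    "Sudo version 1.9.17",     # bare 1.9.17 is still older than 1.9.17p1: flagged
    "Sudo version 1.9.17p1",   # the fix release
    "Sudo version 1.9.17p2",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:26} vulnerable={is_vulnerable(s)}")
    local = installed_sudo_version()
    if local:
        print(f"{local:26} vulnerable={is_vulnerable(local)}")
```

The version comparison is only a first filter: a vendor build that carries the fix under an older upstream number reports as vulnerable here, so confirm against the distribution's security advisory before closing a finding.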
CitrixBleed 2
A newly discovered vulnerability in Citrix NetScaler ADC and Gateway has been dubbed CitrixBleed 2 due to its similarity to a previously exploited flaw that allowed attackers to intercept authentication session cookies.
Citrix has issued a bulletin on CVE-2025-5777 and CVE-2025-5349, which affect NetScaler ADC and Gateway up to versions 14.1-43.56, 13.1-58.32, 13.1-37.235-FIPS/NDcPP, and 12.1-55.328-FIPS.
CVE-2025-5777 is a critical out-of-bounds memory read vulnerability impacting NetScaler instances configured as gateways (VPN, ICA proxy, CVPN, RDP proxy) or AAA virtual servers. Researcher Kevin Beaumont likened it to CitrixBleed (CVE-2023-4966), noting that it could enable attackers to access session tokens, credentials, and other sensitive data from publicly exposed services, allowing session hijacking and MFA bypass.
CVE-2025-5349, also mentioned in the advisory, is a high-severity issue related to improper access control. It can be exploited if an attacker has access to NSIP, Cluster Management IP, or Local GSLB Site IP.
Users are urged to upgrade to NetScaler ADC and Gateway 14.1-43.56, 13.1-58.32 or later, 13.1-NDcPP 13.1-37.235 (FIPS), and 12.1-55.328 (FIPS). Citrix recommends terminating all active ICA and PCoIP sessions after updating—advice that echoes guidance from the original CitrixBleed incident.
Charles Carmakal, CTO at Mandiant, stressed the importance of ending active sessions post-update, noting that in 2023, many organizations failed to do so. As a result, attackers reused stolen sessions even after patches were applied, leading to incidents involving espionage and ransomware.
The vulnerabilities also affect ADC/Gateway 12.1 (non-FIPS) and 13.0, which no longer receive patches. Organizations still using these versions should upgrade immediately.
Shadowserver analysts have found more than 1,200 devices still exposed to attacks using CVE-2025-5777. While Citrix has not confirmed in-the-wild exploitation, ReliaQuest has observed targeted attacks using this vulnerability, including signs of MFA bypass and session reuse, as well as LDAP queries linked to Active Directory.
Shadowserver also reports over 2,100 unpatched NetScaler devices vulnerable to CVE-2025-6543, which is currently being used in DoS attacks. Given the growing interest in CitrixBleed 2, these numbers are likely to translate into more incidents soon.
Citrix continues to struggle with fixing critical vulnerabilities in NetScaler. A recent update intended to address security flaws is now causing authentication failures.
Starting with NetScaler 14.1.47.46 and 13.1.59.19, the Content Security Policy (CSP) header is enabled by default. While CSP helps block unauthorized scripts and reduce risks from XSS and injection attacks, it also interferes with legitimate scripts used in Duo-based RADIUS authentication, custom SAML settings, and other identity provider configurations.
After updating to these builds, users may experience broken login pages, particularly when using non-standard authentication setups. Citrix recommends disabling the default CSP header through the user interface or command line and clearing the cache. Admins should then access the authentication portal to confirm whether the issue is resolved.
Cisco
Cisco has issued a warning about a critical vulnerability in Unified Communications Manager (CUCM), tracked as CVE-2025-20309. The flaw stems from hardcoded root SSH credentials that allow remote attackers to access unpatched systems with root privileges.
CUCM, formerly Cisco CallManager, is the central platform for managing Cisco IP telephony systems. CVE-2025-20309 affects Unified CM and Unified CM SME ES versions 15.0.1.13010-1 through 15.0.1.13017-1. Cisco emphasized that no workarounds exist and the only solution is to upgrade to version 15SU3 (July 2025) or apply patch CSCwp27755.
While there’s no confirmed exploitation or public proof-of-concept, Cisco noted that successful exploitation would leave a log entry in /var/log/active/syslog/secure under a root user. Admins can check for signs of compromise using the file get activelog syslog/secure command.
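Since the indicator Cisco gives is a root login entry in /var/log/active/syslog/secure, the file retrieved with `file get activelog syslog/secure` can be scanned for accepted SSH sessions as root. The scanner below is an added example, not Cisco's code: the log lines are constructed in the OpenSSH "Accepted ... for root" format, which is an assumption about how that file is laid out, so adjust the pattern to what the real file shows.

```python
"""Scan a copy of /var/log/active/syslog/secure for accepted root SSH logins
(triage for CVE-2025-20309 on Cisco Unified CM).

Added example, not Cisco's code. The sample lines are constructed in OpenSSH's
'Accepted <method> for <user> from <ip> port <n>' format; that layout is an assumption.
"""
import re
from typing import Iterable, List, Tuple

# Matches sshd lines such as
#   "Jul  3 09:15:47 cucm-pub sshd[2250]: Accepted password for root from 198.51.100.7 port 40010 ssh2"
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+) port \d+"
)


def root_ssh_logins(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, auth method, source address) for every accepted root login."""
    hits = []
    for line in lines:
        m = SSHD_ACCEPTED.match(line.strip())
        if m and m.group("user") == "root":
            hits.append((m.group("ts"), m.group("method"), m.group("src")))
    return hits


def scan_secure_log(path: str) -> List[Tuple[str, str, str]]:
    """Scan a retrieved copy of the secure log on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return root_ssh_logins(fh)


# Constructed sample: two ordinary admin logins, one failed and one accepted root login.
SAMPLE_LOG = """\
Jul  3 09:12:01 cucm-pub sshd[2201]: Accepted publickey for admin from 10.0.0.5 port 50122 ssh2
Jul  3 09:15:44 cucm-pub sshd[2250]: Failed password for root from 198.51.100.7 port 40010 ssh2
Jul  3 09:15:47 cucm-pub sshd[2250]: Accepted password for root from 198.51.100.7 port 40010 ssh2
Jul  3 09:20:03 cucm-pub sshd[2290]: Accepted publickey for admin from 10.0.0.5 port 50130 ssh2
"""

if __name__ == "__main__":
    for ts, method, src in root_ssh_logins(SAMPLE_LOG.splitlines()):
        print(f"root login at {ts} via {method} from {src}")
```

Only "Accepted" lines count; the failed root attempt just before it is noise on its own but is worth correlating by source address once an accepted login shows up.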
Cisco has also disclosed two critical RCE vulnerabilities in Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC), tracked as CVE-2025-20281 and CVE-2025-20282. Both received a maximum CVSS score of 10.0.
CVE-2025-20281 affects ISE and ISE-PIC versions 3.3 and 3.4. It allows unauthenticated remote attackers to execute OS-level commands using specially crafted public API requests. CVE-2025-20282 affects ISE 3.4 only and allows remote attackers to upload and execute arbitrary files by writing to privileged directories via an internal API.
Both vulnerabilities enable full device takeover with no authentication or user interaction. Cisco advises updating to 3.3 Patch 6 or 3.4 Patch 2 or later. No workarounds are available.
Additionally, Cisco disclosed CVE-2025-20264, a medium-severity authentication bypass issue in ISE caused by improper authorization for users authenticated through SAML SSO. With valid SSO credentials, attackers can issue commands to alter system settings or initiate a restart.
This affects all ISE versions up to 3.4. Fixes were released in 3.4 Patch 2 and 3.3 Patch 5, with a fix for 3.2 expected in Patch 8 this November. ISE 3.1 and earlier are no longer supported, and users should migrate to a current version.
WordPress Forminator Plugin
A vulnerability in the WordPress Forminator plugin allows attackers to delete arbitrary files and potentially take over more than 400,000 websites. Forminator is a widely used form-building plugin with over 600,000 active installations, supporting various types of forms including contact forms, payment forms, and surveys.
The issue, tracked as CVE-2025-6463 (CVSS 8.8), stems from insufficient validation of file paths in the function used to delete uploaded form submission files. According to Defiant, Forminator does not properly sanitize values saved in the database, allowing attackers to submit arrays of files via form fields. Additionally, the deletion function fails to check field types, file extensions, or upload directory restrictions. As a result, attackers can specify any file for deletion when a form is removed, either manually or automatically, depending on site settings. For instance, deleting the wp-config.php file would force the site into setup mode, making it possible for attackers to gain control.
Although exploitation requires some interaction, researchers note that form deletion is a common event, making the vulnerability attractive to attackers.
The issue was fixed in Forminator version 1.44.3, released on June 30, which adds validation to ensure only files from fields labeled “upload” or “signature” within the uploads directory can be removed.
However, telemetry indicates the update has been downloaded fewer than 200,000 times in the past two days, leaving over 400,000 sites still at risk. Users are strongly encouraged to update immediately.
WinRAR
WinRAR developers have patched a directory traversal vulnerability that allows malicious code execution after extracting a specially crafted archive. Tracked as CVE-2025-6218 (CVSS 7.8), the vulnerability affects WinRAR for Windows version 7.11 and earlier. The fix is included in WinRAR 7.12 beta 1.
In earlier versions, WinRAR could extract files to unintended paths if the archive contained manipulated relative paths. This allowed files to be silently placed in sensitive system locations, such as autorun folders. If these files were malicious, they could be executed the next time the user logs into Windows. While the attack is limited to user-level permissions, it could still enable data theft or provide persistence for further access.
Exploitation requires user interaction—such as opening a malicious archive or visiting a specially crafted page—but given the popularity of WinRAR and continued use of outdated versions, the risk remains high.
The update also fixes an HTML injection issue in report generation, as well as two minor bugs affecting recovery volumes and Unix timestamp precision. There are currently no reports of CVE-2025-6218 being exploited in the wild, but users are advised to update without delay.
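Both the Forminator bug above and the WinRAR bug come down to the same missing check: a path supplied by someone else is used without confirming it stays inside the directory it is supposed to stay in. The example below is added here and is not code from Forminator, Defiant or WinRAR. It pairs a hardened "may this submission file be deleted" check, modelled on the fix described for Forminator (field type must be upload or signature, file must sit under the uploads directory, plus a constructed extension allowlist), with an archive extractor that rejects traversal entries; a zip archive stands in for RAR because Python ships a zip reader, and all paths and field names are constructed.

```python
"""Path-containment checks for the two traversal bugs above: file deletion
(Forminator CVE-2025-6463) and archive extraction (WinRAR CVE-2025-6218).

Added example; not code from Forminator, Defiant or WinRAR. Function names, field
types and sample paths are constructed; a zip file stands in for a RAR archive.
"""
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath, PureWindowsPath
from typing import Dict, List, Optional, Tuple

ALLOWED_FIELD_TYPES = {"upload", "signature"}          # field types the Forminator fix allows
ALLOWED_EXTENSIONS = {".jpg", ".png", ".pdf", ".docx"}  # constructed allowlist


def is_within(base: str, candidate: str) -> bool:
    """True if candidate resolves (symlinks included) to a path inside base."""
    base_real = os.path.realpath(base)
    cand_real = os.path.realpath(candidate)
    return os.path.commonpath([base_real, cand_real]) == base_real


def may_delete_submission_file(uploads_dir: str, field_type: str, stored_path: str) -> bool:
    """Hardened check before removing a file referenced by a stored form submission.

    The vulnerable behaviour described above deleted whatever path was stored, without
    looking at field type, extension or directory. All three are required here.
    """
    if field_type not in ALLOWED_FIELD_TYPES:
        return False
    if os.path.splitext(stored_path)[1].lower() not in ALLOWED_EXTENSIONS:
        return False
    return is_within(uploads_dir, stored_path)


def safe_member_path(dest_dir: str, member_name: str) -> Optional[str]:
    """Extraction target for an archive member, or None if it would escape dest_dir.

    Rejects absolute paths, drive letters and '..' components; backslashes are
    normalised first because archives built on Windows often store them.
    """
    name = member_name.replace("\\", "/")
    if PureWindowsPath(name).drive or name.startswith("/"):
        return None
    parts = PurePosixPath(name).parts
    if ".." in parts:
        return None
    target = os.path.join(dest_dir, *parts)
    return target if is_within(dest_dir, target) else None


def extract_safely(archive_bytes: bytes, dest_dir: str) -> Dict[str, str]:
    """Extract a zip into dest_dir, skipping members that would land outside it."""
    result: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = safe_member_path(dest_dir, info.filename)
            if target is None:
                result[info.filename] = "rejected"
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            result[info.filename] = "extracted"
    return result


def build_crafted_archive() -> bytes:
    """Constructed archive: one benign member and two that use traversal tricks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign")
        zf.writestr("../../Start Menu/Programs/Startup/payload.txt", "would land in an autorun folder")
        zf.writestr("..\\..\\evil.txt", "backslash variant of the same trick")
    return buf.getvalue()


def demo_extraction() -> Tuple[Dict[str, str], List[str]]:
    """Extract the crafted archive into a fresh temp dir; return statuses and files written."""
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    statuses = extract_safely(build_crafted_archive(), dest)
    return statuses, sorted(os.listdir(dest))


if __name__ == "__main__":
    uploads = "/var/www/html/wp-content/uploads"
    print(may_delete_submission_file(uploads, "upload", f"{uploads}/2025/07/form-12.pdf"))
    print(may_delete_submission_file(uploads, "upload", "/var/www/html/wp-config.php"))
    print(demo_extraction())
```

Resolving both sides with realpath before comparing is what makes the containment check hold against symlinks as well as `..` sequences; comparing string prefixes alone would accept `/var/www/html/wp-content/uploads-old/x` as being under `uploads`, which commonpath does not.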
Brother Printers
Rapid7 researchers have discovered eight vulnerabilities affecting more than 700 printer, scanner, and labeling device models, primarily from Brother, but also including devices from Fujifilm, Ricoh, Konica Minolta, and Toshiba.
The most critical issue, CVE-2024-51978, allows remote, unauthenticated attackers to bypass authentication and retrieve the default admin password. This can be chained with CVE-2024-51977, an information disclosure vulnerability that leaks the device’s serial number—used to generate the default password.
Knowing the default password gives attackers control over the device, allowing reconfiguration or abuse of administrative functions. The other vulnerabilities range from medium to high severity and include risks such as DoS, TCP flooding, password leaks, stack overflows, and arbitrary HTTP requests. Six of the eight vulnerabilities do not require authentication.
Rapid7 reported the findings to Brother via JPCERT/CC a year ago. Most issues have since been addressed, but CVE-2024-51978 cannot be fully mitigated via firmware. Brother has modified its manufacturing process and provided a workaround for existing devices.
GitHub
GitHub has patched a high-severity vulnerability affecting multiple versions of Enterprise Server that could allow remote code execution. Tracked as CVE-2025-3509 (CVSS 7.1), the flaw involves misuse of pre-receive functionality to bind to dynamically allocated ports. Exploitation is possible under specific conditions, such as during hotpatching, and requires either site admin privileges or access to repositories with pre-receive hooks.
The initial fix was incomplete, prompting a new patch. Successful exploitation could lead to arbitrary code execution and privilege escalation.
The vulnerability affects all Enterprise Server versions prior to 3.18. Fixes were released in versions 3.17.1, 3.16.4, 3.15.8, 3.14.13, and 3.13.16. CVE-2025-3509 was disclosed through a bug bounty program, and there are no known reports of in-the-wild exploitation.
Teleport
Teleport developers have issued a warning about a critical vulnerability that allows remote attackers to bypass SSH authentication and access managed systems. The issue, tracked as CVE-2025-49825 (CVSS 9.8), affects Teleport Community Edition versions prior to 17.5.1 and has been fixed in versions 17.5.2, 16.5.12, 15.5.3, 14.4.1, 13.4.27, and 12.4.35.
Teleport provides connectivity, authentication, and access control for servers and cloud applications and supports SSH, RDP, HTTPS, Kubernetes, and various databases. The vulnerability affects systems running Teleport SSH agents, integrated OpenSSH setups, and Git proxy configurations.
While cloud customers have already received automatic patches, self-hosted Teleport agents must be updated manually. For Kubernetes, admins should use the teleport-kube-agent update tool instead of teleport-update.
There are currently no public proof-of-concept exploits or evidence of exploitation in the wild, but all nodes must be updated to the appropriate patched version for the cluster.
Veeam
Veeam has released updates for several vulnerabilities in Veeam Backup & Replication (VBR), including a critical remote code execution flaw tracked as CVE-2025-23121.
The vulnerability affects VBR version 12 and later and has been fixed in version 12.3.2.3617. It can be exploited by authenticated domain users to remotely execute code on the backup server. While it only applies to VBR installations joined to a domain, any domain user can take advantage of it, increasing the risk in enterprise environments.
Many organizations have added backup servers to Windows domains, contrary to Veeam’s best practices. With over 550,000 customers, including a majority of Fortune 500 and Global 2000 companies, vulnerabilities in Veeam solutions are frequently targeted by ransomware and APT groups.
Previously, RCE flaws in VBR were exploited by operators behind Frag, Akira, Fog, Cuba, and FIN7. This new vulnerability is expected to attract similar interest.
Grafana
More than 46,000 internet-facing Grafana instances remain vulnerable to a client-side open redirect flaw that can be exploited to hijack accounts and distribute malicious plugins.
CVE-2025-4123 was discovered by Álvaro Balada and patched by Grafana Labs on May 21. Despite the fix, researchers at OX Security report that 36% of identified Grafana instances have not been updated. Out of 128,864 scanned instances, 46,506 are still vulnerable.
The vulnerability allows attackers to craft URLs that redirect users to attacker-controlled sites hosting malicious plugins. These can be used to execute arbitrary JavaScript in the victim’s browser, hijack sessions, modify credentials, and—if the Grafana Image Renderer plugin is present—perform SSRF attacks to access internal resources.
Although Grafana’s default Content Security Policy offers some protection, it does not fully prevent exploitation. The exploit bypasses browser normalization using Grafana’s client-side routing logic, allowing attackers to serve fake plugins that change user email addresses and trigger password resets.
Exploitation requires a valid user session, user interaction (clicking a link), and an active plugin feature. Due to the number of vulnerable instances and lack of authentication requirements, the attack surface is considered significant.
Admins are urged to update to one of the following patched versions:
- 10.4.18+security-01
- 11.2.9+security-01
- 11.3.6+security-01
- 11.4.4+security-01
- 11.5.4+security-01
- 11.6.1+security-01
- 12.0.0+security-01
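The general defence against an open redirect is to accept only a same-origin path as the post-login target and to reject the forms that browsers quietly turn into a different origin. The validator below is an added example and is not Grafana's code; it does not reproduce the client-side routing bypass that CVE-2025-4123 uses (whose details are not on this page, and which is fixed by updating), but it shows why the usual "starts with a slash" check is insufficient and what a stricter check looks like. The sample targets are constructed.

```python
"""Validate a post-login 'return to' target so it can only point at this application.

Added example, not Grafana's code. It contrasts a naive same-origin check with a
stricter one; the redirect targets below are constructed.
"""
from urllib.parse import unquote, urlsplit


def naive_is_local(target: str) -> bool:
    """The common but insufficient check: 'starts with a slash, so it must be local'."""
    return target.startswith("/")


def strict_is_local(target: str) -> bool:
    """Accept only an absolute path on this origin.

    Rejects scheme-relative URLs ('//evil.example'), backslash variants that browsers
    normalise to '//' ('/\\evil.example'), explicit schemes, percent-encoded forms of
    the above, and anything containing control characters or whitespace.
    """
    # Check both the raw string and its one-pass decoded form, since a router may
    # decode before it navigates.
    for form in (target, unquote(target)):
        if any(ord(c) < 0x20 or c in " \t\r\n" for c in form):
            return False
        norm = form.replace("\\", "/")
        if not norm.startswith("/") or norm.startswith("//"):
            return False
        parts = urlsplit(norm)
        if parts.scheme or parts.netloc:
            return False
    return True


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return target if it passes the strict check, otherwise the fallback path."""
    return target if strict_is_local(target) else fallback


# Constructed targets: the first two are legitimate, the rest are the usual bypasses.
CONSTRUCTED_CASES = [
    "/dashboards?orgId=1",
    "/login?redirectTo=/explore",
    "//evil.example/plugins",
    "/\\evil.example/plugins",
    "https://evil.example/",
    "/%2F%2Fevil.example/",
    "/%5C%5Cevil.example/",
    "javascript:alert(1)",
]


def compare(cases):
    """Map each target to (naive verdict, strict verdict) to show where they differ."""
    return {c: (naive_is_local(c), strict_is_local(c)) for c in cases}


if __name__ == "__main__":
    for case, (naive, strict) in compare(CONSTRUCTED_CASES).items():
        print(f"{case!r:32} naive={naive!s:5} strict={strict}")
```

Of the constructed cases the naive check waves through four of the six hostile targets, because each of them begins with a slash; the strict check refuses every one while still allowing ordinary in-app paths with query strings.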
Palo Alto
Palo Alto Networks has addressed seven vulnerabilities across its product line, applied 11 Chrome-related fixes, and patched the cache vulnerability CVE-2025-4233 affecting the Prisma Access browser.
The most serious issue, CVE-2025-4232 (CVSS 7.1), is an authenticated code injection vulnerability in the GlobalProtect application’s log collection feature on macOS. It allows non-admin users to escalate privileges to root.
The company also fixed an authenticated administrator command injection flaw in the PAN-OS web interface, tracked as CVE-2025-4231 (CVSS 6.1). This vulnerability allows authenticated admins with web interface access to execute actions as root. Cloud NGFW and Prisma Access are not affected.
Another issue, CVE-2025-4230 (CVSS 5.7), involves command injection via the PAN-OS CLI. An authenticated administrator with CLI access can execute arbitrary commands as root. The advisory notes that risk is reduced when CLI access is limited to a small group of admins. Again, Cloud NGFW and Prisma Access are not affected.
Other fixes include CVE-2025-4228, which exposed unencrypted SD-WAN data in PAN-OS, and a privilege escalation vulnerability in the Cortex XDR Broker virtual machine. Palo Alto has not confirmed exploitation of these issues in the wild.
Trend Micro
Trend Micro has released patches for multiple critical vulnerabilities affecting Apex Central and Endpoint Encryption (TMEE) PolicyServer. These tools provide full disk and removable media encryption for Windows systems, often used in regulated environments.
The following vulnerabilities affect TMEE PolicyServer:
- CVE-2025-49212 – Pre-authentication RCE due to unsafe deserialization in PolicyValueTableSerializationBinder. Allows code execution as SYSTEM without login.
- CVE-2025-49213 – Pre-authentication RCE in PolicyServerWindowsService, also caused by unsafe deserialization.
- CVE-2025-49216 – Authentication bypass in DbAppDomain, enabling attackers to perform admin-level actions without credentials.
- CVE-2025-49217 – Pre-authentication RCE in the ValidateToken method due to unsafe deserialization.
These flaws affect all versions up to the latest and were fixed in version 6.0.0.4013 (Patch 1 Update 6). There are no mitigations or workarounds.
Trend Micro also patched two critical pre-authentication RCE vulnerabilities in Apex Central (CVSS 9.8):
- CVE-2025-49219 – Unsafe deserialization in the GetReportDetailView method, allowing remote code execution as NETWORK SERVICE.
- CVE-2025-49220 – Similar flaw in the ConvertFromJson method, due to improper input validation.
Apex Central 2019 users can apply patch B7007. For the cloud-based version, fixes have been applied automatically on the backend.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.