Microsoft’s July 2025 Patch Tuesday: Urgent fixes for cloud and identity security

Microsoft’s July 2025 Patch Tuesday release is not business as usual. The company shipped security updates for 137 vulnerabilities, including fourteen rated Critical and one publicly disclosed SQL Server zero-day.
However, the real story lies in three pillars of your Microsoft stack: Office 365 productivity apps, Azure management services, and the identity and access control engines that bind hybrid Windows and Entra ID environments together.
If any one of these pillars cracks under exploitation, conventional perimeter controls will not save you. This deep-dive explains which CVEs matter most, how attackers are already mapping paths to exploit them, and the precise order in which security teams should respond.
Office 365 remote-code traps: why simply previewing a document can compromise the tenant
Vulnerabilities that can hit Office 365 tenants

Microsoft fixed twenty-two Office-related CVEs this month, and several of them allow remote code execution when a victim merely previews an Office file in the Outlook Preview Pane; Microsoft lists the Preview Pane as an attack vector, so no click to open is required. Six of the bugs sit in shared Office code (CVE-2025-49697, 49695, 49696, 49702, 47994, 49699), four of them rated Critical.
Word, Excel and PowerPoint each receive their own RCE patches, while SharePoint Online closes two Internet-facing RCE holes plus a spoofing flaw. Even the Office add-in platform carries a security-feature bypass that can neutralize macro-blocking GPOs.
The takeaway is blunt: a single poisoned document dropped into a shared channel runs attacker code under the victim’s identity, with access to whatever Entra ID (Azure AD) tokens and cached credentials that session holds.
Because Microsoft 365 Apps for Enterprise update only when the client stays online long enough to download and apply the new build, kiosks, VDI golden images and rarely used laptops routinely miss the silent update window and become the softest targets for phishing crews.
Azure runtime flaws: Monitor Agent and Service Fabric weaken the cloud’s foundation
Vulnerabilities specific to Microsoft Azure services

Azure customers might breathe a sigh of relief at seeing only two Azure-labelled CVEs in the July list, but both live at the very base of cloud operations. CVE-2025-47988 targets the Azure Monitor Agent, which runs as SYSTEM on Windows and as root on Linux in every VM where Azure Monitor or Log Analytics is enabled.
Microsoft classes it as remote code execution, so a successful exploit means attacker code in that privileged context: an ideal beachhead for lateral movement across your subscription. CVE-2025-21195 hits the Service Fabric Runtime that underpins containers and microservices for first-party Microsoft apps and thousands of customer workloads.
Successful exploitation lets an attacker escalate privileges across the Service Fabric cluster, hopping from one node to the next until they reach data stores or management APIs you assumed were isolated.
Cloud defenders who rely on image-based rollouts must rebuild gold images fast, because extension autoupdate only touches agents already deployed on running VMs; a custom image sitting in your Azure Compute Gallery (formerly Shared Image Gallery) keeps whatever agent version was baked into it.
Identity and Access Management under siege: Kerberos, KDC Proxy, SPNEGO and friends
Vulnerabilities that directly affect Identity & Access Management

Nothing in July’s bundle is more dangerous than the pair of critical remote-code-execution bugs buried deep in Windows authentication. CVE-2025-49735 is an RCE in the KDC Proxy Service, Microsoft’s “Kerberos over HTTPS” feature that lets remote Windows clients obtain Kerberos tickets through TCP 443.
The service is reachable from outside the domain network by design, so an unauthenticated attacker who can reach it gains code execution on a host that sits directly on the identity path. CVE-2025-47981 lives in SPNEGO / NEGOEX, the mechanism that negotiates which authentication protocol Windows uses; it carries a CVSS 9.8 score and Microsoft’s “Exploitation More Likely” tag, and because Negotiate authentication is used across SMB, RDP, HTTP and RPC, the reachable surface is large.
Add an elevation-of-privilege flaw in CredSSP and denial-of-service weaknesses in Netlogon and the core Kerberos KDC, and you have a perfect storm: attackers can combine code execution on identity-tier hosts, credential abuse through CredSSP and controller-level DoS to own a hybrid environment or knock it offline at will.
Domain controllers, ADFS proxies and Azure AD Connect servers therefore become the highest-priority patch targets in any environment that still depends on Kerberos or NTLM, meaning practically every enterprise.
The ripple effect of delayed patching: From document preview to full domain compromise
Picture the kill chain.
A threat actor sends a finance-themed Word document carrying an exploit for CVE-2025-49703. A busy sales rep previews the file in Outlook on an unpatched laptop. The attacker’s code runs under the rep’s identity, harvests cached credentials and tokens, and pivots over RDP to a line-of-business server.
From there they reach TCP 443 on the KDC Proxy and use CVE-2025-49735 to run code on that host, which handles Kerberos traffic for every remote client. Credentials gathered there open the way to Domain Admin, and the SPNEGO RCE gives them a route onto any server that accepts Negotiate authentication, where backdoors follow.
Finally, the attacker crashes Netlogon, forcing help-desk staff into a frenzy of emergency resets while ransomware quietly encrypts file shares.
The gap between “harmless attachment” and “company-wide incident” is no longer measured in days but in hours, and every hour your patch deployment lags increases the odds of that scenario unfolding.
Remediation begins with a deceptively simple step: set a time-to-patch target for these CVEs that is measured in hours, not days, and hold your deployment to it.
A phased remediation plan that balances user impact and security urgency
Begin with user endpoints and Office 365 clients, because they are the easiest entry vector and the fastest to fix. Push the July Current Channel build through Intune, trigger an immediate update scan, and use an Intune compliance policy with Conditional Access to keep clients that still report a pre-July Office build away from sensitive resources.
Next move to domain controllers, KDC Proxy hosts and AD FS proxies. Schedule an after-hours maintenance window so the cumulative Windows update installs cleanly, then reboot: the Kerberos, SPNEGO and CredSSP fixes live in system DLLs that lsass and the KDC Proxy service keep loaded until restart. One reboot is enough; the check that matters afterwards is that no further reboot is pending.
Third, target the Azure Monitor Agent: run an Azure Policy compliance scan against the fixed agent version given in the CVE-2025-47988 advisory and let remediation tasks correct any drift automatically. If your estate uses Service Fabric, update the cluster runtime or node binaries and confirm cluster health in Service Fabric Explorer before resuming production traffic.
Only after these core layers are sealed should you circle back to lower-risk servers and ancillary workstations.
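The three tiers of the plan above are easy to declare done and hard to prove done. The following PowerShell is an added example, not code from the original article, that checks each tier after the updates are pushed: the installed Office build on an endpoint, KB presence plus pending-reboot state on the identity hosts, and the Azure Monitor Agent extension version on Azure VMs. Every value under “Assumed inputs” (the Office build, the KB number, host names, VM names and the fixed agent version) is a placeholder to replace with the numbers from Microsoft’s July 2025 advisories.

```powershell
# Added example (not code from the original article): post-patch verification for the
# three tiers of the plan above. Runs on Windows PowerShell 5.1 or PowerShell 7.
# Everything under "Assumed inputs" is a placeholder; take the real Office build,
# KB number and agent version from Microsoft's July 2025 advisories.

# ---- Assumed inputs (placeholders) ----
$MinOfficeVersion = [version]'16.0.18925.0'                              # assumed: first Current Channel build with the July fixes
$RequiredKbs      = @('KB0000000')                                       # assumed: July cumulative update for your DC OS version
$IdentityHosts    = @('dc01.corp.example', 'kdcproxy01.corp.example')    # assumed host names
$MonitoredVms     = @(@{ ResourceGroup = 'rg-prod'; Name = 'app-vm-01' }) # assumed Azure VMs
$MinAmaVersion    = [version]'1.0'                                       # assumed: fixed version from the CVE-2025-47988 advisory

# Tier 1 - Office: Microsoft 365 Apps record the installed Click-to-Run build in the registry.
function Test-OfficeBuild {
    param([Parameter(Mandatory)][version]$Minimum)
    $cfg = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction Stop
    $installed = [version]$cfg.VersionToReport
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Channel   = $cfg.UpdateChannel
        Installed = $installed
        Patched   = ($installed -ge $Minimum)
    }
}

# Tier 2 - Identity hosts: the KB must be installed AND no reboot may still be pending,
# because lsass and the KDC Proxy service (KPSSVC) keep the old DLLs loaded until restart.
function Test-IdentityHost {
    param([Parameter(Mandatory)][string[]]$ComputerName, [Parameter(Mandatory)][string[]]$Kb)
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$Kb) -ScriptBlock {
        param([string[]]$Kb)
        $present = @(Get-HotFix | Where-Object { $_.HotFixID -in $Kb })
        $pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                   (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
        $kps = Get-Service -Name KPSSVC -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Host            = $env:COMPUTERNAME
            KbInstalled     = ($present.Count -eq $Kb.Count)
            RebootPending   = $pending
            KdcProxyRunning = [bool]($kps -and $kps.Status -eq 'Running')
            Patched         = ($present.Count -eq $Kb.Count) -and -not $pending
        }
    }
}

# Tier 3 - Azure Monitor Agent (needs the Az.Compute module and a Connect-AzAccount session).
# VMs deployed from a gallery image carry whatever agent version was baked into the image until
# the extension is re-provisioned, which is exactly what this config-level check surfaces.
function Test-AmaVersion {
    param([Parameter(Mandatory)][hashtable[]]$Vm, [Parameter(Mandatory)][version]$Minimum)
    foreach ($v in $Vm) {
        $agents = Get-AzVMExtension -ResourceGroupName $v.ResourceGroup -VMName $v.Name |
                  Where-Object { $_.Publisher -eq 'Microsoft.Azure.Monitor' }
        foreach ($a in $agents) {
            [pscustomobject]@{
                Vm          = $v.Name
                Extension   = $a.ExtensionType        # AzureMonitorWindowsAgent / AzureMonitorLinuxAgent
                Version     = $a.TypeHandlerVersion   # configured handler version; (Get-AzVM -Status).Extensions shows the running one
                AutoUpgrade = $a.EnableAutomaticUpgrade
                Patched     = ([version]$a.TypeHandlerVersion -ge $Minimum)
            }
        }
    }
}

# Run order mirrors the plan: endpoints, identity tier, Azure runtime.
Test-OfficeBuild  -Minimum $MinOfficeVersion
Test-IdentityHost -ComputerName $IdentityHosts -Kb $RequiredKbs | Format-Table -AutoSize
Test-AmaVersion   -Vm $MonitoredVms -Minimum $MinAmaVersion    | Format-Table -AutoSize
```

Any host that reports KbInstalled but RebootPending is still running the vulnerable binaries and should not be counted as remediated; the same applies to a VM whose agent reports AutoUpgrade but a version below the fixed one, which is the signature of an image that was never re-provisioned.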
Hardening moves to apply while patches roll out
Patching is the first line of defense, not the last.
While staged deployments progress, reduce the attack surface with short-term controls. Disable KDC Proxy where nothing depends on it, and where it must stay up filter inbound TCP 443 on those hosts to the source ranges you fully trust. Enforce the “Block macros from running in Office files from the Internet” policy and quarantine any unsigned Office add-ins.
Turn on Safe Documents (a Defender for Office 365 capability included with Microsoft 365 E5) so that files opened in Protected View are scanned by Microsoft Defender for Endpoint before the user can leave Protected View, even on patched clients. For RDP, require Network Level Authentication, force the TLS security layer so there is no fallback to legacy RDP security, and restrict CredSSP delegation of default credentials to an explicit server list in Group Policy.
Finally, instrument your SIEM to flag bursts of Kerberos service-ticket requests (Security event 4769) from a single client, and rising authentication and SPNEGO negotiation failures on domain controllers and KDC Proxy hosts: classic indicators that someone is probing the very CVEs you are racing to close.
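The controls in the two paragraphs above map to a handful of firewall and registry settings. The following PowerShell is an added example, not code from the original article, that applies them on the relevant hosts: a service-scoped firewall rule for KDC Proxy, the Internet-macro block for Word, Excel and PowerPoint, NLA and TLS-only RDP, and a hard-coded CredSSP delegation list. The IP ranges and jump-host names are assumptions. On domain-joined machines the same settings should be delivered through GPO; the registry paths written here are the ones those policies write, so the script doubles as a way to verify what a GPO produced.

```powershell
# Added example (not code from the original article): the interim controls above as the
# commands an admin would run, or verify, on the affected hosts. IP ranges and host names
# are assumptions. Prefer GPO for domain-joined machines; these are the registry paths
# the corresponding policies write.

# --- KDC Proxy host: only trusted source ranges may reach the service on TCP 443 ---
$TrustedRanges = @('203.0.113.0/24', '198.51.100.0/24')   # assumed: VPN / corporate NAT egress ranges

# Windows Firewall applies Block rules before Allow rules, so do not add a blanket 443 block;
# rely on the profile default (inbound Block) plus one Allow rule scoped to the KDC Proxy service.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
Get-NetFirewallRule -DisplayName 'KDC Proxy (trusted ranges only)' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'KDC Proxy (trusted ranges only)' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 443 -Service KPSSVC -RemoteAddress $TrustedRanges -Profile Any | Out-Null

# Audit: any other enabled inbound Allow on TCP 443 would undo the restriction.
Get-NetFirewallPortFilter -Protocol TCP -LocalPort 443 | Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile, Enabled

# --- Office clients: block macros in files that came from the Internet (Word, Excel, PowerPoint) ---
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# --- RDP hosts: NLA required, TLS security layer only (no fallback to legacy RDP security) ---
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord   # 1 = NLA required
Set-ItemProperty -Path $rdp -Name SecurityLayer      -Value 2 -Type DWord   # 2 = TLS, 1 = Negotiate, 0 = RDP Security

# --- CredSSP: delegate default credentials only to an explicit server list, never a wildcard ---
$AllowedServers = @('TERMSRV/jump01.corp.example', 'TERMSRV/jump02.corp.example')   # assumed jump hosts
$cd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
Remove-Item -Path "$cd\AllowDefaultCredentials" -Recurse -Force -ErrorAction SilentlyContinue   # drop old or wildcard entries
New-Item -Path "$cd\AllowDefaultCredentials" -Force | Out-Null
Set-ItemProperty -Path $cd -Name AllowDefaultCredentials          -Value 1 -Type DWord
Set-ItemProperty -Path $cd -Name ConcatenateDefaults_AllowDefault -Value 1 -Type DWord
Set-ItemProperty -Path $cd -Name AllowDefCredentialsWhenNTLMOnly  -Value 0 -Type DWord   # never delegate over NTLM-only
$i = 1
foreach ($srv in $AllowedServers) {
    Set-ItemProperty -Path "$cd\AllowDefaultCredentials" -Name $i -Value $srv -Type String
    $i++
}
# Refuse CredSSP sessions with unpatched peers (Encryption Oracle Remediation: 0 = Force Updated Clients)
$eo = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
New-Item -Path $eo -Force | Out-Null
Set-ItemProperty -Path $eo -Name AllowEncryptionOracle -Value 0 -Type DWord

# Show the delegation list now in force (numbered string values under AllowDefaultCredentials)
Get-ItemProperty -Path "$cd\AllowDefaultCredentials" | Select-Object -Property * -ExcludeProperty PS*
```

The firewall section deliberately scopes the Allow rule to the KPSSVC service rather than to port 443 alone, so other HTTPS listeners on the same host keep their own rules; the audit query afterwards is there because a pre-existing broad “HTTPS-In” rule would silently override the restriction.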
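As an added example of the detection logic just described (not code from the original article), the PowerShell below buckets Kerberos service-ticket requests (Security event 4769) per client address and time window and flags either a burst of requests or a high failure ratio, which is how a scanner or ticket-abuse tool looks from the domain controller’s log. The thresholds are assumptions to tune against your own baseline, and the sample events at the bottom are constructed for the demo; the commented Get-WinEvent line is the live path.

```powershell
# Added example (not code from the original article): detection logic for the indicator above.
# Get-KerberosTgsSpike groups 4769 events per client and window and flags bursts or high failure
# ratios. Thresholds are assumptions; the sample events at the bottom are constructed for the demo.

function ConvertFrom-Event4769 {
    # Map live 4769 EventRecords to flat objects by EventData field name (robust across OS builds).
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord[]]$Record)
    foreach ($r in $Record) {
        $fields = @{}
        foreach ($d in ([xml]$r.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $r.TimeCreated
            IpAddress      = $fields['IpAddress']      # e.g. ::ffff:10.0.5.77
            Status         = $fields['Status']         # 0x0 = success, anything else is a TGS failure code
            ServiceName    = $fields['ServiceName']
            TargetUserName = $fields['TargetUserName']
        }
    }
}

function Get-KerberosTgsSpike {
    param(
        [Parameter(Mandatory)][object[]]$Events,  # objects with TimeCreated, IpAddress, Status
        [int]$WindowMinutes  = 5,
        [int]$BurstThreshold = 200,               # assumed: requests per client per window
        [int]$MinForRatio    = 20,                # ignore tiny samples for the ratio test
        [double]$FailureRatio = 0.5
    )
    $Events | Group-Object -Property {
        $t = $_.TimeCreated
        $m = [int][math]::Floor($t.Minute / $WindowMinutes) * $WindowMinutes
        '{0}|{1:yyyy-MM-ddTHH:mm}' -f $_.IpAddress, [datetime]::new($t.Year, $t.Month, $t.Day, $t.Hour, $m, 0)
    } | ForEach-Object {
        $client, $window = $_.Name -split '\|'
        $failed = @($_.Group | Where-Object { $_.Status -ne '0x0' }).Count
        $ratio  = if ($_.Count -gt 0) { $failed / $_.Count } else { 0 }
        $reason = if ($_.Count -ge $BurstThreshold) { 'burst' }
                  elseif ($_.Count -ge $MinForRatio -and $ratio -ge $FailureRatio) { 'failure-ratio' }
                  else { $null }
        [pscustomobject]@{
            Client   = $client
            Window   = $window
            Requests = $_.Count
            Failed   = $failed
            Reason   = $reason
        }
    } | Where-Object { $_.Reason }
}

# Live use (against a domain controller; the KDC Proxy only forwards, so 4769 is logged on the DC):
#   $live = Get-WinEvent -ComputerName dc01 -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-1) }
#   Get-KerberosTgsSpike -Events (ConvertFrom-Event4769 -Record $live)

# Constructed sample: one normal workstation, one host hammering the TGS with half its requests failing.
$t0 = Get-Date '2025-07-09T10:00:00'
$sample = @(
    1..30  | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_ * 8); IpAddress = '::ffff:10.0.1.20'; Status = '0x0' } }
    1..250 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_);     IpAddress = '::ffff:10.0.5.77'; Status = $(if ($_ % 2) { '0x0' } else { '0x1b' }) } }
)
Get-KerberosTgsSpike -Events $sample | Format-Table -AutoSize
```

Only the second host in the sample is reported, on the burst rule. Feed the same function with a lower BurstThreshold and a per-client baseline from a quiet week to turn it into a SIEM rule; the failure-ratio branch catches slower probing that never reaches the burst threshold.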
The cost of complacency: Lessons from previous Patch Tuesday laggards
Organizations that lagged on 2023’s Outlook Elevation-of-Privilege fix (CVE-2023-23397, patched in March 2023) learned the hard way that attackers weaponize Office flaws fast. The bug leaked a user’s NTLM hash when a crafted calendar item arrived, needed no user interaction, and was already being exploited before the patch shipped; Microsoft attributed that activity to the Russian state actor it tracks as Forest Blizzard (APT28).
Later that same year the Storm-0558 intrusion used forged authentication tokens to read mail at roughly two dozen organizations, a reminder that identity-layer weaknesses are hit just as quickly. Similar opportunistic crews will seize on July 2025’s Office and IAM bugs.
The direct costs of these situations - incident response, downtime, forensic retainers - can stretch into seven figures. Indirect costs such as regulatory penalties under GDPR or HIPAA, customer churn, and board-level reputational damage often dwarf the incident bill.
Investing a weekend in patch cycles and hardening is considerably cheaper than explaining to the C-suite why an RCE with a published fix was still present ten days after Microsoft released it.