🔒 Microsoft Issues Major Security Update – 130 Vulnerabilities Patched!

🔒 Microsoft Releases July 2025 Patch Tuesday Update — Fixes 130 Security Vulnerabilities Including Critical SQL Server Flaw

On July 9, 2025, Microsoft released this month’s Patch Tuesday update, addressing a total of 130 security vulnerabilities, including 10 rated as “Critical.” The updates span multiple key Microsoft products such as SQL Server, Windows, and Office (Word, PowerPoint, Excel).

Among the vulnerabilities, one is particularly relevant to PCI DSS compliance: CVE-2025-49719 (CVSS score: 7.5), an information disclosure vulnerability in Microsoft SQL Server. The flaw could potentially allow unauthorized attackers to read uninitialized memory, exposing sensitive data such as passwords or encryption keys.

 

According to Adam Barnett, Principal Software Engineer at Rapid7, while attackers might not immediately retrieve meaningful data, with skilled manipulation, it may be possible to extract critical information such as encryption keys.

Mike Walters, President of Action1, noted that the vulnerability may stem from insufficient input validation in SQL Server’s memory management, which allows access to uninitialized memory. This could lead to leakage of credentials, connection strings, or other sensitive information. Affected components include the SQL Server engine and applications using OLE DB drivers.

⚠️ Security experts strongly urge:
System administrators and IT teams should immediately deploy this update, especially for organizations running Microsoft SQL Server, to prevent the risk of widespread exploitation.

Source:

https://thehackernews.com/2025/07/microsoft-patches-130-vulnerabilities.html

https://krebsonsecurity.com/2025/07/microsoft-patch-tuesday-july-2025-edition/

#Microsoft #CyberSecurity #PatchTuesday #InfoSec #VulnerabilityManagement #PCI #SQLServer #WindowsSecurity


 

【Secure Vectors's Security Classroom】

📌 What is CVSS?

CVSS stands for the Common Vulnerability Scoring System. It’s a way to evaluate and rank reported vulnerabilities in a standardized and repeatable way. This score helps organizations prioritize their response to different security risks.
CVSS generates a score from 0 to 10 based on the severity of the vulnerability.
With 10 being the most critical, based on factors like how easily the vulnerability can be exploited, its potential impact on confidentiality, integrity, and availability, and the complexity of the attack.

RED Compliance Deadline: August 1, 2025 – What You Need to Know

All radio devices sold in the EU must meet new RED cybersecurity requirements by August 1, 2025. Learn what’s changing, who’s affected, and what to do if you miss the deadline.

The New RED Cybersecurity Deadline Is Approaching

From August 1, 2025, all radio equipment placed on the EU market must comply with the new cybersecurity requirements of the Radio Equipment Directive (RED) under Articles 3.3(d), 3.3(e), and 3.3(f).

Key Points:

  • Compliance is mandatory for manufacturers, importers, and distributors
  • EN 18031 is the harmonised standard for demonstrating compliance
  • Affected products include IoT devices, wearables, connected toys, childcare products, and any device processing personal or financial data

What Happens If I Miss the August 2025 Deadline?

Can I still sell my radio devices in the EU if they don’t comply by August 1, 2025?

No. After this date, non-compliant products cannot be placed on the EU market. Products already on the market before the deadline may remain, but new stock must meet the new requirements.

What are the risks of missing the deadline?

Market Access Loss: Products placed on the market before August 1st can continue to be used without specific adaptations. However, any new products—or new batches of existing products—must be compliant with the new requirements. Placing non-compliant products on the market after the deadline is illegal and carries significant risks:

  • Legal Penalties: Regulatory authorities may impose fines or sanctions..
  • Reputation Damage: Non-compliance can harm your brand and customer trust.
  • Increased Costs: Delays in certification can disrupt your supply chain and sales.

What should I do if I’m not ready?

Act fast

  • Contact Applus+ Laboratories immediately for a gap analysis
  • Begin the EN 18031 assessment process as soon as possible.
  • Prepare all required documentation and evidence for compliance.

How to Prepare for the Deadline

  • 1. Identify if your product is affected
  • 2. Perform a risk analysis assessment based on the product, its intended use and the applicability of RED DA (2022/30) Cybersecurity
  • 3. Conduct a gap analysis to assess current compliance status
  • 4. Implement necessary cybersecurity measures as per EN 18031
  • 5. Undergo official evaluation(self-assessment or Notified Body, as required)
  • 6. Update your Declaration of Conformity (DoC) and technical file
  • 7. Apply the CE marking and maintain compliance documentation

Don’t risk your market access.

Contact Secure Vectors Surveillance today to ensure your products are ready for the August 2025 RED cybersecurity deadline.