July Patch Tuesday is a sizable one, but it brings no significant security risk. Microsoft resolved 130 new CVEs, including one public disclosure. There are seven additional CVEs from MITRE regarding vulnerabilities in Git resolved through the Visual Studio update this month. Fourteen CVEs are rated Critical by Microsoft, affecting Windows OS, Office, SharePoint, and SQL.

The DHCP issue caused by the June 2025 update appears to be resolved. It is not reported as a known issue for Windows OS KBs, and some quick querying through Gemini agrees that the issue appears to be resolved.

Gemini’s response to the query is below:

July update server DHCP issue resolved

Yes, according to information available on July 8, 2025, Microsoft has resolved the DHCP server issue that was caused by the June 2025 security updates.

Key points:

  • June 2025 updates caused the problem: Microsoft's June 2025 Patch Tuesday updates introduced a bug that could cause the DHCP service to freeze or stop responding on Windows Server 2016 through 2025. This issue prevented some clients from renewing their IP addresses.
  • Fix released in July updates: Microsoft released Windows updates on July 8, 2025, and subsequent updates that resolve this issue.
  • Workaround before the fix: Before the July updates were available, the recommended workaround was to uninstall the affected June updates and restart the server, but this left systems vulnerable to security threats patched in those updates.

The Windows Server OS updates this month resolve 16 CVEs in Windows Routing and Remote Access Service (RRAS). An unauthenticated attacker could convince a user to initiate a connection to a malicious server, which could then allow the attacker to execute arbitrary code. The attack would require no privileges and could be exploited over the network. Applying the updates to the OS is the best solution, but additional mitigations can limit exposure: restricting RRAS ports to trusted networks or VPN concentrators, employing firewall rules, and disabling unused RRAS features.
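One way to check the RRAS exposure described above on a server, as an added PowerShell example that is not Microsoft's or Ivanti's own code. The port list is an assumption (the usual PPTP, L2TP, SSTP and IKE/NAT-T ports) and should be adjusted to the protocols actually in use.

```powershell
# Added example (not vendor code): audit RRAS exposure on a Windows Server.
# Run from an elevated PowerShell session; it only reads state.
# Assumption: these are the ports your RRAS VPN protocols use; adjust as needed.
$rrasPorts = @(
    @{ Protocol = 'TCP'; Port = '1723' }   # PPTP control channel
    @{ Protocol = 'UDP'; Port = '1701' }   # L2TP
    @{ Protocol = 'TCP'; Port = '443'  }   # SSTP (also matches ordinary HTTPS rules)
    @{ Protocol = 'UDP'; Port = '500'  }   # IKE
    @{ Protocol = 'UDP'; Port = '4500' }   # IPsec NAT traversal
)

# 1. Is the RRAS service present, and is it enabled or running?
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($svc) {
    "RRAS service: Status=$($svc.Status) StartType=$($svc.StartType)"
} else {
    'RRAS service (RemoteAccess) not found on this host.'
}

# 2. Which enabled inbound allow rules open an RRAS port to any remote address?
#    Only exact port entries are matched; ranges and 'Any' port rules are skipped.
$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    foreach ($p in $rrasPorts) {
        if ($portFilter.Protocol -eq $p.Protocol -and
            $portFilter.LocalPort -contains $p.Port -and
            $addrFilter.RemoteAddress -contains 'Any') {
            [pscustomobject]@{
                Rule     = $rule.DisplayName
                Protocol = $p.Protocol
                Port     = $p.Port
                Profile  = $rule.Profile
            }
        }
    }
}

if ($findings) {
    'Inbound rules exposing RRAS ports to any remote address:'
    $findings | Sort-Object Port, Rule | Format-Table -AutoSize
} else {
    'No enabled inbound allow rule exposes the listed RRAS ports to any remote address.'
}
```

A rule flagged here can be narrowed to trusted ranges with `Set-NetFirewallRule -RemoteAddress`, and a service that is running without a configured RRAS role is a candidate for disabling.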

Developers have a bit of work to do on their side this month. Microsoft resolved seven CVEs in Git and two additional CVEs that require a Visual Studio update.

Microsoft’s publicly disclosed vulnerabilities

Microsoft has resolved an Information Disclosure in Microsoft SQL (CVE-2025-49719), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important, and it has a CVSS v3.1 score of 7.5. The code maturity is unproven, which would indicate no code samples. A risk-based prioritization methodology would warrant treating this as Important.

Third-party vulnerabilities

Google Chrome resolved its fourth zero-day exploit on June 30, so from a risk-based prioritization perspective, Chrome and Edge updates take the focus leading up to Patch Tuesday. CVE-2025-6554 was resolved in build 138.9.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac and 138.0.7204.92 for Linux, which Google indicated would roll out over the coming days/weeks.

Ivanti security advisory

Ivanti has released three updates for July Patch Tuesday resolving a total of 11 CVEs. The affected products include Ivanti Connect Secure and Policy Secure, Ivanti EPMM and Ivanti EPM.

For more details, you can view the updates and information provided in the July Security Update on the Ivanti blog.

July update priorities

  • The Google Chrome and Microsoft Edge browsers are the top priority this month. Ensure you have deployed the latest updates to resolve the zero-day exploit (CVE-2025-6554) that was identified on June 30.
  • Windows Server OS updates are likely the biggest security priority this month, especially for those who experienced the DHCP issues after the June update and had to uninstall the June update.