Programmer’s Digest #142

07/02/2025-07/09/2025 Microsoft Fixes 130 Security Flaws, CISA Flags Four Actively Exploited Old Vulnerabilities, Cisco Patches Critical Unified CM Flaw And More.

1. Microsoft Fixes 130 Security Flaws, Including Public SQL Server Bug

Microsoft’s July 2025 Patch Tuesday delivers fixes for 130 vulnerabilities, including a publicly disclosed SQL Server flaw (CVE-2025-49719, CVSS 7.5). Though not exploited in the wild, this bug allows unauthenticated information disclosure over the network. Users are urged to update SQL Server and related drivers. This release ends an 11-month streak without zero-day patches. About a dozen critical bugs were addressed, 10 of which enable remote code execution (RCE). High-priority fixes target NEGOEX, SharePoint, and the Kerberos Key Distribution Center proxy.

Office updates include patches for two local code execution flaws (CVE-2025-49695 and CVE-2025-49696). Another key fix is CVE-2025-49724—a use-after-free bug in Windows Connected Devices Platform, exploitable if Nearby Sharing is enabled and specific user actions occur.

Of the 130 bugs, 53 allow privilege escalation, 41 RCE, and others impact info disclosure, spoofing, and denial-of-service. Users are advised to update systems promptly.

2. Malicious Pull Request Targets 6,000+ Developers via Vulnerable Ethcode VS Code Extension

Researchers have uncovered a supply chain attack targeting the Visual Studio Code extension Ethcode, used to deploy Ethereum smart contracts. The extension, with over 6,000 installs, was compromised via a GitHub pull request by a newly created user, Airez299, on June 17, 2025. ReversingLabs found that the attacker slipped malicious code into 43 commits, including a hidden npm package, keythereum-utils. The package, now removed, downloaded an obfuscated payload via PowerShell. The goal may have been to steal crypto assets or tamper with contracts.

Microsoft removed Ethcode from its marketplace after responsible disclosure. The extension was later reinstated without the malicious dependency.

This attack highlights growing supply chain threats. In Q2 2025, over 16,000 malicious open-source packages were discovered, with many stealing credentials or damaging data. Meanwhile, fake Firefox extensions were also found redirecting users and stealing OAuth tokens, emphasizing the evolving risk in trusted developer tools and browser add-ons.

3. CISA Adds Four Older CVEs to Known Exploited Vulnerabilities List

On July 7, CISA added four vulnerabilities—dating back to 2014–2019—to its KEV catalog, urging federal agencies to patch them by July 28. Private organizations are strongly advised to follow suit.

Despite their age, two of the flaws are rated critical, showing that old vulnerabilities remain valuable targets for attackers. The bugs include:

  • CVE-2014-3931: MRLG buffer overflow (CVSS 9.8)
  • CVE-2016-10033: PHPMailer command injection (CVSS 9.8)
  • CVE-2019-5418: Ruby on Rails path traversal (CVSS 7.5)
  • CVE-2019-9621: Zimbra SSRF vulnerability (CVSS 7.5)

Trend Micro linked CVE-2019-9621 to Chinese threat actor Earth Lusca, and intelligence suggests renewed interest from state-backed groups.

Experts warn that threat actors prioritize impact over age, targeting internet-facing systems like email servers and web frameworks. Security teams should inventory legacy software, limit exposure of critical tools, and segment networks to reduce risk. Even decade-old flaws can be actively exploited if left unpatched.

4. Critical Cisco Vulnerability in Unified CM Grants Root Access via Static Credentials

Cisco has released a patch for a critical vulnerability (CVE-2025-20309, CVSS 10.0) in its Unified Communications Manager (Unified CM) and Session Management Edition (SME). The flaw, caused by hard-coded root credentials left from development, allows attackers to gain root access and execute arbitrary commands.
Cisco warns that exploitation could let attackers move laterally, intercept calls, or alter authentication settings. The flaw affects versions 15.0.1.13010-1 to 15.0.1.13017-1, regardless of configuration.

The flaw was discovered during internal testing, and there is no evidence of active exploitation. Cisco has shared indicators of compromise (IoCs), including log entries showing root access in /var/log/active/syslog/secure. Admins can retrieve that log from the Unified CM CLI with: cucm1# file get activelog syslog/secure
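A way to triage the retrieved log offline, as an added example that is not Cisco's tooling or guidance: it assumes the log uses the standard OpenSSH sshd line format and runs over constructed sample lines, flagging every accepted SSH authentication as root (the indicator Cisco's IoC points to) and counting them per source address.

```python
import re
from dataclasses import dataclass

# Constructed sample in OpenSSH sshd "secure" log style. The real file pulled with
# "file get activelog syslog/secure" may differ in layout (assumption).
SAMPLE_SECURE_LOG = """\
Jul  3 10:14:02 cucm1 sshd[2211]: Accepted password for admin from 10.10.5.20 port 50211 ssh2
Jul  3 10:15:40 cucm1 sshd[2290]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jul  3 10:15:44 cucm1 sshd[2290]: Accepted password for root from 198.51.100.7 port 41022 ssh2
Jul  3 10:16:01 cucm1 sshd[2290]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# Matches sshd authentication outcome lines (assumed OpenSSH format).
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass
class RootLogin:
    timestamp: str
    source: str
    method: str


def find_root_logins(log_text: str) -> list[RootLogin]:
    """Return every successful SSH authentication as root found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and m["result"] == "Accepted" and m["user"] == "root":
            hits.append(RootLogin(m["ts"], m["src"], m["method"]))
    return hits


def summarize(log_text: str) -> dict[str, int]:
    """Count accepted root logins per source address for a quick triage view."""
    counts: dict[str, int] = {}
    for hit in find_root_logins(log_text):
        counts[hit.source] = counts.get(hit.source, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_root_logins(SAMPLE_SECURE_LOG):
        print(f"{hit.timestamp}: root login via {hit.method} from {hit.source}")
```

Any hit on a patched or unpatched appliance warrants investigation, since interactive root SSH logins are not expected on Unified CM in normal operation.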

This patch follows recent fixes for two other critical flaws (CVE-2025-20281 and CVE-2025-20282) in Cisco Identity Services Engine products that also allowed root command execution.