Current events · 3 MIN READ · AARON WALTON, BEN NAHORNEY AND MATT JASTRAM · JUL 8, 2025 · TAGS: vulnerability prioritization
TL;DR
- We’re highlighting two Citrix NetScaler vulnerabilities that have been exploited in the wild.
- Microsoft fixed 137 CVEs this Patch Tuesday.
- You can use this blog as a guide when figuring out which vulnerabilities to patch first this month.
It’s the second Tuesday of the month—better known as Patch Tuesday!
This month, Microsoft has fixed 137 vulnerabilities, including 41 remote code execution (RCE) bugs. We’ll take a closer look at four items we think deserve priority. We’ll also take a deeper dive into the recent Citrix NetScaler vulnerabilities.
So let’s dive in!
Patch Tuesday: July 8, 2025
There are 14 critical vulnerabilities included within this month’s release of 137 CVEs. Here are a few we think should be patched as soon as possible:
- Microsoft SQL Server Information Disclosure Vulnerability (CVE-2025-49719): This vulnerability resides in the OLE DB driver used by SQL Server. So while it impacts Microsoft’s SQL Server, it can also impact any other application in your environment that has the OLE DB driver installed. The driver fails to validate input correctly, which lets an attacker read data left behind in memory, potentially including credentials and other application data. Patch the driver wherever it is installed, not just on the SQL Server hosts.
- SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability (CVE-2025-47981): If you aren’t familiar with terms like SPNEGO or NEGOEX, you aren’t alone. The important bit to know is that NEGOEX is part of the negotiation layer Windows uses to pick an authentication mechanism during single sign-on, so the vulnerable code runs before a user has proven who they are. An unauthenticated attacker who can reach an affected system over the network can trigger a buffer overflow and execute code on it, with no user interaction required.
- Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2025-49701 and CVE-2025-49704): Microsoft doesn’t disclose too many details, but someone with access to an account that is at least a SharePoint Site Owner can send data that causes the server to execute the attacker’s code. The practical risk is that someone with stolen or phished credentials can run code on your SharePoint Servers, so the patch matters even though the bugs aren’t unauthenticated.
- Windows Connected Devices Platform Service Remote Code Execution Vulnerability (CVE-2025-49724): This vulnerability takes advantage of a flaw in the Nearby Sharing feature in Windows 10 and 11. If an attacker sends specially crafted traffic to a Windows device that has Nearby Sharing enabled, then tricks a user into taking specific actions, they could execute code on that device. Beyond patching, it’s worth confirming Nearby Sharing is turned off on devices that don’t need it.
Exploit tales: Citrix NetScaler
The big news this month on the vulnerability front comes from vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway.
First, CVE-2025-6543 is a memory overflow vulnerability that can alter the appliance’s control flow or crash it, and it was already being exploited when Citrix disclosed it. In the case of these appliances, it’s particularly risky since they function as network gateways and handle user authentication, which puts them directly on the internet and in the path of every login.
Second, CVE-2025-5777 was also disclosed last month (June 2025), impacting the same devices. This vulnerability has been called CitrixBleed 2 due to its similarity to a 2023 vulnerability. For context, back in 2023, CVE-2023-4966 (an out-of-bounds memory read) was disclosed. If successfully exploited, it could cause NetScaler to expose, or “bleed,” session tokens and other sensitive information from memory to an unauthenticated attacker. As a result, this vulnerability was notoriously dubbed “CitrixBleed.” After its disclosure, the vulnerability was leveraged by several ransomware groups, as it provided them with quick access to potential victim networks. CVE-2025-5777 is the same class of bug: insufficient input validation lets an attacker read past the end of a buffer and recover session tokens, which can then be replayed to bypass MFA.
Patches have been released to address the new vulnerabilities, which we recommend installing as soon as possible. One caveat: because these bugs leak session tokens, patching alone doesn’t invalidate tokens an attacker has already captured. Citrix’s guidance is to terminate active ICA and PCoIP sessions after upgrading so stolen tokens can’t be replayed, and it’s worth reviewing gateway logs for sessions that were reused from unexpected IP addresses. If the appliances aren’t patched, the situation can go downhill fast, as it did in one incident we saw recently.
In the incident, bad actors managed to exploit one of these vulnerabilities and used the access it gave them to reach a virtual desktop infrastructure (VDI) client behind the gateway. This is really the power of the vulnerability: it turns an internet-facing appliance into a door straight into the targeted organization’s network, without needing a phishing email or a working password. Once the actor had access, they began their standard playbook to figure out what they had: running common enumeration commands such as `whoami` and `dsquery`, as well as using the Sysinternals tool AD Explorer to browse Active Directory.
After observing the attacker’s attempts to learn about the environment, our SOC immediately jumped in and contained the threat. This included disabling the compromised accounts, isolating the affected hosts, and blocking execution of the abused applications.
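The enumeration burst described above is a useful detection on its own: one account on one host running several discovery tools within a few minutes is unusual for a normal VDI user, even though each tool is legitimate. The script below is an added example, not Expel’s detection logic. It parses constructed process-creation records (written in the style of Windows 4688 / Sysmon event 1 data; the field layout, the tool watchlist, the 10-minute window and the threshold of three distinct tools are all assumptions you would tune to your own telemetry) and raises one alert per host/user pair that trips the threshold.

```python
"""Flag bursts of host/AD enumeration (whoami, dsquery, AD Explorer, ...)
by a single host/user pair within a short window.

Added example; not Expel's detection logic. The log lines, field names,
watchlist, window and threshold are all constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed watchlist: image name -> what it reveals to an attacker.
ENUM_TOOLS = {
    "whoami.exe": "current identity, groups and privileges",
    "dsquery.exe": "Active Directory objects over LDAP",
    "adexplorer.exe": "interactive AD browsing (Sysinternals AD Explorer)",
    "nltest.exe": "domain controllers and trusts",
    "net.exe": "local/domain groups, users and shares",
}
WINDOW = timedelta(minutes=10)   # assumed: how close together the tools must run
MIN_DISTINCT = 3                 # assumed: distinct tools needed to alert

# Assumed record layout: one event per line, key=value fields, quoted cmdline.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)

# Constructed sample data: an intruder on vdi-07 plus a benign admin elsewhere.
SAMPLE_LOG = r"""
2025-07-01T09:58:40Z host=vdi-07 user=CORP\jdoe image=C:\Windows\System32\whoami.exe cmdline="whoami /all"
2025-07-01T10:01:12Z host=vdi-07 user=CORP\jdoe image=C:\Windows\System32\dsquery.exe cmdline="dsquery user -limit 0"
2025-07-01T10:03:05Z host=vdi-07 user=CORP\jdoe image=C:\Users\jdoe\Downloads\ADExplorer.exe cmdline="ADExplorer.exe"
2025-07-01T10:04:30Z host=vdi-07 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline="net group /domain"
2025-07-01T11:20:00Z host=admin-ws user=CORP\ops image=C:\Windows\System32\whoami.exe cmdline="whoami"
2025-07-01T11:21:00Z host=admin-ws user=CORP\ops image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    image: str      # lower-cased file name only, e.g. "whoami.exe"
    cmdline: str


def parse(line):
    """Turn one log line into an Event, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    image = m["image"].rsplit("\\", 1)[-1].lower()  # strip path, normalise case
    return Event(ts, m["host"], m["user"], image, m["cmdline"])


def find_enum_bursts(lines):
    """Return one alert dict per (host, user) that ran >= MIN_DISTINCT
    different watchlisted tools inside any WINDOW-long span."""
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev.image in ENUM_TOOLS:
            by_actor[(ev.host, ev.user)].append(ev)

    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):        # slide the window over each start
            window = [e for e in evs[i:] if e.ts - start.ts <= WINDOW]
            tools = sorted({e.image for e in window})
            if len(tools) >= MIN_DISTINCT:
                alerts.append({
                    "host": host,
                    "user": user,
                    "first_seen": start.ts,
                    "tools": tools,
                    "commands": [e.cmdline for e in window],
                })
                break  # one alert per actor; analysts pivot from there
    return alerts


if __name__ == "__main__":
    for a in find_enum_bursts(SAMPLE_LOG.splitlines()):
        print(f"{a['first_seen']:%Y-%m-%d %H:%M} {a['user']} on {a['host']}: "
              f"{len(a['tools'])} enumeration tools -> {', '.join(a['commands'])}")
```

Run against the sample, the script alerts on `CORP\jdoe` on `vdi-07` (four watchlisted tools in under six minutes) and stays quiet for the admin who ran a single `whoami`. Expect noise from help-desk and AD admin workstations; the usual fix is to exempt those hosts or raise the threshold for them rather than loosen the rule everywhere.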
That’s it for this month’s Patch Tuesday. If you’d like to learn more about Expel Vulnerability Prioritization, which can provide further context for your environment, drop us a line. See you next month!