The 130 CVEs (Common Vulnerabilities and Exposures) disclosed in Microsoft’s monthly release of security fixes includes a remote code execution flaw that ‘definitely’ should be prioritized for patching, writes Trend Micro’s Dustin Childs.
The huge quantity of CVEs (Common Vulnerabilities and Exposures) disclosed by Microsoft Tuesday includes a critical-severity remote code execution flaw that should be given a high priority for patching, according to a Trend Micro researcher.
The flaws received patches as part of Microsoft’s monthly release of software bug fixes, unofficially known as “Patch Tuesday.”
[Related: 5 Things To Know On The SafePay Ransomware Group]
Microsoft released fixes for a total of 130 CVEs on Tuesday, a “whopping” number of patches for a single month, wrote Dustin Childs, head of threat awareness for Trend Micro’s Zero Day Initiative, in a blog post.
As usual, the patches address vulnerabilities that affect numerous Microsoft product categories including Windows, Office, Azure, .NET, Visual Studio, Windows BitLocker, Windows Hyper-V and Microsoft Edge.
Among the highest-risk flaws is a Windows remote code execution vulnerability (tracked at CVE-2025-47981) that “many will be talking about” in the security community for a number of reasons, Childs wrote in the post.
That’s because the flaw “allows remote, unauthenticated attackers to execute code simply by sending a malicious message to an affected system,” he wrote. “Since there’s no user interaction, and since the code executes with elevated privileges, this bug falls into the wormable class of bugs.”
Additionally, Microsoft “gives this [flaw] its highest exploitability index rating, which means they expect attacks within 30 days,” Childs wrote. “Definitely test and deploy these patches quickly.”
The vulnerability has received a severity rating of 9.8 out of 10.0.
In total, 10 of the newly disclosed vulnerabilities patched in the software updates Tuesday are rated as “critical” issues in terms of severity, he noted.
Other critical vulnerabilities disclosed Tuesday include remote code execution flaws affecting Microsoft Office, SharePoint and SQL Server.
Those flaws include a SharePoint remote code execution vulnerability (tracked at CVE-2025-49704) with a severity rating of 8.8 of out 10.0, as well as a SQL Server remote code execution vulnerability (tracked at CVE-2025-49717) with a severity rating of 8.5 out of 10.0.
