heise PlusAbo
Anzeige

Patchday: Microsoft closes $100,000 gap in SharePoint from hacker competition

Update collection published: To prevent attacks, admins should ensure that their Microsoft products are up to date.

listen Print view

(Image: heise online)

2 min. read
Security
By

Microsoft is closing several security gaps in its software portfolio. Of these, the hardware and software developer classifies several vulnerabilities as “critical”. In many cases, malicious code can completely compromise computers.

A vulnerability (CVE-2025-49719 “high”) in Microsoft SQL Server is publicly known, and attacks may be imminent. According to the description of the vulnerability, attackers can use it without authentication to access information that is actually protected via a network. The versions protected against this are listed in an article.

Microsoft classifies numerous malicious code gaps that attackers should be able to exploit remotely as “critical,” even if the CVE rating is lower. Among others, Office (e.g., CVE-2025-49695 “high”), SharePoint (CVE-2025-49704 “high”), and Hyper-V (CVE-2025-48822 “high”) are affected. However, according to Microsoft, the Office security updates are not yet fully available. However, they should follow as soon as possible.

The aforementioned SharePoint vulnerability was discovered by security researchers during the Pwn2Own hacker competition in Berlin. They received a prize of 100,000 US dollars for their efforts. 

Videos by heise

Attackers can also exploit software vulnerabilities in BitLocker, Edge, and various Windows components, such as the kernel. At these points, they can gain higher user rights or cause services to crash via a DoS attack.

Repairs and enhanced protection

With the current updates, the developers are repairing a firewall error and the update preview that were broken by the patchday in June. Microsoft has also restored the Windows Recovery Environment update under Windows 10 and Server 2022, which was broken in the April updates.

Kerberos authentication has also been hardened. Since July 8, 2025, only certificates signed by certificate issuers that are part of the NTAuth store are considered trusted by default. Until October 14, 2025, admins can still bypass this via the registry entry AllowNtAuthBypass. From the last date mentioned, this will no longer be possible.

Microsoft lists further information on all gaps closed on this patchday in the Security Update Guide.

(des)

Don't miss any news – follow us on Facebook, LinkedIn or Mastodon.

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.

Beliebte Bestenlisten

Alle Angebote
Newsletter heise-Bot heise-Bot Push Nachrichten Push Push-Nachrichten