
Microsoft patched 137 vulnerabilities in July

This month, Microsoft closed 137 vulnerabilities as part of its monthly Patch Tuesday release. None of them was known to be under active attack at the time of disclosure. One, however, a flaw in Microsoft SQL Server, was publicly known before the patch shipped and therefore counts as a zero-day.


Critical Vulnerabilities Summary

In total, Microsoft resolved 14 critical severity vulnerabilities during this update cycle. Ten of these issues allow for remote code execution (RCE), one involves information disclosure, and two relate to side-channel attacks affecting AMD processors.

AMD Microarchitectural Vulnerabilities Exposed via TSA Attacks

Advanced Micro Devices (AMD) has disclosed a new class of microarchitectural attacks called Transient Scheduler Attacks (TSA). These attacks let an adversary bypass the CPU's isolation mechanisms and infer data processed in a different security context: an unprivileged process may infer data handled by the kernel, and one virtual machine may infer data belonging to another virtual machine on the same physical host.

Discovery and Research Background

Researchers from Microsoft and ETH Zurich identified these vulnerabilities during the development of a toolkit designed to test microarchitectural isolation across distinct security domains. These domains include the kernel, virtual machines, and separate processes running on the same system.

Technical Mechanism of TSA

A TSA attack exploits timing differences in instruction execution that depend on the state of internal CPU structures. When the processor expects a memory load to complete quickly, for example because it predicts that the data is in the L1 data cache, it may mark the load as complete before the data has actually arrived. If the data then fails to arrive as expected, the load enters what AMD calls a "false completion" state.

In this state the scheduler has already dispatched the instructions that depend on the load, using whatever value was forwarded for it. The processor later discards that result and replays the load once valid data is available, but it does not flush the pipeline at the moment the false completion is detected.

The dependent instructions therefore execute, transiently, on stale or incorrect data. Unlike classic cache side channels, they leave no trace in the cache or the Translation Lookaside Buffer (TLB); what changes is the timing of subsequent instructions. By measuring execution times, an attacker can infer the residual data that this transient execution picked up from microarchitectural structures.

Identified Vulnerabilities

Based on where the leaked data originates, researchers identified two specific vulnerabilities:

  • CVE-2024-36350 (TSA-SQ): data leaks through the Store Queue, the buffer that holds pending write operations. An attacker can recover the data of earlier store instructions, including stores made by a more privileged context.
  • CVE-2024-36357 (TSA-L1): data leaks through the L1 Data Cache (L1D), exposing memory contents recently handled by the core.

Affected Processor Families

These vulnerabilities affect AMD processors in Family 19h, that is, parts based on the Zen 3 and Zen 4 microarchitectures. Impacted models include:

  • AMD Ryzen 5000/6000/7000/8000 series
  • AMD EPYC Milan/Milan-X/Genoa/Genoa-X/Bergamo/Siena
  • AMD Instinct MI300A
  • AMD Ryzen Threadripper PRO 7000 WX
  • AMD EPYC Embedded 7003/8004/9004/97X4
  • AMD Ryzen Embedded 5000/7000/V3000

Mitigation

AMD's fix is a firmware update that it has delivered to OEMs for integration into their platform firmware; the December firmware release contains the changes needed to block exploitation of the TSA vulnerabilities.

Patches have also been submitted to the Linux kernel. A kernel command-line option, “tsa=off”, lets administrators disable the protection if its performance cost becomes a concern.

The Xen hypervisor has likewise integrated protections against TSA-based attacks.

Neither half is sufficient on its own: effective mitigation requires both the firmware update and the protection feature being enabled at the operating-system or hypervisor level.
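A practitioner's first question after reading the above is "is my host actually covered?" The following POSIX sh helper is an added example written for this article; it is not code from AMD, from the Linux kernel project, or from the original post. It assumes that the kernel's TSA patches expose a status file at /sys/devices/system/cpu/vulnerabilities/tsa in the kernel's usual "Not affected" / "Vulnerable ..." / "Mitigation: ..." form, that a status mentioning "no microcode" means the kernel-side protection is present but the firmware half is missing, and that the boot command line may carry the “tsa=off” switch mentioned above. The exact status strings are assumptions, so the matching is deliberately loose and case-insensitive.

```shell
#!/bin/sh
# Added example (not from the article, AMD, or the Linux kernel project):
# report whether a Linux host has both halves of the TSA mitigation in place.
#
# Assumptions (not stated by the article):
#  - the kernel exposes /sys/devices/system/cpu/vulnerabilities/tsa with the
#    usual "Not affected" / "Vulnerable..." / "Mitigation: ..." wording;
#  - a status containing "no microcode" (any case) means the kernel tried to
#    mitigate but the firmware/microcode half is missing;
#  - "tsa=off" on the kernel command line disables the protection.

TSA_SYSFS="${TSA_SYSFS:-/sys/devices/system/cpu/vulnerabilities/tsa}"
CMDLINE_FILE="${CMDLINE_FILE:-/proc/cmdline}"

# classify_tsa STATUS_STRING -> not-affected | mitigated | vulnerable | unknown
classify_tsa() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# tsa_state FILE -> classification of FILE's contents, or "absent" when the
# running kernel predates the mitigation and has no tsa entry at all.
tsa_state() {
    if [ -r "$1" ]; then
        classify_tsa "$(cat "$1")"
    else
        echo "absent"
    fi
}

# missing_microcode STATUS_STRING -> "yes" when the kernel reports that the
# firmware half of the fix is not loaded (case-insensitive match).
missing_microcode() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *"no microcode"*) echo "yes" ;;
        *)                echo "no" ;;
    esac
}

# tsa_disabled_by_cmdline CMDLINE_STRING -> "yes" if the operator turned the
# protection off with tsa=off (whole-word match, so "tsa=off2" does not count).
tsa_disabled_by_cmdline() {
    for word in $1; do
        [ "$word" = "tsa=off" ] && { echo "yes"; return; }
    done
    echo "no"
}

# report -> one line per check on the live host; always succeeds so it can be
# run under `set -e` on a host that has no tsa entry.
report() {
    status=""
    [ -r "$TSA_SYSFS" ] && status=$(cat "$TSA_SYSFS")
    cmdline=""
    [ -r "$CMDLINE_FILE" ] && cmdline=$(cat "$CMDLINE_FILE")

    printf 'tsa sysfs state   : %s\n' "$(tsa_state "$TSA_SYSFS")"
    printf 'raw status        : %s\n' "${status:-<none>}"
    printf 'microcode missing : %s\n' "$(missing_microcode "$status")"
    printf 'tsa=off on cmdline: %s\n' "$(tsa_disabled_by_cmdline "$cmdline")"
    return 0
}

report

# Constructed sample status (not captured from a real host) showing the case
# the article warns about: kernel-side protection present, firmware missing.
SAMPLE_STATUS='Vulnerable: No microcode'
printf 'sample "%s" -> %s, microcode missing: %s\n' "$SAMPLE_STATUS" \
    "$(classify_tsa "$SAMPLE_STATUS")" "$(missing_microcode "$SAMPLE_STATUS")"
```

Run it as root on each host after the firmware and kernel updates; a host is only covered when the state is "mitigated", microcode is not reported missing, and “tsa=off” is absent from the command line. An "absent" state means the running kernel does not carry the TSA patches at all, which is a different gap from a missing firmware update.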

Zero-Day Vulnerability in Microsoft SQL Server

The only zero-day vulnerability this month exists in Microsoft SQL Server. Microsoft defines a zero-day as a vulnerability that becomes public before a patch is available or one actively exploited in the wild. CVE-2025-49719 falls into the first category as a publicly disclosed issue prior to patch availability.

CVE-2025-49719 is an information disclosure flaw in Microsoft SQL Server. A remote, unauthenticated attacker could exploit this vulnerability to access data from uninitialized memory. Microsoft explains that improper input validation in SQL Server enables unauthorized attackers to disclose sensitive information.

Administrators can mitigate this risk by updating to the latest version of Microsoft SQL Server and using Microsoft OLE DB Driver 18 or 19.

Remote Code Execution Issues in Microsoft Office

Microsoft also fixed several critical RCE bugs in Microsoft Office: CVE-2025-49695, CVE-2025-49696, CVE-2025-49697 and CVE-2025-49702. A victim only needs to open a malicious document, or merely view it in the Preview Pane, to trigger them; no further user interaction is required.

Currently, patches for these vulnerabilities are not yet available in Microsoft Office LTSC for Mac 2021 and 2024. Microsoft expects to release updates for these versions shortly.

Remote Code Execution Vulnerability in Microsoft SharePoint

Microsoft patched a critical RCE vulnerability in SharePoint (CVE-2025-49704). An authenticated attacker, that is, one holding a valid account on the platform, can exploit it remotely over the network.

Highest Severity Bug This Month

The highest CVSS score this month went to CVE-2025-47981, rated 9.8. It is a heap-based buffer overflow in Microsoft's SPNEGO Extended Negotiation (NEGOEX) security mechanism, the extension to the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) used during authentication; an unauthenticated attacker can trigger it over the network to achieve remote code execution without any user interaction.

Positive Technologies Contribution

Representatives from Positive Technologies reported that Marat Gayanov, a specialist from the company, contributed to resolving one of the vulnerabilities addressed in July. The vulnerability, identified as CVE-2025-49686, received a CVSS score of 7.8.

This bug resides in the NTFS file system components. It allows an attacker to bypass Windows defense mechanisms. A potential victim only needs to open a specially crafted virtual disk for the attacker to gain full control of the system.

Gayanov explained that exploitation of CVE-2025-49686 does not require privilege escalation or special access rights. An attacker must trick a user into running a malicious program that exploits a network driver vulnerability. Due to incorrect pointer handling, this flaw could cause application crashes and system instability, limiting access to corporate resources and potentially disrupting business operations.


Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.
