Microsoft Discloses 12 ‘Critical’ Vulnerabilities, More SharePoint Flaws

Microsoft released fixes Tuesday for 107 newly disclosed software vulnerabilities, including 12 critical-severity flaws affecting its products.

The assortment of new CVEs (Common Vulnerabilities and Exposures) disclosed by Microsoft also includes two SharePoint Server flaws that are listed as “important” in terms of severity. The flaws received patches as part of Microsoft’s monthly release of software bug fixes, unofficially known as “Patch Tuesday.”

The disclosure of the remote-code execution and privilege-elevation vulnerabilities impacting SharePoint follows the wave of attacks targeting on-premises SharePoint Server customers in July. The widespread attacks—some of which have been linked to China-based threat actors—exploited SharePoint Server flaws to deliver ransomware and conduct espionage operations, according to researchers.

The pair of new SharePoint vulnerabilities addressed by Microsoft Tuesday includes a remote-code execution flaw tracked as CVE-2025-49712, which Microsoft did not list as having been exploited so far. The flaw received a severity score of 8.8 out of 10.0, just below the threshold of being considered “critical.”

“While this bug is not listed as under active attack, it is the same type of bug used in the second stage of existing exploits,” wrote Dustin Childs, head of threat awareness for Trend Micro’s Zero Day Initiative, in a blog post.

The second new SharePoint flaw (tracked as CVE-2025-53760) can enable elevation of privileges and received a severity score of 8.2 out of 10.0.

The dozen new critical vulnerabilities, meanwhile, include flaws affecting Microsoft Office, Word, Windows Hyper-V, Windows NTLM, Windows GDI+, Azure Stack Hub, DirectX Graphics Kernel and Message Queuing. Eight of the bugs could potentially be exploited to remotely execute code, according to Microsoft.
