Microsoft Discloses 12 ‘Critical’ Vulnerabilities, More SharePoint Flaws

The 107 vulnerabilities addressed in Microsoft’s monthly release of security fixes include a pair of new SharePoint Server flaws.

Microsoft released fixes Tuesday for 107 newly disclosed software vulnerabilities, including 12 critical-severity flaws affecting its products.

The assortment of new CVEs (Common Vulnerabilities and Exposures) disclosed by Microsoft also includes two SharePoint Server flaws that are listed as “important” in terms of severity. The flaws received patches as part of Microsoft’s monthly release of software bug fixes, unofficially known as “Patch Tuesday.”

[Related: ‘Patching Is Not Enough’ With Microsoft SharePoint Server Attacks: Experts]

The disclosure of the remote-code execution and privilege-elevation vulnerabilities impacting SharePoint follows the wave of attacks targeting on-premises SharePoint Server customers in July. The widespread attacks—some of which have been linked to China-based threat actors—exploited SharePoint Server flaws to deliver ransomware and conduct espionage operations, according to researchers.

The pair of new SharePoint vulnerabilities addressed by Microsoft Tuesday includes a remote-code execution flaw tracked as CVE-2025-49712, which Microsoft did not list as having been exploited so far. The flaw received a CVSS severity score of 8.8 out of 10.0, just below the 9.0 threshold at which a flaw is considered “critical.”

“While this bug is not listed as under active attack, it is the same type of bug used in the second stage of existing exploits,” wrote Dustin Childs, head of threat awareness for Trend Micro’s Zero Day Initiative, in a blog post.

The second new SharePoint flaw (tracked as CVE-2025-53760) can enable elevation of privilege and received a severity score of 8.2 out of 10.0.

The dozen new critical vulnerabilities, meanwhile, include flaws affecting Microsoft Office, Word, Windows Hyper-V, Windows NTLM, Windows GDI+, Azure Stack Hub, DirectX Graphics Kernel and Message Queuing. Eight of the bugs could potentially be exploited to remotely execute code, according to Microsoft.

The critical Windows GDI+ bug (tracked as CVE-2025-53766) was reported by a Check Point researcher and can “allow attackers to execute arbitrary code on the affected system, effectively giving them the ability to run any malicious software they choose,” Check Point Research wrote in a post. “This could include installing remote control tools or launching other damaging attacks, leading to a full system compromise.”

Check Point researchers discovered a total of six Windows vulnerabilities that were addressed by Microsoft Tuesday, according to the post. Among the other flaws was “what is probably the first-ever publicly disclosed security flaw in a Rust-based component of the Windows kernel,” Check Point researchers wrote in the post.

On the whole, the “whopping” 107 new vulnerabilities disclosed Tuesday “puts Microsoft slightly ahead of where they were last year in terms of volume,” wrote Trend Micro’s Childs. “In fact, this year is the largest volume of fixes from Redmond since 2020, although it’s unlikely they will eclipse that total.”