Microsoft Discloses RCE Flaws in SPNEGO NEGOEX and SQL Server Native Client
Microsoft published security advisories for two remote code execution vulnerabilities affecting distinct enterprise components: CVE-2025-47981 in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism and CVE-2024-49008 in SQL Server Native Client. Both issues were listed in the Microsoft Security Update Guide as remote code execution flaws, indicating that successful exploitation could allow arbitrary code to run in the context of the targeted component.
The disclosures highlight risk across both authentication infrastructure and database connectivity software commonly used in Windows environments. Organizations relying on Microsoft authentication mechanisms or legacy SQL Server client components should review the relevant advisories, identify exposed systems, and prioritize vendor updates to reduce the chance of compromise through unpatched RCE paths.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes advisory for CVE-2025-47981
Microsoft added CVE-2025-47981, a SPNEGO Extended Negotiation (NEGOEX) Security Mechanism remote code execution vulnerability, to its Security Update Guide. This marks public disclosure of the vulnerability and related remediation guidance.
Microsoft publishes advisory for CVE-2024-49008
Microsoft added CVE-2024-49008, a SQL Server Native Client remote code execution vulnerability, to its Security Update Guide. This indicates public disclosure of the vulnerability and associated security update information.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2025-47981 - Security Update Guide - Microsoft - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2024-49008 - Security Update Guide - Microsoft - SQL Server Native Client Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Discloses Remote Code Execution Flaws in Remote Desktop and RPC Components
Microsoft published security advisories for multiple remote code execution vulnerabilities affecting **Remote Desktop Client**, **Remote Desktop Protocol**, and the **Remote Procedure Call (RPC) Runtime**. The referenced issues include `CVE-2025-58718` in the Remote Desktop Client, alongside earlier Microsoft advisories for `CVE-2022-21851` in the Remote Desktop Client, `CVE-2022-21893` in Remote Desktop Protocol, and `CVE-2022-21922` in the RPC Runtime. The advisories indicate continued security risk around core Windows remote access and interprocess communication components that are widely used in enterprise environments. For defenders, the common thread is exposure to **remote code execution** in services and clients tied to remote connectivity, making Microsoft’s security updates for these CVEs a priority for systems that rely on RDP and RPC functionality.
May 25, 2026
Microsoft Patched Multiple SQL Server Client and Component Flaws
Microsoft disclosed a broad set of vulnerabilities affecting the SQL Server ecosystem, including **remote code execution**, **elevation of privilege**, and **information disclosure** issues across **SQL Server Native Client**, **Microsoft ODBC Driver for SQL Server**, core **Microsoft SQL Server** components, and `Microsoft.SqlServer.XEvent.Configuration.dll`. The largest group of advisories covered SQL Server Native Client RCE flaws, including `CVE-2024-38255`, `CVE-2024-43459`, `CVE-2024-43462`, `CVE-2024-48993`, `CVE-2024-48995`, `CVE-2024-48996`, `CVE-2024-48997`, `CVE-2024-48998`, `CVE-2024-48999`, `CVE-2024-49000`, `CVE-2024-49004`, `CVE-2024-49005`, and `CVE-2024-49007`. Microsoft also listed `CVE-2024-49043` as an RCE flaw in `Microsoft.SqlServer.XEvent.Configuration.dll` and earlier ODBC driver RCE bugs `CVE-2023-36730` and `CVE-2023-36785`. Additional SQL Server issues included Native Scoring RCE vulnerabilities `CVE-2024-26186` and `CVE-2024-37338`, Native Scoring information disclosure flaws `CVE-2024-37342` and `CVE-2024-37966`, SQL Server elevation of privilege bugs `CVE-2024-37965`, `CVE-2024-37341`, `CVE-2024-37980`, and `CVE-2026-26116`, plus a general SQL Server information disclosure issue tracked as `CVE-2024-43474`. The disclosures show Microsoft addressing repeated attack surface in SQL Server connectivity layers and supporting components, underscoring the need for organizations running SQL Server clients, drivers, and related libraries to prioritize vendor updates across both server-side and workstation-deployed software.
May 25, 2026
Microsoft Discloses Windows RCE Flaws in Scripting Languages and URL Parsing
Microsoft published Security Update Guide entries for two Windows remote code execution vulnerabilities affecting different core components: **CVE-2022-41118** in **Windows Scripting Languages** and **CVE-2025-59295** in **Windows URL Parsing**. Both advisories classify the issues as remote code execution flaws, indicating that successful exploitation could allow an attacker to run arbitrary code on a targeted Windows system. The disclosures point to risk across widely used Windows functionality rather than a single application, underscoring the need for defenders to review affected product versions and apply Microsoft-issued updates through normal patch management channels. The vulnerabilities are tracked under the identifiers `CVE-2022-41118` and `CVE-2025-59295`, with Microsoft maintaining the authoritative remediation details in its Security Update Guide.
May 25, 2026