137 Microsoft CVEs, Critical sudo chroot Flaw, and Schizophrenic ZIP | Automox Cybersecurity Expert Analysis

Patch [FIX] Tuesday July 2025

Welcome to July 2025’s Patch Tuesday! With 137 vulnerabilities this month, there's a lot to do on the Microsoft side. There’s also a fresh batch of updates from open‑source maintainers and the broader security community.

Let’s take a look and see how this Patch Tuesday stacks up before diving in.

July 2025 Patch Tuesday Analysis

Now, here’s what matters most, why it matters, and how you can act before an attacker does. For more insights, be sure to listen to the Automox Patch [FIX] Tuesday podcast.

CVE-2025-48001 [Important]

BitLocker Security Feature Bypass Vulnerability

BitLocker’s pre‑boot checks leave a brief window where the full‑volume encryption key sits in memory. A determined thief can steal a laptop, attach a DMA‑capable device, and grab that key before Windows mounts the drive. The race condition — time of check versus time of use — drops the encryption guard you rely on when devices go missing.

This CVE is scored at 3.1/10 because the attacker needs physical access. Even so, stolen endpoints often remain offline for months, waiting for techniques like this to surface. Treat any unreturned laptop as data at risk.

It is recommended to set a pre‑boot PIN in the BIOS, disable DMA at boot where feasible, and apply July’s BitLocker update through the Automox console as soon as your validation cycle allows. In addition, consider tightening device‑tracking procedures and treating every unreturned endpoint as an active exposure.

– Seth Hoyt, Senior Security Engineer, Automox

Secure Boot Certificates Expiring June 2026

Secure Boot protects devices from boot-level malware, but the Microsoft-issued certificates that underpin that trust model begin expiring in June 2026. Everything shipped before this year’s Copilot Plus PC line will need fresh certificates well before the deadline. If your fleet misses the window, Windows will refuse future Secure Boot updates, and you may lose the ability to load trusted third-party drivers.

When the certificate lapses, bootloaders and early-boot components fail signature checks. That leaves endpoints exposed to bootkits and signed-driver attacks that Secure Boot would normally block. Devices with Secure Boot disabled today cannot fetch the new certs automatically, so they remain vulnerable even if Secure Boot is enabled later.

It is recommended to inventory every Windows device and verify Secure Boot status. Enterprise tenants should opt in to Microsoft’s update channel or AutoPatch service so the new certificates arrive through normal patching. Non-enterprise devices require a registry change, followed by a manual check using Microsoft’s diagnostic app.

Where policy allows, enable Secure Boot before you deploy the certificate update, then validate that endpoints report Opted In in the diagnostic tool. Plan remediation workflows now for any stragglers you uncover.

– Cody Dietz, Staff Software Architect

CVE-2025-32463 [Critical]

sudo access via chroot

CVE-2025-32463 (CVSS 9.1/10) exploits a logic slip between chroot pivoting and sudo permission checks, which lets an unprivileged Linux user sidestep normal policy. When sudo -R begins a chroot operation, it still consults NSS configuration files outside the new root. By placing a crafted nsswitch.conf alongside a malicious shared object inside the target directory, an attacker convinces sudo to load that library while it retains root privileges.

During the brief moment between pivoting into the chroot and dropping effective IDs, the injected library runs as root. The proof-of-concept exploit code spawns a shell or executes arbitrary commands — all in fewer than ten lines. Builds 1.9.14 through 1.9.17 remain common across container images and LTS distributions, so CI runners, build hosts, and developer workstations sit squarely in the danger zone.

Patching sudo to 1.9.18 or newer, rebuilding base images, and pushing updates is recommended as a first line of defense. You may also want to audit Dockerfiles for stray sudo -R calls and consider modern isolation tools in place of chroot.

– Tom Bowyer, Director IT Security, Automox
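Two of the checks recommended above, as an added example that is not part of the original post: a version test against the 1.9.14 through 1.9.17 range named above, and a scan of Dockerfile RUN instructions for sudo -R / --chroot calls. Function names and the sample Dockerfile are constructed for this illustration.

```python
import re

# Range named in the write-up above: sudo builds 1.9.14 through 1.9.17.
AFFECTED_LOW, AFFECTED_HIGH = (1, 9, 14), (1, 9, 17)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# `sudo ... -R <dir>` or `sudo ... --chroot=<dir>` within a single shell command
CHROOT_RE = re.compile(r"\bsudo\b[^;&|]*\s(?:-R|--chroot)(?:[\s=]|$)")

def sudo_in_affected_range(version_output: str) -> bool:
    """True when the x.y.z in `sudo --version` output lies in 1.9.14..1.9.17.
    Patch-level suffixes (e.g. 1.9.17p1) are ignored on purpose: such builds are
    flagged too, so a human confirms them rather than the script silently passing them."""
    m = VERSION_RE.search(version_output)
    if not m:
        raise ValueError("no x.y.z version found in sudo output")
    return AFFECTED_LOW <= tuple(int(x) for x in m.groups()) <= AFFECTED_HIGH

def find_sudo_chroot_calls(dockerfile: str) -> list:
    """Return (first line number, instruction) for RUN lines that call sudo with -R/--chroot."""
    hits, parts, start = [], [], 0
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not parts:
            start = n
        if line.endswith("\\"):  # a trailing backslash continues the instruction
            parts.append(line[:-1])
            continue
        parts.append(line)
        instruction, parts = " ".join(parts), []
        if instruction.upper().startswith("RUN ") and CHROOT_RE.search(instruction):
            hits.append((start, instruction))
    return hits

# Constructed sample Dockerfile: the instructions starting on lines 3 and 5 should be
# flagged; line 6 uses sudo without a chroot and should not.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:24.04
RUN apt-get update && apt-get install -y sudo
RUN sudo -R /srv/build \\
    make install
RUN sudo --chroot=/opt/rootfs ls /
RUN sudo -u builder make test
"""
```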

Schizophrenic ZIP

Researchers recently demonstrated a proof‑of‑concept attack dubbed Schizophrenic ZIP, which abuses redundant ZIP metadata to serve different file listings to different software stacks.

A ‘multiple‑personality’ ZIP file hides two different central directory maps. Your machine shows one file list, your finance system sees another, and malware slips through unseen. Researchers have published the method as an open‑source proof of concept rather than a CVE, but the absence of a CVE ID does not reduce its impact.

Attackers modify the End of Central Directory Record so one parser follows the offset value while another trusts the size field. The mismatch lets them deliver a believable invoice to approvers while silently swapping in a fraudulent PDF for Accounts Payable — or embedding scripts that auto‑execute during extraction.

Training employees to treat unsolicited archives cautiously — even those that appear to contain just a single PDF — should be your first line of defense. It is recommended to block inbound ZIP attachments at the email gateway unless they’re business‑critical, or route them for a security review before delivery.

– Cody Dietz, Staff Software Architect
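To make the offset-versus-size mismatch described above concrete, an added example that is not part of the original post: a small Python checker (hypothetical function names) that cross-checks the End of Central Directory offset and size fields against the central directory it actually walks, and each entry against its local header, on a constructed in-memory archive. A parser-agnostic consistency check like this is one way to gate inbound archives before any single ZIP library's interpretation is trusted.

```python
import io
import struct
import zipfile

EOCD_SIG, CEN_SIG, LOC_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def build_sample_zip() -> bytes:
    """Constructed sample: a clean two-file archive written entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed sample invoice")
        zf.writestr("notes.txt", b"constructed sample text")
    return buf.getvalue()

def walk_central_directory(data: bytes, start: int, count: int):
    """Parse up to `count` CEN headers from `start`; return (name, local offset) pairs and end offset."""
    entries, pos = [], start
    for _ in range(count):
        if data[pos:pos + 4] != CEN_SIG:
            break
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        (local_off,) = struct.unpack("<I", data[pos + 42:pos + 46])
        entries.append((data[pos + 46:pos + 46 + name_len], local_off))
        pos += 46 + name_len + extra_len + comment_len
    return entries, pos

def eocd_checks(data: bytes) -> list:
    """Findings where the EOCD fields disagree with the archive's real layout; empty means consistent."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no EOCD record"]
    fields = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    n_disk, n_total, cd_size, cd_offset, comment_len = fields[3:]
    findings = []
    if data.count(EOCD_SIG) > 1:
        findings.append("more than one EOCD signature present")
    if cd_offset + cd_size != eocd:  # offset and size must both land exactly on the EOCD
        findings.append(f"cd_offset+cd_size={cd_offset + cd_size} but EOCD is at {eocd}")
    entries, end = walk_central_directory(data, cd_offset, n_total)
    if len(entries) != n_total or n_disk != n_total:
        findings.append(f"EOCD claims {n_total} entries, walked {len(entries)}")
    if end != cd_offset + cd_size:
        findings.append("walked central directory does not end where cd_size says")
    for name, off in entries:  # each CEN entry must point at a local header carrying the same name
        if data[off:off + 4] != LOC_SIG:
            findings.append(f"{name!r}: no local header at offset {off}")
        elif data[off + 30:off + 30 + struct.unpack("<H", data[off + 26:off + 28])[0]] != name:
            findings.append(f"{name!r}: local header carries a different name")
    return findings
```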

Patch Regularly, Patch Often

July’s slate may look manageable, but one missed update is still one breach away from a major security incident. Close the window while it’s measured in hours, not headlines — review your Automox policies, schedule rollouts, and confirm every endpoint reports green before you log off.

Patch regularly, patch often, and we’ll be back in August with the next round of patches and security updates.
