Microsoft has released its June 2025 Patch Tuesday updates, addressing 66 security vulnerabilities, including an actively exploited zero-day and another that was publicly disclosed.
Of the total flaws, 10 are classified as “Critical,” with the majority being remote code execution vulnerabilities.
Vulnerability Breakdown:
- 13 Elevation of Privilege
- 3 Security Feature Bypass
- 25 Remote Code Execution
- 17 Information Disclosure
- 6 Denial of Service
- 2 Spoofing
These numbers do not account for vulnerabilities in Microsoft Edge, Power Automate, or Mariner patched earlier this month.
Two Zero-Day Vulnerabilities Fixed
1. CVE-2025-33053 – Actively Exploited WebDAV Remote Code Execution
This zero-day vulnerability was discovered by Check Point Research and exploited by an APT group known as Stealth Falcon. The flaw exists in Microsoft’s Web Distributed Authoring and Versioning (WebDAV) and can be triggered if a user clicks a specially crafted URL, enabling remote attackers to execute arbitrary code. The exploit was observed in an attempted cyberattack targeting a defense company in Turkey.
2. CVE-2025-33073 – Publicly Disclosed SMB Client Elevation of Privilege
This vulnerability affects the Windows SMB Client and can grant SYSTEM privileges via improper access control. Attackers can trick a system into authenticating to a malicious SMB server using a crafted script. The flaw was disclosed publicly and mitigations include enforcing server-side SMB signing via Group Policy. Contributors to this discovery include researchers from CrowdStrike, Synacktiv, SySS GmbH, RedTeam Pentesting, and Google Project Zero.
As always, users and IT administrators are urged to apply these updates promptly to mitigate potential threats.
