Breaking Down the Latest June 2025 Patch Tuesday Report

Microsoft has released its June 2025 Patch Tuesday security updates, addressing 66 vulnerabilities across Windows, Office, Exchange Server, Azure, Visual Studio, and other products. This includes fixes for two zero-day vulnerabilities, with one being actively exploited in the wild.

The two zero-days are a Web Distributed Authoring and Versioning (WebDAV) remote code execution vulnerability (CVE-2025-33053) and a Windows SMB Client elevation of privilege flaw (CVE-2025-33073). The WebDAV vulnerability has been exploited by an advanced persistent threat (APT) group called "Stealth Falcon" in targeted attacks against defense organizations.

Other critical flaws include multiple remote code execution bugs in Microsoft Office (CVE-2025-47162, CVE-2025-47164, CVE-2025-47167, CVE-2025-47953), a Windows Schannel RCE vulnerability (CVE-2025-29828), a Windows Remote Desktop Services RCE flaw (CVE-2025-32710), and a Windows KDC Proxy Service RCE bug (CVE-2025-33071).

In total, Microsoft addressed 10 critical vulnerabilities and 56 important ones. The most common issues are remote code execution (25 bugs), information disclosure (17 bugs), and elevation of privilege (13 bugs).

Key products receiving security updates include Windows, Office, SharePoint, Visual Studio, Power Automate, WebDAV, and various Windows components. Administrators should prioritize testing and deploying patches for the actively exploited zero-day and the critical remote code execution flaws, particularly those affecting Office applications where the Preview Pane is listed as an attack vector.

Additional steps may be required to fully remediate some vulnerabilities, and organizations should carefully review Microsoft's advisories for specific guidance. Overall, applying these critical monthly security updates helps harden environments against emerging threats and sophisticated attack campaigns.

In this monthly report, we'll break down these zero-day threats along with other major critical issues addressed. Our analysis will examine severity ratings, exploitation vectors, and remediation advice to underscore the essential patches for prioritization. Whether you manage Windows clients and servers or cloud-based services, applying these latest critical and important updates helps secure environments as we progress through 2025.

Key Highlights - Patch Tuesday June 2025

In June's Patch Tuesday, Microsoft addressed 66 flaws, including two zero-day vulnerabilities, with one actively exploited in the wild. This update included patches across categories like remote code execution, elevation of privilege, information disclosure, denial of service, security feature bypass, and spoofing vulnerabilities.

The key affected products in this update span across Microsoft's product range, including Windows, Office, SharePoint, Visual Studio, Power Automate, WebDAV, and various Windows system components. It is crucial for administrators and end users to apply these security updates promptly to protect their systems from these vulnerabilities.

Key Highlights are:

This June's Patch Tuesday highlights Microsoft's ongoing commitment to securing its wide range of products against sophisticated threat actors and zero-day exploitation campaigns targeting enterprise environments.

Zero-day Vulnerabilities Patched in June 2025

In June 2025, Microsoft addressed two zero-day vulnerabilities in its Patch Tuesday release. One of these vulnerabilities was actively exploited in the wild by an advanced persistent threat (APT) group, while the other was publicly disclosed before a patch became available. These vulnerabilities posed immediate risks to affected systems and required urgent attention.

CVE-2025-33053 (Web Distributed Authoring and Versioning (WebDAV) Remote Code Execution Vulnerability):

This vulnerability allows an unauthenticated attacker to execute arbitrary code on affected systems through the Windows WebDAV implementation. The flaw has a CVSS v3 base score of 8.8 and is rated as Important severity, though it was actively exploited as a zero-day before patches were available.

According to Check Point Research, who discovered and reported this vulnerability, CVE-2025-33053 was exploited by an APT group known as "Stealth Falcon" in targeted attacks against defense companies. The attack campaign was first identified in March 2025 when Check Point researchers observed an attempted cyberattack against a defense company in Turkey.

The threat actors used a previously undisclosed technique to execute files hosted on a WebDAV server they controlled by manipulating the working directory of a legitimate built-in Windows tool. Successful exploitation requires the attacker to convince a user to click on a specially crafted WebDAV URL, making social engineering a key component of the attack vector.

Interestingly, Microsoft had deprecated the Windows WebDAV implementation (WebClient service) in November 2023, meaning it no longer starts by default. However, the service can still be enabled, and all supported Windows versions, including newer releases like Server 2025 and Windows 11 24H2, receive patches for this vulnerability.

CVE-2025-33073 (Windows SMB Client Elevation of Privilege Vulnerability):

This vulnerability affects the Windows Server Message Block (SMB) client and allows an authenticated attacker to elevate privileges to SYSTEM level. The flaw has a CVSS v3 base score of 8.8 and is rated as Important severity. Unlike the WebDAV vulnerability, this zero-day was publicly disclosed rather than actively exploited.

The vulnerability involves improper access control in Windows SMB that enables privilege escalation over a network. To exploit this flaw, an attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB credentials and authenticate. Successful exploitation could result in elevation of privilege to SYSTEM level.

According to reports, DFN-CERT (Computer Emergency Response Team of the German Research Network) began circulating warnings from RedTeam Pentesting about this vulnerability before the patch was released. The flaw was discovered by multiple security researchers, including Keisuke Hirata with CrowdStrike, Synacktiv research team, Stefan Walter with SySS GmbH, RedTeam Pentesting GmbH, and James Forshaw of Google Project Zero.

While an update is now available through this Patch Tuesday release, Microsoft notes that the vulnerability can be mitigated by enforcing server-side SMB signing via Group Policy as an interim measure for organizations that cannot immediately deploy the patch.

Both zero-day vulnerabilities underscore the continued targeting of Windows infrastructure by sophisticated threat actors and the importance of rapid patch deployment to prevent exploitation in enterprise environments.

Here's a table for the Zero-Day Vulnerabilities section:

Critical Vulnerabilities Patched in June 2025

Microsoft's June 2025 security updates addressed ten critical vulnerabilities that could be exploited to achieve remote code execution or elevation of privilege. These flaws represent significant risks that malicious actors could leverage in attacks. Promptly patching critical issues should be a top priority for security teams.

Microsoft Office Remote Code Execution Vulnerabilities Lead Critical Threats

Four critical remote code execution vulnerabilities in Microsoft Office components pose immediate risks to organizations. CVE-2025-47162, CVE-2025-47164, CVE-2025-47167, and CVE-2025-47953 all share CVSS v3 scores of 8.4 and were discovered by prolific security researcher 0x140ce.

What makes these vulnerabilities particularly dangerous is that the Preview Pane is listed as an attack vector for CVE-2025-47162, CVE-2025-47164, and CVE-2025-47167, meaning users don't need to fully open malicious documents to trigger exploitation. Microsoft has assessed three of these vulnerabilities as "Exploitation More Likely" in their Exploitability Index.

The vulnerabilities affect various Office components through different attack mechanisms:

Windows KDC Proxy Service Critical RCE

CVE-2025-33071 represents a critical unauthenticated remote code execution vulnerability in the Windows KDC Proxy Service (KPSSVC) with a CVSS v3 score of 8.1. This service allows clients to communicate with Kerberos Key Distribution Centers over HTTPS instead of TCP, acting as a bridge for authentication requests.

The vulnerability involves a use-after-free flaw that could allow an unauthenticated attacker to achieve remote code execution by exploiting a cryptographic protocol weakness. While exploitation requires the attacker to win a race condition, Microsoft still considers exploitation "More Likely."

The concern is heightened because KDC proxy servers are often exposed to untrusted networks to facilitate Kerberos authentication from external clients, making them attractive targets for attackers. Only Windows Server assets configured as Kerberos Key Distribution Center Proxy Protocol servers are affected, which is not standard configuration for domain controllers.

Windows Schannel Remote Code Execution

CVE-2025-29828 is a critical remote code execution vulnerability in Windows Schannel (Secure Channel) with a CVSS v3 score of 8.1. Schannel is a Security Support Provider used by Windows to implement SSL and TLS protocols.

The vulnerability involves missing memory release after an effective lifetime that may allow an unauthenticated attacker to execute code over a network. Attackers can exploit this flaw by maliciously using fragmented ClientHello messages against target servers that accept TLS connections.

Windows Remote Desktop Services Critical RCE

CVE-2025-32710 affects Windows Remote Desktop Services (RDS), formerly Terminal Services, which allows users to access Windows applications and desktops remotely. This critical vulnerability has a CVSS v3 score of 8.1.

The flaw involves a use-after-free condition that may allow an unauthenticated attacker to execute code over a network. To successfully exploit this vulnerability, an attacker must win a race condition, but the remote nature and lack of authentication requirements make this a high-priority patch.

Microsoft SharePoint Server Critical RCE

CVE-2025-47172 is a critical remote code execution vulnerability in Microsoft SharePoint Server with a CVSS v3 score of 8.8. This flaw involves improper neutralization of special elements used in SQL commands, essentially an SQL injection vulnerability.

Unlike the other critical vulnerabilities, this SharePoint flaw requires an authenticated attacker to achieve remote code execution, but successful exploitation could lead to complete server compromise in SharePoint environments.

Windows Netlogon Elevation of Privilege

CVE-2025-33070 represents a critical elevation of privilege vulnerability in Windows Netlogon with a CVSS v3 score of 8.1. Netlogon is a Remote Procedure Call (RPC) protocol and service that facilitates authentication and communication between domain controllers and other devices within a domain.

The vulnerability involves the use of uninitialized resources that allows an unauthenticated attacker to elevate privileges over a network, potentially gaining domain administrator access. Despite requiring additional actions to prepare targets for exploitation, Microsoft has assessed this as "Exploitation More Likely."

With remote exploitation capabilities and no authentication requirements, these critical vulnerabilities open significant attack pathways for determined adversaries. Their high CVSS v3 scores reflect the urgent need to apply fixes before threats leverage them in enterprise environments.

Vulnerabilities by Category

In total, 66 vulnerabilities were addressed in June's Patch Tuesday. Remote Code Execution flaws top the list with 25 patches, followed by 17 Information Disclosure and 13 Elevation of Privilege vulnerabilities. The rest consist of 6 Denial of Service, 3 Security Feature Bypass, and 2 Spoofing flaws.

Here is the breakdown of the categories patched this month:

1. Remote Code Execution – 25

2. Information Disclosure – 17

3. Elevation of Privilege – 13

4. Denial of Service – 6

5. Security Feature Bypass – 3

6. Spoofing – 2

The table below shows the CVE IDs mapped to these vulnerability types from Microsoft's June 2025 Patch Tuesday:

Remote code execution vulnerabilities continue to dominate Microsoft's monthly patches, representing 37.9% of the June updates. These critical bugs enable attackers to execute arbitrary code for extensive system control, making them high-priority targets for exploitation.

The second most prevalent category is information disclosure at 25.8%, which can provide attackers with sensitive data to facilitate further attacks. Elevation of privilege vulnerabilities account for 19.7% of the patches, empowering threat actors to increase compromised user rights and gain deeper system access.

While less frequent, denial of service, security feature bypass, and spoofing flaws still pose risks and should undergo systematic patching. The concentration of remote code execution vulnerabilities, particularly in widely-used Office applications, underscores the critical importance of prioritizing these updates in enterprise environments.

List of Products Patched in June 2025 Patch Tuesday Report

Microsoft's June 2025 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

The distribution shows that Windows Storage Management Provider received the most patches with 13 vulnerabilities, followed by Microsoft Office with 5 patches and Microsoft Word with 4 patches. This reflects Microsoft's continued focus on securing core Windows infrastructure components and widely-used productivity applications that represent high-value targets for attackers.

Summary charts

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

Windows vulnerabilities

Windows ESU vulnerabilities

Bottom Line

Microsoft's June 2025 Patch Tuesday addressed 66 vulnerabilities, including two zero-day flaws affecting WebDAV and Windows SMB, with one being actively exploited by the APT group "Stealth Falcon."

This release fixed a variety of vulnerability types, with remote code execution issues being most prevalent at 25 instances. Information disclosure ranked second with 17 patches issued, followed by elevation of privilege with 13 patches. Among the critical bugs are multiple Office RCE vulnerabilities where Preview Pane is an attack vector, a WebDAV RCE exploited in the wild, Windows Schannel RCE, and a Windows KDC Proxy Service RCE.

Critical vulnerabilities addressed this month consist of four Microsoft Office remote code execution flaws (CVE-2025-47162, CVE-2025-47164, CVE-2025-47167, CVE-2025-47953), the actively exploited WebDAV RCE (CVE-2025-33053), Windows Schannel RCE (CVE-2025-29828), Windows Remote Desktop Services RCE (CVE-2025-32710), SharePoint Server RCE (CVE-2025-47172), Windows KDC Proxy Service RCE (CVE-2025-33071), and a Windows Netlogon elevation of privilege (CVE-2025-33070).

Alongside the critical problems, numerous important-rated issues also got remediated, including the publicly disclosed Windows SMB Client elevation of privilege vulnerability and various information disclosure and denial of service vulnerabilities affecting Windows components and Office applications. Overall, June's patches close 66 security gaps across Microsoft's portfolio.

The concentration of critical Office vulnerabilities with Preview Pane attack vectors, combined with the actively exploited WebDAV zero-day, emphasizes the urgent need for comprehensive patch deployment. Organizations should prioritize the critical remote code execution fixes and implement additional mitigations where immediate patching isn't feasible.

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

You may also like these articles: