Today marks the release of Microsoft's June 2025 Patch Tuesday, which addresses a total of 66 vulnerabilities within its software ecosystem. Notably, among these vulnerabilities, one has been actively exploited, while another has been publicly disclosed. This month’s updates focus on enhancing security protocols, fixing ten Critical vulnerabilities, including eight related to remote code execution and two concerning elevation of privileges.
The vulnerabilities addressed in this Patch Tuesday are categorized as follows:
13 Elevation of Privilege Vulnerabilities
3 Security Feature Bypass Vulnerabilities
25 Remote Code Execution Vulnerabilities
17 Information Disclosure Vulnerabilities
6 Denial of Service Vulnerabilities
2 Spoofing Vulnerabilities
It is important to note that this count does not include vulnerabilities related to Mariner, Microsoft Edge, and Power Automate, which were fixed earlier this month. For more details on the non-security updates released today, please refer to our dedicated articles on the Windows 11 KB5060842 and KB5060999 cumulative updates, as well as the Windows 10 KB5060533 cumulative update.
This month's Patch Tuesday also addresses two critical zero-day vulnerabilities. A zero-day vulnerability is defined by Microsoft as a security flaw that has been publicly disclosed or actively exploited without an official fix available at the time of discovery.
The first zero-day vulnerability addressed is CVE-2025-33053, which pertains to a Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability. Discovered by Check Point Research, this flaw could allow a remote attacker to execute arbitrary code on affected systems. The advisory indicates that exploitation requires a user to interact with a specially crafted WebDAV URL.
Check Point Research has reported that the CVE-2025-33053 vulnerability was utilized in zero-day attacks by an Advanced Persistent Threat (APT) group known as Stealth Falcon. In March 2025, they identified an attempted cyberattack on a defense company in Turkey, where attackers exploited a previously undisclosed technique to run files from a WebDAV server they controlled. Microsoft promptly assigned the vulnerability its CVE designation and released a patch on June 10, 2025, during the June Patch Tuesday updates. Credit for identifying this vulnerability goes to Alexandra Gofman and David Driker from Check Point Research.
The second zero-day vulnerability, CVE-2025-33073, involves a flaw in the Windows SMB Client that allows attackers to gain SYSTEM privileges on vulnerable devices. Microsoft explains that improper access control in Windows SMB enables authorized attackers to elevate their privileges over a network. Exploiting this vulnerability requires the execution of a malicious script that tricks the victim’s machine into connecting back to the attacker’s system using SMB and authenticating.
While Microsoft has not disclosed how this flaw became public, reports from Born City indicate that DFN-CERT (Computer Emergency Response Team of the German Research Network) issued warnings regarding this vulnerability, attributed to findings by RedTeam Pentesting. Although a patch is now available, mitigation can also be achieved by enforcing server-side SMB signing through Group Policy. The discovery of this flaw is credited to several researchers, including Keisuke Hirata from CrowdStrike, Synacktiv researchers, Stefan Walter from SySS GmbH, RedTeam Pentesting GmbH, and James Forshaw from Google Project Zero.
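As an added example (not code from Microsoft or from the researchers credited above), the following PowerShell audit reports whether server-side SMB signing is actually required on a set of hosts, which is the setting the Group Policy mitigation enforces. The function name `Test-SmbServerSigning` and the host names are placeholders; the script assumes PowerShell remoting is enabled and that it runs with administrative rights on the targets.

```powershell
# Added example: audit the server-side SMB signing requirement on several hosts.
# "Microsoft network server: Digitally sign communications (always)" is the
# Group Policy setting that writes the RequireSecuritySignature value read here.
function Test-SmbServerSigning {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    # Runs on each target: effective SMB server setting plus the raw registry value.
    $probe = {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $reg = Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Effective = [bool](Get-SmbServerConfiguration).RequireSecuritySignature
            Registry  = $reg.RequireSecuritySignature   # $null when the value is not set
        }
    }

    foreach ($name in $ComputerName) {
        try {
            $r = Invoke-Command -ComputerName $name -ScriptBlock $probe -ErrorAction Stop
            [pscustomobject]@{
                ComputerName    = $name
                SigningRequired = $r.Effective
                RegistryValue   = $r.Registry
                Status          = if ($r.Effective) { 'OK' } else { 'SigningNotRequired' }
            }
        } catch {
            # Report unreachable or failing hosts instead of silently skipping them.
            [pscustomobject]@{
                ComputerName    = $name
                SigningRequired = $null
                RegistryValue   = $null
                Status          = "CheckFailed: $($_.Exception.Message)"
            }
        }
    }
}

# Placeholder host names; replace with the servers in scope.
Test-SmbServerSigning -ComputerName 'fs01.example.test', 'dc01.example.test' |
    Format-Table -AutoSize
```

Hosts reported as `SigningNotRequired` still accept unsigned SMB sessions and are the ones to prioritise for the policy change or the patch.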
In addition to Microsoft, several other vendors have released security updates or advisories in June 2025:
Adobe released security updates for InCopy, Experience Manager, Commerce, InDesign, Substance 3D Sampler, Acrobat Reader, and Substance 3D Painter.
Cisco patched three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) products.
Fortinet issued updates for an OS command injection vulnerability in FortiManager, FortiAnalyzer, and FortiAnalyzer-BigData products.
Google deployed June 2025 security updates for Android, addressing numerous vulnerabilities, including an actively exploited Google Chrome zero-day flaw.
Hewlett Packard Enterprise (HPE) released updates to fix eight vulnerabilities impacting StoreOnce.
Ivanti issued updates to address three high-severity hardcoded key vulnerabilities in Workspace Control (IWC).
Qualcomm provided security updates for three zero-day vulnerabilities in the Adreno Graphics Processing Unit (GPU) driver exploited in targeted attacks.
Roundcube released updates for a critical remote code execution flaw with a public exploit that is currently being exploited in attacks.
SAP announced security updates for multiple products, including a critical missing authorization check in the SAP NetWeaver Application Server for ABAP.
The June 2025 Patch Tuesday represents a significant effort by Microsoft to bolster security across its platforms. With numerous vulnerabilities addressed, including critical zero-day threats, it is crucial for users to install these updates promptly to protect their systems from potential exploitation.