Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws

Today is Microsoft's June 2025 Patch Tuesday, which includes security updates for 66 flaws, including one actively exploited vulnerability and another that was publicly disclosed.

This Patch Tuesday also fixes ten "Critical" vulnerabilities, eight being remote code execution vulnerabilities and two being elevation of privileges bugs.

The number of bugs in each vulnerability category is listed below:

• 13 Elevation of Privilege Vulnerabilities
• 3 Security Feature Bypass Vulnerabilities
• 25 Remote Code Execution Vulnerabilities
• 17 Information Disclosure Vulnerabilities
• 6 Denial of Service Vulnerabilities
• 2 Spoofing Vulnerabilities

This count does not include Mariner, Microsoft Edge, and Power Automate flaws fixed earlier this month.

Two zero-days

This month's Patch Tuesday fixes one actively exploited zero-day and one publicly disclosed vulnerability. Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.

The actively exploited zero-day vulnerability in today's updates is:

CVE-2025-33053 - Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability

Microsoft fixed a remote code execution vulnerability discovered by Check Point Research

"A remote code execution vulnerability exists in Microsoft Windows Web Distributed Authoring and Versioning. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system," reads a Check Point Research advisory.

Microsoft's advisory further states that a user must click on a specially crafted WebDav URL for the flaw to be exploited.

While Microsoft says that the vulnerability has been exploited in attacks, no further details have been shared. BleepingComputer contacted Check Point to learn more about how the flaw was used in attacks.

Microsoft attributes the discovery of this flaw to Alexandra Gofman and David Driker (Check Point Research).

The publicly disclosed zero-day is:

CVE-2025-33073 - Windows SMB Client Elevation of Privilege Vulnerability

Microsoft fixes a flaw in Windows SMB that allows attackers to gain SYSTEM privileges on vulnerable devices.

"Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network," explains Microsoft.

"To exploit this vulnerability, an attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate. This could result in elevation of privilege," further explains Microsoft.

Microsoft has not shared how the flaw was publicly disclosed. However, Born City reports that DFN-CERT (Computer Emergency Response Team of the German Research Network) began circulating warnings from RedTeam Pentesting about the flaw this week.

While an update is now available, the flaw can reportedly be mitigated by enforcing server-side SMB signing via Group Policy.

Microsoft attributes the discovery of this flaw to multiple researchers, including Keisuke Hirata with CrowdStrike, Synacktiv research with Synacktiv, Stefan Walter with SySS GmbH, RedTeam Pentesting GmbH, and James Forshaw of Google Project Zero.

Recent updates from other companies

Other vendors who released updates or advisories in June 2025 include:

• Adobe released security updates for InCopy, Experience Manager, Commerce, InDesign, Substance 3D Sampler, Acrobat Reader, and Substance 3D Painter.
• Cisco released patches for three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) products.
• Fortinet released security updates for an OS command ('OS Command Injection') vulnerability in FortiManager, FortiAnalyzer & FortiAnalyzer-BigData products.
• Google's June 2025 security updates for Android fix numerous vulnerabilities. Google also fixed an actively exploited Google Chrome zero-day flaw.
• Hewlett Packard Enterprise (HPE) issued security updates to fix eight vulnerabilities impacting StoreOnce,
• Ivanti released security updates to fix three high-severity hardcoded key vulnerabilities in Workspace Control (IWC).
• Qualcomm released security updates for three zero-day vulnerabilities in the Adreno Graphics Processing Unit (GPU) driver that are exploited in targeted attacks.
• Roundcube released security updates for a critical remote code execution (RCE) flaw with a public exploit that is now exploited in attacks.
• SAP releases security updates for multiple products, including a critical missing authorization check in SAP NetWeaver Application Server for ABAP.

The June 2025 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the June 2025 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.