Microsoft Patch Tuesday June 2025

This month’s Patch Tuesday has been released, which addresses a total of 66 vulnerabilities across various products. Among these, one actively exploited vulnerability and another publicly disclosed flaw are being patched, alongside several other critical issues.

The June update includes fixes for 10 "Critical" vulnerabilities, which comprise eight remote code execution (RCE) vulnerabilities and two elevation of privilege (EoP) flaws. This round of patches also covers a range of other security risks, such as information disclosure, denial of service, and spoofing vulnerabilities. Here’s a breakdown of the categories:

1. 13 Elevation of Privilege Vulnerabilities

2. 3 Security Feature Bypass Vulnerabilities

3. 25 Remote Code Execution Vulnerabilities

4. 17 Information Disclosure Vulnerabilities

5. 6 Denial of Service Vulnerabilities

6. 2 Spoofing Vulnerabilities

It’s worth noting that this count does not include vulnerabilities fixed earlier in the month for Mariner, Microsoft Edge, and Power Automate.

Zero-Day Vulnerabilities Addressed

This month’s updates fix two notable zero-day vulnerabilities—one that is actively being exploited and another that was publicly disclosed before a fix was made available.

Actively Exploited Zero-Day: WEBDAV RCE Vulnerability (CVE-2025-33053)

The first critical zero-day patched today is a remote code execution vulnerability in Web Distributed Authoring and Versioning (WEBDAV), tracked as CVE-2025-33053. Discovered by Check Point Research, this flaw allows attackers to execute arbitrary code on affected systems if a user clicks on a specially crafted WebDav URL.

Check Point Research uncovered this vulnerability during a cyberattack attempt in March 2025, attributed to the APT group "Stealth Falcon." The attackers used an undisclosed technique to execute malicious files hosted on a WebDAV server they controlled. Microsoft has now patched the vulnerability, thanks to responsible disclosure from the researchers.

Publicly Disclosed Zero-Day: SMB Elevation of Privilege (CVE-2025-33073)

The second zero-day fixed in the June Patch Tuesday updates is an elevation of privilege vulnerability in Windows SMB, tracked as CVE-2025-33073. This flaw allows attackers to escalate privileges to SYSTEM-level access on vulnerable devices.

To exploit this vulnerability, an attacker could trick the victim machine into connecting to their system via SMB and execute a specially crafted script, resulting in elevated privileges. While the flaw was publicly disclosed by DFN-CERT earlier this month, Microsoft has since released a patch to fix it. Additionally, enforcing server-side SMB signing via Group Policy can mitigate the risk of exploitation.

Multiple security researchers, including those from CrowdStrike, Synacktiv, and RedTeam Pentesting, contributed to the discovery and responsible disclosure of this flaw.

Other Security Updates and Vendor Patches

In addition to the vulnerabilities addressed in Microsoft’s updates, several other vendors also released critical patches in June 2025:

1. Adobe released patches for a variety of products, including InCopy, Experience Manager, Acrobat Reader, and Substance 3D tools.

2. Cisco patched three vulnerabilities with known exploits in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) products.

3. Fortinet fixed an OS command injection vulnerability impacting its FortiManager and FortiAnalyzer products.

4. Google issued security updates for Android, including a fix for a Chrome zero-day vulnerability actively being exploited in the wild.

5. Hewlett Packard Enterprise (HPE) released patches for vulnerabilities in its StoreOnce systems.

6. Qualcomm addressed three zero-day flaws in the Adreno Graphics Processing Unit (GPU) driver.

7. SAP released critical updates for SAP NetWeaver and other products.

Stay Protected

As always, it’s essential to apply these security updates as soon as possible to protect your systems from potential exploitation. Regular patching is a crucial step in safeguarding your infrastructure against known vulnerabilities, especially those actively targeted by cybercriminals.

For a full description of each vulnerability and the systems affected, please refer to the complete report from Microsoft’s security update guide.

If you need assistance with vulnerability management or want to learn how these threats might impact your organisation, reach out to our team or discover how our platform can streamline patching and help minimise cyber risk.