md3d - stock.adobe.com
June Patch Tuesday brings a lighter load for defenders
Barely 70 vulnerabilities make the cut for Microsoft's monthly security update, but an RCE flaw in WEBDAV and an EoP issue in Windows SMB Client still warrant close attention.
Microsoft’s latest Patch Tuesday update landed on schedule around teatime on 10 June, with admins facing a much lighter load heading into the summer – at least lighter than of late – with barely 70 security flaws awaiting attention and just two potential zero-day common vulnerabilities and exposures (CVEs) in scope.
The two most pressing issues for patching this month are CVE-2025-33053, a remote code execution (RCE) flaw in Web Distributed Authoring and Versioning (WEBDAV), and CVE-2025-33073, an elevation of privilege (EoP) vulnerability in Windows Server Message Block (SMB) Client. Both carry a CVSS score of 8.8.
Microsoft revealed it has evidence that the first of these CVEs is already being exploited in the wild, although proof-of-concept code is not publicly available, while for the second, the opposite is true. It credited the RCE flaw to Alexandra Gofman and David Driker of Check Point Research, and the second to researchers with CrowdStrike, Synacktiv, SySS GmbH, and Google Project Zero.
Of these two, CVE-2025-33053 probably presents the most pressing patching need. This is because in practice, the issue affects various tools that still incorporate the defunct Internet Explorer browser in a legacy capacity, hence Microsoft has been forced into the position of producing patches for long out-of-support platforms, dating back as far as Windows 8 and Server 2012.
“This vulnerability allows attackers to execute remote code on affected systems when users click on malicious URLs,” explained Mike Walters, president and co-founder of patch management specialist Action1.
“The exploit takes advantage of WebDAV’s file handling capabilities to run arbitrary code in the context of the current user. If the user holds administrative privileges, the impact can be severe.
“What makes this flaw particularly concerning is the widespread use of WebDAV in enterprise environments for remote file sharing and collaboration. Many organisations enable WebDAV for legitimate business needs – often without fully understanding the security risks it introduces,” said Walters.
“The potential impact is extensive, with millions of organisations worldwide at risk. An estimated 70 to 80% of enterprises could be vulnerable – especially those lacking strict URL filtering or user training on phishing threats,” he added.
Meanwhile, Ben Hopkins, cyber threat intelligence researcher at Immersive, ran the rule over the second potential zero-day, CVE-2023-33073.
“It’s classified as an Elevation of Privilege vulnerability, which indicates that a successful exploit would allow an attacker to gain higher-level permissions on a compromised system,” explained Hopkins.
“Threat actors highly seek out vulnerabilities of this nature. Once an attacker has gained an initial foothold on a machine, often through methods like phishing or exploiting another vulnerability, they can leverage privilege escalation flaws to gain deeper control.”
He continued: “With elevated privileges, an attacker could potentially disable security tools, access and exfiltrate sensitive data, install persistent malware, or move laterally across the network to compromise additional systems.
“Given the high severity rating and the critical role of SMB in Windows networking, organisations should prioritise applying the necessary security patches to mitigate the risk posed by this vulnerability.”
10 critical flaws, hanging on the wall
The Microsoft June Patch Tuesday update also includes no fewer 10 critical flaws – four affecting Microsoft Office, and one apiece in Microsoft SharePoint Server, Power Automate, Windows KDC Proxy Service (KPSSVC), Windows Netlogon, Windows Remote Desktop Services and Windows Schannel. Of these, eight – including all four office vulns – are RCE issues, and the other two enable privilege escalation.
Kev Breen, senior director of threat research at Immersive, said defenders should put the Office vulnerabilities high on their list of priorities.
“Listed as a use after free, heap-based buffer overflow, and type confusion RCE, these vulnerabilities would allow an attacker to craft a malicious document that, if sent and opened by a victim, would give the attacker access to run commands on the victim's computer remotely,” said Breen.
“Microsoft also says that ‘The Preview Pane’ is an attack vector, meaning that simply viewing the attachment in something like Outlook could be enough to trigger the exploit.
“More concerning is that Microsoft says there are no updates available for Microsoft 365 at the time of release, and customers will be notified via a revision to this notice,” said Breen.
“While this CVE is not actively being exploited, the risk remains high as threat actors have been known to quickly reverse engineer patches to create n-day exploits before organisations have a chance to roll out patches,” he added.
Read more about Patch Tuesday
- May 2025: Microsoft fixes five exploited, and two publicly disclosed, zero-days in the fifth Patch Tuesday update of 2025.
- April 2025: Microsoft is correcting 124 vulnerabilities in its April Patch Tuesday, one of which is being actively exploited in the wild, and 11 of which are ‘critical’.
- March 2025: The third Patch Tuesday of 2025 brought fixes for 57 flaws and a hefty number of zero-days.
- February 2025: Microsoft corrected 57 vulnerabilities, two of which are being actively exploited in the wild, and three of which are ‘critical’.
- January 2025: The largest Patch Tuesday of the 2020s so far brings fixes for more than 150 CVEs ranging widely in their scope and severity – including eight zero-day flaws.
- December 2024: Microsoft has fixed over 70 CVEs in its final Patch Tuesday update of the year, and defenders should prioritise a zero-day in the Common Log File System Driver, and another impactful flaw in the Lightweight Directory Access Protocol.
- November 2024: High-profile vulns in NTLM, Windows Task Scheduler, Active Directory Certificate Services and Microsoft Exchange Server should be prioritised from November’s Patch Tuesday update.
- October 2024: Stand-out vulnerabilities in Microsoft’s latest Patch Tuesday drop include problems in Microsoft Management Console and the Windows MSHTML Platform.
- September 2024: Four critical remote code execution bugs in Windows and three critical elevated privileges vulnerabilities will keep admins busy.
- August 2024: Microsoft patches six actively exploited zero-days among over 100 issues during its regular monthly update.
- July 2024: Microsoft has fixed almost 140 vulnerabilities in its latest monthly update, with a Hyper-V zero-day singled out for urgent attention.
- June 2024: An RCE vulnerability in a Microsoft messaging feature and a third-party flaw in a DNS authentication protocol are the most pressing issues to address in Microsoft’s latest Patch Tuesday update.
