June 2025 Patch Tuesday: Microsoft Fixes 66 Vulnerabilities

Today is Patch Tuesday, and like every second tuesday of the month, Microsoft rolls out a new round of updates (this time for June 2025). This month, 66 security flaws have been fixed, including a zero-day vulnerability already being actively exploited by attackers, and another that had already been publicly disclosed.

In addition, today’s patch addresses 10 critical vulnerabilities, 8 of which allow remote code execution (meaning someone could take control of your machine remotely) and 2 related to privilege escalation (giving an attacker more control than they should have).

Here’s a Breakdown by Vulnerability Type:

1. 13 privilege escalation

2. 3 security feature bypass

3. 25 remote code execution

4. 17 information disclosure

5. 6 denial of service

6. 2 spoofing

Note: This count does not include fixes released earlier this month for Microsoft Edge, Power Automate, and Mariner (Microsoft’s Linux-based operating system).

Two Zero-Day Vulnerabilities in the Spotlight

This Patch Tuesday came with a surprise: Microsoft fixed two zero-day vulnerabilities—one that was already being actively exploited and another that had been publicly disclosed before a fix was available.

To clarify: when Microsoft refers to a “zero-day,” it means a flaw that is already publicly known or being used by attackers while no official patch exists yet. These are the most dangerous bugs because the clock starts ticking from the very first moment.

CVE-2025-33053 – Remote Code Execution via WebDAV

The first and most concerning vulnerability is CVE-2025-33053, affecting the Web Distributed Authoring and Versioning (WebDAV) component in Windows. This flaw was actively exploited by a cyber-espionage group known as "Stealth Falcon," according to a report from Check Point Research.

In simple terms: if a user clicks on a specially crafted WebDAV link, an attacker could execute malicious code on the system, as if they were physically present at the keyboard.

Check Point reported that in March 2025, they identified an attempted attack against a defense sector company in Turkey. The attackers used a new technique to run files from a WebDAV server they controlled, leveraging a legitimate Windows tool. Following the report, Microsoft assigned the identifier CVE-2025-33053 and released the patch on June 10, 2025.

CVE-2025-33073 – Privilege Escalation via SMB Client

The second zero-day is CVE-2025-33073, a vulnerability in the Windows SMB client (the component that allows file and printer sharing over a network). Although it hasn’t been seen actively exploited, it was publicly disclosed before the patch, making it equally urgent.

This flaw allows an attacker with network access to escalate privileges to SYSTEM, the highest level in Windows. How? By running a specially crafted script that forces the victim to reconnect to the attacker’s system via SMB, authenticating in the process.

Although Microsoft hasn’t detailed how it was disclosed, the site Born City reported that DFN-CERT, the cybersecurity response team for Germany’s academic network, began issuing alerts this week following a report by RedTeam Pentesting.

The Good News? While there is now an official patch, it can also be temporarily mitigated by enabling SMB signing on the server side using group policies.

Read more: What is Third-Party Patch Management?

All Fixes from the June 2025 Patch Tuesday

If you're interested in the technical details, here’s the full list of vulnerabilities Microsoft addressed with the June 2025 Patch Tuesday updates. Get ready—there are quite a few important points to take into account.

Conclusion

The June 2025 Patch Tuesday was far from ordinary. With 66 vulnerabilities addressed, it's clear that keeping our systems updated is not optional—it's essential.

Threats evolve quickly, and attackers don't wait. A single click on a malicious link or an unpatched system can open the door to data breaches, system hijacking, and chain attacks. So if you haven't done it yet, install the updates as soon as possible.