Microsoft Patch Tuesday June 2025: 65+ Security Vulnerabilities Patched, Zero-Day Exploit Fixed

Microsoft’s June 2025 Patch Tuesday has arrived, delivering urgent security fixes for a broad range of its products. The company addressed more than 65 vulnerabilities, including a zero-day exploit that was being actively used in cyber espionage campaigns. This month’s updates are critical for both enterprise and individual users, reinforcing the importance of timely patching to protect against emerging threats.

Microsoft Patch Tuesday at a Glance

This month’s security release is notable for its breadth and the severity of the vulnerabilities addressed. Microsoft has fixed at least 65 security flaws (CVEs), with some sources reporting up to 67, depending on the counting methodology and inclusion of third-party patches. Of these, approximately 9 to 11 are rated Critical, and the rest are classified as Important in severity.

The standout fix is for CVE-2025-33053, a remote code execution (RCE) vulnerability in the WebDAV (Web Distributed Authoring and Versioning) component of Windows. This flaw was being actively exploited by the advanced persistent threat (APT) group known as Stealth Falcon (also called FruityArmor), which has a history of leveraging Windows zero-days for espionage purposes.

The Zero-Day Threat: CVE-2025-33053

CVE-2025-33053 is a remote code execution vulnerability in WebDAV, a protocol designed to extend HTTP for file management. While WebDAV has been deprecated since 2023 and is not enabled by default, Microsoft has chosen to patch the flaw across both current and legacy Windows and Windows Server versions, including some that are officially out of support.

The vulnerability has been exploited in real-world attacks, most notably in March 2025, when Stealth Falcon targeted a major defense organization in Turkey. The attack began with a phishing email containing a malicious .url file disguised as a PDF document related to military equipment damage. When executed, the file exploited the zero-day to launch malware from an attacker-controlled WebDAV server.

Attack Chain Details:

• Delivery: Phishing email with a .url file disguised as a PDF.

• Execution: The victim clicks the file, triggering the exploit.

• Exploitation: The exploit manipulates the Windows file execution search order, tricking a legitimate Windows utility (iediagcmd.exe, an Internet Explorer diagnostics tool) into executing malicious code hosted on a remote server.

• Payload: The attack delivers the Horus Agent, a custom-built implant designed for the Mythic command-and-control (C2) framework.

• Evasion: Attackers use techniques like string encryption and control flow flattening to complicate analysis and avoid detection.

This approach allows attackers to execute code remotely without dropping files directly onto the victim’s machine, making detection more challenging.

Other Critical Vulnerabilities and Risk Analysis

Beyond the zero-day, Microsoft patched several other critical vulnerabilities. Remote code execution (RCE) flaws were the most prominent, accounting for about 38% of the total patches1. Other risk types included information disclosure (26%) and elevation of privilege (20%).

Breakdown of Vulnerability Types:

• Remote Code Execution (RCE): 25–26 patches (38–39% of total)

• Information Disclosure: 17 patches (26%)

• Elevation of Privilege: 13–14 patches (20%)

• Denial of Service: 6 patches

• Security Feature Bypass: 3 patches

• Spoofing: 2 patches

These vulnerabilities affect a wide range of Microsoft products, including Windows, Office, .NET, Visual Studio, SharePoint, Microsoft Edge, Power Automate, and more.

Affected Products and Components

Windows and Windows Components:
The majority of the vulnerabilities are in Windows and its core components, including the kernel, shell, and various services. Both Windows 10 and Windows 11 are affected, along with related server versions.

Microsoft Office:
Four critical vulnerabilities were patched in Office, making it a continued target for attackers who use malicious documents to deliver payloads via email.

Other Products:
Patches were also released for:

• .NET and Visual Studio

• Microsoft Edge (Chromium-based)

• Power Automate

• Nuance Digital Engagement Platform

• Windows Cryptographic Services

• Windows Hello

• Windows Installer

• Windows Kernel

• Windows Local Security Authority (LSA)

• Windows Media

• Windows Netlogon

• Windows Remote Desktop Services

• Windows SMB

Notable Vulnerabilities and Exploitation

1. CVE-2025-33053: As discussed, this is the most urgent vulnerability to patch due to its active exploitation. Microsoft has even released patches for out-of-support operating systems, underscoring the severity of the threat.
2. Other Critical RCEs: Several other critical RCE vulnerabilities were patched, including in Office components. These are often exploited via malicious documents, making them a favorite vector for phishing campaigns.
3. Elevation of Privilege and Information Disclosure: These vulnerabilities could allow attackers to gain higher privileges on a system or access sensitive information, respectively. While not always exploited in the wild, they are frequently targeted in advanced attacks.

The Unpatched Vulnerability: BadSuccessor

Despite the extensive coverage, one notable vulnerability remains unpatched this month: BadSuccessor. This flaw affects Windows Server 2025 domain controllers and could have significant implications for enterprise environments. Microsoft has not provided a timeline for a fix, so organizations are advised to monitor for updates and apply mitigations if available.

Patch Tuesday: What You Need to Do

Given the severity and active exploitation of CVE-2025-33053, it is critical for all users—especially enterprises—to apply the June 2025 Patch Tuesday updates as soon as possible. Here are the recommended steps:

1. Apply All Available Updates:

   • Use Windows Update to install the latest security patches for Windows, Office, and other affected products.

   • For enterprise environments, deploy updates through your patch management system.

2. Prioritize Critical Systems:

   • Focus on systems that are exposed to the internet or handle sensitive data.

   • Ensure domain controllers, file servers, and endpoints are updated promptly.

3. Monitor for Unpatched Vulnerabilities:

   • Keep an eye on the status of BadSuccessor and other unpatched vulnerabilities.

   • Apply mitigations or workarounds if recommended by Microsoft.

4. Educate Users:

   • Remind users to be cautious with email attachments and links, especially those that appear to be documents or PDFs.

   • Conduct regular security awareness training to reduce the risk of phishing.

Cybersecurity

The June 2025 Patch Tuesday highlights several ongoing trends in cybersecurity:

1. Zero-Day Exploits Are Increasingly Common:
   Attackers are leveraging zero-day vulnerabilities to target high-value organizations, often using sophisticated tactics to evade detection.

2. Legacy Systems Remain at Risk:
   Even deprecated components like WebDAV can be exploited if not properly secured or removed.

3. Phishing Remains a Primary Attack Vector:
   Many critical vulnerabilities are exploited through phishing campaigns, underscoring the need for robust email security and user education.

Detailed Technical Overview

For those interested in the technical specifics, here is a deeper dive into the key vulnerabilities and their impact:

1. CVE-2025-33053 – WebDAV RCE: This vulnerability allows an attacker to execute arbitrary code on a victim’s system by tricking them into opening a specially crafted .url file. The exploit leverages the Windows file execution search order to load malicious code from a remote WebDAV server, using a legitimate Windows utility as a conduit. This technique is highly effective at bypassing traditional security controls, as it does not require the attacker to drop files on the victim’s machine.
2. Critical Office Vulnerabilities: Four critical RCE vulnerabilities in Office were patched. These are typically exploited via malicious documents, such as Word or Excel files, which are delivered via email. Once opened, the documents execute malicious code, often leading to full system compromise.
3. Elevation of Privilege and Information Disclosure: These vulnerabilities allow attackers to gain higher privileges or access sensitive information, respectively. They are often used in combination with other exploits to escalate attacks within a network.

Enterprise Impact and Recommendations

For enterprise IT teams, this month’s Patch Tuesday is a reminder of the importance of a robust patch management strategy. Key recommendations include:

• Automate Patch Deployment:
  Use automated tools to ensure all systems are updated promptly.

• Monitor for Exploits:
  Implement threat intelligence feeds to stay informed about active exploits and emerging threats.

• Segment Networks: Limit the spread of potential attacks by segmenting networks and restricting lateral movement.

• Regularly Audit Systems: Ensure that all systems are up to date and that deprecated components are removed or disabled.

Microsoft’s June 2025 Patch Tuesday is a critical security event, addressing over 65 vulnerabilities—including a zero-day exploit that was actively used in cyber espionage. The updates cover a wide range of products, from Windows and Office to .NET and SharePoint, and are essential for protecting against both known and emerging threats.

The active exploitation of CVE-2025-33053 underscores the need for immediate action, especially for enterprises and organizations handling sensitive data. While most vulnerabilities have been patched, the unpatched BadSuccessor flaw in Windows Server 2025 domain controllers remains a concern.

By staying vigilant, applying updates promptly, and educating users, organizations can significantly reduce their risk of falling victim to these and future threats. As always, Microsoft’s Patch Tuesday serves as a reminder of the ever-evolving landscape of cybersecurity and the importance of proactive defense.

To access the full description of each vulnerability and the systems it affects, check this chart below.