Microsoft’s June Patch Tuesday Tackles 65 Vulnerabilities


Microsoft addressed 65 CVEs in its June 2025 Patch Tuesday release, nine of which are rated critical and 56 important (one additional vulnerability, reported by CERT/CC, is not included in this count).

Remote code execution (RCE) vulnerabilities accounted for 38.5% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities at 26.2%.

“Our CVE count for 2025 is already pushing us past the halfway mark of last year’s total of 1,009 patched CVEs,” said Tenable Research Engineer Satnam Narang. “As this number continues to grow year over year, so does the pressure on cyber defenders to mitigate these issues effectively. Tenable Research Special Operations is here to help with informed intelligence.”

“This month, there were only two zero-day vulnerabilities, one of which was exploited in the wild and the other publicly disclosed.”

Key vulnerabilities patched included:

CVE-2025-33053 | Web Distributed Authoring and Versioning (WebDAV) Remote Code Execution

CVE-2025-33053 is an RCE vulnerability in Web Distributed Authoring and Versioning (WebDAV). It was assigned a CVSSv3 score of 8.8 and is rated important. An attacker could exploit this vulnerability through social engineering by convincing a target to open a malicious URL or file. Successful exploitation would give the attacker the ability to execute code on the victim’s network.

According to Microsoft, it was exploited in the wild as a zero-day. It was reported by researchers at Check Point Research, who have released a blog post discussing the discovery of this zero-day. According to the researchers, CVE-2025-33053 was exploited by Stealth Falcon, an APT group that has been observed using zero-day exploits in espionage attacks.

CVE-2025-33073 | Windows SMB Client Elevation of Privilege Vulnerability

CVE-2025-33073 is an EoP vulnerability affecting the Windows Server Message Block (SMB) client. It was assigned a CVSSv3 score of 8.8 and was publicly disclosed prior to a patch being made available. According to Microsoft, successful exploitation requires an attacker to execute a crafted script to force a target device to connect to an attacker-controlled machine using SMB credentials. If successful, the attacker could elevate their privileges to SYSTEM.

CVE-2025-33070 | Windows Netlogon Elevation of Privilege Vulnerability

CVE-2025-33070 is an EoP vulnerability in Windows Netlogon. It was assigned a CVSSv3 score of 8.1 and is rated as critical. An attacker could exploit this vulnerability to gain domain administrator privileges. According to Microsoft, a successful attack requires the attacker to take additional actions in order to prepare a target for exploitation. Despite these requirements, Microsoft has assessed this vulnerability as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953 | Microsoft Office Remote Code Execution Vulnerability

CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953 are RCE vulnerabilities affecting Microsoft Office. Each of these critical vulnerabilities was assigned a CVSSv3 score of 8.4, and all except CVE-2025-47953 were assessed as “Exploitation More Likely.” Microsoft notes that the Preview Pane is an attack vector for exploitation of these vulnerabilities.

In addition, CVE-2025-47173, another RCE in Microsoft Office, was patched this month. It received a CVSSv3 score of 7.8, was rated as important and was assessed as “Exploitation Unlikely.” Unlike the other Office vulnerabilities, the Preview Pane is not an attack vector for CVE-2025-47173.

CVE-2025-33071 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability

CVE-2025-33071 is an RCE vulnerability affecting the Windows Kerberos Key Distribution Center (KDC) proxy service, an authentication mechanism used for KDC servers over HTTPS. It received a CVSSv3 score of 8.1 and is rated as critical. An unauthenticated attacker could exploit this vulnerability by utilising a crafted application to exploit a cryptographic protocol vulnerability in order to execute arbitrary code. According to the advisory, this only impacts Windows Servers that have been “configured as a [MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol server.” While the advisory does mention that exploitation requires the attacker to win a race condition, this vulnerability was still assessed as “Exploitation More Likely.”

CVE-2025-32713 | Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2025-32713 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. CVE-2025-32713 was assessed as “Exploitation More Likely.” Successful exploitation would allow an attacker to elevate their privileges to SYSTEM.

Prior to this month’s release, Microsoft had patched five other EoP vulnerabilities in the Windows CLFS driver in 2025, three of which were exploited as zero-days. These include CVE-2025-29824 from the April 2025 Patch Tuesday release and both CVE-2025-32701 and CVE-2025-32706, which were patched in the May 2025 Patch Tuesday release.

“One notable exploited in the wild zero-day from this release is CVE-2025-33053, a remote code execution vulnerability in Web Distributed Authoring and Versioning or WebDAV, a protocol for extending HTTP protocol functionality for interacting with files,” said Narang. “Check Point Research confirmed that Stealth Falcon launched a social engineering campaign to convince targets to open a malicious .url file, which would then exploit this vulnerability, giving them the ability to execute code.”

“It is rare to hear of a zero-day reported during Patch Tuesday as being leveraged widely. We typically expect these types of zero-days to be used sparingly, with an intention to remain undetected for as long as possible. However, not all zero-days are used stealthily. The precedent set by groups like Cl0p with file transfer appliances shows that zero-days can rapidly become widespread when money is the motivator.”

“This month, Microsoft did not patch BadSuccessor, a zero-day elevation of privilege vulnerability, despite its disclosure by researchers at Akamai on May 21 and the subsequent release of public proof-of-concepts, including a .NET implementation dubbed SharpSuccessor, and its inclusion in NetExec and BloodyAD. BadSuccessor only affects domains that have at least one Windows Server 2025 domain controller, a rare configuration that we’ve observed in just 0.7% of AD domains based on a subset of our telemetry data,” Narang continued. “Nonetheless, we know that Microsoft intends to fix the flaw, but not this month. Organisations that do have at least one Windows Server 2025 domain controller should review permissions for principals and limit those permissions as much as possible.

“Microsoft recently updated its advisory for CVE-2025-21204, an elevation of privilege vulnerability that was patched in April. As part of that release, Microsoft created a folder on systems under %systemdrive%\inetpub, noting that it was important to “increase protection.” Understandably, some users were concerned about the creation of a new folder on their systems, so many deleted it. In its latest update, Microsoft published a remediation script that will restore this folder with the correct permissions and update access control lists (ACLs). Users are advised to run this script from Microsoft directly if they manually removed the folder.”
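The two pieces of advice above (check whether your domain has any Windows Server 2025 domain controller, and check whether the %systemdrive%\inetpub folder created for CVE-2025-21204 is still present with its ACL intact) are easy to turn into a read-only pre-check. The PowerShell below is an added example, not code from the article, from Tenable or from Microsoft; it assumes the ActiveDirectory RSAT module is installed and the caller can read the domain, and it only reports. It deliberately does not try to recreate the folder or its permissions, which is what Microsoft's own remediation script is for.

```powershell
# Added example (not from the article, Tenable or Microsoft): read-only pre-checks
# for the BadSuccessor precondition and the CVE-2025-21204 inetpub folder.
# Assumes: ActiveDirectory module (RSAT) available, caller has read access to AD.

Import-Module ActiveDirectory

function Get-Server2025DomainController {
    # BadSuccessor only matters in domains with at least one Windows Server 2025 DC,
    # so enumerate all DCs in the current domain and return only those.
    Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -like '*Server 2025*' } |
        Select-Object HostName, OperatingSystem, Site, IsGlobalCatalog
}

function Test-InetpubFolder {
    # CVE-2025-21204: report whether %systemdrive%\inetpub exists and who holds
    # rights on it. Reports only; restoring it is left to Microsoft's script.
    $path = Join-Path $env:SystemDrive 'inetpub'
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        return [pscustomobject]@{ Path = $path; Present = $false; Owner = $null; Access = @() }
    }
    $acl = Get-Acl -LiteralPath $path
    [pscustomobject]@{
        Path    = $path
        Present = $true
        Owner   = $acl.Owner
        Access  = @($acl.Access | ForEach-Object {
            '{0}: {1} ({2})' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType
        })
    }
}

# Usage: run on a domain-joined admin workstation.
$dc2025 = @(Get-Server2025DomainController)
if ($dc2025.Count -gt 0) {
    Write-Warning ("{0} Windows Server 2025 domain controller(s) found; review and limit principal permissions (BadSuccessor precondition present)." -f $dc2025.Count)
    $dc2025 | Format-Table -AutoSize
} else {
    Write-Host 'No Windows Server 2025 domain controllers found in this domain.'
}

$inetpub = Test-InetpubFolder
if (-not $inetpub.Present) {
    Write-Warning ("{0} is missing; run Microsoft's remediation script for CVE-2025-21204 to restore it with the correct ACLs." -f $inetpub.Path)
} else {
    $inetpub | Format-List
}
```

The folder check keeps the ACL entries as readable strings so the output can be pasted into a ticket or compared across hosts; the decision about whether those entries are correct is left to Microsoft's published remediation, which the article says should be run directly rather than reproduced.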
