Microsoft Patch Tuesday June 2025 – 66 Vulnerabilities Patched Including 2 Zero-Day

Microsoft has released its June 2025 Patch Tuesday security updates, addressing a total of 66 vulnerabilities across its software ecosystem.

This month’s updates include fixes for ten critical vulnerabilities and two zero-day flaws, one of which is actively exploited in the wild and another that was publicly disclosed.

The patches cover a wide range of products, including Windows, Microsoft Office, .NET, Visual Studio, and more.

Microsoft Patch Tuesday June – Key Highlights

• 66 vulnerabilities patched, including 13 elevation of privilege, 25 remote code execution, 17 information disclosure, 6 denial of service, 3 security feature bypass, and 2 spoofing vulnerabilities.
• Ten critical vulnerabilities, with eight remote code execution flaws and two elevation of privilege bugs.
• Two zero-day vulnerabilities, one actively exploited and one publicly disclosed, posing immediate risks to unpatched systems.
• Updates do not include fixes for Mariner, Microsoft Edge, or Power Automate, which were addressed earlier this month.

Here is a table listing the vulnerabilities, with those rated as Critical at the top, followed by the Important vulnerabilities:

Two Zero-Day Vulnerabilities in Focus

1. CVE-2025-33053 – Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability (Actively Exploited)

This actively exploited zero-day vulnerability affects Microsoft Windows Web Distributed Authoring and Versioning (WebDAV).

Discovered by Alexandra Gofman and David Driker of Check Point Research, the flaw allows a remote attacker to execute arbitrary code on a victim’s system if the user clicks a specially crafted WebDAV URL.

According to Check Point Research, “Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.” Microsoft has confirmed that the vulnerability is being exploited in the wild, though specific details about the attacks remain undisclosed.

2. CVE-2025-33073 – Windows SMB Client Elevation of Privilege Vulnerability (Publicly Disclosed)

This publicly disclosed zero-day vulnerability resides in the Windows SMB (Server Message Block) client, enabling attackers to gain SYSTEM-level privileges on vulnerable devices.

Microsoft explains that “improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network” by executing a malicious script that coerces the victim’s machine to authenticate via SMB to the attacker’s system.

The flaw was reported by multiple researchers, including Keisuke Hirata (CrowdStrike), Synacktiv, Stefan Walter (SySS GmbH), RedTeam Pentesting GmbH, and James Forshaw (Google Project Zero).

Born City noted that DFN-CERT issued warnings about the flaw following alerts from RedTeam Pentesting.

While a patch is now available, Microsoft suggests mitigating the issue by enforcing server-side SMB signing through Group Policy.

Critical Vulnerabilities Addressed

Among the ten critical vulnerabilities patched, eight are remote code execution flaws affecting products like Microsoft Office, SharePoint Server, Windows Cryptographic Services, Windows KDC Proxy Service, Windows Netlogon, and Windows Remote Desktop Services.

The two critical elevation of privilege vulnerabilities impact Windows Netlogon and other components.

These critical flaws could allow attackers to take full control of affected systems, making timely patching essential.

Notable critical vulnerabilities include:

• CVE-2025-47164, CVE-2025-47167, CVE-2025-47162, CVE-2025-47953 (Microsoft Office): Remote code execution vulnerabilities that could allow attackers to execute malicious code via specially crafted Office files.
• CVE-2025-47172 (Microsoft SharePoint Server): A critical remote code execution flaw that could compromise SharePoint environments.
• CVE-2025-29828 (Windows Schannel): A critical remote code execution vulnerability in Windows Cryptographic Services.
• CVE-2025-32710 (Windows Remote Desktop Services): A critical remote code execution flaw that could be exploited over a network.

The June 2025 Patch Tuesday also addresses numerous important-severity vulnerabilities, including:

• Windows Storage Management Provider: Thirteen information disclosure vulnerabilities (e.g., CVE-2025-24065, CVE-2025-33055) that could leak sensitive data.
• Microsoft Office Components: Multiple remote code execution flaws in Excel, Outlook, PowerPoint, and Word (e.g., CVE-2025-47165, CVE-2025-47171, CVE-2025-47175).
• Windows SMB: Another elevation of privilege vulnerability (CVE-2025-32718) alongside the zero-day CVE-2025-33073.
• Windows Secure Boot: A security feature bypass vulnerability (CVE-2025-3052) in InsydeH2O, reported by Cert CC.

Updates from Other Vendors

In addition to Microsoft, several other vendors released security updates in June 2025:

• Adobe: Patches for InCopy, Experience Manager, Commerce, InDesign, and Acrobat Reader.
• Cisco: Fixes for three vulnerabilities in Identity Services Engine and Customer Collaboration Platform.
• Fortinet: Updates for an OS command injection flaw in FortiManager and FortiAnalyzer.
• Google: Android and Chrome updates, including a fix for an actively exploited Chrome zero-day.
• SAP: Security updates for a critical missing authorization check in SAP NetWeaver.

Recommendations

Organizations and individuals are urged to apply the June 2025 Patch Tuesday updates as soon as possible, particularly due to the actively exploited zero-day (CVE-2025-33053) and the publicly disclosed flaw (CVE-2025-33073).

Prioritize patching systems exposed to the internet, such as those running WebDAV or SMB services, and ensure critical vulnerabilities in Office and Windows components are addressed promptly.

For more details on non-security updates, refer to Microsoft’s articles on Windows 11 KB5060842 and KB5060999, and Windows 10 KB5060533 cumulative updates. To view the full list of resolved vulnerabilities, visit Microsoft’s Security Update Guide.