Microsoft June 2025 Patch Tuesday

Microsoft has released its monthly set of security updates, known as Patch Tuesday. This month's release addresses two zero-day vulnerabilities.

Microsoft has fixed 70 vulnerabilities, 10 of which are classified as critical because they could allow an attacker to gain elevated privileges or execute arbitrary code and gain access to the affected systems.

June’s Patch Tuesday fixes security flaws in several Microsoft products, including .NET and Visual Studio, App Control for Business (WDAC), Microsoft AutoUpdate (MAU), Microsoft Local Security Authority Server (lsasrv), Remote Desktop Client, WebDAV, Windows Common Log File System Driver, Windows Cryptographic Services, Windows DHCP Server, Windows DWM Core Library, Windows Installer, Windows KDC Proxy Service (KPSSVC), Windows Kernel, Windows Local Security Authority (LSA), Windows Local Security Authority Subsystem Service (LSASS), Windows Recovery Driver, Windows Remote Access Connection Manager, Windows Routing and Remote Access Service (RRAS), Windows Secure Boot, Windows Security App, Windows Shell, Windows SMB, Windows Standards-Based Storage Management Service, Windows Storage Port Driver, Microsoft Office, Microsoft Office Excel, Microsoft Office Outlook, Microsoft Office PowerPoint, Microsoft Office Word and Microsoft Office SharePoint.

The actively exploited zero-day vulnerabilities fixed in June’s Patch Tuesday are:

  • Web Distributed Authoring and Versioning (WebDAV) Remote Code Execution Vulnerability “CVE-2025-33053”, which allows a remote attacker to execute arbitrary code and gain access to the affected system.
  • Windows SMB Client Elevation of Privilege Vulnerability “CVE-2025-33073”, which allows an authorized attacker to gain SYSTEM privileges on vulnerable devices.

Sample of the addressed vulnerabilities:

1. Microsoft Power Automate Privilege Escalation (CVE-2025-47966):

  • CVSS: 9.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Gain Privilege

2. Microsoft Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability (CVE-2025-33053):

  • CVSS: 8.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Consequences: Gain Access

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

References

Microsoft MSRC