Microsoft released its June 2025 security updates on Tuesday, delivering fixes for 66 vulnerabilities across its product line. The update is headlined by an urgent patch for a zero-day vulnerability in the WebDAV protocol that is being actively exploited in targeted cyber-espionage campaigns attributed to the sophisticated threat actor known as “Stealth Falcon.”
The actively exploited flaw, tracked as CVE-2025-33053, is a remote code execution vulnerability that could grant an attacker control over a victim’s system. Its use in the wild makes immediate patching a critical priority for enterprises. In total, the update addresses ten flaws rated ‘Critical’ by Microsoft and includes a fix for a second zero-day vulnerability, CVE-2025-33073, an elevation of privilege flaw in the Windows SMB Client that was publicly disclosed before a patch was available.
By category, the fixes comprise 25 for remote code execution, 13 for elevation of privilege, 17 for information disclosure, six for denial of service, three for security feature bypass, and two for spoofing. The combination of an active exploit and a publicly known bug makes this a particularly significant month for system administrators.
A Closer Look at the Zero-Day Threats
The two zero-day vulnerabilities represent the most immediate risks in the June patch cycle. The exploited WebDAV flaw, CVE-2025-33053, carries a CVSS severity score of 8.8. According to an analysis from Tenable, successful exploitation relies on social engineering, requiring an attacker to trick a user into clicking a specially crafted URL or file. Chris Goettl, vice president of product management for security products at Ivanti, argued that while Microsoft rated the flaw as ‘Important,’ a risk-based approach means it should be treated as “critical because it’s actively exploited.”
The second zero-day, CVE-2025-33073, is an elevation of privilege vulnerability in the Windows SMB protocol, also with a CVSS score of 8.8. An attacker who has already gained a foothold on a network could execute a crafted script to force a target device to connect to an attacker-controlled machine. This action could grant the attacker full SYSTEM-level privileges, effectively giving them complete control. Microsoft noted that while the patch is the recommended fix, the risk can also be mitigated by enforcing server-side SMB signing via Group Policy.
Behind the Attack: The ‘Stealth Falcon’ Espionage Campaign
The group leveraging the WebDAV zero-day, Stealth Falcon, is a well-resourced and persistent threat actor with a long history of targeting entities in the Middle East. Also known as FruityArmor, the group has been active since at least 2012 and is known for its use of custom malware and zero-day exploits. A detailed report by Check Point Research revealed the mechanics of the current campaign, which was first identified in an attack against a Turkish defense company in March 2025.
The attack begins with a spear-phishing email containing a malicious `.url` file. When opened, this file cleverly abuses a legitimate Windows tool, `iediagcmd.exe`. The vulnerability allows the attackers to manipulate the tool’s working directory, causing it to execute a malicious payload from a remote WebDAV server controlled by the threat actor.
This payload is a custom C++ implant for the Mythic C2 framework, which researchers have dubbed the “Horus Agent.” The malware is an evolution of a previous implant used by the group and is designed for stealthy reconnaissance and deploying further payloads.
According to Check Point, the group’s activities are largely focused on the Middle East and Africa, with high-profile government and defense targets observed in Turkey, Qatar, Egypt, and Yemen. The group’s history of using sophisticated custom-built payloads, as detailed in earlier research from ESET, underscores its advanced capabilities.
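For defenders triaging mail attachments, the `.url` delivery step described above can be checked statically. The following is an added example, not code from Check Point or Microsoft: it parses a `.url` file's `[InternetShortcut]` section and flags a local executable target combined with a remote working directory. The finding names, the watched-tool list and the sample files are assumptions constructed for illustration.

```python
import configparser
import re

# Remote locations: UNC paths (including the WebDAV redirector form
# \\host@SSL@443\DavWWWRoot\...) and network URL schemes.
REMOTE_PATH = re.compile(r"^(\\\\|//|https?://|file://)", re.IGNORECASE)
LOCAL_EXE = re.compile(r"^(file:///)?[a-z]:[\\/].*\.(exe|com|scr|cpl)$", re.IGNORECASE)
WATCHED_TOOLS = ("iediagcmd.exe",)  # tool named in the article

# Constructed samples; the host name is a placeholder, not an indicator.
SUSPICIOUS = (
    "[InternetShortcut]\n"
    "URL=C:\\Program Files\\Internet Explorer\\iediagcmd.exe\n"
    "WorkingDirectory=\\\\files.example.invalid@SSL@443\\DavWWWRoot\\share\n"
)
BENIGN = "[InternetShortcut]\nURL=https://www.example.com/\n"


def parse_shortcut(text):
    """Return the [InternetShortcut] keys of a .url file, keys lower-cased."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
    except configparser.Error:
        return {}  # not a parseable shortcut file
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return dict(parser.items(section))
    return {}


def triage_shortcut(text):
    """Return findings for one .url file; an empty list means nothing flagged."""
    keys = parse_shortcut(text)
    target = keys.get("url", "").strip('" ')
    workdir = keys.get("workingdirectory", "").strip('" ')
    findings = []
    if LOCAL_EXE.match(target):
        findings.append("target-is-local-executable")
    if target.lower().endswith(WATCHED_TOOLS):
        findings.append("target-is-watched-tool")
    if REMOTE_PATH.match(workdir):
        findings.append("working-directory-is-remote")
    return findings


def is_high_risk(text):
    """True when a local executable is launched from a remote working directory."""
    needed = {"target-is-local-executable", "working-directory-is-remote"}
    return needed <= set(triage_shortcut(text))
```

The rule is deliberately broader than the one tool named in the campaign: any shortcut that pairs a local executable with a remote working directory is worth quarantining for review.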
More Than Just Zero-Days: A Broader Set of Critical Flaws
Beyond the zero-days, the June update addresses a significant number of other high-severity vulnerabilities. Among the ten ‘Critical’ flaws are several that could have a major impact on enterprises. A review from Zero Day Initiative highlights CVE-2025-33070, a critical elevation of privilege flaw in Windows Netlogon that could allow an attacker to gain control of domain controllers.
Microsoft SharePoint Server is also a focus, with a patch for what Action1 highlights as a critical SQL injection vulnerability (CVE-2025-47172) that can lead to remote code execution. Furthermore, four separate RCE vulnerabilities in Microsoft Office could be exploited simply by a user opening a malicious file or viewing it in Outlook’s preview pane, a notoriously dangerous attack vector.
Security experts have noted that the widespread use of the WebDAV protocol in corporate environments for file sharing makes its vulnerability particularly concerning for organizations that lack strict URL filtering or robust user training against phishing threats.
A Busy Month for System Administrators
Microsoft’s substantial patch release does not exist in a vacuum. It arrives during a busy month for security teams, with other major vendors also issuing significant updates. Adobe released a massive set of patches addressing 254 CVEs across its product suite, with the bulk of them affecting Experience Manager.
SAP also released its June patches, fixing 14 issues, including a critical vulnerability in SAP NetWeaver with a CVSS score of 9.6 that could allow an attacker to bypass authorization checks. This broader context illustrates the complex and demanding threat landscape facing organizations, where vulnerabilities in various interconnected systems create a constant stream of risk.
The June 2025 Patch Tuesday is a clear signal that sophisticated threat actors continue to find and exploit high-impact vulnerabilities in core enterprise software. The active exploitation of the WebDAV flaw by a known espionage group serves as a stark reminder of the ongoing cat-and-mouse game between attackers and defenders. For organizations, this month’s updates are not merely routine maintenance but a critical defense against active and credible threats, reinforcing the need for rapid and comprehensive patch management.
June 2025 Patch Tuesday Security Updates List
Product | CVE ID | CVE Title | Severity |
--- | --- | --- | --- |
.NET and Visual Studio | CVE-2025-30399 | .NET and Visual Studio Remote Code Execution Vulnerability | Important |
App Control for Business (WDAC) | CVE-2025-33069 | Windows App Control for Business Security Feature Bypass Vulnerability | Important |
Microsoft AutoUpdate (MAU) | CVE-2025-47968 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Important |
Microsoft Local Security Authority Server (lsasrv) | CVE-2025-33056 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Important |
Microsoft Office | CVE-2025-47164 | Microsoft Office Remote Code Execution Vulnerability | Critical |
Microsoft Office | CVE-2025-47167 | Microsoft Office Remote Code Execution Vulnerability | Critical |
Microsoft Office | CVE-2025-47162 | Microsoft Office Remote Code Execution Vulnerability | Critical |
Microsoft Office | CVE-2025-47173 | Microsoft Office Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2025-47953 | Microsoft Office Remote Code Execution Vulnerability | Critical |
Microsoft Office Excel | CVE-2025-47165 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office Excel | CVE-2025-47174 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office Outlook | CVE-2025-47171 | Microsoft Outlook Remote Code Execution Vulnerability | Important |
Microsoft Office Outlook | CVE-2025-47176 | Microsoft Outlook Remote Code Execution Vulnerability | Important |
Microsoft Office PowerPoint | CVE-2025-47175 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important |
Microsoft Office SharePoint | CVE-2025-47172 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical |
Microsoft Office SharePoint | CVE-2025-47166 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
Microsoft Office SharePoint | CVE-2025-47163 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
Microsoft Office Word | CVE-2025-47170 | Microsoft Word Remote Code Execution Vulnerability | Important |
Microsoft Office Word | CVE-2025-47957 | Microsoft Word Remote Code Execution Vulnerability | Important |
Microsoft Office Word | CVE-2025-47169 | Microsoft Word Remote Code Execution Vulnerability | Important |
Microsoft Office Word | CVE-2025-47168 | Microsoft Word Remote Code Execution Vulnerability | Important |
Nuance Digital Engagement Platform | CVE-2025-47977 | Nuance Digital Engagement Platform Spoofing Vulnerability | Important |
Remote Desktop Client | CVE-2025-32715 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important |
Visual Studio | CVE-2025-47959 | Visual Studio Remote Code Execution Vulnerability | Important |
WebDAV | CVE-2025-33053 | Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability | Important |
Windows Common Log File System Driver | CVE-2025-32713 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
Windows Cryptographic Services | CVE-2025-29828 | Windows Schannel Remote Code Execution Vulnerability | Critical |
Windows DHCP Server | CVE-2025-33050 | DHCP Server Service Denial of Service Vulnerability | Important |
Windows DHCP Server | CVE-2025-32725 | DHCP Server Service Denial of Service Vulnerability | Important |
Windows DWM Core Library | CVE-2025-33052 | Windows DWM Core Library Information Disclosure Vulnerability | Important |
Windows Hello | CVE-2025-47969 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability | Important |
Windows Installer | CVE-2025-33075 | Windows Installer Elevation of Privilege Vulnerability | Important |
Windows Installer | CVE-2025-32714 | Windows Installer Elevation of Privilege Vulnerability | Important |
Windows KDC Proxy Service (KPSSVC) | CVE-2025-33071 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability | Critical |
Windows Kernel | CVE-2025-33067 | Windows Task Scheduler Elevation of Privilege Vulnerability | Important |
Windows Local Security Authority (LSA) | CVE-2025-33057 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Important |
Windows Local Security Authority Subsystem Service (LSASS) | CVE-2025-32724 | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Important |
Windows Media | CVE-2025-32716 | Windows Media Elevation of Privilege Vulnerability | Important |
Windows Netlogon | CVE-2025-33070 | Windows Netlogon Elevation of Privilege Vulnerability | Critical |
Windows Recovery Driver | CVE-2025-32721 | Windows Recovery Driver Elevation of Privilege Vulnerability | Important |
Windows Remote Access Connection Manager | CVE-2025-47955 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important |
Windows Remote Desktop Services | CVE-2025-32710 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical |
Windows Routing and Remote Access Service (RRAS) | CVE-2025-33064 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important |
Windows Routing and Remote Access Service (RRAS) | CVE-2025-33066 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important |
Windows SDK | CVE-2025-47962 | Windows SDK Elevation of Privilege Vulnerability | Important |
Windows Secure Boot | CVE-2025-3052 | Cert CC: CVE-2025-3052 InsydeH2O Secure Boot Bypass | Important |
Windows Security App | CVE-2025-47956 | Windows Security App Spoofing Vulnerability | Important |
Windows Shell | CVE-2025-47160 | Windows Shortcut Files Security Feature Bypass Vulnerability | Important |
Windows SMB | CVE-2025-33073 | Windows SMB Client Elevation of Privilege Vulnerability | Important |
Windows SMB | CVE-2025-32718 | Windows SMB Client Elevation of Privilege Vulnerability | Important |
Windows Standards-Based Storage Management Service | CVE-2025-33068 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important |
Windows Storage Management Provider | CVE-2025-32719 | Windows Storage Management Provider Information Disclosure Vulnerability | Important |
Windows Storage Management Provider | CVE-2025-24065 | Windows Storage Management Provider Information Disclosure Vulnerability | Important |
Windows Storage Management Provider | CVE-2025-24068 | Windows Storage Management Provider Information Disclosure Vulnerability | Important |
Windows Storage Management Provider | CVE-2025-33055 | Windows Storage Management Provider Information Disclosure Vulnerability | Important |
Windows Storage Management Provider | CVE-2025-24069 | Windows Storage Management Provider Information Disclosure Vulnerability | Important |
Windows Storage Management Provider | CVE-2025-33060 | Windows Storage Management Provider Information Disclosure Vulnerability | Important |
Windows Storage Management Provider | CVE-2025-33059 | Windows Storage Management Provider Information Disclosure Vulnerability | Important |
Windows Storage Management Provider | CVE-2025-33062 | Windows Storage Management Provider Information Disclosure Vulnerability | Important |
Windows Storage Management Provider | CVE-2025-33061 | Windows Storage Management Provider Information Disclosure Vulnerability | Important |
Windows Storage Management Provider | CVE-2025-33058 | Windows Storage Management Provider Information Disclosure Vulnerability | Important |
Windows Storage Management Provider | CVE-2025-32720 | Windows Storage Management Provider Information Disclosure Vulnerability | Important |
Windows Storage Management Provider | CVE-2025-33065 | Windows Storage Management Provider Information Disclosure Vulnerability | Important |
Windows Storage Management Provider | CVE-2025-33063 | Windows Storage Management Provider Information Disclosure Vulnerability | Important |
Windows Storage Port Driver | CVE-2025-32722 | Windows Storage Port Driver Information Disclosure Vulnerability | Important |
Windows Win32K – GRFX | CVE-2025-32712 | Win32k Elevation of Privilege Vulnerability | Important |