
Microsoft patched 68 vulnerabilities in the June Patch Tuesday roundup. The most high-profile CVE this month is CVE-2025-33053, which had already been exploited; Check Point Research found that Stealth Falcon, an advanced threat actor group, had used it to spy on a defense company in Turkey and other defense organizations in the Middle East.
WebDAV flaw actively exploited for targeted espionage
CVE-2025-33053 spreads through a malicious URL or file delivered through social engineering. Check Point Research discovered it in March and disclosed that it uses a previously unknown method of executing files on a Web Distributed Authoring and Versioning (WebDAV) server. Using WebDAV, a deprecated HTTP extension, the attackers executed a malicious file through a PDF document.
“Given the active exploitation of this vulnerability, this is the update that should be prioritized this month,” said Tyler Reguly, associate director of Security R&D at Fortra, in an email to TechRepublic. “It is important to note that there may be multiple updates to install on older versions of Windows.”
This flaw is unlikely to affect organizations outside the targeted groups.
“It is rare to hear of a zero-day reported during Patch Tuesday as being leveraged widely,” said Satnam Narang, senior staff research engineer at Tenable, in an email to TechRepublic. “We typically expect these types of zero-days to be used sparingly, with an intention to remain undetected for as long as possible.”
Proof-of-concept exploit for Windows SMB client vulnerability found in the wild
CVE-2025-33073 is a vulnerability in the Windows client for SMB, a protocol used for network file sharing. It has a relatively high CVSS score (8.8) because the proof-of-concept exploit code – the ‘blueprint’ for how to launch an attack with it – has been made public. This vulnerability could enable elevation-of-privilege attacks across a network via improper access controls in Windows SMB.
“What makes this especially dangerous is that no further user interaction is required after the initial connection—something attackers can often trigger without the user realizing it,” said Alex Vovk, CEO and co-founder of Action1, in an email to TechRepublic. “Given the high privilege level and ease of exploitation, this flaw poses a significant risk to Windows environments.”
A set of remote code execution vulnerabilities targets Microsoft Office
Action1 noted that four of the vulnerabilities could enable remote code execution in Microsoft Office. CVE-2025-47167, CVE-2025-47164, CVE-2025-47162, and CVE-2025-47953 can be exploited by opening Office attachments in emails, downloading documents from the web, visiting compromised websites, or simply by receiving an email in Outlook.
“Organizations should treat all four vulnerabilities with equal urgency due to their identical critical ratings and CVSS scores,” said Mike Walters, president and co-founder of Action1, in an email to TechRepublic.
At the moment, there are no patches for Microsoft 365 for Office against these vulnerabilities. Microsoft said, “Updates will be released as soon as possible.”
“With patches for Microsoft 365 delayed, it’s crucial to apply interim mitigations, such as disabling Outlook’s Preview Pane and enforcing strict attachment filtering, to reduce risk until official fixes are released,” Walters said.