Microsoft has released a sweeping security update addressing 67 vulnerabilities across its software ecosystem. This includes a critical zero-day vulnerability in Web Distributed Authoring and Versioning (WebDAV) that is currently being exploited in real-world attacks.
Breakdown of June 2025 Patch Tuesday Update
The June 2025 update categorizes 11 vulnerabilities as Critical and 56 as Important. Among the issues patched are:
- 26 Remote Code Execution (RCE) flaws
- 17 Information Disclosure bugs
- 14 Privilege Escalation vulnerabilities
In addition to these, Microsoft resolved 13 security issues in its Chromium-based Edge browser since the last Patch Tuesday.
Zero-Day Exploitation: CVE-2025-33053 in WebDAV
One of the most significant threats patched this month is a remote code execution flaw in WebDAV, tracked as CVE-2025-33053 with a CVSS score of 8.8. The flaw can be exploited by tricking users into clicking a specially crafted URL, which triggers malware execution via a remote server.
This zero-day, the first ever reported in the WebDAV protocol, was discovered by Check Point researchers Alexandra Gofman and David Driker. According to Check Point, the flaw enables attackers to manipulate the working directory to execute code remotely.
Stealth Falcon’s Targeted Campaign
Cybersecurity researchers have attributed the exploitation of CVE-2025-33053 to Stealth Falcon, also known as FruityArmor, a threat actor known for leveraging Windows zero-days. In a recent attack targeting a Turkish defense contractor, Stealth Falcon deployed a malicious shortcut file in a phishing email, which launched a sophisticated malware delivery chain.
The attack began with a .url file exploiting the WebDAV flaw to run `iediagcmd.exe`, a legitimate Internet Explorer diagnostics tool. This tool then launched Horus Loader, which served a decoy PDF document while loading Horus Agent, a custom implant built using the Mythic command-and-control framework.
Written in C++, Horus Agent is an evolution of the group’s previous implant, *Apollo*, and incorporates stealth enhancements such as string encryption and control flow flattening. It connects to a remote server to fetch commands such as system enumeration, file access, and shellcode injection.
New Tools in the Threat Actor’s Arsenal
Check Point’s analysis also identified previously undocumented tools used in the campaign, including:
- Credential Dumper, which extracts credentials from compromised Domain Controllers
- Passive Backdoor, which listens for incoming C2 requests and executes shellcode
- Keylogger, which is custom-built in C++ to record keystrokes into a temporary file, lacking direct C2 capability
These tools are protected with commercial obfuscation software and customized to avoid reverse engineering.
CISA Response and Industry Concerns
Due to the active exploitation of CVE-2025-33053, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies patch the flaw by July 1, 2025.
Mike Walters, President of Action1, emphasized that the flaw is particularly dangerous due to WebDAV’s widespread use in enterprise environments for file sharing and collaboration, often without a full understanding of the security implications.
Other High-Impact Vulnerabilities
Among the most critical issues resolved is a privilege escalation flaw in Microsoft Power Automate (CVE-2025-47966), which scored 9.8 on the CVSS scale. Microsoft confirmed no user action is needed for this patch.
Other notable vulnerabilities include:
- CVE-2025-32713 – Elevation of privilege in Common Log File System Driver
- CVE-2025-33070 – Privilege escalation in Windows Netlogon
- CVE-2025-33073 – A publicly known vulnerability in Windows SMB Client, which researchers revealed is in fact an authenticated RCE via a reflective Kerberos relay attack
Security researcher Ben McCarthy noted that the CLFS vulnerability is a low-complexity heap overflow that has drawn attention from ransomware actors in recent months.
Meanwhile, CVE-2025-33073, reported by multiple research teams including Google Project Zero and Synacktiv, allows attackers to achieve SYSTEM-level command execution by exploiting improperly configured SMB signing.
KDC Proxy Flaw and Secure Boot Bypasses
CVE-2025-33071, a remote code execution vulnerability in Windows KDC Proxy, involves a cryptographic race condition. According to Rapid7’s Adam Barnett, it is likely to be exploitable in real-world scenarios due to the nature of KDC proxy exposure in enterprise networks.
Additionally, Microsoft patched a Secure Boot bypass vulnerability (CVE-2025-3052), discovered by Binarly. The issue affects UEFI applications signed with Microsoft’s third-party UEFI certificate and allows malicious code to execute before the operating system loads.
CERT/CC explained that the root cause lies in how DT Research’s UEFI apps handle NVRAM variables. Improper access control allows an attacker to modify critical firmware structures, enabling persistence and system compromise at the firmware level.
Hydroph0bia: Another Secure Boot Bypass Left Unpatched by Microsoft
Though not affecting Microsoft directly, another Secure Boot bypass (CVE-2025-4275), dubbed Hydroph0bia, was also disclosed. This vulnerability stems from unsafe use of an unprotected NVRAM variable in InsydeH2O firmware, allowing attackers to inject their own trusted digital certificates and execute arbitrary firmware during early boot.
Needless to say, organizations are urged to prioritize the newly patched vulnerabilities, especially those under active exploitation like CVE-2025-33053.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: