Microsoft's June 2025 Patch Tuesday addresses 66 vulnerabilities across its product suite, including a high-severity zero-day in the WebDAV service that is currently being exploited in the wild.
The most critical flaws this month impact core Windows services, remote access components, and Microsoft Office products.
The zero-day vulnerability, tracked as CVE-2025-33053, is a remote code execution flaw in Web Distributed Authoring and Versioning (WebDAV), a legacy extension of HTTP used for collaborative editing and file management. Researchers Alexandra Gofman and David Driker from Check Point Research discovered and reported the issue. Microsoft confirmed exploitation in the wild, classifying the vulnerability as “Important” with a CVSS score of 8.8.
The vulnerability stems from an ‘external control of file name or path' problem, allowing attackers to craft malicious URLs that, when clicked, lead to arbitrary code execution on the target system. The attack requires no special privileges but does involve user interaction. All supported versions of Windows are affected. Although Microsoft has deprecated Internet Explorer and Edge Legacy, the underlying MSHTML and WebBrowser control components remain exposed and require patching via IE Cumulative Updates for full protection.
Beyond the zero-day, several other high-severity issues were addressed:
- CVE-2025-47966 (CVSS 9.8) in Power Automate, enabling remote code execution over the network without user interaction or privileges.
- CVE-2025-33064 & CVE-2025-33066 (CVSS 8.8) in Windows Routing and Remote Access Service (RRAS), both allowing attackers to execute code remotely with low complexity.
Multiple vulnerabilities in Windows SMB, Remote Desktop Services, Windows Kernel, and Office components (Word, Excel, PowerPoint, Outlook) were also patched, with CVSS scores ranging from 7.5 to 8.8.
Several flaws were flagged as “more likely to be exploited,” including:
- CVE-2025-32713 and CVE-2025-32714, both local privilege escalation vulnerabilities in the Common Log File System Driver and Windows Installer, respectively.
- CVE-2025-33070 and CVE-2025-33071, affecting Windows Netlogon and KDC Proxy Service, both scoring 8.1, pose serious risks in enterprise network environments.
Windows 11 version 24H2 receives its latest cumulative update under KB5060842. In addition to security fixes, it includes functional improvements introduced in late May via KB5058499. Notably, System Restore now retains restore points for up to 60 days, improving recovery options. A fix for Windows Hello for Business also resolves issues with sign-ins using self-signed certificates under the Key Trust model.
A known issue persists related to CJK (Chinese, Japanese, Korean) text rendering when displayed at 96 DPI in Chromium-based browsers. The problem, introduced in March 2025 with the adoption of Noto fonts, causes blurry characters at default scaling. Microsoft recommends increasing display scaling to 125% or higher as a temporary workaround while a permanent fix is investigated.
The June 2025 updates are available via Windows Update, Microsoft Update, and WSUS (Windows Server Update Services). The security updates can also be manually downloaded from Microsoft's Update Catalog. Users are strongly encouraged to apply these patches as soon as possible to protect their systems from active exploitation.
Regular users can apply the update on Windows 11 through Settings → Windows Update, and clicking ‘Check for Updates.' The process will start automatically, and a system reboot will be required for the patches to apply.
Before starting the update process, make sure to take backups of the most important data, as problems can occur that may render the system irrecoverable.
Leave a Reply