Microsoft’s June Patch Tuesday: A Lighter Load with Critical Vulnerabilities

On June 10, Microsoft released its latest Patch Tuesday update, providing a welcome respite for system administrators as they head into the summer months. This month’s update is notably lighter than recent ones, addressing just 70 security flaws, including two potential zero-day vulnerabilities. While the workload may be reduced, the urgency for patching certain vulnerabilities remains high.

Key Vulnerabilities to Address

Among the vulnerabilities highlighted in this update, two stand out due to their severity and potential impact:

1. CVE-2025-33053: This remote code execution (RCE) flaw affects Web Distributed Authoring and Versioning (WEBDAV). Microsoft has indicated that this vulnerability is already being exploited in the wild, although proof-of-concept code is not publicly available. The flaw has a CVSS score of 8.8, indicating its critical nature.

2. CVE-2025-33073: This elevation of privilege (EoP) vulnerability exists within the Windows Server Message Block (SMB) Client, also carrying a CVSS score of 8.8. Unlike the first CVE, this one has publicly available proof-of-concept code, making it a significant concern for organizations.

The Urgency of CVE-2025-33053

CVE-2025-33053 poses a particularly pressing threat due to its exploitation of legacy systems that still utilize the outdated Internet Explorer browser. This vulnerability allows attackers to execute remote code on affected systems when users click on malicious URLs. The implications are severe, especially for organizations that rely on WEBDAV for remote file sharing and collaboration.

Mike Walters, president and co-founder of Action1, emphasized the widespread use of WEBDAV in enterprise environments, noting that many organizations enable it for legitimate business needs without fully understanding the associated security risks. With an estimated 70 to 80% of enterprises potentially vulnerable, the urgency for patching this flaw cannot be overstated.

Understanding CVE-2025-33073

The second critical vulnerability, CVE-2025-33073, allows attackers to gain elevated permissions on compromised systems. Cyber threat intelligence researcher Ben Hopkins explained that such vulnerabilities are highly sought after by threat actors. Once an attacker gains initial access—often through phishing or exploiting another vulnerability—they can leverage privilege escalation flaws to gain deeper control over the system.

With elevated privileges, attackers could disable security tools, access sensitive data, install persistent malware, or move laterally across the network to compromise additional systems. Given the critical role of SMB in Windows networking, organizations are urged to prioritize the application of necessary security patches to mitigate the risks associated with this vulnerability.

A Broader Look at June’s Patch Tuesday

In addition to the two zero-day vulnerabilities, the June Patch Tuesday update addresses 10 critical flaws, including four affecting Microsoft Office. Other critical vulnerabilities impact Microsoft SharePoint Server, Power Automate, Windows KDC Proxy Service (KPSSVC), Windows Netlogon, Windows Remote Desktop Services, and Windows Schannel. Among these, eight are RCE issues, while the remaining two enable privilege escalation.

Kev Breen, senior director of threat research at Immersive, highlighted the importance of addressing the Office vulnerabilities, which include use-after-free, heap-based buffer overflow, and type confusion RCE flaws. Attackers could craft malicious documents that, when opened by victims, would allow remote command execution on their computers. Notably, Microsoft has indicated that there are no updates available for Microsoft 365 at the time of release, raising concerns about the potential for threat actors to reverse-engineer patches and create n-day exploits.

Conclusion

While the June Patch Tuesday update offers a lighter load for system administrators, the presence of critical vulnerabilities like CVE-2025-33053 and CVE-2025-33073 underscores the ongoing need for vigilance in cybersecurity. Organizations must prioritize patching these vulnerabilities to safeguard their systems against potential exploitation. As the summer approaches, the importance of maintaining robust security practices remains paramount in the ever-evolving landscape of cyber threats.