Patch Tuesday, June 2025 Version – Krebs on Safety – Cyber Tech

Microsoft at this time launched safety updates to repair at the least 67 vulnerabilities in its Home windows working techniques and software program. Redmond warns that one of many flaws is already beneath energetic assault, and that software program blueprints exhibiting methods to exploit a pervasive Home windows bug patched this month are actually public.

The only zero-day flaw this month is CVE-2025-33053, a distant code execution flaw within the Home windows implementation of WebDAV — an HTTP extension that lets customers remotely handle information and directories on a server. Whereas WebDAV isn’t enabled by default in Home windows, its presence in legacy or specialised techniques nonetheless makes it a related goal, mentioned Seth Hoyt, senior safety engineer at Automox.

Adam Barnett, lead software program engineer at Rapid7, mentioned Microsoft’s advisory for CVE-2025-33053 doesn’t point out that the Home windows implementation of WebDAV is listed as deprecated since November 2023, which in sensible phrases implies that the WebClient service now not begins by default.

“The advisory additionally has assault complexity as low, which implies that exploitation doesn’t require preparation of the goal atmosphere in any manner that’s past the attacker’s management,” Barnett mentioned. “Exploitation depends on the person clicking a malicious hyperlink. It’s not clear how an asset can be instantly weak if the service isn’t working, however all variations of Home windows obtain a patch, together with these launched because the deprecation of WebClient, like Server 2025 and Home windows 11 24H2.”

Microsoft warns that an “elevation of privilege” vulnerability within the Home windows Server Message Block (SMB) consumer (CVE-2025-33073) is more likely to be exploited, provided that proof-of-concept code for this bug is now public. CVE-2025-33073 has a CVSS danger rating of 8.8 (out of 10), and exploitation of the flaw results in the attacker gaining “SYSTEM” degree management over a weak PC.

“What makes this particularly harmful is that no additional person interplay is required after the preliminary connection—one thing attackers can typically set off with out the person realizing it,” mentioned Alex Vovk, co-founder and CEO of Action1. “Given the excessive privilege degree and ease of exploitation, this flaw poses a big danger to Home windows environments. The scope of affected techniques is in depth, as SMB is a core Home windows protocol used for file and printer sharing and inter-process communication.”

Past these highlights, 10 of the vulnerabilities mounted this month had been rated “essential” by Microsoft, together with eight distant code execution flaws.

Notably absent from this month’s patch batch is a repair for a newly found weak point in Home windows Server 2025 that enables attackers to behave with the privileges of any person in Lively Listing. The bug, dubbed “BadSuccessor,” was publicly disclosed by researchers at Akamai on Could 21, and a number of other public proof-of-concepts are actually obtainable. Tenable’s Satnam Narang mentioned organizations which have at the least one Home windows Server 2025 area controller ought to evaluation permissions for principals and restrict these permissions as a lot as potential.

Adobe has launched updates for Acrobat Reader and 6 different merchandise addressing at the least 259 vulnerabilities, most of them in an replace for Expertise Supervisor. Mozilla Firefox and Google Chrome each just lately launched safety updates that require a restart of the browser to take impact. The newest Chrome replace fixes two zero-day exploits within the browser (CVE-2025-5419 and CVE-2025-4664).

For an in depth breakdown on the person safety updates launched by Microsoft at this time, try the Patch Tuesday roundup from the SANS Web Storm Heart. Motion 1 has a breakdown of patches from Microsoft and a raft of different software program distributors releasing fixes this month. As at all times, please again up your system and/or knowledge earlier than patching, and be at liberty to drop a observe within the feedback if you happen to run into any issues making use of these updates.