Report Name: Microsoft Patch Tuesday, June 2025
Generated: 2025-06-10 23:18:38

Vulristics Vulnerability Scores
Basic Vulnerability Scores
Products

| Product Name | Prevalence | U, C, H, M, L (non-empty cells, in order) | A | Comment |
|---|---|---|---|---|
| Windows SMB Client | 0.9 | 1, 1 | 2 | Windows component |
| Windows Win32k | 0.9 | 1 | 1 | The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management. |
| Chromium | 0.8 | 2, 1, 7, 1 | 11 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
| Microsoft Office | 0.8 | 5 | 5 | Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer |
| Secure Boot | 0.8 | 1 | 1 | Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM) |
| Windows App Control for Business | 0.8 | 1 | 1 | Windows component |
| Windows Common Log File System Driver | 0.8 | 1 | 1 | Common Log File System is a general-purpose logging subsystem that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs |
| Windows DWM Core Library | 0.8 | 1 | 1 | Windows component |
| Windows Installer | 0.8 | 2 | 2 | Windows component |
| Windows KDC Proxy Service (KPSSVC) | 0.8 | 1 | 1 | Windows component |
| Windows Local Security Authority (LSA) | 0.8 | 2 | 2 | Windows component |
| Windows Media | 0.8 | 1 | 1 | Windows component |
| Windows Netlogon | 0.8 | 1 | 1 | Windows component |
| Windows Recovery Driver | 0.8 | 1 | 1 | Windows component |
| Windows Remote Access Connection Manager | 0.8 | 1 | 1 | Windows component |
| Windows Remote Desktop Client | 0.8 | 1 | 1 | Remote Desktop Protocol Client |
| Windows Remote Desktop Services | 0.8 | 1 | 1 | Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection |
| Windows Routing and Remote Access Service (RRAS) | 0.8 | 2 | 2 | Windows component |
| Windows SDK | 0.8 | 1 | 1 | Windows component |
| Windows Schannel | 0.8 | 1 | 1 | Windows component |
| Windows Security App | 0.8 | 1 | 1 | Windows component |
| Windows Shortcut Files | 0.8 | 1 | 1 | Windows component |
| Windows Standards-Based Storage Management Service | 0.8 | 1 | 1 | Windows component |
| Windows Storage Management Provider | 0.8 | 13 | 13 | Windows component |
| Windows Storage Port Driver | 0.8 | 1 | 1 | Windows component |
| Windows Task Scheduler | 0.8 | 1 | 1 | Windows component |
| Windows Virtualization-Based Security (VBS) | 0.8 | 1 | 1 | Windows component |
| libvpx | 0.8 | 1 | 1 | libvpx is a free software video codec library from Google and the Alliance for Open Media (AOMedia) |
| .NET and Visual Studio | 0.7 | 1 | 1 | .NET and Visual Studio |
| Microsoft Excel | 0.6 | 2 | 2 | MS Office product |
| Microsoft Outlook | 0.6 | 2 | 2 | Microsoft Outlook is a personal information manager software system from Microsoft, available as a part of the Microsoft 365 software suites |
| Microsoft PowerPoint | 0.6 | 1 | 1 | Microsoft PowerPoint |
| Microsoft Word | 0.6 | 4 | 4 | Microsoft Word is a widely used commercial word processor developed by Microsoft. It is a component of the Microsoft Office suite of productivity software but can also be purchased as a standalone product. |
| DHCP Server Service | 0.5 | 2 | 2 | DHCP Server Service |
| Local Security Authority Subsystem Service (LSASS) | 0.5 | 1 | 1 | Local Security Authority Subsystem Service (LSASS) |
| Microsoft AutoUpdate (MAU) | 0.5 | 1 | 1 | Microsoft AutoUpdate (MAU) |
| Microsoft Defender for Endpoint | 0.5 | 1 | 1 | Microsoft Defender for Endpoint |
| Microsoft Edge (Chromium-based) Update | 0.5 | 1 | 1 | Microsoft Edge (Chromium-based) Update |
| Microsoft SharePoint Server | 0.5 | 3 | 3 | Microsoft SharePoint Server |
| Nuance Digital Engagement Platform | 0.5 | 1 | 1 | Nuance Digital Engagement Platform |
| Power Automate | 0.5 | 1 | 1 | Power Automate |
| Web Distributed Authoring and Versioning (WEBDAV) | 0.5 | 1 | 1 | Web Distributed Authoring and Versioning (WEBDAV) |
| Visual Studio | 0.3 | 1 | 1 | Integrated development environment |


Vulnerability Types

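| Vulnerability Type | Criticality | U, C, H, M, L (non-empty cells, in order) | A |
|---|---|---|---|
| Remote Code Execution | 1.0 | 1, 11, 14 | 26 |
| Authentication Bypass | 0.98 | 1 | 1 |
| Security Feature Bypass | 0.9 | 1, 3 | 4 |
| Elevation of Privilege | 0.85 | 2, 14 | 16 |
| Information Disclosure | 0.83 | 18 | 18 |
| Denial of Service | 0.7 | 6 | 6 |
| Memory Corruption | 0.5 | 1, 3 | 4 |
| Spoofing | 0.4 | 4 | 4 |
| Unknown Vulnerability Type | 0 | 1, 1 | 2 |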


Comments

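| Source | U, C, H, M, L (non-empty cells, in order) | A |
|---|---|---|
| MS PT Extended | 2, 2, 10, 1 | 15 |
| Qualys | 1, 10, 7 | 18 |
| Tenable | 1, 7, 2 | 10 |
| Rapid7 | 1, 5 | 6 |
| ZDI | 1, 2, 1 | 4 |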


Vulnerabilities

Urgent (0)

Critical (3)

1. Remote Code Execution - Web Distributed Authoring and Versioning (WEBDAV) (CVE-2025-33053) - Critical [704]

Description: Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability

| Component | Value | Weight | Comment |
|---|---|---|---|
| Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (cisa_kev object), Microsoft websites |
| Exploit Exists | 0.6 | 17 | The existence of a private exploit is mentioned on Microsoft:PrivateExploit:Functional website |
| Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
| Vulnerable Product is Common | 0.5 | 14 | Web Distributed Authoring and Versioning (WEBDAV) |
| CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |

Qualys: CVE-2025-33053: Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability. External control of file name or path flaws in WebDAV allow an unauthenticated attacker to execute code over a network. An attacker must convince a user to open a specially crafted file to execute remote code. CISA added CVE-2025-33053 to its Known Exploited Vulnerabilities Catalog and urged users to patch it before July 1, 2025.

Qualys: Microsoft June 2025 Patch Tuesday Mitigations. We have Qualys-created mitigations for the following vulnerabilities: CVE-2025-33064, CVE-2025-33066, CVE-2025-47162, CVE-2025-47953, CVE-2025-47164, CVE-2025-47167, CVE-2025-47171, and CVE-2025-33053. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, we automate their configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for MS Outlook, Word, Excel, PowerPoint, etc. Another release of this mitigation set involves disabling and executing Windows shortcuts (.lnk) files by modifying specific Registry settings. Qualys TruRisk Mitigate product customers receive these scripts as part of the Patch Tuesday signature set. The next Patch Tuesday falls on July 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches’ webinar.

Tenable: Microsoft’s June 2025 Patch Tuesday Addresses 65 CVEs (CVE-2025-33053)

Tenable: CVE-2025-33053 | Web Distributed Authoring and Versioning (WebDAV) Remote Code Execution Vulnerability

Tenable: CVE-2025-33053 is a RCE in Web Distributed Authoring and Versioning (WebDAV). It was assigned a CVSSv3 score of 8.8 and is rated important. An attacker could exploit this vulnerability through social engineering, by convincing a target to open a malicious URL or file. Successful exploitation would give the attacker the ability to execute code on the victim’s network.

Tenable: According to Microsoft, it was exploited in the wild as a zero-day. It was reported by researchers at Check Point Research, who have released a blog post discussing the discovery of this zero-day. According to the researchers, CVE-2025-33053 was exploited by Stealth Falcon, an APT group that has been observed using zero-day exploits in espionage attacks.

Rapid7: Remember the WebDAV standard? It has been seven years since Microsoft has published a vulnerability in the Windows implementation of WebDAV, and today’s publication of CVE-2025-33053 is the first zero-day vulnerability on record. Originally dreamed up in the 1990s to support interactivity on the web, WebDAV may be familiar to Exchange admins and users of a certain vintage, since older versions of Exchange, up to and including Exchange Server 2010, supported WebDAV as a means for interacting with mailboxes and public folders.

Rapid7: It will surprise no one that Windows still more or less supports WebDAV, and that turns out to be a bit of a problem. Microsoft acknowledges Check Point Research (CPR) on the advisory; CPR in turn attributes exploitation of CVE-2025-33053 to an APT, which they track as Stealth Falcon, an established threat actor with a long-running interest in governments and government-adjacent entities across the Middle East and the surrounding area.

ZDI: CVE-2025-33053 – Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability. The ghost of Internet Explorer (IE) haunts us still, as this bug forces Windows to use the deprecated browser in various legacy applications. Microsoft doesn’t give any indication into how widespread these attacks are, but they have taken the extraordinary step of producing patches for platforms that are officially out of support, like Windows 8 and Windows Server 2012. The exploit does require a user to click on a malicious URL, but that’s the only necessary step for code execution. Given that Microsoft produced updates for out-of-support OSes, I would patch this one quickly.

2. Security Feature Bypass - Chromium (CVE-2025-4664) - Critical [663]

Description: Chromium: CVE-2025-4664 Insufficient policy enforcement in Loader

| Component | Value | Weight | Comment |
|---|---|---|---|
| Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), NVD:CISAKEV websites |
| Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
| Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
| CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.3. According to NVD data source |
| EPSS Percentile | 0.9 | 10 | EPSS Probability is 0.05651, EPSS Percentile is 0.8986 |

MS PT Extended: CVE-2025-4664 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

3. Memory Corruption - Chromium (CVE-2025-5419) - Critical [651]

Description: Chromium: CVE-2025-5419 Out of bounds read and write in V8

| Component | Value | Weight | Comment |
|---|---|---|---|
| Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites |
| Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
| Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
| CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
| EPSS Percentile | 0.9 | 10 | EPSS Probability is 0.03783, EPSS Percentile is 0.87507 |

MS PT Extended: CVE-2025-5419 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

High (13)

4. Elevation of Privilege - Microsoft Edge (Chromium-based) Update (CVE-2025-47181) - High [568]

Description: Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability

| Component | Value | Weight | Comment |
|---|---|---|---|
| Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners:PublicExploit:GitHub:ENCRYPTER15:CVE-2025-47181 website |
| Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege |
| Vulnerable Product is Common | 0.5 | 14 | Microsoft Edge (Chromium-based) Update |
| CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00055, EPSS Percentile is 0.17331 |

MS PT Extended: CVE-2025-47181 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

5. Elevation of Privilege - Windows SMB Client (CVE-2025-33073) - High [489]

Description: Windows SMB Client Elevation of Privilege Vulnerability

| Component | Value | Weight | Comment |
|---|---|---|---|
| Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| Exploit Exists | 0.4 | 17 | The existence of a private exploit is mentioned on Microsoft:PrivateExploit:PoC website |
| Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege |
| Vulnerable Product is Common | 0.9 | 14 | Windows component |
| CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |

Qualys: CVE-2025-33073: Windows SMB Client Elevation of Privilege Vulnerability. Improper access control flaw in Windows SMB may allow an authenticated attacker to elevate network privileges. Upon successful exploitation, an attacker could gain SYSTEM privileges.

Tenable: CVE-2025-33073 | Windows SMB Client Elevation of Privilege Vulnerability

Tenable: CVE-2025-33073 is an EoP vulnerability affecting the Windows Server Message Block (SMB) client. It was assigned a CVSSv3 score of 8.8 and was publicly disclosed prior to a patch being made available. According to Microsoft, successful exploitation requires an attacker to execute a crafted script to force a target device to connect to an attacker-controlled machine using SMB credentials. If successful, the attacker could elevate their privileges to SYSTEM.

Rapid7: Publicly disclosed elevation of privilege (EoP) zero-day vulnerabilities that lead to SYSTEM are always going to be worth a closer look, and CVE-2025-33073 is no exception. The advisory sets out that the easiest path to exploitation simply requires the user to connect to a malicious SMB server controlled by the attacker. It’s not entirely clear from the advisory whether simply connecting is enough to trigger exploitation, or whether successful authentication is required, since there is currently conflicting language in two separate FAQ entries with almost-identical titles: “How could an attacker exploit this/the vulnerability?” It may well be that Microsoft will come back around and clarify this wording, but in the meantime the only safe assumption is that fortune favours the attacker.

ZDI: CVE-2025-33073 – Windows SMB Client Elevation of Privilege Vulnerability. This bug is listed as publicly known, and multiple researchers have been credited for reporting it. It leads to code execution at the SYSTEM level, and it could be triggered by convincing a user to connect to an attacker-controlled malicious application server. The most obvious choice here would be an SMB server. Upon connecting, the malicious server could compromise the affected system and elevate privileges.

6. Remote Code Execution - Chromium (CVE-2025-5280) - High [454]

Description: Chromium: CVE-2025-5280 Out of bounds write in V8

| Component | Value | Weight | Comment |
|---|---|---|---|
| Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
| Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
| CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
| EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00108, EPSS Percentile is 0.30143 |

MS PT Extended: CVE-2025-5280 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

7. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-33064) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

| Component | Value | Weight | Comment |
|---|---|---|---|
| Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
| Vulnerable Product is Common | 0.8 | 14 | Windows component |
| CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |

8. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-33066) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

| Component | Value | Weight | Comment |
|---|---|---|---|
| Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
| Vulnerable Product is Common | 0.8 | 14 | Windows component |
| CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |

9. Remote Code Execution - Microsoft Office (CVE-2025-47162) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability

| Component | Value | Weight | Comment |
|---|---|---|---|
| Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
| Vulnerable Product is Common | 0.8 | 14 | Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer |
| CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.4. According to Microsoft data source |
| EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |

Qualys: CVE-2025-47162: Microsoft Office Remote Code Execution Vulnerability. Microsoft Office contains a heap-based buffer overflow flaw that could allow an unauthenticated attacker to achieve remote code execution.

Tenable: CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953 | Microsoft Office Remote Code Execution Vulnerability

Tenable: CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953 are RCE vulnerabilities affecting Microsoft Office. Each of these critical vulnerabilities was assigned a CVSSv3 score of 8.4 and all except CVE-2025-47953 were assessed as “Exploitation More Likely.” Microsoft notes that Preview Pane is an attack vector for exploitation of these vulnerabilities.

Rapid7: Microsoft expects that exploitation of three Office critical RCE vulns patched today is more likely. CVE-2025-47162, CVE-2025-47164, and CVE-2025-47167 share several attributes: each was discovered by prolific researcher 0x140ce, who topped the MSRC 2025 Q1 leaderboard, and each includes the Preview Pane as a vector, which always ups the ante for defenders. Admins responsible for installations of Microsoft 365 Apps for Enterprise — also confusingly referred to as “Microsoft 365 for Office” in the advisory FAQ — will have to hang on, since patches for today’s vulnerabilities aren’t yet available for that particular facet of the Microsoft 365 kaleidoscope.

ZDI: CVE-2025-47162 – Microsoft Office Remote Code Execution Vulnerability. This is one of four(!) Office-related bugs where the Preview Pane is an attack vector. Most of these are also given the highest exploit index rating, which means Microsoft expects public exploitation within 30 days. Since these bugs run without user interaction, they are often paired with a privilege escalation bug to take over a system. And since the Preview Pane is in play, it doesn’t even matter if users don’t click on that dodgy mail. Don’t wait to roll out Office updates this month.

10. Remote Code Execution - Microsoft Office (CVE-2025-47164) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability

| Component | Value | Weight | Comment |
|---|---|---|---|
| Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
| Vulnerable Product is Common | 0.8 | 14 | Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer |
| CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.4. According to Microsoft data source |
| EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |

Qualys: CVE-2025-47953 & CVE-2025-47164: Microsoft Office Remote Code Execution Vulnerability. Microsoft Office contains a use-after-free flaw that could allow an unauthenticated attacker to achieve remote code execution.

11. Remote Code Execution - Microsoft Office (CVE-2025-47167) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability

| Component | Value | Weight | Comment |
|---|---|---|---|
| Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
| Vulnerable Product is Common | 0.8 | 14 | Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer |
| CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.4. According to Microsoft data source |
| EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |

Qualys: CVE-2025-47167: Microsoft Office Remote Code Execution Vulnerability. Microsoft Office contains a type confusion flaw that could allow an unauthenticated attacker to achieve remote code execution.

12. Remote Code Execution - Microsoft Office (CVE-2025-47173) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability

| Component | Value | Weight | Comment |
|---|---|---|---|
| Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
| Vulnerable Product is Common | 0.8 | 14 | Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer |
| CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |

Tenable: In addition, CVE-2025-47173, another RCE in Microsoft Office was patched this month. It received a CVSSv3 score of 7.8, was rated as important and assessed as “Exploitation Unlikely.” Unlike the other Office vulnerabilities, the preview pane is not an attack vector for CVE-2025-47173.

13. Remote Code Execution - Microsoft Office (CVE-2025-47953) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability

| Component | Value | Weight | Comment |
|---|---|---|---|
| Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
| Vulnerable Product is Common | 0.8 | 14 | Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer |
| CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.4. According to Microsoft data source |
| EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |

Qualys: CVE-2025-47953 & CVE-2025-47164: Microsoft Office Remote Code Execution Vulnerability. Microsoft Office contains a use-after-free flaw that could allow an unauthenticated attacker to achieve remote code execution.

14. Remote Code Execution - Windows KDC Proxy Service (KPSSVC) (CVE-2025-33071) - High [407]

Description: Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.1. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

Qualys: CVE-2025-33071: Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability The KDC Proxy Service (KPSSVC) in Windows is a service that allows clients to communicate with KDC servers (Key Distribution Centers) over HTTPS instead of TCP. It acts as a bridge, encapsulating Kerberos requests within HTTPS requests and relaying them to a Domain Controller. Windows KDC Proxy Service (KPSSVC) contains a use-after-free flaw that may allow an unauthenticated attacker to achieve remote code execution.

Tenable: CVE-2025-33071 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability

Tenable: CVE-2025-33071 is a RCE vulnerability affecting Windows Kerberos Key Distribution Center (KDC) proxy service, an authentication mechanism used for KDC servers over HTTPS. It received a CVSSv3 score of 8.1 and is rated as critical. An unauthenticated attacker could exploit this vulnerability utilizing a crafted application to exploit a cryptographic protocol vulnerability in order to execute arbitrary code. According to the advisory, this only impacts Windows Servers that have been “configured as a [MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol server.” While the advisory does mention that exploitation requires the attacker to win a race condition, this vulnerability was still assessed as “Exploitation More Likely.”

Rapid7: The Windows KDC Proxy Service (KPSSVC) receives a patch today for CVE-2025-33071, which describes a critical unauthenticated RCE vulnerability where exploitation is via abuse of a cryptographic protocol weakness. The good news is that only Windows Server assets configured as a Kerberos Key Distribution Center Proxy Protocol server — happily, this is not enabled as standard configuration for a domain controller — and exploitation requires that the attacker win a race condition. The bad news is that Microsoft considers exploitation more likely regardless, and since a KDC proxy helps Kerberos requests from untrusted networks more easily access trusted assets without any need for a direct TCP connection from the client to the domain controller, the trade-off here is that the KDC proxy itself is quite likely to be exposed to an untrusted network. Patching this vulnerability should be top of mind for affected defenders this month.

15. Remote Code Execution - Windows Remote Desktop Services (CVE-2025-32710) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.8 | 14 | Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.1. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

Qualys: CVE-2025-32710: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS), formerly Terminal Services, is a suite of Microsoft Windows Server features allowing users to access Windows applications and graphical desktops remotely. Windows Remote Desktop Services contains a use-after-free flaw that may allow an unauthenticated attacker to execute code over a network. To exploit the vulnerability, an attacker must win a race condition.

16. Remote Code Execution - Windows Schannel (CVE-2025-29828) - High [407]

Description: Windows Schannel Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.1. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

Qualys: CVE-2025-29828: Windows Schannel Remote Code Execution Vulnerability Schannel (Secure Channel) is a Security Support Provider (SSP) used by Windows to implement Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Windows Cryptographic Services contains a missing memory release after an effective lifetime that may allow an unauthenticated attacker to execute code over a network. An attacker may exploit the vulnerability by maliciously using fragmented ClientHello messages to a target server that accepts Transport Layer Security (TLS) connections.

Medium (64)

17. Elevation of Privilege - Windows SMB Client (CVE-2025-32718) - Medium [397]

Description: Windows SMB Client Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.9 | 14 | Windows component
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

18. Elevation of Privilege - Windows Win32k (CVE-2025-32712) - Medium [397]

Description: Win32k Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.9 | 14 | The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management.
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

19. Authentication Bypass - Chromium (CVE-2025-5067) - Medium [391]

Description: Inappropriate implementation in Tab Strip in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.98 | 15 | Authentication Bypass
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.4. According to NVD data source
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00064, EPSS Percentile is 0.20165

MS PT Extended: CVE-2025-5067 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

20. Remote Code Execution - .NET and Visual Studio (CVE-2025-30399) - Medium [390]

Description: .NET and Visual Studio Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.7 | 14 | .NET and Visual Studio
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

21. Elevation of Privilege - Power Automate (CVE-2025-47966) - Medium [389]

Description: Power Automate Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.5 | 14 | Power Automate
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8. According to Microsoft data source
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.0012, EPSS Percentile is 0.32104

MS PT Extended: CVE-2025-47966 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

Qualys: CVE-2025-47966: Power Automate Elevation of Privilege Vulnerability Windows Power Automate is a desktop application within the broader Microsoft Power Platform that allows users to automate tasks on their Windows operating system. Exposure of sensitive information to an unauthenticated actor in Power Automate may allow attackers to elevate network privileges.

22. Memory Corruption - Chromium (CVE-2025-5063) - Medium [389]

Description: Chromium: CVE-2025-5063 Use after free in Compositing

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source
EPSS Percentile | 0.5 | 10 | EPSS Probability is 0.0023, EPSS Percentile is 0.45841

MS PT Extended: CVE-2025-5063 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

23. Elevation of Privilege - Windows Common Log File System Driver (CVE-2025-32713) - Medium [380]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.8 | 14 | Common Log File System is a general-purpose logging subsystem that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-32713 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-32714 is an elevation of privilege vulnerability in Windows Installer. Improper access control flaw may allow an attacker to gain SYSTEM privileges. CVE-2025-47962 is an elevation of privilege vulnerability in Windows SDK. Improper access control flaw may allow an attacker to gain SYSTEM privileges.

Tenable: CVE-2025-32713 | Windows Common Log File System Driver Elevation of Privilege Vulnerability

Tenable: CVE-2025-32713 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. CVE-2025-32713 was assessed as “Exploitation More Likely.” Successful exploitation would allow an attacker to elevate their privileges to SYSTEM.

24. Elevation of Privilege - Windows Installer (CVE-2025-32714) - Medium [380]

Description: Windows Installer Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-32713 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-32714 is an elevation of privilege vulnerability in Windows Installer. Improper access control flaw may allow an attacker to gain SYSTEM privileges. CVE-2025-47962 is an elevation of privilege vulnerability in Windows SDK. Improper access control flaw may allow an attacker to gain SYSTEM privileges.

25. Elevation of Privilege - Windows Installer (CVE-2025-33075) - Medium [380]

Description: Windows Installer Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

26. Elevation of Privilege - Windows Media (CVE-2025-32716) - Medium [380]

Description: Windows Media Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

27. Elevation of Privilege - Windows Netlogon (CVE-2025-33070) - Medium [380]

Description: Windows Netlogon Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.1. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

Qualys: CVE-2025-33070: Windows Netlogon Elevation of Privilege Vulnerability Netlogon is a Remote Procedure Call (RPC) protocol and a service in Windows that facilitates authentication and communication between domain controllers and other devices within a domain. The use of uninitialized resources in Windows Netlogon allows an unauthenticated attacker to elevate privileges over a network.

Tenable: CVE-2025-33070 | Windows Netlogon Elevation of Privilege Vulnerability

Tenable: CVE-2025-33070 is an EoP vulnerability in Windows Netlogon. It was assigned a CVSSv3 score of 8.1 and is rated as critical. An attacker could exploit this vulnerability to gain domain administrator privileges. According to Microsoft, a successful attack requires the attacker to take additional actions in order to prepare a target for exploitation. Despite these requirements, Microsoft has assessed this vulnerability as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

ZDI: CVE-2025-33070 – Windows Netlogon Elevation of Privilege Vulnerability. This Critical-rated bug allows threat actors to execute their code on domain controllers simply by sending specially crafted authentication requests to affected domain controllers. Although not specifically stated, one would assume the code would run at the level of the Netlogon service, which does run with elevated privileges. Microsoft also lists this as an “Exploitation more likely” bug, and considering the outcome, it would not surprise me to see this exploited in the coming months.

28. Elevation of Privilege - Windows Remote Access Connection Manager (CVE-2025-47955) - Medium [380]

Description: Windows Remote Access Connection Manager Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

29. Elevation of Privilege - Windows SDK (CVE-2025-47962) - Medium [380]

Description: Windows SDK Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-32713 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-32714 is an elevation of privilege vulnerability in Windows Installer. Improper access control flaw may allow an attacker to gain SYSTEM privileges. CVE-2025-47962 is an elevation of privilege vulnerability in Windows SDK. Improper access control flaw may allow an attacker to gain SYSTEM privileges.

30. Elevation of Privilege - Windows Task Scheduler (CVE-2025-33067) - Medium [380]

Description: Windows Task Scheduler Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.4. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

31. Security Feature Bypass - Chromium (CVE-2025-5064) - Medium [377]

Description: Inappropriate implementation in Background Fetch API in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.4. According to NVD data source
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00066, EPSS Percentile is 0.20783

MS PT Extended: CVE-2025-5064 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

32. Remote Code Execution - Microsoft Excel (CVE-2025-47165) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.6 | 14 | MS Office product
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

33. Remote Code Execution - Microsoft Excel (CVE-2025-47174) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.6 | 14 | MS Office product
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

34. Remote Code Execution - Microsoft Outlook (CVE-2025-47176) - Medium [373]

Description: Microsoft Outlook Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.6 | 14 | Microsoft Outlook is a personal information manager software system from Microsoft, available as a part of the Microsoft 365 software suites
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

35. Remote Code Execution - Microsoft PowerPoint (CVE-2025-47175) - Medium [373]

Description: Microsoft PowerPoint Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.6 | 14 | Microsoft PowerPoint
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

36. Remote Code Execution - Microsoft Word (CVE-2025-47168) - Medium [373]

Description: Microsoft Word Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.6 | 14 | Microsoft Word is a widely used commercial word processor developed by Microsoft. It is a component of the Microsoft Office suite of productivity software but can also be purchased as a standalone product.
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

37. Remote Code Execution - Microsoft Word (CVE-2025-47169) - Medium [373]

Description: Microsoft Word Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.6 | 14 | Microsoft Word is a widely used commercial word processor developed by Microsoft. It is a component of the Microsoft Office suite of productivity software but can also be purchased as a standalone product.
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

38. Remote Code Execution - Microsoft Word (CVE-2025-47170) - Medium [373]

Description: Microsoft Word Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.6 | 14 | Microsoft Word is a widely used commercial word processor developed by Microsoft. It is a component of the Microsoft Office suite of productivity software but can also be purchased as a standalone product.
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

39. Remote Code Execution - Microsoft Word (CVE-2025-47957) - Medium [373]

Description: Microsoft Word Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.6 | 14 | Microsoft Word is a widely used commercial word processor developed by Microsoft. It is a component of the Microsoft Office suite of productivity software but can also be purchased as a standalone product.
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.4. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

40. Remote Code Execution - Microsoft SharePoint Server (CVE-2025-47163) - Medium [369]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.5 | 14 | Microsoft SharePoint Server
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

41. Remote Code Execution - Microsoft SharePoint Server (CVE-2025-47166) - Medium [369]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.5 | 14 | Microsoft SharePoint Server
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

42. Remote Code Execution - Microsoft SharePoint Server (CVE-2025-47172) - Medium [369]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.5 | 14 | Microsoft SharePoint Server
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

Qualys: CVE-2025-47172: Microsoft SharePoint Server Remote Code Execution Vulnerability Improper neutralization of special elements used in an SQL command in Microsoft Office SharePoint may allow an authenticated attacker to achieve remote code execution.

43. Elevation of Privilege - Windows Recovery Driver (CVE-2025-32721) - Medium [368]

Description: Windows Recovery Driver Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.3. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

44. Memory Corruption - Chromium (CVE-2025-5068) - Medium [365]

Description: Chromium: CVE-2025-5068 Use after free in Blink

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00117, EPSS Percentile is 0.31602

MS PT Extended: CVE-2025-5068 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

45. Information Disclosure - Windows Remote Desktop Client (CVE-2025-32715) - Medium [364]

Description: Remote Desktop Protocol Client Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Remote Desktop Protocol Client
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

46. Remote Code Execution - Microsoft Outlook (CVE-2025-47171) - Medium [361]

Description: Microsoft Outlook Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.6 | 14 | Microsoft Outlook is a personal information manager software system from Microsoft, available as a part of the Microsoft 365 software suites
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.7. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

Qualys: Microsoft June 2025 Patch Tuesday Mitigations We have Qualys-created mitigations for the following vulnerabilities: CVE-2025-33064, CVE-2025-33066, CVE-2025-47162, CVE-2025-47953, CVE-2025-47164, CVE-2025-47167, CVE-2025-47171, and CVE-2025-33053. For Microsoft Office vulnerabilities, where the Preview Pane is an attack vector, we automate their configuration by modifying registry keys and, where applicable, Office policy files. These mitigations work for MS Outlook, Word, Excel, PowerPoint, etc. Another release of this mitigation set involves disabling and executing Windows shortcuts (.lnk) files by modifying specific Registry settings. Qualys TruRisk Mitigate product customers receive these scripts as part of the Patch Tuesday signature set.

47. Denial of Service - Windows Local Security Authority (LSA) (CVE-2025-33056) - Medium [353]

Description: Windows Local Security Authority (LSA) Denial of Service Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

48. Denial of Service - Windows Standards-Based Storage Management Service (CVE-2025-33068) - Medium [353]

Description: Windows Standards-Based Storage Management Service Denial of Service Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

49. Security Feature Bypass - Windows App Control for Business (CVE-2025-33069) - Medium [353]

Description: Windows App Control for Business Security Feature Bypass Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.1. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

50. Security Feature Bypass - Windows Shortcut Files (CVE-2025-47160) - Medium [353]

Description: Windows Shortcut Files Security Feature Bypass Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.4. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

51. Information Disclosure - Chromium (CVE-2025-5281) - Medium [352]

Description: Inappropriate implementation in BFCache in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially obtain user information via a crafted HTML page. (Chromium security severity: Medium)

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.4. According to NVD data source
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00048, EPSS Percentile is 0.1493

MS PT Extended: CVE-2025-5281 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

52. Information Disclosure - Windows DWM Core Library (CVE-2025-33052) - Medium [352]

Description: Windows DWM Core Library Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

53. Information Disclosure - Windows Storage Management Provider (CVE-2025-24065) - Medium [352]

Description: Windows Storage Management Provider Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

54. Information Disclosure - Windows Storage Management Provider (CVE-2025-24068) - Medium [352]

Description: Windows Storage Management Provider Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

55. Information Disclosure - Windows Storage Management Provider (CVE-2025-24069) - Medium [352]

Description: Windows Storage Management Provider Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

56. Information Disclosure - Windows Storage Management Provider (CVE-2025-32719) - Medium [352]

Description: Windows Storage Management Provider Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

57. Information Disclosure - Windows Storage Management Provider (CVE-2025-32720) - Medium [352]

Description: Windows Storage Management Provider Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

58. Information Disclosure - Windows Storage Management Provider (CVE-2025-33055) - Medium [352]

Description: Windows Storage Management Provider Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

59. Information Disclosure - Windows Storage Management Provider (CVE-2025-33058) - Medium [352]

Description: Windows Storage Management Provider Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

60. Information Disclosure - Windows Storage Management Provider (CVE-2025-33059) - Medium [352]

Description: Windows Storage Management Provider Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

61. Information Disclosure - Windows Storage Management Provider (CVE-2025-33060) - Medium [352]

Description: Windows Storage Management Provider Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

62. Information Disclosure - Windows Storage Management Provider (CVE-2025-33061) - Medium [352]

Description: Windows Storage Management Provider Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

63. Information Disclosure - Windows Storage Management Provider (CVE-2025-33062) - Medium [352]

Description: Windows Storage Management Provider Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

64. Information Disclosure - Windows Storage Management Provider (CVE-2025-33063) - Medium [352]

Description: Windows Storage Management Provider Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

65. Information Disclosure - Windows Storage Management Provider (CVE-2025-33065) - Medium [352]

Description: Windows Storage Management Provider Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

66. Information Disclosure - Windows Storage Port Driver (CVE-2025-32722) - Medium [352]

Description: Windows Storage Port Driver Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

67. Elevation of Privilege - Microsoft Defender for Endpoint (CVE-2025-47161) - Medium [342]

Description: Microsoft Defender for Endpoint Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.5 | 14 | Microsoft Defender for Endpoint
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.13594

MS PT Extended: CVE-2025-47161 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

68. Denial of Service - Windows Local Security Authority (LSA) (CVE-2025-33057) - Medium [341]

Description: Windows Local Security Authority (LSA) Denial of Service Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

69. Elevation of Privilege - Microsoft AutoUpdate (MAU) (CVE-2025-47968) - Medium [330]

Description: Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege
Vulnerable Product is Common | 0.5 | 14 | Microsoft AutoUpdate (MAU)
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

70. Information Disclosure - Windows Virtualization-Based Security (VBS) (CVE-2025-47969) - Medium [329]

Description: Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.4. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

71. Remote Code Execution - Visual Studio (CVE-2025-47959) - Medium [311]

Description: Visual Studio Remote Code Execution Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution
Vulnerable Product is Common | 0.3 | 14 | Integrated development environment
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.1. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

72. Spoofing - Chromium (CVE-2025-5065) - Medium [311]

Description: Inappropriate implementation in FileSystemAccess API in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.4 | 15 | Spoofing
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00059, EPSS Percentile is 0.1877

MS PT Extended: CVE-2025-5065 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

73. Spoofing - Chromium (CVE-2025-5066) - Medium [311]

Description: Inappropriate implementation in Messages in Google Chrome on Android prior to 137.0.7151.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.4 | 15 | Spoofing
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.5. According to NVD data source
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00059, EPSS Percentile is 0.1877

MS PT Extended: CVE-2025-5066 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

74. Memory Corruption - libvpx (CVE-2025-5283) - Medium [305]

Description: Chromium: CVE-2025-5283 Use after free in libvpx

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption
Vulnerable Product is Common | 0.8 | 14 | libvpx is a free software video codec library from Google and the Alliance for Open Media (AOMedia)
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.4. According to NVD data source
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00062, EPSS Percentile is 0.19684

MS PT Extended: CVE-2025-5283 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

75. Denial of Service - DHCP Server Service (CVE-2025-32725) - Medium [303]

Description: DHCP Server Service Denial of Service Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service
Vulnerable Product is Common | 0.5 | 14 | DHCP Server Service
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

76. Denial of Service - DHCP Server Service (CVE-2025-33050) - Medium [303]

Description: DHCP Server Service Denial of Service Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service
Vulnerable Product is Common | 0.5 | 14 | DHCP Server Service
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

77. Denial of Service - Local Security Authority Subsystem Service (LSASS) (CVE-2025-32724) - Medium [303]

Description: Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service
Vulnerable Product is Common | 0.5 | 14 | Local Security Authority Subsystem Service (LSASS)
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

78. Spoofing - Windows Security App (CVE-2025-47956) - Medium [276]

Description: Windows Security App Spoofing Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.4 | 15 | Spoofing
Vulnerable Product is Common | 0.8 | 14 | Windows component
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

79. Spoofing - Nuance Digital Engagement Platform (CVE-2025-47977) - Medium [250]

Description: Nuance Digital Engagement Platform Spoofing Vulnerability

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0.4 | 15 | Spoofing
Vulnerable Product is Common | 0.5 | 14 | Nuance Digital Engagement Platform
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.6. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

80. Unknown Vulnerability Type - Secure Boot (CVE-2025-3052) - Medium [216]

Description: Cert CC: CVE-2025-3052 InsydeH2O Secure Boot Bypass (Microsoft data source). Vulners data source: "This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." The NVD, EPSS, AttackerKB and custom data sources carry no description.

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0 | 15 | Unknown Vulnerability Type
Vulnerable Product is Common | 0.8 | 14 | Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM)
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.7. According to Microsoft data source
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

Low (1)

81. Unknown Vulnerability Type - Chromium (CVE-2025-4609) - Low [133]

Description: Chromium: CVE-2025-4609 Incorrect handle provided in unspecified circumstances in Mojo (Microsoft data source). Vulners data source: "This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." The NVD, EPSS, AttackerKB and custom data sources carry no description.

Component | Value | Weight | Comment
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources
Criticality of Vulnerability Type | 0 | 15 | Unknown Vulnerability Type
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google
CVSS Base Score | 0.0 | 10 | CVSS Base Score is NA. No data.
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0

MS PT Extended: CVE-2025-4609 was published before June 2025 Patch Tuesday from 2025-05-14 to 2025-06-09

Exploitation in the wild detected (3): Remote Code Execution (1), Security Feature Bypass (1), Memory Corruption (1)

Public exploit exists, but exploitation in the wild is NOT detected (1): Elevation of Privilege (1)

Other Vulnerabilities (77): Elevation of Privilege (15), Remote Code Execution (25), Authentication Bypass (1), Memory Corruption (3), Security Feature Bypass (3), Information Disclosure (18), Denial of Service (6), Spoofing (4), Unknown Vulnerability Type (2)