SOCRadar® Cyber Intelligence Inc. | June 2025 Patch Tuesday Fixes 67 Flaws & 2 Zero-Days; Critical Ivanti IWC Updates
Jun 11, 2025
Nov 05, 2025

June 2025 Patch Tuesday Fixes 67 Flaws & 2 Zero-Days; Critical Ivanti IWC Updates

[Update] CVE-2025-33073 Added to CISA KEV

Microsoft rolled out its June 2025 Patch Tuesday updates, resolving a total of 67 security vulnerabilities across its product lineup. The breakdown includes:

June 2025 Patch Tuesday Vulnerabilities

Among the disclosed vulnerabilities, two zero-days are particularly notable: CVE-2025-33053, which is being actively exploited in the wild, and CVE-2025-33073, which has been publicly disclosed. Both require immediate attention from organizations globally. Additionally, Microsoft has designated nine vulnerabilities as critical, affecting widely used products such as Microsoft Office, SharePoint Server, and essential Windows components.

In this blog, we will go over the most pressing updates from Microsoft’s June 2025 Patch Tuesday, with an emphasis on actionable steps your organization can take to stay ahead.

Zero-Day Vulnerabilities in June 2025 Patch Tuesday

This month’s Patch Tuesday includes patches for two zero-day vulnerabilities. One of these flaws has been actively exploited by a threat group, while the other was publicly disclosed prior to the patch release.

CVE-2025-33053 (CVSS 8.8): Exploited Remote Code Execution in WebDAV

This vulnerability affects Microsoft Windows Web Distributed Authoring and Versioning (WebDAV) and allows remote attackers to execute arbitrary code. Exploitation requires a user to click a specially crafted WebDAV URL, which then enables the attacker to run malicious code on the target system.

External control of file name or path in WebDAV – CVE-2025-33053 (SOCRadar Vulnerability Intelligence)

Researchers revealed that the advanced persistent threat group “Stealth Falcon” leveraged this zero-day in an attempted attack against a defense contractor in Turkey in March of this year.

The attackers used an innovative technique that manipulated a legitimate Windows tool to run files hosted on a malicious WebDAV server under their control. Following responsible disclosure, Microsoft patched this vulnerability as part of the June 2025 Patch Tuesday updates.

Stealth Falcon (SOCRadar Threat Actor Intelligence)

Here are more key details from the exploitation activity:

  • Stealth Falcon used a crafted .url file exploiting CVE-2025-33053 to execute malware from their WebDAV server.
  • The group primarily targets government and defense sectors in the Middle East and Africa.
  • Infection typically begins via spear-phishing emails containing weaponized attachments or links that abuse legitimate Windows tools and LOLBins.
  • They deploy a custom implant called Horus Agent, built on the Mythic C2 framework, featuring advanced evasion, target validation, and modular post-exploitation tools such as keyloggers and credential dumpers.
  • The infection chain hijacks the working directory of Windows diagnostic utilities to load malicious payloads remotely.
  • Horus Agent communicates securely with its C2 server using encrypted channels and executes targeted commands for reconnaissance and payload delivery.
  • To evade detection and complicate tracking, Stealth Falcon uses aged, reputable domains to host their infrastructure.

For detailed technical information and Indicators of Compromise (IOCs) related to CVE-2025-33053 exploitation, see the full report here.

CVE-2025-33073 (CVSS 8.8): Privilege Escalation in Windows SMB Client

The second zero-day fixed this month resides in the Windows SMB client and allows an authenticated attacker to elevate privileges to SYSTEM level. The flaw stems from improper access control, permitting an attacker to trick a vulnerable machine into connecting to a malicious SMB server and authenticating, which then grants elevated rights.

While Microsoft’s advisory does not detail how this vulnerability was publicly disclosed, mitigation is possible by enforcing server-side SMB signing via Group Policy.
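One way to verify the mitigation described above, as an added example that is not from Microsoft's advisory or the original article: the PowerShell function below reads each host's effective SMB server configuration and reports whether signing is required. The function name `Test-SmbServerSigning` is hypothetical and the host list is supplied by the caller.

```powershell
# Added example (not from the advisory): report whether each SMB server REQUIRES signing.
# Run from an elevated session; remote hosts are reached over WinRM via CIM.
function Test-SmbServerSigning {
    [CmdletBinding()]
    param(
        # Hosts to audit; caller-supplied. Defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                # A local query needs no CIM session.
                $cfg = Get-SmbServerConfiguration -ErrorAction Stop
            }
            else {
                $session = New-CimSession -ComputerName $computer -ErrorAction Stop
                $cfg = Get-SmbServerConfiguration -CimSession $session -ErrorAction Stop
            }

            # For SMB2 and later only RequireSecuritySignature decides enforcement;
            # EnableSecuritySignature is reported for completeness.
            [pscustomobject]@{
                ComputerName   = $computer
                RequireSigning = [bool]$cfg.RequireSecuritySignature
                EnableSigning  = [bool]$cfg.EnableSecuritySignature
                Status         = if ($cfg.RequireSecuritySignature) { 'Enforced' } else { 'NotEnforced' }
                Detail         = $null
            }
        }
        catch {
            # Unreachable or access-denied hosts are reported, not silently skipped.
            [pscustomobject]@{
                ComputerName   = $computer
                RequireSigning = $null
                EnableSigning  = $null
                Status         = 'Unknown'
                Detail         = $_.Exception.Message
            }
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Usage: list every host where signing is not confirmed as enforced.
Test-SmbServerSigning | Where-Object Status -ne 'Enforced' | Format-Table -AutoSize
```

Hosts reported as `NotEnforced` need the Group Policy setting "Microsoft network server: Digitally sign communications (always)" enabled, which is the policy that sets `RequireSecuritySignature`. Hosts reported as `Unknown` should be checked by hand rather than assumed compliant.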

Improper access control in Windows SMB – CVE-2025-33073 (SOCRadar Vulnerability Intelligence)

Notably, cybersecurity expert Jeff McJunkin highlighted the severity of this vulnerability on social platform X, likening it to a “Domain User becomes Domain Admin in one step” scenario if weaponized – though it requires authentication, making it less severe than earlier SMB vulnerabilities like MS17-010.

Tweet by Jeff McJunkin (X)

CVE-2025-33073 Added to CISA KEV

CISA has added the Windows SMB privilege escalation vulnerability (CVE-2025-33073) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation.

The flaw affects Windows 10, 11, and all Windows Server versions, allowing attackers to gain SYSTEM privileges by coercing a target to connect to a malicious SMB server. Unpatched systems remain at risk.

CISA advises all organizations to patch immediately, as SMB vulnerabilities continue to be a frequent entry point for attackers. Federal agencies must apply mitigations by November 10, 2025.

Key Critical Vulnerabilities in Microsoft’s Latest Patch Tuesday

This month’s Patch Tuesday includes nine vulnerabilities marked as critical, affecting key products like Microsoft SharePoint Server, Microsoft Office, and several core Windows services:

  • CVE-2025-47172 (CVSS 8.8) – Microsoft SharePoint Server Remote Code Execution Vulnerability
  • CVE-2025-47164 (CVSS 8.4) – Microsoft Office Remote Code Execution Vulnerability
  • CVE-2025-47167 (CVSS 8.4) – Microsoft Office Remote Code Execution Vulnerability
  • CVE-2025-47162 (CVSS 8.4) – Microsoft Office Remote Code Execution Vulnerability
  • CVE-2025-47953 (CVSS 8.4) – Microsoft Office Remote Code Execution Vulnerability
  • CVE-2025-29828 (CVSS 8.1) – Windows Schannel Remote Code Execution Vulnerability
  • CVE-2025-33071 (CVSS 8.1) – Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability
  • CVE-2025-33070 (CVSS 8.1) – Windows Netlogon Elevation of Privilege Vulnerability
  • CVE-2025-32710 (CVSS 8.1) – Windows Remote Desktop Services Remote Code Execution Vulnerability

These critical flaws primarily involve RCE and elevation of privilege. If exploited, they could allow attackers to execute arbitrary code or gain elevated access on vulnerable systems.

Applying these patches promptly is essential to safeguard your organization from potential breaches.

To reduce your organization’s exposure to vulnerability risks, you can rely on SOCRadar’s Cyber Threat Intelligence module. Its Vulnerability Intelligence feature delivers real-time context and prioritization, enabling your team to keep ahead of critical flaws by tracking exploitation trends and patch urgency before attackers can strike.

Track the latest CVEs and exploit trends with SOCRadar’s Vulnerability Intelligence

Which Vulnerabilities Are Most Likely to Be Exploited?

Several vulnerabilities from this Patch Tuesday update have a higher potential for exploitation and warrant close attention. This includes some critical flaws listed in the previous section, such as CVE-2025-33070, CVE-2025-33071, CVE-2025-47162, CVE-2025-47164, and CVE-2025-47167, and also the following:

  • CVE-2025-32717 (CVSS 8.4) – Microsoft Word Remote Code Execution Vulnerability
  • CVE-2025-32713 (CVSS 7.8) – Windows Common Log File System Driver Elevation of Privilege Vulnerability
  • CVE-2025-32714 (CVSS 7.8) – Windows Installer Elevation of Privilege Vulnerability
  • CVE-2025-47962 (CVSS 7.8) – Windows SDK Elevation of Privilege Vulnerability

Due to their high severity and exploitability, and the lack of available workarounds, prioritizing patches for these vulnerabilities is essential to reduce your risk of compromise.

To explore the full list of vulnerabilities and get detailed technical information, be sure to check Microsoft’s official June 2025 Patch Tuesday release notes.

Ivanti Fixes High-Severity Vulnerabilities in Workspace Control

In another significant vulnerability disclosure, Ivanti has released important security updates to fix three high-severity flaws in its Workspace Control (IWC) solution. IWC is a widely used enterprise tool that manages desktops and applications by enforcing policies and configuring user workspaces dynamically.

The recently patched vulnerabilities stem from the use of hardcoded cryptographic keys, which cannot be changed. Exploiting these flaws could allow local authenticated attackers to escalate privileges and compromise systems by decrypting sensitive credentials stored within the application. Specifically:

  • CVE-2025-5353 (CVSS 8.8): Allows local attackers to decrypt stored SQL credentials
  • CVE-2025-22455 (CVSS 8.8): Enables decryption of SQL credentials by local authenticated users
  • CVE-2025-22463 (CVSS 7.3): Permits local attackers to decrypt environment passwords

Ivanti has addressed these issues in version 10.19.10.0 of Workspace Control. Fortunately, there is no evidence that these vulnerabilities were exploited in the wild prior to disclosure, as confirmed by the company’s responsible disclosure program.

Organizations using IWC should promptly apply the updates, as guided in the advisory, to mitigate potential risks. It’s also worth noting that Ivanti plans to retire Workspace Control by the end of 2026, after which security support and patches will no longer be available.

Gain Complete Visibility with SOCRadar Attack Surface Management

In order to truly protect your organization, you need clear visibility into both vulnerabilities and your exposed assets. SOCRadar’s Attack Surface Management (ASM) continuously scans your external environment, helping your team:

  • Discover vulnerable systems and outdated software
  • Identify misconfigured services and exposed ports
  • Detect shadow IT and hidden attack paths

Track Company Vulnerabilities easily with SOCRadar’s ASM

Paired with SOCRadar’s Vulnerability Intelligence, your team also gains:

  • Real-time alerts on new CVEs and exploit trends
  • Contextual information to prioritize patching
  • Faster response to zero-day and critical vulnerabilities

Together, these tools provide the insight and intelligence your organization needs to reduce risk and defend against evolving threats.