June Patch Tuesday brings a lighter load for defenders


Microsoft’s latest Patch Tuesday update landed on schedule around teatime on 10 June, with admins facing a much lighter load heading into the summer – at least lighter than of late – with barely 70 security flaws awaiting attention and just two potential zero-day common vulnerabilities and exposures (CVEs) in scope.

The two most pressing issues for patching this month are CVE-2025-33053, a remote code execution (RCE) flaw in Web Distributed Authoring and Versioning (WEBDAV), and CVE-2025-33073, an elevation of privilege (EoP) vulnerability in Windows Server Message Block (SMB) Client. Both carry a CVSS score of 8.8.

Microsoft revealed it has evidence that the first of these CVEs is already being exploited in the wild, although proof-of-concept code is not publicly available, whereas for the second, the opposite is true. It credited the RCE flaw to Alexandra Gofman and David Driker of Check Point Research, and the second to researchers with CrowdStrike, Synacktiv, SySS GmbH, and Google Project Zero.

Of these two, CVE-2025-33053 probably presents the most pressing patching need. This is because, in practice, the issue affects various tools that still incorporate the defunct Internet Explorer browser in a legacy capacity, hence Microsoft has been forced into the position of producing patches for long out-of-support platforms, dating back as far as Windows 8 and Server 2012.

“This vulnerability allows attackers to execute remote code on affected systems when users click on malicious URLs,” explained Mike Walters, president and co-founder of patch management specialist Action1.

“The exploit takes advantage of WebDAV’s file handling capabilities to run arbitrary code in the context of the current user. If the user holds administrative privileges, the impact can be severe.

“What makes this flaw particularly concerning is the widespread use of WebDAV in enterprise environments for remote file sharing and collaboration. Many organisations enable WebDAV for legitimate business needs – often without fully understanding the security risks it introduces,” said Walters.

“The potential impact is extensive, with millions of organisations worldwide at risk. An estimated 70 to 80% of enterprises could be vulnerable – especially those lacking strict URL filtering or user training on phishing threats,” he added.

Meanwhile, Ben Hopkins, cyber threat intelligence researcher at Immersive, ran the rule over the second potential zero-day, CVE-2025-33073.

“It’s classified as an Elevation of Privilege vulnerability, which indicates that a successful exploit would allow an attacker to gain higher-level permissions on a compromised system,” explained Hopkins.

“Threat actors highly seek out vulnerabilities of this nature. Once an attacker has gained an initial foothold on a machine, often through methods like phishing or exploiting another vulnerability, they can leverage privilege escalation flaws to gain deeper control.”

He continued: “With elevated privileges, an attacker could potentially disable security tools, access and exfiltrate sensitive data, install persistent malware, or move laterally across the network to compromise additional systems.

“Given the high severity rating and the critical role of SMB in Windows networking, organisations should prioritise applying the necessary security patches to mitigate the risk posed by this vulnerability.”

10 critical flaws, hanging on the wall

The Microsoft June Patch Tuesday update also includes no fewer than 10 critical flaws – four affecting Microsoft Office, and one apiece in Microsoft SharePoint Server, Power Automate, Windows KDC Proxy Service (KPSSVC), Windows Netlogon, Windows Remote Desktop Services and Windows Schannel. Of these, eight – including all four Office vulns – are RCE issues, and the other two enable privilege escalation.

Kev Breen, senior director of threat research at Immersive, said defenders should put the Office vulnerabilities high on their list of priorities.

“Listed as a use after free, heap-based buffer overflow, and type confusion RCE, these vulnerabilities would allow an attacker to craft a malicious document that, if sent and opened by a victim, would give the attacker access to run commands on the victim’s computer remotely,” said Breen.

“Microsoft also says that ‘The Preview Pane’ is an attack vector, meaning that simply viewing the attachment in something like Outlook could be enough to trigger the exploit.

“More concerning is that Microsoft says there are no updates available for Microsoft 365 at the time of release, and customers will be notified via a revision to this notice,” said Breen.

“While this CVE is not actively being exploited, the risk remains high as threat actors have been known to quickly reverse engineer patches to create n-day exploits before organisations have a chance to roll out patches,” he added.