Patch Newsday June 2025 - Critical Microsoft Security Patches Released for Multiple Code Execution and Privilege Escalation Vulnerabilities


Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive’s Container 7 Research Team reviews these patch notes for the standout vulnerabilities you need to know about.
CVE-2025-33053 - 8.8 - Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability
The top priority for patching in this cycle is a remote code execution vulnerability in WebDAV. With a CVSS score of 8.8, Microsoft flags this vulnerability as “Exploitation Detected,” meaning that a threat actor or group has leveraged it to exploit an organization.
WebDAV is an extension of HTTP that allows users to manage and edit files on a remote server. In the Windows operating system, this capability exists in Internet Explorer and the Edge browser.
Microsoft does not provide much information on this specific vulnerability other than to say “External control of filename or path in WebDAV allows an unauthorized attacker to execute code over a network” and that a user would have to click on a specially crafted URL to be compromised.
Putting these statements together, we can infer that an attacker could create a malicious WebDAV server under their control and then use social engineering techniques to send the links to target victims in emails or social messages. If a user interacts with these links, then the attacker is able to execute code remotely.
The best mitigation against this vulnerability is to patch. As this vulnerability has been exploited in the wild, it would also be beneficial for security teams to take a more proactive approach and threat hunt for suspicious WebDAV activity in their logs.
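One way to start the WebDAV hunt suggested above, as an added example that is not from Microsoft or the original article: it scans process-creation command lines for the `davclnt.dll,DavSetCookie` invocation that Windows commonly logs when a WebDAV location is opened, and reports remote hosts that are neither internal nor allowlisted. The event field names, the allowlist, and the sample events are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: WebDAV hosts this organisation legitimately uses (hypothetical name).
ALLOWED_DAV_HOSTS = {"sharepoint.corp.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# The WebClient service commonly launches, on access to a WebDAV path:
#   rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie <host> <url>
# so process-creation logs record the URL of the remote server.
DAVSETCOOKIE = re.compile(r"davclnt\.dll,\s*DavSetCookie\b.*?(https?://\S+)", re.I)

def is_internal(host):
    """Internal = RFC 1918/loopback IP, allowlisted name, or single-label name."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:  # not an IP literal, treat as a DNS name
        return host in ALLOWED_DAV_HOSTS or "." not in host

def hunt_webdav(events):
    """Return (computer, user, remote_host) for WebDAV access to external hosts."""
    hits = []
    for ev in events:
        m = DAVSETCOOKIE.search(ev["command_line"])
        if not m:
            continue
        host = urlparse(m.group(1)).hostname or ""
        if not is_internal(host):
            hits.append((ev["computer"], ev["user"], host))
    return hits

# Constructed sample process-creation events (not real telemetry).
DAV = r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie "
SAMPLE_EVENTS = [
    {"computer": "WS-014", "user": "alice", "command_line":
     DAV + "sharepoint.corp.example https://sharepoint.corp.example/sites/hr/policy.docx"},
    {"computer": "WS-022", "user": "bob", "command_line":
     DAV + "203.0.113.7 http://203.0.113.7/share/report.pdf"},
    {"computer": "WS-031", "user": "carol", "command_line":
     DAV + "fileserver http://fileserver/public/readme.txt"},
    {"computer": "WS-040", "user": "dave", "command_line": r"notepad.exe C:\notes.txt"},
    {"computer": "WS-045", "user": "erin", "command_line":
     DAV + "dav.unknown-host.example https://dav.unknown-host.example/x"},
]

if __name__ == "__main__":
    for hit in hunt_webdav(SAMPLE_EVENTS):
        print("external WebDAV access:", hit)
```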
Microsoft Office Remote Code Execution Vulnerability CVE-2025-47167, CVE-2025-47164, CVE-2025-47162
Also high on the list of items to patch is a trio of CVEs, “More Likely to be Exploited,” affecting Microsoft Office. Listed as a Use After Free, heap-based buffer overflow, and Type Confusion Remote Code Execution, these vulnerabilities would allow an attacker to craft a malicious document that, if sent and opened by a victim, would give the attacker access to run commands on the victim's computer remotely. Microsoft also says that “The Preview Pane” is an attack vector, meaning that simply viewing the attachment in something like Outlook could be enough to trigger the exploit.
More concerning is that Microsoft says there are no updates available for Microsoft 365 at the time of release, and customers will be notified via a revision to this notice.
While these CVEs are not actively being exploited, the risk remains high as threat actors have been known to quickly reverse engineer patches to create n-day exploits before organizations have a chance to roll out patches.
For proactive defense, modern SIEMs and EDRs typically have rules and alerts that look for suspicious activity from Office, for example MS Office processes connecting out to the internet or spawning CMD and PowerShell commands, which are key indicators of Office being exploited.
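The two indicators described above, written as detection logic over process-creation and network-connection events (an added example, not a rule from Microsoft, the original article, or any specific SIEM or EDR). It uses Sysmon-style field names (Event ID 1 and 3); the process lists, the expected-destination suffixes, and the sample events are assumptions constructed for illustration and need tuning, since Office makes many legitimate connections.

```python
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: destination suffixes Office is expected to reach in this environment.
EXPECTED_SUFFIXES = (".office.com", ".microsoft.com", ".corp.example")

def exe(path):
    """Lower-cased executable name from a full Windows image path."""
    return basename(path).lower()

def detect_office_abuse(events):
    """Return alerts as (rule, computer, office_process, detail) tuples."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            parent, child = exe(ev["ParentImage"]), exe(ev["Image"])
            if parent in OFFICE and child in SHELLS:
                alerts.append(("office_spawned_shell", ev["Computer"], parent, child))
        elif ev["EventID"] == 3:  # network connection
            proc = exe(ev["Image"])
            dest = ev.get("DestinationHostname", "").lower()
            if proc in OFFICE and ev["Initiated"] and not dest.endswith(EXPECTED_SUFFIXES):
                # Unresolved hostnames fall back to the raw IP so the analyst has a pivot.
                alerts.append(("office_unexpected_egress", ev["Computer"], proc,
                               dest or ev["DestinationIp"]))
    return alerts

# Constructed sample events (not real telemetry).
O16 = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-014",
     "ParentImage": "C:\\Windows\\explorer.exe", "Image": O16 + "WINWORD.EXE"},
    {"EventID": 1, "Computer": "WS-022", "ParentImage": O16 + "WINWORD.EXE", "Image": PS},
    {"EventID": 1, "Computer": "WS-031",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": PS},
    {"EventID": 3, "Computer": "WS-014", "Image": O16 + "EXCEL.EXE", "Initiated": True,
     "DestinationHostname": "outlook.office.com", "DestinationIp": "198.51.100.10"},
    {"EventID": 3, "Computer": "WS-022", "Image": O16 + "OUTLOOK.EXE", "Initiated": True,
     "DestinationHostname": "", "DestinationIp": "203.0.113.7"},
]

if __name__ == "__main__":
    for alert in detect_office_abuse(SAMPLE_EVENTS):
        print(alert)
```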
CVE-2025-32713 - 7.8 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
Another vulnerability has been discovered in the Common Log File System (CLFS) driver — a component that has been increasingly targeted by threat actors. Earlier this year, this driver was actively exploited by threat groups worldwide. Over the past several months, the CLFS driver has become a consistent focus for both threat actors and security researchers due to its exploitation in multiple ransomware operations.
The newly disclosed vulnerability has been classified by Microsoft as “Exploitation More Likely”, indicating a strong possibility of in-the-wild exploitation. It is categorized as a heap-based buffer overflow — a type of memory corruption vulnerability. The attack complexity is considered low, and successful exploitation allows an attacker to escalate privileges.
Heap-based buffer overflows enable attackers to overwrite memory regions adjacent to the heap-allocated buffer, potentially gaining access to sensitive data or control over critical system functions. When such overflows occur in a kernel-mode driver like CLFS, the consequences can be severe, as attackers may corrupt kernel memory objects. This can lead to full system compromise.
CVE-2025-33071 - 8.1 - Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability
A newly disclosed remote code execution (RCE) vulnerability affects Windows servers configured as Kerberos Key Distribution Centers (KDCs)—though notably, domain controllers are not impacted in this case.
The vulnerability stems from a flaw in the cryptographic protocol used by the service. An attacker can craft a malicious application to interact with the vulnerable service and exploit this cryptographic weakness. While several vulnerabilities have previously been discovered in the KDC service, this one stands out due to its multi-stage nature, which involves exploiting a cryptographic flaw, triggering a race condition, and ultimately reaching a use-after-free state.
Use-after-free vulnerabilities are particularly dangerous in complex, multi-threaded systems like the KDC, where managing object lifecycles, memory cleanup, and concurrent threads introduces opportunities for exploitation. In this case, the attacker leverages the unpredictable timing of object deallocation to execute code within the vulnerable service, potentially leading to full remote code execution.
CVE-2025-47962 - 7.8 - Windows SDK Elevation of Privilege Vulnerability
The Windows SDK for Windows 11 includes the latest headers, libraries, metadata, and tools for building Windows applications. It supports development for both Universal Windows Platform (UWP) and Win32 applications, targeting Windows 11 version 24H2 and earlier versions. However, a newly discovered vulnerability in the SDK introduces a serious improper access control flaw, potentially impacting a wide range of applications worldwide.
Because the SDK is widely used across the software development ecosystem, this issue presents a significant supply chain risk. Any software built with the vulnerable SDK components could unknowingly inherit the flaw, leaving countless organizations exposed to exploitation. Microsoft has rated the vulnerability as “Exploitation More Likely,” reinforcing the need for immediate attention.
Based on current public information, the precise scope of the vulnerability remains unclear, making it difficult to assess how broadly it may affect existing applications. As such, it is strongly recommended that developers and organizations apply the latest patches immediately.
Critically, successful exploitation could grant an attacker SYSTEM-level privileges, effectively giving them full control over the targeted operating system—a worst-case scenario in many threat models.
CVE-2025-33073 - 8.8 - Windows SMB Client Elevation of Privilege Vulnerability
A critical elevation of privilege vulnerability, identified as CVE-2025-33073, has been discovered in the Windows Server Message Block (SMB) client. This vulnerability carries a high severity score of 8.8.
It’s classified as an "Elevation of Privilege" vulnerability, which indicates that a successful exploit would allow an attacker to gain higher-level permissions on a compromised system.
Vulnerabilities of this nature are highly sought after by threat actors. Once an attacker has gained an initial foothold on a machine, often through methods like phishing or exploiting another vulnerability, they can leverage privilege escalation flaws to gain deeper control. With elevated privileges, an attacker could potentially disable security tools, access and exfiltrate sensitive data, install persistent malware, or move laterally across the network to compromise additional systems.
Given the high severity rating and the critical role of SMB in Windows networking, organizations should prioritize applying the necessary security patches to mitigate the risk posed by this vulnerability.