Introduction
In June 2025 [1] [5], Microsoft addressed two critical zero-day vulnerabilities during its Patch Tuesday release [5], highlighting the persistent threat to Windows infrastructure from sophisticated threat actors [5]. These vulnerabilities, CVE-2025-33053 and CVE-2025-33073 [2] [5] [6], pose significant risks due to their potential for remote code execution and privilege escalation, respectively.
Description
Microsoft addressed two critical zero-day vulnerabilities in June 2025 during its Patch Tuesday release. The first vulnerability, CVE-2025-33053 [1] [2] [3] [4] [5] [6] [7] [8], is an important-rated remote code execution (RCE) flaw in the Windows implementation of the Web Distributed Authoring and Versioning (WebDAV) HTTP extension, with a CVSS v3 base score of 8.8 [5]. This vulnerability affects all supported Windows versions and allows unauthenticated attackers to execute arbitrary code on affected systems by enticing users to click on specially crafted WebDAV URLs. Notably, the APT group “Stealth Falcon” actively exploited this vulnerability against defense companies using social engineering tactics. It was discovered by researchers Alexandra Gofman and David Driker from Check Point Research [1]. Although Microsoft deprecated the Windows WebDAV implementation in November 2023 [5], the service remains enabled in some legacy systems, including outdated platforms such as Windows 8 and Server 2012 [6]. Patches are available for all supported Windows versions [5], and users are strongly encouraged to apply these updates promptly to protect their systems from active exploitation [8]. The updates can be accessed through Windows Update, Microsoft Update [1] [2] [3] [5] [6] [8], and WSUS [8], or manually downloaded from Microsoft’s Update Catalog [8].
The second vulnerability, CVE-2025-33073 [1] [2] [3] [4] [5] [6] [7] [8], is also rated as important and has a CVSS v3 base score of 8.8 [3]. It is an elevation of privilege (EoP) vulnerability in the Windows Server Message Block (SMB) client [2] [3] [4] [6], allowing authenticated attackers to escalate their privileges to SYSTEM level through improper access control. Successful exploitation requires an attacker to execute a crafted script that forces a target device to connect to an attacker-controlled machine using SMB credentials [4]. This vulnerability poses significant risks, as successful exploitation could enable attackers to disable security tools, access sensitive data [6], install malware [6], or move laterally across the network [6]. Unlike CVE-2025-33053 [5] [8], CVE-2025-33073 was publicly disclosed prior to the availability of a patch [4], prompting DFN-CERT to circulate warnings about it. Multiple security researchers [5], including Keisuke Hirata from CrowdStrike [1], the Synacktiv research team [5], Stefan Walter from RedTeam Pentesting GmbH [5], and James Forshaw [5], contributed to its discovery [5]. Microsoft recommends enforcing server-side SMB signing via Group Policy as an interim mitigation for organizations unable to deploy the patch immediately [5].
Both vulnerabilities underscore the ongoing targeting of Windows infrastructure by sophisticated threat actors and highlight the critical need for rapid patch deployment to prevent exploitation in enterprise environments [5]. The SMB protocol’s widespread use for file and printer sharing further amplifies the danger posed by CVE-2025-33073, making it essential for organizations to address these vulnerabilities promptly, especially for systems exposed to the internet [1].
Conclusion
The discovery and exploitation of these vulnerabilities emphasize the critical need for organizations to maintain robust cybersecurity measures and promptly apply patches to mitigate risks. The active exploitation of CVE-2025-33053 by advanced persistent threat groups and the public disclosure of CVE-2025-33073 before patch availability highlight the evolving tactics of threat actors. Organizations must remain vigilant, ensuring that legacy systems are updated and that interim mitigations, such as enforcing server-side SMB signing [5], are implemented where immediate patch deployment is not feasible. The widespread use of protocols like SMB necessitates a proactive approach to cybersecurity to safeguard sensitive data and maintain the integrity of enterprise networks.
References
[1] https://gbhackers.com/microsoft-patch-tuesday-june-2025/
[2] https://krebsonsecurity.com/2025/06/patch-tuesday-june-2025-edition/
[3] https://www.infosecurity-magazine.com/news/two-microsoft-zero-days-june-patch/
[4] https://www.tenable.com/blog/microsofts-june-2025-patch-tuesday-addresses-65-cves-cve-2025-33053
[5] https://thesecmaster.com/blog/breaking-down-the-latest-june-2025-patch-tuesday-report
[6] https://www.computerweekly.com/news/366625818/June-Patch-Tuesday-brings-a-lighter-load-for-defenders
[7] https://outpost24.com/blog/microsoft-patch-tuesday-june-2025/
[8] https://cyberinsider.com/windows-11-june-2025-patch-tuesday-fixes-66-flaws-one-zero-day/
