In Cupertino, they updated everything under the sun — and yet remained vulnerable.
The June Patch Tuesday update from Microsoft fixed 66 vulnerabilities. Among them, one was already actively exploited by attackers, while another was publicly disclosed before an official patch was released. Additionally, ten vulnerabilities were classified as critical — eight of which allowed remote code execution, and two were related to privilege escalation.
Here’s the detailed breakdown of the vulnerabilities by type: 13 for privilege escalation, 3 for security feature bypass, 25 for remote code execution, 17 for information disclosure, 6 for denial of service, and 2 for spoofing. This list does not include vulnerabilities that were fixed earlier this month in Mariner, Microsoft Edge, and Power Automate.
One of the most dangerous issues fixed this month was the CVE-2025-33053 vulnerability in the Windows Web Distributed Authoring and Versioning (WEBDAV) component. It allowed a remote attacker to execute arbitrary code on the target system if the user followed a specially crafted WebDAV link.
The vulnerability was discovered by the Check Point Research team, who reported that the attack was carried out by manipulating the working directory of a built-in Windows tool. In March 2025, this flaw was used in an attempted cyberattack on a defense company in Turkey, reportedly carried out by the APT group Stealth Falcon. Microsoft officially assigned the identifier CVE-2025-33053 to the vulnerability and included it in the June 10, 2025, update. The discovery was credited to Alexandra Gofman and David Dricker from Check Point Research.
The second vulnerability, CVE-2025-33073, affects the SMB client in Windows and was publicly disclosed before the update was released. It allows an authenticated attacker to gain SYSTEM privileges through network interaction. The issue lies in improper access control implementation in the SMB protocol, allowing a vulnerable machine to be forced to connect to an attacker’s server and authenticate.
Microsoft has not disclosed who published the details of this vulnerability, but according to Born City, DFN-CERT issued a warning from RedTeam Pentesting a few days before the patch. A temporary mitigation is to enforce SMB signing on the server via Group Policy. Several specialists were involved in discovering the vulnerability, including Keisuke Hirata from CrowdStrike, teams from Synacktiv and RedTeam Pentesting GmbH, Stefan Walter from SySS GmbH, and James Forshaw from Google Project Zero.
In addition to Microsoft updates, other major vendors released their own bulletins in June. For example, Adobe patched vulnerabilities in InCopy, Experience Manager, Commerce, InDesign, Substance 3D Sampler, Acrobat Reader, and Substance 3D Painter.
Google, in its June security update for Android, fixed several vulnerabilities, including an actively exploited zero-day in the Chrome browser. Hewlett Packard Enterprise released security updates for eight vulnerabilities in its StoreOnce solution, and Ivanti patched three vulnerabilities with hardcoded keys in Workspace Control (IWC).
Qualcomm’s report deserves special mention, highlighting the patching of three zero-days in the Adreno GPU driver, which were used in targeted attacks. A fix was also released for a critical vulnerability in the Roundcube email client, which allowed remote code execution and was already being exploited. SAP updated many of its products, including a fix for a critical authorization bypass issue in SAP NetWeaver Application Server for ABAP.
The June updates underscore the high level of cyber threat activity and the need for prompt patching to protect systems — especially considering the active exploitation of multiple zero-day vulnerabilities.
