ChannelLife India - Industry insider news for technology resellers

Microsoft tackles WebDAV zero-day in June 2025 patch update

Yesterday

Microsoft has released fixes for 67 vulnerabilities as part of the June 2025 Patch Tuesday, covering a range of issues including two zero-day exploits and eight critical remote code execution vulnerabilities.

Of the vulnerabilities this month, Microsoft confirmed evidence of active exploitation in the wild for one, which has been reflected in the Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities catalogue. In addition, Microsoft noted that public details exist for another new vulnerability, although neither of these zero-days is rated as critical severity at the time of release.

Two browser vulnerabilities that Microsoft disclosed earlier in June are not part of the 67 vulnerabilities in this total.

Zero-day in WebDAV

This month marks the first recorded zero-day vulnerability in Microsoft's implementation of the WebDAV standard. CVE-2025-33053 is notable as it is the first WebDAV vulnerability published by Microsoft in seven years. WebDAV was designed in the 1990s to enable web interactivity and was used in older versions of Exchange Server for mailbox and public folder interaction.

While WebDAV has been deprecated—Microsoft announced in November 2023 that the WebClient service, associated with WebDAV, would no longer start by default—the standard is still supported in Windows. That ongoing support remains an attack surface, and Microsoft has issued the patch for all currently supported Windows versions, including new releases such as Server 2025 and Windows 11 24H2. On systems like Server 2025, administrators can still install the WebDAV Redirector server feature, which enables the WebClient service.

The CVE-2025-33053 advisory, with a low attack complexity rating, states that exploitation requires a user to click a malicious link. Adam Barnett, Lead Software Engineer at Rapid7, highlighted the risks and acknowledged the attribution by Check Point Research:

"It will surprise no one that Windows still more or less supports WebDAV, and that turns out to be a bit of a problem. Microsoft acknowledges Check Point Research (CPR) on the advisory; CPR in turn attributes exploitation of CVE-2025-33053 to an APT, which they track as Stealth Falcon, an established threat actor with a long-running interest in governments and government-adjacent entities across the Middle East and the surrounding area."

Although the deprecated service should not be running by default, the presence of the patch for all versions suggests Microsoft is taking a broad approach to mitigating potential risk.

Zero-day in SMB client

A second zero-day, CVE-2025-33073, involves an elevation of privilege (EoP) vulnerability in the SMB client. The vulnerability, which was publicly disclosed, could enable an attacker to gain SYSTEM-level privileges. According to Microsoft, exploitation can occur if a user connects to an attacker-controlled malicious SMB server.

Barnett commented on the advisory's ambiguity:

"It's not entirely clear from the advisory whether simply connecting is enough to trigger exploitation, or whether successful authentication is required, since there is currently conflicting language in two separate FAQ entries with almost-identical titles: 'How could an attacker exploit this/the vulnerability?' It may well be that Microsoft will come back around and clarify this wording, but in the meantime the only safe assumption is that fortune favours the attacker."

Windows KDC Proxy vulnerability

Among eight critical remote code execution vulnerabilities, CVE-2025-33071 affects the Windows KDC Proxy Service. This issue is described as an unauthenticated remote code execution vulnerability resulting from a cryptographic protocol weakness. The vulnerability only applies to Windows Server assets configured as a Kerberos Key Distribution Center Proxy Protocol server—a role not enabled by default in typical domain controller setups.

Despite this, Microsoft believes exploitation is more likely. The risk is considered significant as KDC proxy servers manage Kerberos requests from untrusted to trusted networks and can be exposed to external threats. The vulnerability also requires the attacker to win a race condition to successfully exploit the system.
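The WebDAV and KDC Proxy sections above both turn on whether a rarely needed service is actually present and startable on a host. The following PowerShell audit is an added example, not from the article, Rapid7 or Microsoft; it assumes the standard service names WebClient (WebDAV client) and KPSSVC (KDC Proxy Server service) and the Windows Server feature name WebDAV-Redirector.

```powershell
# Added example: report which of this month's affected services are reachable on this host.
# Assumed names: service 'WebClient' (WebDAV), service 'KPSSVC' (KDC Proxy),
# Server feature 'WebDAV-Redirector'. Run elevated for complete results.

function Get-ServiceExposure {
    param([string]$Name, [string]$Role)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Name = $Name; Role = $Role; Status = 'NotInstalled'; StartType = 'n/a'; Exposed = $false }
    }
    # A service that is running, or merely startable on demand (Manual), still counts as exposed:
    # WebClient is started on demand when a user follows a WebDAV link.
    $exposed = ($svc.Status -eq 'Running') -or ($svc.StartType -in 'Automatic', 'Manual')
    [pscustomobject]@{ Name = $Name; Role = $Role; Status = $svc.Status; StartType = $svc.StartType; Exposed = $exposed }
}

$results = @(
    Get-ServiceExposure -Name 'WebClient' -Role 'WebDAV client (CVE-2025-33053)'
    Get-ServiceExposure -Name 'KPSSVC'    -Role 'KDC Proxy (CVE-2025-33071)'
)

# On Windows Server, also report the WebDAV Redirector feature, since installing it is
# what brings the WebClient service onto a server in the first place.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $feat = Get-WindowsFeature -Name 'WebDAV-Redirector' -ErrorAction SilentlyContinue
    if ($feat) {
        $results += [pscustomobject]@{
            Name      = 'WebDAV-Redirector'
            Role      = 'Server feature'
            Status    = if ($feat.Installed) { 'Installed' } else { 'NotInstalled' }
            StartType = 'n/a'
            Exposed   = [bool]$feat.Installed
        }
    }
}

$results | Format-Table -AutoSize

# Optional hardening where WebDAV is not needed (matches Microsoft's default of not starting it):
# Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
# Set-Service  -Name WebClient -StartupType Disabled
```

A row with Exposed = True is a host where the corresponding June patch should be prioritised rather than assumed unnecessary.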

Barnett advised vigilance:

"Patching this vulnerability should be top of mind for affected defenders this month."

Office preview pane vulnerabilities

This release cycle also addressed three critical remote code execution vulnerabilities in Office: CVE-2025-47162, CVE-2025-47164, and CVE-2025-47167. All three were discovered by the same researcher, and each uses the Office Preview Pane as a vector for exploitation. Microsoft believes successful exploitation of these flaws is more likely.

Administrators of Microsoft 365 Apps for Enterprise—labelled as "Microsoft 365 for Office" in some advisories—should note that patches for these vulnerabilities are not yet available for this version.

Product lifecycle updates

Microsoft reported no major product lifecycle changes this June. The next significant changes, such as the end of the SQL Server 2012 Extended Security Updates programme and support for Visual Studio 2022 17.8 LTSC, are scheduled for July 2025.
