June Patch Tuesday resolves Windows zero-day

Microsoft patches Windows zero-day

Microsoft resolved a Windows zero-day undergoing active exploitation in the wild.

A Web Distributed Authoring and Versioning (WebDAV) remote code execution vulnerability (CVE-2025-33053) rated important with a CVSS score of 8.8 affects Windows Server and client OSes.

The attack requires user interaction, such as clicking on a specially crafted link, to exploit the vulnerability. This would then enable the threat actor to run malware on the network from the WebDAV servers.

"Risk-based prioritization would treat it as critical because it's actively exploited," said Chris Goettl, vice president of product management for security products at Ivanti.

Newer supported Windows systems can resolve the flaw with the cumulative update, but older systems that receive security-only fixes need both an OS update and the Internet Explorer (IE) patch to remediate vulnerabilities in the MSHTML platform and scripting engine. 

SMB public disclosure addressed

Microsoft corrected a Windows Server Message Block (SMB) client elevation-of-privilege vulnerability (CVE-2025-33073) rated important with a CVSS score of 8.8.

A successful exploit gives an authenticated attacker the ability to elevate privileges over the network to elevate their permissions to system-level. No user interaction is required for this attack.

"To exploit this vulnerability, an attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate. This could result in elevation of privilege," Microsoft wrote in its CVE FAQ.

Microsoft Office hit with multiple vulnerabilities

Most of the June Patch Tuesday updates focus on the Windows OS, but quite a few significant security flaws also affect applications in the Microsoft Office suite. 

Admins who manage SharePoint Server will want to prioritize deploying patches for three remote-code execution vulnerabilities (CVE-2025-47163, CVE-2025-47166, CVE-2025-47172) for that platform. 

Each has a CVSS rating of 8.8, but CVE-2025-47172 is rated critical -- possibly due to more straightforward exploitation via SQL injection -- while the others are designated important. A successful attack lets an authorized malicious actor run code over the network.

Admins should also focus on four remote-code execution vulnerabilities in Microsoft Office (CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953), all rated critical with a CVSS rating of 8.4.

No user interaction is required in the attack. The preview pane is an attack vector for all the vulnerabilities.

BadSuccessor vulnerability remains unpatched

Admins expecting a fix for a Windows Server 2025 vulnerability will have to wait a little longer. 

Last month, Akamai security researchers said they informed Microsoft of a flaw affecting Windows Server 2025 domain controllers through the new delegated Managed Service Accounts (dMSAs) feature in Active Directory.

DMSAs automate password rotation for service accounts and use Credential Guard to tighten security.   

Akamai found a bug that could let an attacker with minimal permissions exploit dMSAs and gain control over any security principal within the Active Directory domain.

"All an attacker needs to perform this attack is a benign permission on any organizational unit (OU) in the domain -- a permission that often flies under the radar," wrote security researcher Yuval Gordon.

As of publication, Microsoft did not issue a CVE designation for this vulnerability. Akamai said Microsoft acknowledged the issue April 1 and planned to produce a patch. 

"At the moment, it's being overhyped, but when does something overhyped turn into a real serious problem?" Goettl said. 

In the meantime, he said admins will have to lock down their environments with layered defensive security measures and proactively monitor the Windows Server 2025 domain controllers. 

Microsoft recommends Windows Server time change

Outside of the June Patch Tuesday news, Microsoft recently issued a recommendation to customers using Windows Server 2016 and newer to disable Secure Time Seeding (STS) to avoid problems with time-sensitive workloads. 

The company said it had been fielding reports from customers about timekeeping issues that had been affecting domain controllers, VM hosts and servers that require accurate time for specific functionality. On May 30, Microsoft said organizations should switch off STS on all Windows Server deployments, including domain controllers. 

Admins will have to follow instructions from Microsoft that explain how to change either the registry or adjust Group Policy settings to disable STS. The operation will require a system reboot to take effect. 

Goettl said beyond the time synchronization problem, turning off STS could benefit overall security in the environment.

"You can abuse time in a variety of different ways. When it comes to a networked environment, you could use it as a denial of service," he said.

Tom Walat is the site editor for Informa TechTarget's Search Windows Server site.