Microsoft’s Patch Tuesday updates for June 2025 include fixes for an actively exploited zero-day vulnerability and nine additional flaws at high risk of exploitation.
In all, the Microsoft Patch Tuesday June 2025 release note included fixes for 68 vulnerabilities, plus three non-Microsoft CVEs affecting Windows Secure Boot and Chromium-based Edge.
The highest-rated vulnerability included in the update – a 9.8-severity Power Automate Elevation of Privilege vulnerability (CVE-2025-47966) – was fixed earlier this month.
Microsoft Patch Tuesday June 2025: Zero-Day, High-risk Flaws
The exploited zero-day – CVE-2025-33053, an 8.8-rated Web Distributed Authoring and Versioning (WebDAV) Remote Code Execution vulnerability – was reported by Check Point researchers, who discovered the flaw being used in an attempted cyberattack against a defense company in Turkey.
In the attack, the advanced persistent threat (APT) group Stealth Falcon used a .url file that exploited the zero-day vulnerability to execute malware from a threat actor-controlled WebDAV server, the researchers said.
The nine vulnerabilities designated “Exploitation More Likely” by Microsoft include:
- CVE-2025-32713, a 7.8-rated Windows Common Log File System Driver Elevation of Privilege vulnerability. It’s the third straight Patch Tuesday with at least one high-risk CLFS vulnerability, following the April and May updates.
- CVE-2025-32714, a 7.8-rated Windows Installer Elevation of Privilege vulnerability
- CVE-2025-32717, an 8.4-severity Microsoft Word Remote Code Execution vulnerability
- CVE-2025-33070, an 8.1-rated Windows Netlogon Elevation of Privilege vulnerability
- CVE-2025-33071, an 8.1-severity Windows Kerberos Key Distribution Center Proxy Service (KPSSVC) Remote Code Execution vulnerability
- CVE-2025-47162, an 8.4-rated Microsoft Office Remote Code Execution vulnerability (Heap-based Buffer Overflow)
- CVE-2025-47164, which is also an 8.4-rated Microsoft Office Remote Code Execution vulnerability (Use After Free)
- CVE-2025-47167, another 8.4-severity Microsoft Office Remote Code Execution vulnerability (Type Confusion)
- CVE-2025-47962, a 7.8-rated Windows SDK Elevation of Privilege vulnerability
Other Vendors Issuing Patch Tuesday Fixes
Microsoft isn’t the only vendor issuing fixes on the second Tuesday of each month, as many others have taken up the practice too.
Other noteworthy patch announcements were issued by:
- Ivanti, which patched three Ivanti Workspace Control flaws
- SAP, which included a 9.6-severity NetWeaver Application Server for ABAP Missing Authorization Check vulnerability (CVE-2025-42989)
- Fortinet, which fixed an OS Command Injection vulnerability
