June\u2019s Patch Tuesday delivers another substantial batch of vulnerability fixes, with system administrators and MSPs facing urgent patching decisions around an actively exploited zero-day vulnerability, critical Office vulnerabilities, and an unpatched vulnerability that potentially exists in all Domains with a Windows Server 2025 as a domain controller. Organizations will need to prioritize deployment schedules carefully this month, as the actively exploited WebDAV vulnerability demands immediate attention while multiple Office remote code execution flaws require swift remediation to prevent potential breach scenarios across enterprise environments.<\/p>\n
Microsoft’s June 2025 Patch Tuesday addresses\u00a066 vulnerabilities<\/a>\u00a0across its product portfolio, with 11 rated as critical and nine marked as Exploitation More Likely. The patch batch includes one actively exploited zero-day vulnerability and one publicly disclosed vulnerability, marking another month where threat actors have successfully weaponized Microsoft software flaws before patches became available.<\/span><\/p>\n The most pressing concern is\u00a0CVE-2025-33053<\/a>, a remote code execution vulnerability in Windows Web Distributed Authoring and Versioning (WebDAV). This zero-day vulnerability has been actively exploited by the APT group \u00abStealth Falcon\u00bb in targeted attacks against defense companies,\u00a0according to Check Point Research<\/a>. The vulnerability allows unauthorized attackers to execute code over a network when users click on specially crafted WebDAV URLs. While WebDAV isn’t enabled by default in Windows, its presence in legacy systems makes it a relevant attack vector that requires immediate patching attention.<\/span><\/p>\n The second zero-day vulnerability is\u00a0CVE-2025-33073<\/a>, an elevation of privilege vulnerability in the Windows Server Message Block (SMB) client. This publicly disclosed flaw allows authenticated attackers to elevate privileges over a network by executing crafted scripts that force target devices to connect to attacker-controlled machines using SMB credentials. The vulnerability has a CVSS score of 8.8 with multiple researchers receiving acknowledgement from Microsoft. This is one more tally mark in a long list of reasons why SMB is a challenge for defenders to deal with. <\/span><\/p>\n For Microsoft Office vulnerability landscape this month there are multiple remote code execution flaws affecting core applications.\u00a0CVE-2025-47167<\/a>,\u00a0CVE-2025-47164<\/a>, and\u00a0CVE-2025-47162<\/a>\u00a0are three critical Office RCE vulnerabilities that stem from type confusion, use-after-free, and heap-based buffer overflow conditions respectively. These vulnerabilities can be triggered through the Preview Pane, making them particularly dangerous as many users routinely preview attachments. Additionally,\u00a0CVE-2025-32717<\/a>\u00a0represents another critical Word RCE vulnerability that can be exploited through malicious RTF files.<\/span><\/p>\n Critical infrastructure components also received attention this month.\u00a0CVE-2025-33071<\/a>\u00a0affects the Windows KDC Proxy Service (KPSSVC), allowing unauthenticated attackers to leverage cryptographic protocol vulnerabilities in Kerberos to achieve remote code execution. Similarly,\u00a0CVE-2025-33070<\/a>\u00a0represents a critical Windows Netlogon elevation of privilege vulnerability that could allow unauthorized network-based privilege escalation.<\/span><\/p>\n While Microsoft’s June Patch Tuesday addressed numerous immediate threats, a significant vulnerability in Windows Server 2025 remains unpatched and poses substantial risks to Active Directory environments worldwide. The\u00a0\u00abBadSuccessor\u00bb vulnerability<\/a>, discovered by Akamai researcher Yuval Gordon, exploits the delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025.<\/span><\/p>\n This privilege escalation vulnerability allows attackers to compromise any user in Active Directory, including Domain Administrators, by manipulating the dMSA migration process. The attack works by creating malicious dMSAs that inherit permissions from targeted accounts through the manipulation of a single attribute that the Key Distribution Center relies upon.\u00a0<\/span><\/p>\n The vulnerability is particularly concerning because it functions with default configurations and doesn’t require the organization to actively use dMSAs. As long as a single Windows Server 2025 domain controller exists in the environment, the attack vector becomes available. Microsoft has acknowledged the issue but currently assesses it as moderate severity and has not committed to an immediate patch timeline, creating a significant gap between vendor assessment and security community concern.<\/span><\/p>\n Organizations deploying Windows Server 2025 should immediately implement restrictive permissions around dMSA creation, monitor for new dMSA objects, and track authentication events associated with these accounts. The vulnerability represents a fundamental shift in Active Directory attack techniques and highlights the importance of thoroughly evaluating new features before deployment in production environments.<\/span><\/p>\n Adobe’s June 2025 security release addresses 254 vulnerabilities<\/a> across seven products, with Adobe Experience Manager dominating the batch at 225 vulnerabilities (88.6% of total fixes) consisting almost entirely of cross-site scripting (XSS) flaws affecting both cloud service and on-premises deployments. The most critical issue is CVE-2025-47110<\/a> in Adobe Commerce with a CVSS score of 9.1, a reflected XSS vulnerability enabling arbitrary code execution alongside four other Commerce\/Magento vulnerabilities.<\/span><\/p>\n Google’s\u00a0June 2025 Android security update<\/a>\u00a0addresses 34 high-severity vulnerabilities, with the most serious affecting the Android System component.\u00a0CVE-2025-26443<\/a>\u00a0could enable local privilege escalation without requiring additional execution privileges, though user interaction is required for exploitation. The update includes fixes across Android Runtime, Framework, and System components.<\/span><\/p>\n Google also addressed\u00a0CVE-2025-4664<\/a>, a high-severity Chrome vulnerability that has been actively exploited in the wild. This flaw stems from insufficient policy enforcement in Chrome’s Loader component and can be triggered through maliciously crafted HTML pages to leak cross-origin data for account takeover attacks.<\/span><\/p>\n Qualcomm released security updates for\u00a0three zero-day vulnerabilities\u00a0in the Adreno Graphics Processing Unit (GPU) driver that are being exploited in limited, targeted attacks.\u00a0CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038<\/a>\u00a0represent memory corruption vulnerabilities that could result from unauthorized command execution in GPU microcode. Google’s Threat Analysis Group identified these vulnerabilities as being Under Active Exploitation.<\/span><\/p>\n SAP’s\u00a0June 2025 Security Patch Day<\/a>\u00a0included fixes for 14 new security notes, with a critical missing authorization check vulnerability in SAP NetWeaver Application Server for ABAP receiving particular attention. This vulnerability allows attackers to bypass authorization checks and potentially escalate privileges within SAP environments.<\/span><\/p>\n Fortinet released security updates for\u00a0OS command injection vulnerabilities<\/a>\u00a0in FortiManager, FortiAnalyzer, and FortiAnalyzer-BigData products. These vulnerabilities could allow attackers to execute arbitrary operating system commands on affected systems, potentially leading to full system compromise.<\/span><\/p>\n This month’s patch cycle demands careful prioritization given the mix of actively exploited vulnerabilities and critical infrastructure impacts. Organizations should focus their immediate attention on\u00a0CVE-2025-33053<\/a>, the actively exploited WebDAV zero-day, particularly in environments where legacy systems or specialized applications might have WebDAV components enabled.<\/span><\/p>\n The multiple critical Microsoft Office vulnerabilities require rapid deployment scheduling, especially\u00a0CVE-2025-47167, CVE-2025-47164, CVE-2025-47162, and CVE-2025-32717, given their exploitation potential through the Preview Pane. Consider disabling Preview Pane functionality in high-risk environments until patches can be fully deployed and tested, or permanently disabling if the Preview Pane functionality isn\u2019t needed for workflows.<\/span><\/p>\n The publicly disclosed SMB vulnerability\u00a0CVE-2025-33073\u00a0warrants immediate attention in environments with significant SMB traffic or where SMB signing is not enforced. Network segmentation and SMB signing enforcement provide additional protection layers while patches are deployed. While not under active exploitation expect it to quickly become part of threat actor arsenals. <\/span><\/p>\n The unpatched BadSuccessor vulnerability demands immediate risk assessment and mitigation planning, despite the absence of a Microsoft security update. Organizations with Windows Server 2025 domain controllers face potential complete domain compromise through this Active Directory attack vector, making it a critical priority regardless of traditional patch management timelines. IT professionals should immediately audit permissions for dMSA creation rights, as Akamai’s research shows 91% of tested environments<\/a> contained users outside domain admin groups with sufficient privileges to execute BadSuccessor attacks.<\/span><\/p>\n Priority actions include restricting dMSA creation permissions to trusted administrators only, implementing comprehensive logging for dMSA-related authentication events, and deploying monitoring solutions to detect suspicious dMSA object creation or modification. Organizations should treat BadSuccessor mitigation with the same urgency as Actively Exploited vulnerabilities, given the technique’s potential for complete domain takeover and the current lack of vendor patches. MSPs managing multiple client environments should prioritize BadSuccessor risk assessments across their entire customer base, as a single compromised domain controller can enable lateral movement across the entire business network infrastructure.<\/span><\/p>\n Table Key:\u00a0Severity:\u00a0C = Critical, I = Important, M = Moderate, R = Re-issue;\u00a0Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected,\u00a0EU = Exploitation Unlikely, N\/A = Not Available<\/em>\u00a0<\/span><\/p>\nEmerging Active Directory Threats: The BadSuccessor Challenge<\/span><\/h2>\n
Other Vendor Vulnerabilities<\/span><\/h2>\n
Adobe<\/span><\/h3>\n
Google<\/span><\/h3>\n
Qualcomm<\/span><\/h3>\n
SAP<\/span><\/h3>\n
Fortinet<\/span><\/h3>\n
Vulnerability Prioritization<\/span><\/h2>\n
BadSuccessor Vulnerability Priority<\/span><\/h3>\n