Patch Tuesday June 2025: Active WebDAV Exploitation and Unpatched BadSuccessor Allows Active Directory Compromise

June’s Patch Tuesday delivers another substantial batch of vulnerability fixes, with system administrators and MSPs facing urgent patching decisions around an actively exploited zero-day vulnerability, critical Office vulnerabilities, and an unpatched vulnerability that potentially exists in every domain that has a Windows Server 2025 domain controller. Organizations will need to prioritize deployment schedules carefully this month, as the actively exploited WebDAV vulnerability demands immediate attention while multiple Office remote code execution flaws require swift remediation to prevent potential breach scenarios across enterprise environments.

Microsoft Vulnerabilities

Microsoft’s June 2025 Patch Tuesday addresses 66 vulnerabilities across its product portfolio, with 11 rated as critical and nine marked as Exploitation More Likely. The patch batch includes one actively exploited zero-day vulnerability and one publicly disclosed vulnerability, marking another month where threat actors have successfully weaponized Microsoft software flaws before patches became available.

The most pressing concern is CVE-2025-33053, a remote code execution vulnerability in Windows Web Distributed Authoring and Versioning (WebDAV). This zero-day vulnerability has been actively exploited by the APT group “Stealth Falcon” in targeted attacks against defense companies, according to Check Point Research. The vulnerability allows unauthorized attackers to execute code over a network when users click on specially crafted WebDAV URLs. While WebDAV isn’t enabled by default in Windows, its presence in legacy systems makes it a relevant attack vector that requires immediate patching attention.

The second zero-day vulnerability is CVE-2025-33073, an elevation of privilege vulnerability in the Windows Server Message Block (SMB) client. This publicly disclosed flaw allows authenticated attackers to elevate privileges over a network by executing crafted scripts that force target devices to connect to attacker-controlled machines using SMB credentials. The vulnerability has a CVSS score of 8.8 with multiple researchers receiving acknowledgement from Microsoft. This is one more tally mark in a long list of reasons why SMB is a challenge for defenders to deal with.

In the Microsoft Office vulnerability landscape this month there are multiple remote code execution flaws affecting core applications. CVE-2025-47167, CVE-2025-47164, and CVE-2025-47162 are three critical Office RCE vulnerabilities that stem from type confusion, use-after-free, and heap-based buffer overflow conditions respectively. These vulnerabilities can be triggered through the Preview Pane, making them particularly dangerous as many users routinely preview attachments. Additionally, CVE-2025-32717 represents another critical Word RCE vulnerability that can be exploited through malicious RTF files.

Critical infrastructure components also received attention this month. CVE-2025-33071 affects the Windows KDC Proxy Service (KPSSVC), allowing unauthenticated attackers to leverage cryptographic protocol vulnerabilities in Kerberos to achieve remote code execution. Similarly, CVE-2025-33070 represents a critical Windows Netlogon elevation of privilege vulnerability that could allow unauthorized network-based privilege escalation.

Emerging Active Directory Threats: The BadSuccessor Challenge

While Microsoft’s June Patch Tuesday addressed numerous immediate threats, a significant vulnerability in Windows Server 2025 remains unpatched and poses substantial risks to Active Directory environments worldwide. The “BadSuccessor” vulnerability, discovered by Akamai researcher Yuval Gordon, exploits the delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025.

This privilege escalation vulnerability allows attackers to compromise any user in Active Directory, including Domain Administrators, by manipulating the dMSA migration process. The attack works by creating malicious dMSAs that inherit permissions from targeted accounts through the manipulation of a single attribute that the Key Distribution Center relies upon. 

The vulnerability is particularly concerning because it functions with default configurations and doesn’t require the organization to actively use dMSAs. As long as a single Windows Server 2025 domain controller exists in the environment, the attack vector becomes available. Microsoft has acknowledged the issue but currently assesses it as moderate severity and has not committed to an immediate patch timeline, creating a significant gap between vendor assessment and security community concern.

Organizations deploying Windows Server 2025 should immediately implement restrictive permissions around dMSA creation, monitor for new dMSA objects, and track authentication events associated with these accounts. The vulnerability represents a fundamental shift in Active Directory attack techniques and highlights the importance of thoroughly evaluating new features before deployment in production environments.

Other Vendor Vulnerabilities

Adobe

Adobe’s June 2025 security release addresses 254 vulnerabilities across seven products, with Adobe Experience Manager dominating the batch at 225 vulnerabilities (88.6% of total fixes) consisting almost entirely of cross-site scripting (XSS) flaws affecting both cloud service and on-premises deployments. The most critical issue is CVE-2025-47110 in Adobe Commerce with a CVSS score of 9.1, a reflected XSS vulnerability enabling arbitrary code execution alongside four other Commerce/Magento vulnerabilities.

Google

Google’s June 2025 Android security update addresses 34 high-severity vulnerabilities, with the most serious affecting the Android System component. CVE-2025-26443 could enable local privilege escalation without requiring additional execution privileges, though user interaction is required for exploitation. The update includes fixes across Android Runtime, Framework, and System components.

Google also addressed CVE-2025-4664, a high-severity Chrome vulnerability that has been actively exploited in the wild. This flaw stems from insufficient policy enforcement in Chrome’s Loader component and can be triggered through maliciously crafted HTML pages to leak cross-origin data for account takeover attacks.

Qualcomm

Qualcomm released security updates for three zero-day vulnerabilities in the Adreno Graphics Processing Unit (GPU) driver that are being exploited in limited, targeted attacks. CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038 represent memory corruption vulnerabilities that could result from unauthorized command execution in GPU microcode. Google’s Threat Analysis Group identified these vulnerabilities as being Under Active Exploitation.

SAP

SAP’s June 2025 Security Patch Day included fixes for 14 new security notes, with a critical missing authorization check vulnerability in SAP NetWeaver Application Server for ABAP receiving particular attention. This vulnerability allows attackers to bypass authorization checks and potentially escalate privileges within SAP environments.

Fortinet

Fortinet released security updates for OS command injection vulnerabilities in FortiManager, FortiAnalyzer, and FortiAnalyzer-BigData products. These vulnerabilities could allow attackers to execute arbitrary operating system commands on affected systems, potentially leading to full system compromise.

Vulnerability Prioritization

This month’s patch cycle demands careful prioritization given the mix of actively exploited vulnerabilities and critical infrastructure impacts. Organizations should focus their immediate attention on CVE-2025-33053, the actively exploited WebDAV zero-day, particularly in environments where legacy systems or specialized applications might have WebDAV components enabled.

The multiple critical Microsoft Office vulnerabilities require rapid deployment scheduling, especially CVE-2025-47167, CVE-2025-47164, CVE-2025-47162, and CVE-2025-32717, given their exploitation potential through the Preview Pane. Consider disabling Preview Pane functionality in high-risk environments until patches can be fully deployed and tested, or permanently disabling if the Preview Pane functionality isn’t needed for workflows.

The publicly disclosed SMB vulnerability CVE-2025-33073 warrants immediate attention in environments with significant SMB traffic or where SMB signing is not enforced. Network segmentation and SMB signing enforcement provide additional protection layers while patches are deployed. While it is not under active exploitation, expect it to quickly become part of threat actor arsenals.
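The two interim mitigations mentioned above for the WebDAV and SMB issues (turning off the WebDAV redirector where it is not needed, and enforcing SMB signing) can be checked and applied from PowerShell. The script below is an added example, not code from N-able or Microsoft; it assumes an elevated session on a Windows host with the SmbShare module available (Windows 8 / Server 2012 and later), and it only changes settings when the switches on `Invoke-InterimHardening` are passed.

```powershell
# Added example (not N-able's code): report on, and optionally enforce, two interim
# mitigations -- disabling the WebDAV redirector (the WebClient service) and requiring
# SMB signing for both the client and server side of this host.
# Assumes an elevated PowerShell session with the SmbShare module present.

function Get-WebDavRedirectorState {
    # The WebClient service is the Windows WebDAV redirector. When it is stopped and
    # disabled, UNC paths that resolve to WebDAV shares are not followed by this host.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false; Status = 'NotInstalled'; StartType = 'N/A' }
    }
    [pscustomobject]@{
        Present   = $true
        Status    = $svc.Status.ToString()
        StartType = $svc.StartType.ToString()
    }
}

function Get-SmbSigningState {
    # RequireSecuritySignature = True means this host refuses unsigned SMB sessions,
    # which removes the relay path the SMB client EoP depends on.
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientRequiresSigning = $client.RequireSecuritySignature
        ServerRequiresSigning = $server.RequireSecuritySignature
    }
}

function Invoke-InterimHardening {
    param(
        [switch]$DisableWebDav,
        [switch]$RequireSmbSigning
    )
    if ($DisableWebDav) {
        $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
        if ($svc) {
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
            Set-Service -Name WebClient -StartupType Disabled
        }
    }
    if ($RequireSmbSigning) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
}

# Report-only run; nothing is changed unless the switches are supplied.
Get-WebDavRedirectorState | Format-List
Get-SmbSigningState       | Format-List
# To apply both mitigations: Invoke-InterimHardening -DisableWebDav -RequireSmbSigning
```

Run the report first across a pilot group before applying anything: disabling WebClient breaks workflows that map SharePoint or other WebDAV locations as drives, and requiring SMB signing will stop connections from old devices (printers, NAS units, legacy appliances) that cannot sign, so confirm those dependencies in the inventory before rolling the change out fleet-wide.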

BadSuccessor Vulnerability Priority

The unpatched BadSuccessor vulnerability demands immediate risk assessment and mitigation planning, despite the absence of a Microsoft security update. Organizations with Windows Server 2025 domain controllers face potential complete domain compromise through this Active Directory attack vector, making it a critical priority regardless of traditional patch management timelines. IT professionals should immediately audit permissions for dMSA creation rights, as Akamai’s research shows 91% of tested environments contained users outside domain admin groups with sufficient privileges to execute BadSuccessor attacks.

Priority actions include restricting dMSA creation permissions to trusted administrators only, implementing comprehensive logging for dMSA-related authentication events, and deploying monitoring solutions to detect suspicious dMSA object creation or modification. Organizations should treat BadSuccessor mitigation with the same urgency as Actively Exploited vulnerabilities, given the technique’s potential for complete domain takeover and the current lack of vendor patches. MSPs managing multiple client environments should prioritize BadSuccessor risk assessments across their entire customer base, as a single compromised domain controller can enable lateral movement across the entire business network infrastructure.
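The three actions called out above and in the earlier BadSuccessor section (audit who can create dMSAs, enumerate existing dMSA objects, and watch for new ones being created) map to a small set of Active Directory queries. The script below is an added example, not N-able's or Akamai's code; it assumes the RSAT ActiveDirectory module, read access to the domain, and that "Audit Directory Service Changes" is enabled on the domain controllers so object creation produces Security event 5137. The `msDS-ManagedAccountPrecededByLink` attribute name comes from the Windows Server 2025 schema, not from this post.

```powershell
# Added example (not N-able's or Akamai's code): audit which trustees may create dMSA
# objects, list the dMSAs that already exist, and pull recent dMSA creation events.
# Assumptions: RSAT ActiveDirectory module; ACL review covers OUs and containers; the
# event query relies on "Audit Directory Service Changes" producing event ID 5137.
Import-Module ActiveDirectory

function Get-DmsaSchemaGuid {
    # Resolve the schemaIDGUID of the dMSA object class so that object-specific
    # CreateChild ACEs can be matched exactly rather than by name.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)'
    if (-not $cls) { throw 'dMSA class not found: no Windows Server 2025 schema in this forest.' }
    [guid]$cls.schemaIDGUID
}

function Get-DmsaCreateRights {
    # One row per Allow ACE that lets a trustee create dMSAs, either specifically or
    # through blanket CreateChild / GenericAll. Anything outside tier-0 groups needs review.
    $dmsaGuid    = Get-DmsaSchemaGuid
    $allChildren = [guid]::Empty   # an all-zero ObjectType means "any child class"
    $createBit   = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $allBits     = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $containers  = Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'
    foreach ($c in $containers) {
        $acl = Get-Acl -Path ('AD:\' + $c.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$ace.ActiveDirectoryRights
            $grantsCreate = (($rights -band $createBit) -ne 0) -and
                            ($ace.ObjectType -eq $dmsaGuid -or $ace.ObjectType -eq $allChildren)
            $grantsAll    = ($rights -band $allBits) -eq $allBits
            if ($grantsCreate -or $grantsAll) {
                [pscustomobject]@{
                    Container = $c.DistinguishedName
                    Trustee   = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights.ToString()
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Get-ExistingDmsa {
    # Every dMSA in the domain plus the account it claims to succeed. A populated link on a
    # dMSA nobody provisioned on purpose is the thing to look for.
    Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties whenCreated, 'msDS-ManagedAccountPrecededByLink' |
        Select-Object Name, DistinguishedName, whenCreated,
            @{ n = 'PrecededBy'; e = { $_.'msDS-ManagedAccountPrecededByLink' } }
}

function Get-RecentDmsaCreations {
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    # Event 5137 = "A directory service object was created"; its message includes the
    # object class. Run against each DC, or against the SIEM copy of the Security log.
    $filter = @{ LogName = 'Security'; Id = 5137; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'msDS-DelegatedManagedServiceAccount' } |
        Select-Object TimeCreated, @{ n = 'DC'; e = { $_.MachineName } }, Message
}

Get-DmsaCreateRights    | Format-Table -AutoSize
Get-ExistingDmsa        | Format-Table -AutoSize
Get-RecentDmsaCreations | Format-Table -AutoSize
```

The rights audit is the piece to run first, since it answers the question Akamai's figure raises for your own domains: which trustees that are not Domain Admins hold CreateChild on an OU or container. Inherited ACEs are flagged separately because a permissive ACE set high in the tree (often for a provisioning or help-desk group) is the usual source of the finding. The two remaining functions give the baseline of existing dMSAs and the ongoing creation feed; the 5137 query is a starting point for a SIEM rule rather than a substitute for one.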

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available

| CVE Number | CVE Title | Severity | Status |
| --- | --- | --- | --- |
| CVE-2025-33053 | Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability | I | ED |
| CVE-2025-47962 | Windows SDK Elevation of Privilege Vulnerability | I | EML |
| CVE-2025-47167 | Microsoft Office Remote Code Execution Vulnerability | C | EML |
| CVE-2025-47164 | Microsoft Office Remote Code Execution Vulnerability | C | EML |
| CVE-2025-47162 | Microsoft Office Remote Code Execution Vulnerability | C | EML |
| CVE-2025-33071 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability | C | EML |
| CVE-2025-33070 | Windows Netlogon Elevation of Privilege Vulnerability | C | EML |
| CVE-2025-32717 | Microsoft Word Remote Code Execution Vulnerability | C | EML |
| CVE-2025-32714 | Windows Installer Elevation of Privilege Vulnerability | I | EML |
| CVE-2025-32713 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | I | EML |
| CVE-2025-33073 | Windows SMB Client Elevation of Privilege Vulnerability | I | ELL |
| CVE-2025-47953 | Microsoft Office Remote Code Execution Vulnerability | C | ELL |
| CVE-2025-47172 | Microsoft SharePoint Server Remote Code Execution Vulnerability | C | ELL |
| CVE-2025-32711 | M365 Copilot Information Disclosure Vulnerability | C | ELL |
| CVE-2025-32710 | Windows Remote Desktop Services Remote Code Execution Vulnerability | C | ELL |
| CVE-2025-29828 | Windows Schannel Remote Code Execution Vulnerability | C | ELL |

Summary

As organizations look to strengthen their cyber resilience, they should integrate third-party patching priorities into their existing patch management routines, ensuring that traditionally Microsoft-focused processes expand to address the multi-vendor threat landscape that characterizes modern environments. The convergence of Actively Exploited vulnerabilities across multiple platforms underscores the importance of comprehensive, risk-based patch management strategies that extend beyond severity ratings to encompass real-world exploitation patterns and business-critical system exposure.

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If your approach has typically centered around patching based on severity alone, it’s crucial to expand your patch management strategies. Integrate priority handling into your Patch Management routines for patches related to zero-day vulnerabilities, vulnerabilities with Detected Exploitations, and those with a higher likelihood of exploitation. The convergence of Actively Exploited vulnerabilities across multiple vendors underscores the need for comprehensive, risk-based approaches that extend beyond traditional Microsoft-focused patch management to address the multi-vendor reality of modern business networks.

If you are looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews, check out the Patch Management section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd 

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only. It should not be relied upon for legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd., and may be common law marks, registered, or pending registration with the U.S. Patent and Trademark Office or in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or registered trademarks) of their respective companies.