Microsoft rolled out its Patch Tuesday update on June 10th, and this one feels a bit lighter—just 70 security issues that need attention. Among them, two zero-day vulnerabilities are on the radar.
The first big issue is CVE-2025-33053, a remote code execution flaw in WebDAV. The second, CVE-2025-33073, is an elevation-of-privilege vulnerability in the SMB Client. Both vulnerabilities score an 8.8 on the severity scale.
Microsoft reported that the first flaw is already being exploited, though proof-of-concept code isn’t available. Credit for this CVE goes to Alexandra Gofman and David Driker from Check Point Research. In contrast, CVE-2025-33073 is attributed to researchers from CrowdStrike, Synacktiv, SySS GmbH, and Google Project Zero.
CVE-2025-33053 needs urgent attention. It affects legacy systems, including versions of Windows dating back to Windows 8 and Server 2012. The problem arises when users click on malicious URLs, allowing attackers to execute code remotely. Mike Walters from Action1 highlights that the vulnerability affects many tools still using the outdated Internet Explorer for file sharing.
“This flaw is particularly worrying because many businesses enable WebDAV without fully grasping the security risks. Millions are at risk, with about 70 to 80% of enterprises possibly vulnerable, especially those lacking proper URL filtering or user training,” Walters noted.
Regarding CVE-2025-33073, Ben Hopkins from Immersive explained that it allows attackers to gain elevated privileges. Once an attacker gets inside a system—often through phishing or another vulnerability—they can exploit this flaw to take control. With higher permissions, they could disable security measures, access sensitive data, or install malware.
June’s Patch Tuesday also brought ten critical flaws. Four affect Microsoft Office, and one each affects SharePoint Server, Power Automate, KDC Proxy Service, Netlogon, Remote Desktop Services, and Schannel. Eight of these are remote code execution vulnerabilities, and the other two enable privilege escalation.
Kev Breen, a threat researcher at Immersive, emphasized the need to prioritize Office vulnerabilities. “These flaws let attackers craft malicious documents. If opened, they can run commands on a victim’s computer,” he explained.
Microsoft pointed out that even viewing an attachment in the Preview Pane could trigger the exploit. What’s concerning is that no updates for Microsoft 365 were available at release; customers will be notified through a revision. While there’s no active exploitation right now, past instances show that attackers can quickly reverse-engineer patches to create new exploits.