
June 2025 Microsoft Patch Tuesday fixes two zero-days
Microsoft’s June Patch Tuesday fixes 67 vulnerabilities, including two zero-days, one of which is being actively exploited.
June 2025’s Patch Tuesday fixed 67 Microsoft vulnerabilities, including two zero-days, one of which is being actively exploited. Compared to last month, that’s an improvement, but there is still plenty to cover.
Let’s start by looking at the one that’s actively being exploited.
CVE-2025-33053 (CVSS score 8.8 out of 10): a Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution (RCE) vulnerability, which Microsoft summarizes as:
External control of file name or path in WebDAV allows an unauthorized attacker to execute code over a network.
WebDAV is an HTTP extension that lets users remotely manage files and directories on a server. It is not enabled by default.
Successful exploitation requires the target to click on a specially crafted URL. This vulnerability was exploited in an attack scenario where the cybercriminals used a .url file to execute malware from a WebDAV server controlled by the attacker.
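For defenders triaging .url files from mail attachments or download folders, the following added example (not code from Microsoft or from the original article) parses an Internet Shortcut file and flags any field whose value points at a WebDAV or other remote share. The pattern list, function name, and sample files are assumptions constructed for illustration, not published indicators for this CVE.

```python
import configparser
import re

# Value shapes that make Windows resolve a path on a remote host (assumed
# triage heuristics, not indicators published for CVE-2025-33053).
REMOTE_PATTERNS = [
    ("webdav_unc", re.compile(r"^\\\\[^\\@]+@(?:ssl(?:@\d+)?|\d+)\\", re.I)),
    ("davwwwroot", re.compile(r"\\DavWWWRoot(?:\\|$)", re.I)),
    ("unc_path", re.compile(r"^\\\\[^\\]+\\")),
    ("remote_file_url", re.compile(r"^file://[^/]", re.I)),
]


def scan_url_shortcut(text):
    """Return (key, value, reason) for each shortcut field naming a remote path."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case as written in the file
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return [("<file>", "", "unparseable")]  # malformed shortcut: review by hand
    findings = []
    for section in parser.sections():
        if section.lower() != "internetshortcut":
            continue
        for key, value in parser.items(section):
            cleaned = value.strip().strip('"')
            for reason, pattern in REMOTE_PATTERNS:
                if pattern.search(cleaned):
                    findings.append((key, cleaned, reason))
                    break  # one reason per field is enough for triage
    return findings


# Constructed samples; hosts use the reserved .test TLD.
SAMPLE_REMOTE = r"""[InternetShortcut]
URL=\\dav.example.test@SSL\DavWWWRoot\docs\readme.txt
IconFile=C:\Windows\System32\shell32.dll
IconIndex=13
"""
SAMPLE_BENIGN = r"""[InternetShortcut]
URL=https://intranet.example.test/wiki
IconIndex=0
"""

if __name__ == "__main__":
    for name, sample in (("remote", SAMPLE_REMOTE), ("benign", SAMPLE_BENIGN)):
        print(name, scan_url_shortcut(sample))
```

A hit means the shortcut reaches outside the local machine and deserves a closer look; legitimate shortcuts to internal file shares will also match, so allowlist known hosts before alerting on it.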
Also noteworthy is a publicly disclosed zero-day vulnerability tracked as CVE-2025-33073 (CVSS score 8.8 out of 10). It results from improper access control in Windows Server Message Block (SMB) and allows an authorized attacker to elevate privileges over a network.
SMB is the protocol that is implemented in most office and home networks to share files, printers, and other resources with each other.
Since there is a publicly available proof-of-concept (PoC), it is reasonable to assume that this elevation of privilege (EoP) vulnerability is likely to be exploited. To exploit this vulnerability, an attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attacker's system using SMB and authenticate. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Other vendors
Adobe released security updates for:
- Adobe InCopy
- Adobe Experience Manager
- Adobe Commerce
- Adobe InDesign
- Adobe Substance 3D Sampler
- Adobe Acrobat Reader
- Adobe Substance 3D Painter
Google released its June 2025 Android security bulletin and fixed an actively exploited vulnerability in the Chrome browser.
Qualcomm released security updates for three actively exploited zero-day vulnerabilities.
SAP released its June 2025 security updates.