Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053)

For June 2025 Patch Tuesday, Microsoft has fixed 66 new CVEs, including a zero-day exploited in the wild (CVE-2025-33053).


Also, Adobe Commerce and Magento Open Source users are urged to update quickly.

About CVE-2025-33053

CVE-2025-33053 is a remote code execution vulnerability in Web Distributed Authoring and Versioning (WebDAV), an extension of HTTP that lets clients read, create, move and edit files on a remote server.

Flagged by Check Point researchers, the vulnerability was exploited in March 2025 by an APT group known as Stealth Falcon to deliver a custom-built espionage tool (Horus Agent) to a major defense organization in Turkey.

“The attack began with what looked like a standard shortcut file — a .url file disguised as a PDF document related to military equipment damage,” the researchers shared.

The file was likely delivered via a phishing email and, once run, it would exploit the zero-day to execute malware from an actor-controlled WebDAV server.

“The attackers manipulated the Windows file execution search order. They tricked a built-in Windows utility into executing a malicious program hosted on their remote server,” the researchers explained.

“This technique allowed Stealth Falcon to run their code without needing to drop files on the first stage of the infection chain directly onto the victim’s computer. It also helped them evade detection by relying on legitimate, trusted Windows components to carry out the attack.”

And while the Windows WebDAV client (the WebClient service) isn't enabled by default and was deprecated in 2023, Microsoft has nonetheless decided to patch the flaw in both currently supported Windows and Windows Server versions and in some legacy ones.
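The check a practitioner will want here is whether the WebDAV client is actually present and reachable on a given host, and whether the June updates have landed. The following script is an added example, not code from the article or from Check Point or Microsoft; it assumes it is run with local administrator rights, that the host's WebDAV client is the WebClient service (which is how Windows implements the WebDAV redirector), and that the June 2025 updates carry an install date on or after 10 June 2025. The `-Disable` switch is a hypothetical name chosen for this example.

```powershell
# Added example: report the state of the Windows WebDAV client (WebClient service),
# list updates installed since June 2025 Patch Tuesday, and optionally disable the
# service where WebDAV is not needed so the vulnerable code path is never reached.
# Assumption: run as a local administrator on the host being checked.
param([switch]$Disable)

$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if (-not $svc) {
    # Windows Server does not ship the WebDAV Redirector unless the feature is added.
    Write-Output 'WebClient service is not installed on this host.'
    return
}

# Startup type is not exposed by Get-Service on older PowerShell, so read it from WMI/CIM.
# On client SKUs the default is typically Manual (trigger start): not running, but startable on demand.
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
Write-Output ("WebClient: Status={0} StartMode={1}" -f $svc.Status, $startMode)

# Show what has been installed since the June 2025 Patch Tuesday (10 June 2025).
# Assumption: match the KB numbers against Microsoft's advisory for your exact build.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2025-06-10' } |
    Select-Object HotFixID, InstalledOn
if ($recent) { $recent | Format-Table -AutoSize } else { Write-Output 'No updates installed since 2025-06-10.' }

# Hardening step: stop and disable the WebDAV client where nothing relies on it.
# Assumption: WebDAV (e.g. SharePoint "Open with Explorer") is not required on this host.
if ($Disable) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    Write-Output 'WebClient service stopped and disabled.'
}
```

Run it without arguments to inventory a host, and with `-Disable` only after confirming nothing on the machine depends on WebDAV shares; disabling the service also closes a common NTLM-relay coercion path, but it breaks any workflow that mounts WebDAV locations as network paths.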

Other Microsoft patches

CVE-2025-33073, a vulnerability in the Windows SMB Client that could be used for privilege escalation if attackers can convince a victim to connect to an attacker-controlled SMB server, is publicly disclosed, but Microsoft says it's less likely to be exploited.

Among the vulnerabilities that are more likely to be exploited are:

CVE-2025-33070, a Windows Netlogon vulnerability that could allow attackers to gain domain administrator privileges by sending specially crafted authentication requests to a domain controller

CVE-2025-47162, CVE-2025-47164 and CVE-2025-47167 – RCE flaws in Microsoft Office (that have yet to be fixed in Microsoft 365 Apps for Enterprise)

CVE-2025-32717, a Microsoft Word RCE vulnerability that could be exploited via a malicious RTF file, which the victim would open or just view in the preview pane

CVE-2025-33071, a use-after-free flaw in the Windows KDC Proxy Service (KPSSVC), which could allow an unauthenticated attacker to execute code over a network.

As Rapid7 researchers explained, “The good news is that only Windows Server assets configured as a Kerberos Key Distribution Center Proxy Protocol server — happily, this is not enabled as standard configuration for a domain controller — and exploitation requires that the attacker win a race condition. The bad news is that Microsoft considers exploitation more likely regardless, and since a KDC proxy helps Kerberos requests from untrusted networks more easily access trusted assets without any need for a direct TCP connection from the client to the domain controller, the trade-off here is that the KDC proxy itself is quite likely to be exposed to an untrusted network.”

Microsoft has also addressed CVE-2025-3052, a memory corruption vulnerability in 14 modules signed with Microsoft's third-party UEFI certificate, which could allow attackers to run unsigned code during the boot process (i.e., before the operating system loads) and install bootkits.

“This month, Microsoft did not patch BadSuccessor, a zero-day elevation of privilege vulnerability, despite its disclosure by researchers at Akamai on May 21 and the subsequent release of public proof-of-concepts, including a .NET implementation dubbed SharpSuccessor, and its inclusion in NetExec and BloodyAD,” noted Satnam Narang, senior staff research engineer at Tenable.

“BadSuccessor only affects domains that have at least one Windows Server 2025 domain controller, a rare configuration that we’ve observed in just 0.7% of AD domains based on a subset of our telemetry data. Nonetheless, we know that Microsoft intends to fix the flaw, but not this month. Organizations that do have at least one Windows Server 2025 domain controller should review permissions for principals and limit those permissions as much as possible.”
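The permission review Tenable recommends can be automated. BadSuccessor is abused by a principal that can create delegated Managed Service Account (dMSA) objects, so the question to answer is which non-admin principals hold CreateChild (unrestricted or scoped to the dMSA class) or broader control rights on any OU or container. The script below is an added example, not code from the article, Akamai or Tenable; it assumes the ActiveDirectory RSAT module is available on a domain-joined machine with read access to the directory, and the `$expected` allow-list of tier-0 identities is an assumption to be adjusted per environment. The dMSA class GUID is looked up from the schema at run time rather than hard-coded.

```powershell
# Added example: find principals that can create dMSA objects
# (msDS-DelegatedManagedServiceAccount) in any OU or container, the right BadSuccessor abuses.
# Assumption: ActiveDirectory RSAT module present, directory read access, domain-joined host.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve the dMSA object class GUID from the schema. If the class is absent, no Windows Server 2025
# DC has extended the schema and the technique does not apply to this forest.
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
if (-not $dmsaClass) { throw 'dMSA class not present in the schema; BadSuccessor does not apply.' }
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID
$anyGuid  = [guid]'00000000-0000-0000-0000-000000000000'   # ACE not scoped to an object class

# Identities expected to hold these rights. Assumption: extend with your own tier-0 groups.
$domainNetbios = (Get-ADDomain).NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$domainNetbios\Domain Admins", "$domainNetbios\Enterprise Admins")

# dMSAs can be created in OUs and in containers, so audit both.
$targets = Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'

$findings = foreach ($obj in $targets) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }

        # ActiveDirectoryRights is a flags enum; split it into individual right names.
        $rights = $ace.ActiveDirectoryRights.ToString().Split(',').Trim()

        # Broad control rights let the holder grant themselves CreateChild anyway.
        $hasBroad  = [bool]($rights | Where-Object { $_ -in 'GenericAll', 'WriteDacl', 'WriteOwner' })
        # CreateChild only matters if it is unrestricted or scoped to the dMSA class itself.
        $hasCreate = ($rights -contains 'CreateChild') -and ($ace.ObjectType -in @($anyGuid, $dmsaGuid))
        if (-not ($hasBroad -or $hasCreate)) { continue }

        [pscustomobject]@{
            Container = $obj.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = ($rights -join ',')
            Scope     = if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA class' }
                        elseif ($ace.ObjectType -eq $anyGuid) { 'all classes' }
                        else { $ace.ObjectType.ToString() }
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Container, Principal | Format-Table -AutoSize
```

Every row is a principal who, once a Windows Server 2025 DC is present, can create a dMSA in that container and set its predecessor link; remove the right or move the principal out of the allow-list exception only after confirming it is not a legitimate service-account provisioning role. Inherited ACEs point at the parent OU where the grant was made, so fix the grant there rather than on each child.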

Adobe security updates

Adobe has released security updates for InCopy, Experience Manager, InDesign, Substance 3D Sampler, Substance 3D Painter, Acrobat Reader, Commerce and Magento Open Source, which fix a veritable avalanche (250+) of CVE-numbered flaws.

Among those updates, Adobe advises prioritizing the Commerce and Magento Open Source one: while most of the five fixed vulnerabilities can be exploited only by attackers who have previously attained administrative privileges, and while Adobe is not aware of any exploits in the wild for any of these issues, these vulnerabilities “have a higher risk of being targeted”. The company urged administrators to install the update within 72 hours.
