Patch Tuesday, June 2025 Edition – Krebs on Security


Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.

The sole zero-day flaw this month is CVE-2025-33053, a remote code execution flaw in the Windows implementation of WebDAV, an HTTP extension that lets users remotely manage files and directories on a server. While WebDAV isn’t enabled by default in Windows, its presence in legacy or specialized systems still makes it a relevant target, said Seth Hoyt, senior security engineer at Automox.

Adam Barnett, lead software engineer at Rapid7, said Microsoft’s advisory for CVE-2025-33053 doesn’t mention that the Windows implementation of WebDAV has been listed as deprecated since November 2023, which in practical terms means that the WebClient service no longer starts by default.

“The advisory also has attack complexity as low, which means that exploitation does not require preparation of the target environment in any way that is beyond the attacker’s control,” Barnett said. “Exploitation relies on the user clicking a malicious link. It’s not clear how an asset would be immediately vulnerable if the service isn’t running, but all versions of Windows receive a patch, including those released since the deprecation of WebClient, like Server 2025 and Windows 11 24H2.”
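Because the practical question above is whether the deprecated WebClient (WebDAV redirector) service is still able to start on a given asset, here is a defender-side inventory check, added as an example and not part of the original post or of any vendor’s tooling: it reports, for a list of hosts, whether the service exists, whether it is running, and how it is configured to start. The hostnames are placeholders, and Invoke-Command assumes WinRM is enabled on the targets.

```powershell
# Added example (not from the original post): inventory the WebClient service
# state across a set of hosts. Hostnames are placeholders; WinRM must be enabled.
$Hosts = @('host1.example.local', 'host2.example.local')

function Get-WebClientState {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State (Running/Stopped)
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Present   = [bool]$svc
            State     = if ($svc) { $svc.State } else { 'n/a' }
            StartMode = if ($svc) { $svc.StartMode } else { 'n/a' }
            # Flag hosts where the deprecated service could still be started on demand
            Exposed   = [bool]$svc -and $svc.StartMode -ne 'Disabled'
        }
    } -ErrorAction Continue
}

$report = Get-WebClientState -ComputerName $Hosts
$report | Format-Table Computer, Present, State, StartMode, Exposed -AutoSize

# Optional hardening for hosts with no business need for WebDAV: stop the service
# and keep it from starting again. Apply the June patch regardless, since Microsoft
# ships the fix for every supported Windows version.
# Invoke-Command -ComputerName ($report | Where-Object Exposed).PSComputerName -ScriptBlock {
#     Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
#     Set-Service -Name WebClient -StartupType Disabled
# }
```

Hosts reported as Exposed are the ones where the legacy-system caveat from Automox applies; the remaining hosts still need the patch but have no running WebDAV client to reach.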

Microsoft warns that an “elevation of privilege” vulnerability in the Windows Server Message Block (SMB) client (CVE-2025-33073) is likely to be exploited, given that proof-of-concept code for this bug is now public. CVE-2025-33073 has a CVSS risk score of 8.8 (out of 10), and exploitation of the flaw results in the attacker gaining “SYSTEM” level control over a vulnerable PC.

“What makes this especially dangerous is that no further user interaction is required after the initial connection—something attackers can often trigger without the user realizing it,” said Alex Vovk, co-founder and CEO of Action1. “Given the high privilege level and ease of exploitation, this flaw poses a significant risk to Windows environments. The scope of affected systems is extensive, as SMB is a core Windows protocol used for file and printer sharing and inter-process communication.”

Beyond these highlights, 10 of the vulnerabilities fixed this month were rated “critical” by Microsoft, including eight remote code execution flaws.

Notably absent from this month’s patch batch is a fix for a newly discovered weakness in Windows Server 2025 that allows attackers to act with the privileges of any user in Active Directory. The bug, dubbed “BadSuccessor,” was publicly disclosed by researchers at Akamai on May 21, and several public proof-of-concepts are now available. Tenable’s Satnam Narang said organizations that have at least one Windows Server 2025 domain controller should review permissions for principals and restrict those permissions as much as possible.

Adobe has released updates for Acrobat Reader and six other products addressing at least 259 vulnerabilities, most of them in an update for Experience Manager. Mozilla Firefox and Google Chrome each recently released security updates that require a restart of the browser to take effect. The latest Chrome update fixes two zero-day exploits in the browser (CVE-2025-5419 and CVE-2025-4664).

For a detailed breakdown of the individual security updates released by Microsoft today, check out the Patch Tuesday roundup from the SANS Internet Storm Center. Action1 has a breakdown of patches from Microsoft and a raft of other software vendors releasing fixes this month. As always, please back up your system and/or data before patching, and feel free to drop a note in the comments should you run into any problems applying these updates.
