June Patch Tuesday digs into 67 bugs

.Microsoft on Tuesday released 67 patches affecting 12 product families. Ten of the addressed issues, five involving 365 and Office and one involving SharePoint, are considered by Microsoft to be of Critical severity, and 17 have a CVSS base score of 8.0 or higher. One, an Important-severity RCE in Windows related to WEBDAV (CVE-2025-33053), is known to be under active exploitation in the wild. An additional Important-severity SMB issue has been publicly disclosed, but is not currently known to be under exploit. 

At patch time, nine additional CVEs are more likely to be exploited in the next 30 days by the company’s estimation, not including the WEBDAV issue mentioned above. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in a table below. This most certainly includes CVE-2025-33053, in which Sophos itself has taken a particular interest – and, apparently, vice versa.

In addition to these patches, ten Adobe Reader fixes, four of them considered to be of Critical severity, are included in the release. Those are listed in Appendix D below. That appendix also contains information on two Edge-related vulnerabilities and a Critical-severity Power Automate issue that was addressed earlier this month, as well as limited information on a Critical-severity bug in Copilot for which an advisory was released the following day (Wednesday). The periodically released Servicing Stack updates are also available.  

We are as always including at the end of this post additional appendices listing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base score, and by product family; an appendix covering the advisory-style updates; and a breakout of the patches affecting the various Windows Server platforms still in support.  

By the numbers

• Total CVEs: 67
• Publicly disclosed: 1
• Exploit detected: 1
• Severity
  • Critical: 10
  • Important: 57
• Impact
  • Remote Code Execution: 26
  • Information Disclosure: 17
  • Elevation of Privilege: 13
  • Denial of Service: 6
  • Security Feature Bypass: 3
  • Spoofing: 2
• CVSS base score 9.0 or greater: 0*
• CVSS base score 8.0 or later: 18

 * One issue, affecting Power Automate for Desktop but patched by Microsoft on June 5, has been assigned a 9.8 CVSS base score. Since it was mitigated prior to release, we are treating that information as advisory-only and do not include it in this month’s statistics. Likewise, the Copilot advisory released on June 11 has a CVSS base score of 9.3, but does not figure into these tallies or charts.

Figure 1: A proportionally heavier-than-usual ten Critical-severity patches were released in June,  though unusually six of those occur in 365, Office, or SharePoint rather than the more customary Windows. (Two Edge updates covered this month are not released with full impact information and thus do not appear in this chart; we are also excluding the Power Automate patch as discussed above) 

Products 

• Windows: 45*
• 365: 15
• Office: 14
• SharePoint: 5
• Visual Studio: 2
• Word: 2
• .NET: 1
• Excel: 1
• Microsoft AutoUpdate for Macintosh: 1
• Nuance Digital Engagement Platform: 1
• Outlook: 1
• PowerPoint: 1

* One Windows SDK patch (CVE-2025-47962) and one patch affecting the Windows Security App component (CVE-2025-47956) are included in the Windows counts for reader convenience, though neither affects specific versions of the client or server platforms.  

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. We note that CVE names don’t always reflect affected product families closely. In particular, some CVEs names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa.

Figure 2: Twelve product families figure in May’s Patch Tuesday release; the Nuance medical-product family returns to the charts for a second month, this time addressing a spoofing issue in its Digital Engagement Platform 

Notable June updates 

In addition to the issues discussed above, several specific items merit attention.  

CVE-2025-33053 — Web Distributed Authoring and Versioning (WebDAV) Remote Code Execution Vulnerability 

The only patched issue currently known to be under exploit in the wild is an Important-severity flaw in Web Distributed Authoring and Versioning code, which has been underpinning much of the internet since the IE era. That’s the problem; this patch touches the MSHTML, EdgeHTML, and scripting platforms, which are all still supported. This means that those Microsoft customers currently taking Security Only updates need to install the IE Cumulative updates to properly guard against this vulnerability – something here for everyone, in other words. 

The adversaries exploiting that vulnerability apparently found Sophos protections vexing.  Endpoint protection scans new programs before they run—but after launch, scanning drops off. Attackers exploit this by delivering programs with encrypted bodies that evade static scanning and AI models. Once running, the code decrypts itself, loads implants, and executes entirely in memory—never touching disk. 

Sophos counters this with Dynamic Shellcode Protection, which limits how much executable memory a process can allocate. That restriction breaks stealthy in-memory attacks, forcing adversaries to revert to noisier, more detectable techniques like remote injection—where they’re much easier to catch. 

 After that the attackers would have run into several more Sophos layers of blacklist, antimalware signatures, and other defenses — but it’s fascinating to us to see ourselves reflected in an adversary’s code as a particularly tough nut to crack. In any case, we recommend as always that defenders prioritize higher-profile patches such as this one. 

CVE-2025-33073 – Windows SMB Client Elevation of Privilege Vulnerability 

It’s not known to be under active exploitation yet, and Microsoft indicates that they think it’s less likely to be exploited within the next 30 days, but this Important-severity EoP is the one June CVE known to have been publicly disclosed so far. The issue comes down to improper access controls, and it affects all supported Windows client and server versions. 

CVE-2025-47166 — Microsoft SharePoint Server Remote Code Execution Vulnerability 

After debuting in May, “zcgonvh’s cat Vanilla” makes an immediate return appearance on the finder roster – that’s right, the cat came back the very next Patch Tuesday. 

CVE-2025-32711 — M365 Copilot Information Disclosure Vulnerability 

Finally, one CVE that was not released in the Tuesday collection, but merited the release of an advisory the following day: a Critical-severity, CVSS-base 9.3, information-disclosure error that made it possible for an unauthorized attacker to use command injection to disclose information from the AI tool. The vulnerability was responsibly disclosed to Microsoft and the company stated early Wednesday that the patch is already pushed to customers.  

Figure 3: As we wrap up the first half of the year, the proportion of Critical-severity RCEs over the past six months is eye-catching 

Figure 4: Comparing first-half totals for 2024 and 2025, we see that the high number of Critical-severity RCEs stands out even more strongly when compared to the year before – 40, compared with just 9 for the first half of the year before. A few other trends stand out as well, including large year-over-year increases in information disclosure CVEs (44 in 1H24, 77 so far in 2025) and denial of service issues (34 in 1H24, 57 so far in 2025) 

Sophos protections 

CVE-2025-33053 also has an applicable detection of note, Troj/UrlRun-B, in addition to the XSG signature noted above. 

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number. 

Appendix A: Vulnerability Impact and Severity 

This is a list of June patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.  

Remote Code Execution (25 CVEs) 

Information Disclosure (17 CVEs) 

Elevation of Privilege (13 CVEs) 

Denial of Service (6 CVEs) 

Security Feature Bypass (3 CVEs) 

Spoofing (2 CVEs) 

Appendix B: Exploitability and CVSS 

This is a list of the June CVEs judged by Microsoft to be either under exploitation in the wild or more likely to be exploited in the wild within the first 30 days post-release. The list is further arranged by CVE. The three Office items more likely to be exploited in the next 30 days (CVE-2025-47162, CVE-2025-47164, and CVE-2025-47167) are all exploitable via Preview Pane. 

This is a list of June’s CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema.  

Appendix C: Products Affected 

This is a list of June’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. Certain significant issues for which advisories have been issued are covered in Appendix D, and issues affecting Windows Server are further sorted in Appendix E. All CVE titles are accurate as made available by Microsoft; for further information on why certain products may appear in titles and not product families (or vice versa), please consult Microsoft. 

Windows (45 CVEs) 

365 (14 CVEs) 

Office (14 CVEs) 

SharePoint (5 CVEs) 

Visual Studio (2 CVEs) 

Word (2 CVEs) 

.NET (1 CVE) 

Excel (1 CVE) 

Microsoft AutoUpdate for Macintosh (1 CVE) 

Nuance Digital Engagement Platform (1 CVE) 

Outlook (1 CVE) 

PowerPoint (1 CVE) 

Appendix D: Advisories and Other Products 

There are 10 Adobe Reader advisories in June’s release, APSB25-57. Since there’s some variety in severity levels in this month’s set, we’re including that information as well. 

There are additional Microsoft advisories and informational releases that deserve attention. The Power Automate patch is interesting – a Critical-severity EoP with a CVSS base score of 9.8 – but the patch itself was issued nearly a week ago, and so the information presented below is mainly FYI. In additional, Web elders are hereby reassured that the “Blink” involved in CVE-2025-5068 relates to the Chromium rendering engine, not the erstwhile markup tag best described as Satan’s eyelash. 

As noted above, on Wednesday Microsoft released an advisory concerning CVE-2025-32711, “M365 Copilot Information Disclosure Vulnerability,” a Critical-severity information-disclosure bug in Copilot. Though technically not included in Patch Tuesday’s haul, we include acknowledgement of that release as a courtesy to the reader. 

Appendix E: Affected Windows Server versions 

This is a table of the CVEs in the June release affecting nine Windows Server versions, 2008 through 2025. The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). Critical-severity issues are marked in red; an “x” indicates that the CVE does not apply to that version. Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft.