Microsoft Fixes 66 Bugs, Including Active 0-Day

Microsoft Fixes 66 Bugs, Including Active 0-Day

Microsoft’s June Patch Tuesday update has landed, bringing security fixes for 66 vulnerabilities across its product line. Among the patched flaws is one that was already being exploited in real-world attacks, making this month’s updates particularly important for both enterprises and individual users.

One Zero-Day Actively Exploited

The standout fix addresses CVE-2025-33053, a vulnerability in the WebDAV component of Windows. This flaw could allow attackers to execute code remotely if exploited correctly. Since it was already being used in attacks before today’s patch release, it falls into the “zero-day” category.

The WebDAV vulnerability affects both Windows 10 and Windows 11, along with related server versions. While Microsoft has not disclosed the full details of the attacks, they have confirmed that the bug was found in use in the wild.

10 Critical Issues Fixed

In addition to the zero-day, Microsoft patched 10 vulnerabilities rated Critical, which generally means they allow remote code execution or elevation of privilege without much user interaction. These include four bugs in Microsoft Office, which continue to be a regular target for attackers looking to send malicious documents through email.

Other products receiving fixes include Microsoft Edge, Power Automate, .NET, and components of Windows itself. While none of the other issues were reported as actively exploited, several are marked as more likely to be targeted in the near term.

Windows Update Details

The updated packages are available now and include:

  • Windows 11: KB5060842 (22H2 and 23H2)
  • Windows 10: KB5060533 and KB5060999
  • Windows Server versions: Also updated, depending on the build in use.

Admins should check their update management systems to confirm rollout and assess any compatibility concerns that may arise from the latest patches.

Why This Month Matters

The quick exploitation of CVE-2025-33053 once again shows how fast attackers move when new vulnerabilities are disclosed. While zero days often make headlines, the other fixes should not be ignored. Several of this month’s bugs involve components often exposed to the internet or frequently used in enterprise environments.

Companies that delay patching are not just risking data theft but also the cost of recovery from ransomware, which often begins with bugs like the ones patched today.

Nick Carroll, cyber incident response manager at Nightwing, the intelligence solutions company divested from RTX, commented on the Patch Tuesday event, stating, There are a couple of vulnerabilities for the Windows Common Log File System (CVE-2025-32701 and CVE-2025-32706) which are Priv Esc vulnerabilities. Those aren’t critical, which means some organizations won’t prioritize patching them as quickly as they probably should. And if you look at what tends to get a lot of attention, critical vulnerabilities catch all the buzz,” noted Nick.

But we see real world attacks abusing that Windows Log File subsystem pretty regularly. In fact, Nightwing has defended against exploits in the Windows Common Log File System in real world attacks last month related to the recently patched CVE-2025-29824 where the threat actors were abusing Living-off-the-Land tactics in conjunction with the exploit,” he added.

What to Do Now

  • Apply all available June updates as soon as possible, especially for systems using WebDAV
  • Review your Office file handling policies, especially if users frequently receive documents from outside the organization
  • Monitor network traffic for signs of suspicious activity linked to WebDAV or other patched services
  • Test in staging environments before rolling out company-wide, especially in environments with older or customized software stacks

Microsoft’s full advisory can be found on its official security update guide. Patching quickly remains one of the simplest and most effective defences against many forms of cyberattacks.




Source link