Microsoft Addresses 67 Vulnerabilities, Including Active WebDAV Zero-Day Exploit

On June 11, 2025, Microsoft unveiled patches for 67 security vulnerabilities, among which is a zero-day flaw in Web Distributed Authoring and Versioning (WebDAV) that has been actively exploited. Of these vulnerabilities, 11 are classified as Critical, while 56 are deemed Important. The update addresses 26 remote code execution issues, 17 information disclosure vulnerabilities, and 14 privilege escalation risks. Additionally, the patches follow the resolution of 13 vulnerabilities in the Chromium-based Edge browser since last month’s Patch Tuesday. The zero-day exploit, designated CVE-2025-33053 (CVSS score: 8.8), allows remote code execution through deceptive URLs. Microsoft credited Check Point researchers Alexandra Gofman and David Driker for identifying and reporting this critical vulnerability. Notably, CVE-2025-33053 marks the first zero-day vulnerability…

Microsoft Addresses 67 Security Vulnerabilities, Including Actively Exploited WebDAV Zero-Day

On June 11, 2025, Microsoft announced a security update that patches 67 vulnerabilities, including a zero-day in Web Distributed Authoring and Versioning (WebDAV) that has reportedly been exploited in the wild. Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important.

Of the vulnerabilities addressed in this release, 26 pertain to remote code execution, 17 to information disclosure, and 14 to privilege escalation. The emergence of these flaws emphasizes Microsoft’s ongoing challenges in maintaining robust security for its suite of products. This update follows an earlier one in which 13 vulnerabilities were resolved in the Chromium-based Edge browser during last month’s Patch Tuesday.

The zero-day vulnerability, identified as CVE-2025-33053, has a CVSS score of 8.8, indicating a high level of severity. Attackers can exploit this flaw by tricking users into clicking on a maliciously crafted URL, which can lead to remote code execution on affected systems. Such an exploit presents significant risks, particularly for organizations that may fall victim to social engineering tactics aimed at compromising their security.

The detection and reporting of this vulnerability were credited to Check Point researchers Alexandra Gofman and David Driker, whose vigilance underscores the importance of collaboration in the cybersecurity field. Their work highlights the critical need for organizations to stay informed and vigilant against potential threats.

Given the attack vector associated with CVE-2025-33053, adversary activity likely maps to several tactics in the MITRE ATT&CK framework. Initial access may have been achieved through phishing that entices users to click a link, leading to exploitation. Persistence techniques could then have been used to maintain control post-exploitation, and privilege escalation paths could have been leveraged to gain elevated access to resources that are normally protected.

For business owners, this update serves as a crucial reminder of the necessity to prioritize cybersecurity measures, including regular patch management and user education. The real-world exploitation of vulnerabilities like CVE-2025-33053 reinforces the idea that proactive defenses and timely responses are essential components in safeguarding critical data and infrastructure.

As organizations navigate the evolving landscape of cybersecurity threats, understanding the mechanisms of such vulnerabilities and the tactics employed by adversaries can enhance their ability to protect against potential attacks. This latest patch release from Microsoft is a call to action for businesses to remain vigilant and adaptable in their cybersecurity strategies.
