Microsoft’s Patch Tuesday fixes 175 vulnerabilities, including two actively exploited zero-days

14 October 2025 at 14:36

Microsoft addressed 175 vulnerabilities affecting its core products and underlying systems, including two actively exploited zero-days, the company said in its latest security update. It’s the largest assortment of defects disclosed by the tech giant this year.

The zero-day vulnerabilities — CVE-2025-24990 affecting Agere Windows Modem Driver and CVE-2025-59230 affecting Windows Remote Access Connection Manager — both have a CVSS rating of 7.8. The Cybersecurity and Infrastructure Security Agency added both zero-days to its known exploited vulnerabilities catalog Tuesday.

Microsoft said the third-party Agere Modem driver that ships with supported Windows operating systems has been removed in the October security update. Fax modem hardware that relies on the driver will no longer work on Windows, the company said.

Attackers can achieve administrator privileges by exploiting CVE-2025-24990. “All supported versions of Windows can be affected by a successful exploitation of this vulnerability, even if the modem is not actively being used,” Microsoft said in its summary of the defect.

The improper access control vulnerability affecting Windows Remote Access Connection Manager can be exploited by an authorized attacker to elevate privileges locally and gain system privileges, Microsoft said.

Windows Remote Access Connection Manager, a service used to manage remote network connections through virtual private networks and dial-up networks, is a “frequent flyer on Patch Tuesday, appearing more than 20 times since January 2022,” Satnam Narang, senior staff research engineer at Tenable, said in an email. “This is the first time we’ve seen it exploited in the wild as a zero day.”

The most severe vulnerabilities disclosed this month include CVE-2025-55315 affecting ASP.NET core and CVE-2025-49708 affecting Microsoft Graphics Component. Microsoft said exploitation of the defects is less likely, but both have a CVSS rating of 9.9.

Microsoft flagged 14 defects as more likely to be exploited this month, including a pair of critical vulnerabilities with CVSS ratings of 9.8 — CVE-2025-59246 affecting Azure Entra ID and CVE-2025-59287 affecting Windows Server Update Service.

The vendor disclosed five critical and 121 high-severity vulnerabilities this month. The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft’s Patch Tuesday fixes 175 vulnerabilities, including two actively exploited zero-days appeared first on CyberScoop.

Bitdefender Tops Breach Prevention and TCO in Latest AV-Comparatives EPR Tests

The cybersecurity industry has long debated whether prevention or detection is more important. The AV-Comparatives EPR Comparative Report 2025 settles the debate. By measuring both, it reveals that prevention-first is the winning strategy—stronger, simpler, and more cost-effective. Bitdefender GravityZone didn’t just participate in the evaluation; it led across the board. Bitdefender achieved the highest detection rate among all participating vendors and the lowest Total Cost of Ownership (TCO), underscoring a commitment to both security efficacy and operational efficiency. The evaluation also proves that modern security means blocking threats before they disrupt business.  

RegScale Raises $30 Million for GRC Platform

17 September 2025 at 09:39

RegScale has raised a total of more than $50 million, with the latest investment being used to enhance its platform and expand.

The post RegScale Raises $30 Million for GRC Platform appeared first on SecurityWeek.

Apple addresses dozens of vulnerabilities in latest software for iPhones, iPads and Macs

16 September 2025 at 14:54

Apple’s latest operating systems for its most popular devices — iPhones, iPads and Macs — include patches for multiple vulnerabilities, but the company didn’t issue any warnings about active exploitation. 

Apple patched 27 defects with the release of iOS 26 and iPadOS 26 and 77 vulnerabilities with the release of macOS 26, including some bugs that affected software across all three devices. Apple’s new operating systems, which are now numbered for the year of their release, were published Monday as the company prepares to ship new iPhones later this week.

Users who don’t want to upgrade to the latest versions, which adopt a translucent design style Apple dubs “liquid glass,” can patch the most serious vulnerabilities by updating to iOS 18.7 and iPadOS 18.7 or macOS 15.7. Most Apple devices released in 2019 or earlier are not supported by the latest operating systems.

None of the vulnerabilities Apple disclosed this week appear to be under active attack, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop.

Apple previously issued an emergency software update to customers last month to patch a zero-day vulnerability — CVE-2025-43300 — that was “exploited in an extremely sophisticated attack against specific targeted individuals,” the company said in a series of updates for iOS, iPadOS and macOS.

The company has addressed five actively exploited zero-days this year, including defects previously disclosed in January, February, March and April. Seven Apple vulnerabilities have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog this year. 

Unlike many vendors, Apple doesn’t provide details about the severity of vulnerabilities it addresses in software updates. Childs noted it would be helpful if Apple issued some sort of initial severity indicator alongside the vulnerabilities it patches — even if it doesn’t follow the Common Vulnerability Scoring System.

A pair of vulnerabilities patched in macOS — CVE-2025-43298, which affects PackageKit, and CVE-2025-43304, which affects StorageKit — are concerning because exploitation could allow an attacker to gain root privileges, Childs said. 

“On the iOS side, I don’t see anything that makes me sweat immediately but there are a lot of bugs addressed,” he added.

Apple also patched seven defects in Safari 26, 19 vulnerabilities in watchOS 26, 18 bugs in visionOS 26 and five defects in Xcode 26.

More information about the vulnerabilities and the latest software versions is available on Apple’s security releases site.

The post Apple addresses dozens of vulnerabilities in latest software for iPhones, iPads and Macs appeared first on CyberScoop.

Microsoft Patch Tuesday addresses 81 vulnerabilities, none actively exploited

9 September 2025 at 17:21

Microsoft addressed 81 vulnerabilities affecting its enterprise products and underlying Windows systems, but none have been actively exploited, the company said in its latest security update.

The company’s monthly bundle of patches includes one high-severity vulnerability and eight critical defects, including three designated as more likely to be exploited. 

The most severe defect disclosed this month — CVE-2025-55232 — is a deserialization of untrusted data vulnerability affecting Microsoft High Performance Compute Pack with a CVSS rating of 9.8. Microsoft said exploitation is less likely, but researchers warned organizations to prioritize patching.

“A remote, unauthenticated attacker could achieve code execution on affected systems without user interaction, which makes this potentially wormable between systems with the HPC pack installed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post.

Childs noted that Microsoft has disclosed about 100 more vulnerabilities at this point in the year than it did in 2024. “We’ll see if this level of patches remains high throughout the rest of the year,” he added. 

Of the critical defects addressed this month, researchers are particularly concerned about CVE-2025-54918 and CVE-2025-55234 — elevation of privilege vulnerabilities with 8.8 CVSS ratings. While not actively exploited, Microsoft said exploitation is more likely for both of the improper authentication defects.

CVE-2025-55234 affects the Windows Server Message Block protocol, allowing hackers to perform relay attacks and subject users to elevation of privilege attacks. Proof-of-concept exploit code exists for this defect, according to Action1, but exploitation requires user interaction and network access.

“At its core, the vulnerability exists because SMB sessions can be established without properly validating the authentication context when key hardening measures, such as SMB signing and extended protection for authentication, are not in place,” Mike Walters, president and co-founder of Action1, said in an email.

“The potential impact is massive,” he added. “Virtually all medium to large enterprises that rely on Active Directory and Windows Server infrastructure could be affected, which amounts to hundreds of thousands of organizations worldwide.”
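One way to check the SMB signing posture Walters refers to, as an added example that is not from the article, Action1 or Microsoft: this PowerShell script reads the local SMB server and client settings with the standard SmbShare cmdlets and, when run with a script-level -Enforce switch (an assumption of this example, not a Microsoft cmdlet parameter), turns on the requirement. Extended protection for authentication is not covered here.

```powershell
# Added example (not from the article, Action1 or Microsoft): audit and, optionally,
# enforce SMB signing on a Windows host. Signing is one of the hardening measures the
# quote above names for the CVE-2025-55234 relay scenario. Run from an elevated session.
# -Enforce is a parameter of this script, not a parameter of any Microsoft cmdlet.
param(
    [switch]$Enforce
)

# RequireSecuritySignature is the setting that matters on both sides. EnableSecuritySignature
# alone only advertises support for signing and does not stop an unsigned session.
$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

$findings = @()
if (-not $server.RequireSecuritySignature) {
    $findings += 'SMB server does not require signing (inbound sessions can be relayed)'
}
if (-not $client.RequireSecuritySignature) {
    $findings += 'SMB client does not require signing (outbound sessions can be relayed)'
}

# Summarise the current state so it can be compared across hosts or fed to an inventory.
[pscustomobject]@{
    ServerRequireSigning = $server.RequireSecuritySignature
    ServerEnableSigning  = $server.EnableSecuritySignature
    ClientRequireSigning = $client.RequireSecuritySignature
    ClientEnableSigning  = $client.EnableSecuritySignature
    Findings             = if ($findings) { $findings -join '; ' } else { 'none' }
} | Format-List

if ($Enforce -and $findings) {
    # Require signing for inbound and outbound sessions. Pilot this first: devices and
    # appliances that cannot sign SMB traffic will fail to connect after the change.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Write-Output 'SMB signing is now required for inbound and outbound sessions.'
}
```

Run it without -Enforce across a sample of servers to see how many still accept unsigned sessions before deciding on an enforcement schedule.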

CVE-2025-54918 affects Windows New Technology LAN Manager (NTLM), a set of security protocols for user identity authentication. “This privilege escalation allows an authenticated threat actor to escalate to SYSTEM on affected systems over the network,” Childs said.

“While not a scope change, going from a standard Windows user to SYSTEM is handy. Microsoft also notes that exploit complexity is low, so expect to see threat actors target this one,” he added.

Alex Vovk, CEO and co-founder of Action1, said the defect allows attackers to bypass and potentially undermine security controls, presenting substantial risk in sophisticated attack scenarios. “After compromising one system, attackers could use it to move laterally through networks with elevated access,” Vovk said.

“Threat actors could exploit it to deploy ransomware across multiple systems. Its high confidentiality impact means it could be used in sophisticated data theft operations,” he added. “The elevated privileges gained could also allow attackers to install backdoors or establish persistent access.”

Microsoft flagged eight defects as more likely to be exploited this month, including three that affected the Windows Kernel. The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft Patch Tuesday addresses 81 vulnerabilities, none actively exploited appeared first on CyberScoop.

Control power to your display

8 September 2025 at 03:43
WINDOWS
By Mary Branscombe

There is a natural trade-off between saving power and keeping your screen on, especially when you want to think something through before you continue. Windows is very keen to save you power and keep your account secure by turning off the screen and locking your account when your PC has been […]

Apple discloses actively exploited zero-day affecting iOS, iPadOS and macOS

21 August 2025 at 18:07

Apple rushed an emergency software update to its customers Wednesday to address an actively exploited zero-day vulnerability affecting the software powering the company’s most popular devices. The out-of-bounds write defect — CVE-2025-43300 — is triggered when a device processes a malicious image file, resulting in memory corruption.

“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company said in a series of security updates for iOS, iPadOS and macOS.

The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Thursday.

Apple did not say how many active exploits it’s aware of or how many people are impacted. The company did not respond to a request for comment. 

Apple typically shares limited details about in-the-wild exploitation of zero-days, yet it has used stronger language in at least five vulnerability disclosures this year to indicate when sophisticated attackers are involved or specific people are targeted by these attacks, according to Satnam Narang, senior staff research engineer at Tenable.

“This language suggests that Apple is being purposeful in its external communication,” Narang said in an email. “While the impact to the wider populace is smaller because the attackers exploiting CVE-2025-43300 had a narrow, targeted focus, Apple wants the public to pay attention to the threat and take immediate action.”

Apple said it improved bounds checking to address the vulnerability and advised customers on impacted versions of the affected software to apply the update immediately. The defect affects macOS versions before 13.7 and 15.6, iPadOS versions before 17.7 and iOS and iPadOS versions before 18.6.

“While the possibility of the average user being a target is low,” Narang said, “it’s never zero.”

The vulnerability marks the fifth zero-day Apple has addressed this year, including defects previously disclosed and patched in January, February, March and April. Apple defects have made seven appearances on CISA’s known exploited vulnerabilities catalog this year.

More information about the vulnerability is available on Apple’s website.

The post Apple discloses actively exploited zero-day affecting iOS, iPadOS and macOS appeared first on CyberScoop.

FocusOn Renamer Portable — give your photos proper names

18 August 2025 at 03:43
FREEWARE SPOTLIGHT
By Deanna McElveen

The folders containing my pictures are named according to their contents, but I want to rename the photos to include some extra information in the name. Is that too much to ask? Apparently not. FocusOn Renamer by Pintosoft (made portable by OlderGeeks.com) is just what I need! Let me show […]

Cisco discloses maximum-severity defect in firewall software

15 August 2025 at 13:04

Cisco disclosed a maximum-severity vulnerability affecting its Secure Firewall Management Center Software that could allow unauthenticated attackers to inject arbitrary shell commands and execute high-privilege commands, the vendor said in a security advisory Thursday. 

The enterprise networking vendor said it discovered the vulnerability — CVE-2025-20265 — during internal security testing. Cisco released a patch for the defect along with a series of 29 vulnerabilities in other Cisco Secure technologies. 

“To date, Cisco’s Product Security Incident Response Team (PSIRT) is not aware of any malicious use or exploitation of this vulnerability, and we strongly urge customers to upgrade to update releases,” a Cisco spokesperson told CyberScoop. “If an immediate upgrade is not feasible, implement a mitigation as outlined in the advisory.”

The disclosure marks yet another vulnerability in a widely used edge technology — a common and persistent point of intrusion for attackers. Edge technologies, including VPNs, firewalls and routers, harbored the four most frequently exploited vulnerabilities in 2024, according to Mandiant’s M-Trends report released earlier this year. 

“Anytime you see ‘remote, unauthenticated command injection,’ you should be concerned,” Nathaniel Jones, VP of security and AI strategy at Darktrace, told CyberScoop. “These are exactly the types of vulnerabilities that pose significant danger because they are highly attractive to nation-state actors like Salt Typhoon — and such groups are likely to move quickly to exploit them.” 

Darktrace hasn’t observed exploitation in the wild, nor is it aware of a proof-of-concept exploit. “But, this type of vulnerability means the clock is ticking. I’d bet a proof-of-concept is available come Monday,” Jones said. 

The remote-code execution vulnerability, which has a CVSS rating of 10, involves improper handling of user input during the authentication phase. “For this vulnerability to be exploited, Cisco Secure FMC Software must be configured for RADIUS (remote authentication dial-in user service) authentication for the web-based management interface, SSH (secure shell) management, or both,” Cisco said in the advisory.

The vulnerability affects Cisco Secure FMC Software versions 7.0.7 and 7.7.0 with RADIUS authentication enabled. The platform allows customers to configure, monitor, manage and update firewall controls. 

“The vulnerability means that no credential is needed nor proximity, and you can get full privileges,” Jones added. “The improper-input handling could let an attacker craft authentic packets containing malicious payloads that escape the intended command context and run arbitrary OS commands.”

The vendor said there are no workarounds for the vulnerability, and it confirmed the defect does not affect Cisco Secure Firewall Adaptive Security Appliance Software or Cisco Secure Firewall Threat Defense Software.

Jones said the maximum-severity vulnerability accentuates the unflattering security posture of edge devices and their development lifecycles. “It just reinforces why they’re attacked — because they sit at network boundaries where attackers can reach them without stepping inside first, often have high privileges and broad visibility and the gatekeeper can bypass multiple layers of security at once,” he said.

Cisco encouraged customers to determine exposure to CVE-2025-20265 and other vulnerabilities by running the Cisco Software Checker, which identifies vulnerabilities impacting specific software releases.

The post Cisco discloses maximum-severity defect in firewall software appeared first on CyberScoop.

Fortinet SIEM issue coincides with spike in brute-force traffic against company’s SSL VPNs

13 August 2025 at 15:21

Fortinet warned customers in an advisory Tuesday of a critical vulnerability in FortiSIEM, its security information and event management software, adding that “practical exploit code” for the defect exists in the wild.

The OS command injection vulnerability, CVE-2025-25256, has an initial CVSS score of 9.8 and could allow unauthenticated attackers to escalate privileges and execute code or commands. Active exploitation hasn’t been observed. Fortinet encouraged customers on affected versions of FortiSIEM to upgrade to the latest version available, and advised customers to limit access to the phMonitor port (7900) as a workaround. 

The CVE designation and disclosure arrived on the heels of a GreyNoise threat report alerting defenders to a significant spike in brute-force traffic targeting Fortinet hardware, particularly its secure sockets layer (SSL) VPNs. GreyNoise said it observed more than 780 unique IPs attempting to brute force credentials against Fortinet SSL VPNs earlier this month. 

GreyNoise research shows notable spikes in attacker activity against edge technologies often precede the disclosure of a new CVE in the targeted technology within six weeks. The pattern occurred across 4 in 5 cases analyzed by GreyNoise overall. 

The threat intel company has specifically documented instances where spikes in malicious activity against Fortinet products correlate soon after with CVE disclosures affecting the same product.

“GreyNoise cannot confirm a direct causal link between the brute-force activity against Fortinet SSL VPNs and the disclosure of CVE-2025-25256 affecting FortiSIEM,” Noah Stone, head of content at GreyNoise Intelligence, told CyberScoop. “While the close timing between this spike and the CVE-2025-25256 disclosure is notable, it does not prove the two events are related.”

During the period of heightened activity earlier this month, “the observed traffic was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet’s SSL VPNs,” Stone said in a blog post. “This was not opportunistic — it was focused activity.”

GreyNoise has observed 55 malicious IPs targeting Fortinet SSL VPNs in the past day. While researchers aren’t currently aware of exploitation, the presence of exploit code suggests that could change soon.

“The public release of practical exploit code typically accelerates exploitation in the wild, as it lowers the barrier for less sophisticated attackers,” Stone said.

Fortinet did not provide any details about the nature of the exploit code, or when and how it became aware of the vulnerability. Yet, in its advisory, the security vendor noted: “the exploitation code does not appear to produce distinctive indicators of compromise.”

Defects in Fortinet products pose a persistent risk for defenders and a recurring pathway for attackers to break into victim networks. The cybersecurity vendor did not respond to a request for comment.

The Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog contains 20 Fortinet defects dating back to 2021, including five so far this year. The majority of those flaws, including three added this year, have been used in ransomware attacks, according to CISA. 

Edge technologies, including VPNs, firewalls and routers, harbored the four most frequently exploited vulnerabilities in 2024, according to Mandiant’s M-Trends report released earlier this year. 

One of those defects, a SQL injection vulnerability in Fortinet’s FortiClient Endpoint Management Server — CVE-2023-48788 — was the fourth-most frequently exploited vulnerability across all of Mandiant’s incident response engagements last year. 

Researchers at Darktrace said another Fortinet vulnerability — CVE-2024-47575, a defect affecting Fortinet’s network management tool — was among the six most commonly exploited vulnerabilities it observed last year.

The post Fortinet SIEM issue coincides with spike in brute-force traffic against company’s SSL VPNs appeared first on CyberScoop.

Why identity is the definitive cyber defense for federal agencies

By: FedScoop
5 August 2025 at 17:21

Identity has become the new cybersecurity perimeter. As federal agencies rapidly adopt cloud services, AI-powered tools and hybrid work models, identity security is now central to mission assurance.

However, for many federal leaders, identity management remains a complex puzzle. The abundance of tools — from password managers to identity governance systems — often leads to fragmented environments and operational gaps. Even when agencies understand its importance, aligning identity investments with mission objectives remains a significant hurdle.

Daniel Wilbricht is President of Optiv + ClearShark.

Adding to this complexity is a rapidly evolving environment in which cyber threats are becoming more sophisticated. AI-driven attacks mimic human behavior, bypassing traditional defenses with alarming speed. Static controls and perimeter-centric thinking can’t keep up. Identity governance, behavioral analytics and adaptive access controls must work in tandem to stay ahead of AI-enabled threats.

Federal agencies need integrated, adaptive identity architectures that continuously verify users and devices in real time. Implementing these layered protections not only improves security but also enhances user experience by adapting to risk in real time. In addition, agencies that adopt these capabilities are better equipped to defend against emerging threats without sacrificing efficiency.

A trusted partner for identity security

That’s where Optiv + ClearShark makes a difference. We bring a cybersecurity-first approach to identity, helping federal agencies reduce risk, meet compliance and streamline operations. Unlike one-size-fits-all providers, we help agencies optimize their existing investments — whether they use SailPoint, BeyondTrust, Ping or Okta. Our team understands how to integrate these technologies into a framework that fits the federal context. In other words, we tailor solutions to the mission, not the other way around.

In fact, our edge lies in our people. Many of our consultants and engineers are former federal employees with clearances and firsthand experience navigating agency environments. Their insights help bridge the gap between vendor capabilities and federal mission needs.

In the past 18 months, we’ve delivered managed identity services across the defense and intelligence communities. These solutions include secure monitoring and identity operations in highly classified cloud environments, supported through partnerships with AWS, Splunk and others.

By offloading infrastructure and operations to our cleared teams, agencies gained enhanced identity assurance and significant cost savings while maintaining full compliance with federal security standards.

Accelerating modernization with confidence

Modernization doesn’t need to come at the expense of security or compliance. A pilot-driven approach allows agencies to validate identity solutions in their own environments before scaling. This reduces risk, accelerates return on investment and ensures audit readiness.

For example, one civilian agency we supported had invested heavily in identity tools but continued to fail penetration tests and struggled with governance gaps between identity and security teams. By deploying SailPoint and BeyondTrust in a phased, integrated rollout and aligning the solution to compliance and security objectives, we helped the agency pass red team exercises, reduce manual identity processes and establish a scalable identity framework for future growth.

The mission starts with identity

Identity is the most targeted attack surface in federal IT today. Protecting it is not just an IT imperative; it’s a mission-critical requirement. But success requires more than tools. It requires deep expertise, integration and continuous improvement.

With the right strategy and trusted support, agencies can secure their identity infrastructure, meet audit requirements, and modernize with purpose. The stakes have never been higher, and identity has never mattered more in federal cybersecurity.

Learn more about how Optiv + ClearShark takes a cybersecurity-centric approach to identity management for government.

This article was sponsored by Optiv + ClearShark.

The post Why identity is the definitive cyber defense for federal agencies appeared first on CyberScoop.

Palo Alto Networks to acquire CyberArk for $25 billion

By: Greg Otto
30 July 2025 at 10:27

Palo Alto Networks has agreed to acquire identity security firm CyberArk for approximately $25 billion, marking the cybersecurity giant’s largest acquisition and its formal entry into the identity security market as the industry continues consolidating amid rising cyber threats.

The transaction ranks among the largest technology acquisitions this year and underscores the market’s focus on identity security in an era of increasing artificial intelligence adoption.

CyberArk, founded over two decades ago, specializes in privileged access management technology that helps organizations control and monitor access to critical systems and accounts. The company’s customers include major corporations such as Carnival Corp., Panasonic, and Aflac. Its technology addresses what security experts consider one of the most vulnerable aspects of enterprise security: managing privileged credentials for both human users and machine identities.

The acquisition comes as cybersecurity companies face pressure to offer comprehensive solutions rather than point products, with customers seeking to streamline their vendor relationships following high-profile breaches. Recent cyberattacks, including Microsoft’s SharePoint vulnerabilities that affected over 100 organizations including U.S. government agencies, have heightened focus on identity protection and privileged access management.

For Palo Alto Networks, the acquisition represents a strategic expansion beyond its traditional network security roots. The company has evolved from a next-generation firewall provider into a multi-platform cybersecurity leader, and identity security represents what CEO Nikesh Arora describes as an inflection point in the market.

“The rise of AI and the explosion of machine identities have made it clear that the future of security must be built on the vision that every identity requires the right level of privilege controls,” Arora stated in a release.

The timing reflects broader industry dynamics driven by artificial intelligence adoption. As organizations deploy autonomous AI agents and systems, these technologies require sophisticated privileged access controls similar to human users, but at machine scale. The combined companies position themselves to address what they term “agentic AI” security, applying just-in-time access and least privilege principles to AI systems.

Industry analysts view the acquisition as addressing a gap in Palo Alto Networks’ portfolio while potentially accelerating growth in areas where the company has seen some deceleration. 

“Over the past several years, Palo Alto Networks has been on a mission to become a huge platform player in the security market,” said Allie Mellen, a principal analyst with Forrester. “Given its product portfolio as it stands today, identity security capabilities are a missing piece of that puzzle. This acquisition rounds out its approach, given its existing cloud, network, and endpoint security products.” 

The transaction follows other major cybersecurity consolidations, including Google’s $32 billion acquisition of Israeli startup Wiz earlier this year. This consolidation trend reflects customer preferences for integrated security platforms over managing multiple specialized vendors, particularly as cyber threats have grown more sophisticated and frequent.

Both companies’ boards have unanimously approved the transaction, which remains subject to regulatory clearances and CyberArk shareholder approval. The deal is expected to close during the second half of Palo Alto Networks’ fiscal 2026.

The post Palo Alto Networks to acquire CyberArk for $25 billion appeared first on CyberScoop.

Unlocking the Power of Amazon Security Lake for Proactive Security

Security is a central challenge in modern application development and maintenance, requiring not just traditional practices but also a deep understanding of application architecture and data flow. While organizations now have access to rich data like logs and telemetry, the real challenge lies in translating this information into actionable insights. This article explores how leveraging those insights can help detect genuine security incidents and prevent their recurrence.

Bitdefender Named the Only Visionary in 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms

Bitdefender Recognized for a Third Consecutive Year for Its Ability to Execute and Completeness of Vision  Bitdefender is proud to announce that we have been named the only Visionary in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms (EPP). This marks Bitdefender’s third consecutive placement in the Visionary Quadrant—a distinction we believe reflects our unwavering commitment to innovation, customer-centric security, and consistent execution in a rapidly evolving threat landscape. 

What’s New in GravityZone July 2025 (v 6.64)

In early July 2025, Bitdefender introduced new functionality in v 6.64 of Bitdefender GravityZone, a comprehensive cybersecurity platform that offers prevention, protection, detection, and response capabilities for organizations of all sizes. These features, consistent with our multi-layered security strategy, are intended to ease the workload of security analysts, administrators, and users.  

WebBrowserPassView — Take inventory of your stored passwords

16 June 2025 at 03:43
FREEWARE SPOTLIGHT
By Deanna McElveen

By now, you probably have dozens — if not hundreds — of passwords saved in your Web browser. Those created by your browser are super strong. But some are a pet’s name with maybe a number or two thrown in. Today we are going to accomplish two things. First, we’ll […]

Patch Tuesday - June 2025

10 June 2025 at 16:08

Microsoft is addressing 67 vulnerabilities this June 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation for just one of the vulnerabilities published today, and that is reflected in CISA KEV. Separately, Microsoft is aware of existing public disclosure for one other freshly published vulnerability. Microsoft’s luck holds for a ninth consecutive Patch Tuesday, since neither of today’s zero-day vulnerabilities is evaluated as critical severity at time of publication. Today also sees the publication of eight critical remote code execution (RCE) vulnerabilities. Two browser vulnerabilities have already been published separately this month, and are not included in the total.

Windows WebDAV: zero-day RCE

Remember the WebDAV standard? It has been seven years since Microsoft last published a vulnerability in the Windows implementation of WebDAV, and today’s CVE-2025-33053 is the first zero-day on record for it. Originally dreamed up in the 1990s to support collaborative authoring over HTTP, WebDAV may be familiar to Exchange admins and users of a certain vintage, since older versions of Exchange, up to and including Exchange Server 2010, supported WebDAV as a means for interacting with mailboxes and public folders.

It will surprise no one that Windows still more or less supports WebDAV, and that turns out to be a bit of a problem. Microsoft acknowledges Check Point Research (CPR) on the advisory; CPR in turn attributes exploitation of CVE-2025-33053 to an APT, which they track as Stealth Falcon, an established threat actor with a long-running interest in governments and government-adjacent entities across the Middle East and the surrounding area.

Curiously, the Microsoft advisory does not mention that the Windows implementation of WebDAV has been listed as deprecated since November 2023, which in practical terms means that the WebClient service no longer starts by default. The advisory also rates attack complexity as low, which means that exploitation does not require preparation of the target environment in any way that is beyond the attacker’s control. Exploitation relies on the user clicking a malicious link. It’s not clear how an asset would be immediately vulnerable if the service isn’t running, but all versions of Windows receive a patch, including those released since the deprecation of WebClient, such as Server 2025 and Windows 11 24H2. On Server 2025, for instance, it’s still possible to install the WebDAV Redirector feature, which then causes the WebClient service to appear.

SMB client: zero-day EoP

Publicly disclosed elevation of privilege (EoP) zero-day vulnerabilities that lead to SYSTEM are always going to be worth a closer look, and CVE-2025-33073 is no exception. The advisory sets out that the easiest path to exploitation simply requires the user to connect to a malicious SMB server controlled by the attacker. It’s not entirely clear from the advisory whether simply connecting is enough to trigger exploitation, or whether successful authentication is required, since there is currently conflicting language in two separate FAQ entries with almost-identical titles: “How could an attacker exploit this/the vulnerability?” It may well be that Microsoft will come back around and clarify this wording, but in the meantime the only safe assumption is that fortune favours the attacker.

Windows KDC Proxy: critical RCE

The Windows KDC Proxy Service (KPSSVC) receives a patch today for CVE-2025-33071, a critical unauthenticated RCE vulnerability in which exploitation is via abuse of a cryptographic protocol weakness. The good news is that only Windows Server assets configured as a Kerberos Key Distribution Center Proxy Protocol server are affected (happily, this is not the standard configuration for a domain controller), and exploitation requires that the attacker win a race condition. The bad news is that Microsoft considers exploitation more likely regardless, and since the whole point of a KDC proxy is to let Kerberos requests from untrusted networks reach trusted assets without a direct TCP connection from the client to the domain controller, the trade-off is that the KDC proxy itself is quite likely to be exposed to an untrusted network. Patching this vulnerability should be top of mind for affected defenders this month.
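
Both the WebDAV and KDC Proxy discussions above come down to the same practical question: is the vulnerable service actually present and running on a given host? The following PowerShell is an added triage script, not code from the Rapid7 post or from Microsoft. It assumes the standard service names (WebClient, KPSSVC), the Windows Server feature name WebDAV-Redirector, and that a KDC proxy configured per Microsoft's documentation keeps its settings under the KPSSVC\Settings registry key and holds an HTTP.sys URL reservation ending in /KdcProxy; those last two are assumptions and are marked as such in the code.

```powershell
# Added triage script (not from the Rapid7 post or Microsoft). Read-only inventory of whether
# this host exposes the WebDAV client (WebClient, CVE-2025-33053) and the KDC Proxy Service
# (KPSSVC, CVE-2025-33071). Run in an elevated PowerShell 5.1+ session on the host assessed.

function Get-ServiceExposure {
    param([Parameter(Mandatory)][string]$Name, [string]$Note = '')
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $status    = if ($svc) { $svc.Status.ToString() }    else { '-' }
    $startType = if ($svc) { $svc.StartType.ToString() } else { '-' }
    [pscustomobject]@{
        Check     = $Name
        Present   = [bool]$svc
        Status    = $status
        StartType = $startType
        Note      = $Note
    }
}

$report = @()

# WebClient is the WebDAV redirector. Absent, or Stopped with a Manual start type, is the
# expected state after the 2023 deprecation; Running or Automatic means a user click can
# reach the vulnerable code path.
$report += Get-ServiceExposure -Name 'WebClient' -Note 'WebDAV client (CVE-2025-33053)'

# On Windows Server the service only appears once the WebDAV-Redirector feature is installed.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $feat = Get-WindowsFeature -Name 'WebDAV-Redirector' -ErrorAction SilentlyContinue
    $featState = if ($feat) { $feat.InstallState.ToString() } else { '-' }
    $report += [pscustomobject]@{
        Check     = 'WebDAV-Redirector feature'
        Present   = [bool]($feat -and $feat.Installed)
        Status    = $featState
        StartType = '-'
        Note      = 'Installing it brings WebClient back, e.g. on Server 2025'
    }
}

# KPSSVC ships on Windows Server but stays Disabled unless the box was set up as a KDC proxy.
$report += Get-ServiceExposure -Name 'KPSSVC' -Note 'KDC Proxy (CVE-2025-33071)'

# Corroborating evidence that the proxy is really configured: settings key plus URL reservation.
# Both locations are assumed from Microsoft's KDC proxy setup guidance, not from the advisory.
$kpsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings'
$urlacl = @(netsh http show urlacl) -match 'KdcProxy'
$aclText = if ($urlacl.Count -gt 0) { ($urlacl -join '; ').Trim() } else { '-' }
$report += [pscustomobject]@{
    Check     = 'KDC proxy configuration'
    Present   = (Test-Path $kpsKey) -or ($urlacl.Count -gt 0)
    Status    = $aclText
    StartType = '-'
    Note      = 'A configured proxy is usually reachable from untrusted networks: patch first'
}

$report | Format-Table -AutoSize -Wrap
```

A host where every row reports Present = False still needs the June update, since the patch applies to all Windows versions; the point of the inventory is ordering, not exemption. Hosts where KPSSVC is Running, or where WebClient is Running or set to Automatic, are the ones to patch in the first wave.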

Office preview pane: trio of critical RCEs

Microsoft expects that exploitation of three Office critical RCE vulns patched today is more likely. CVE-2025-47162, CVE-2025-47164, and CVE-2025-47167 share several attributes: each was discovered by prolific researcher 0x140ce, who topped the MSRC 2025 Q1 leaderboard, and each includes the Preview Pane as a vector, which always ups the ante for defenders. Admins responsible for installations of Microsoft 365 Apps for Enterprise — also confusingly referred to as “Microsoft 365 for Office” in the advisory FAQ — will have to hang on, since patches for today’s vulnerabilities aren’t yet available for that particular facet of the Microsoft 365 kaleidoscope.

Microsoft lifecycle update

June is a quiet month for Microsoft product lifecycle changes. The next batch of significant Microsoft product lifecycle status changes are due in July 2025, when the SQL Server 2012 ESU program draws to a close, along with support for Visual Studio 2022 17.8 LTSC.

Summary tables

Azure vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2025-47977 | Nuance Digital Engagement Platform Spoofing Vulnerability | No | No | 7.6

Browser vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2025-5419 | Chromium: CVE-2025-5419 Out of bounds read and write in V8 | No | No | N/A
CVE-2025-5068 | Chromium: CVE-2025-5068 Use after free in Blink | No | No | N/A

Developer Tools vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2025-47962 | Windows SDK Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2025-30399 | .NET and Visual Studio Remote Code Execution Vulnerability | No | No | 7.5
CVE-2025-47959 | Visual Studio Remote Code Execution Vulnerability | No | No | 7.1

Microsoft Dynamics vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2025-47966 | Power Automate Elevation of Privilege Vulnerability | No | No | 9.8

Microsoft Office vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2025-47172 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8
CVE-2025-47163 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8
CVE-2025-47166 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8
CVE-2025-47957 | Microsoft Word Remote Code Execution Vulnerability | No | No | 8.4
CVE-2025-47162 | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4
CVE-2025-47953 | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4
CVE-2025-47164 | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4
CVE-2025-47167 | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4
CVE-2025-47168 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8
CVE-2025-47169 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8
CVE-2025-47170 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8
CVE-2025-47175 | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8
CVE-2025-47176 | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 7.8
CVE-2025-47173 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8
CVE-2025-47165 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8
CVE-2025-47174 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8
CVE-2025-47968 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2025-47171 | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 6.7

Windows vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2025-33067 | Windows Task Scheduler Elevation of Privilege Vulnerability | No | No | 8.4
CVE-2025-29828 | Windows Schannel Remote Code Execution Vulnerability | No | No | 8.1
CVE-2025-32725 | DHCP Server Service Denial of Service Vulnerability | No | No | 7.5
CVE-2025-33050 | DHCP Server Service Denial of Service Vulnerability | No | No | 7.5
CVE-2025-32721 | Windows Recovery Driver Elevation of Privilege Vulnerability | No | No | 7.3
CVE-2025-32719 | Windows Storage Management Provider Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-33058 | Windows Storage Management Provider Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-33059 | Windows Storage Management Provider Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-33061 | Windows Storage Management Provider Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-33062 | Windows Storage Management Provider Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-33063 | Windows Storage Management Provider Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-33065 | Windows Storage Management Provider Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-24068 | Windows Storage Management Provider Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-24069 | Windows Storage Management Provider Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-24065 | Windows Storage Management Provider Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-33055 | Windows Storage Management Provider Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-47956 | Windows Security App Spoofing Vulnerability | No | No | 5.5
CVE-2025-33052 | Windows DWM Core Library Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-33069 | Windows App Control for Business Security Feature Bypass Vulnerability | No | No | 5.1
CVE-2025-47969 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability | No | No | 4.4

Windows ESU vulnerabilities

CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score
CVE-2025-33073 | Windows SMB Client Elevation of Privilege Vulnerability | No | Yes | 8.8
CVE-2025-33064 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8
CVE-2025-33066 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8
CVE-2025-33053 | Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability | Yes | No | 8.8
CVE-2025-32710 | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1
CVE-2025-33070 | Windows Netlogon Elevation of Privilege Vulnerability | No | No | 8.1
CVE-2025-33071 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability | No | No | 8.1
CVE-2025-32718 | Windows SMB Client Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2025-47955 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2025-32716 | Windows Media Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2025-32714 | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2025-33075 | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2025-32713 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2025-32712 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8
CVE-2025-33068 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | No | No | 7.5
CVE-2025-33056 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | No | No | 7.5
CVE-2025-32724 | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | No | No | 7.5
CVE-2025-3052 | Cert CC: CVE-2025-3052 InsydeH2O Secure Boot Bypass | No | No | 6.7
CVE-2025-33057 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | No | No | 6.5
CVE-2025-32715 | Remote Desktop Protocol Client Information Disclosure Vulnerability | No | No | 6.5
CVE-2025-32722 | Windows Storage Port Driver Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-32720 | Windows Storage Management Provider Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-33060 | Windows Storage Management Provider Information Disclosure Vulnerability | No | No | 5.5
CVE-2025-47160 | Windows Shortcut Files Security Feature Bypass Vulnerability | No | No | 5.4
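
The commentary above ranks the month the way most teams do in practice: in-the-wild exploitation first, public disclosure second, CVSS band after that. As an added example that is not part of the Rapid7 post, the PowerShell below parses summary rows in the layout used by these tables (CVE, free-text title, Exploited?, Publicly disclosed?, CVSSv3 or N/A, either space-separated or pipe-delimited) and applies that ordering. The sample rows are copied from the tables above and embedded inline; the tier numbers and thresholds are this example's own choice, not Rapid7's or Microsoft's.

```powershell
# Added example (not from the Rapid7 post): parse Patch Tuesday summary rows and rank them
# for patch scheduling. Sample input below is copied from the post's tables.
$rows = @'
CVE-2025-33073 Windows SMB Client Elevation of Privilege Vulnerability No Yes 8.8
CVE-2025-33053 Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability Yes No 8.8
CVE-2025-33071 Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability No No 8.1
CVE-2025-47966 Power Automate Elevation of Privilege Vulnerability No No 9.8
CVE-2025-5419 Chromium: CVE-2025-5419 Out of bounds read and write in V8 No No N/A
CVE-2025-47969 Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability No No 4.4
'@

function ConvertFrom-PatchRow {
    param([string[]]$Lines)
    # The title is free text, so anchor on the fixed trailing fields instead of splitting on
    # whitespace. Optional pipes let the same pattern read a pipe-delimited table.
    $pattern = '^\s*(?<cve>CVE-\d{4}-\d{4,})\s*\|?\s*(?<title>.+?)\s*\|?\s*' +
               '(?<expl>Yes|No)\s*\|?\s*(?<disc>Yes|No)\s*\|?\s*(?<cvss>\d+\.\d|N/A)\s*\|?\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                CVE       = $Matches.cve
                Title     = $Matches.title
                Exploited = ($Matches.expl -eq 'Yes')
                Disclosed = ($Matches.disc -eq 'Yes')
                # Chromium rows carry N/A because Microsoft does not score them; keep as $null.
                CVSS      = if ($Matches.cvss -eq 'N/A') { $null } else { [double]$Matches.cvss }
            }
        }
        elseif ($line.Trim()) {
            Write-Warning "Unparsed row: $line"
        }
    }
}

function Get-PatchTier {
    param([Parameter(Mandatory)][pscustomobject]$Vuln)
    # Evidence of exploitation outranks any score; disclosure (exploit details in the open)
    # comes next; only then do CVSS bands decide. Thresholds are this example's choice.
    if ($Vuln.Exploited)    { return 1 }
    if ($Vuln.Disclosed)    { return 2 }
    if ($Vuln.CVSS -ge 9.0) { return 3 }
    if ($Vuln.CVSS -ge 7.0) { return 4 }
    return 5   # includes unscored (N/A) rows, which need a manual look rather than a default
}

$ranked = ConvertFrom-PatchRow -Lines ($rows -split "`r?`n") |
    ForEach-Object { $_ | Add-Member -NotePropertyName Tier -NotePropertyValue (Get-PatchTier $_) -PassThru } |
    Sort-Object Tier, @{ Expression = 'CVSS'; Descending = $true }

$ranked | Format-Table Tier, CVE, CVSS, Exploited, Disclosed, Title -AutoSize -Wrap
```

With the sample rows, CVE-2025-33053 (exploited) lands in tier 1 and CVE-2025-33073 (publicly disclosed) in tier 2 ahead of the CVSS 9.8 Power Automate issue, which is the order the post argues for. The unscored Chromium row falls to the bottom only because it has no Microsoft score; treat that as a prompt to consult the browser vendor's advisory, not as a low priority.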
