June Patch Tuesday digs into 67 bugs – Sophos Information

.Microsoft on Tuesday released 67 patches affecting 12 product households. Ten of the addressed points, 5 involving 365 and Workplace and one involving SharePoint, are thought-about by Microsoft to be of Critical severity, and 17 have a CVSS base rating of 8.0 or greater. One, an Necessary-severity RCE in Home windows associated to WEBDAV (CVE-2025-33053), is identified to be underneath energetic exploitation within the wild. An extra Necessary-severity SMB difficulty has been publicly disclosed, however just isn’t at present identified to be underneath exploit. 

At patch time, 9 extra CVEs are extra more likely to be exploited within the subsequent 30 days by the corporate’s estimation, not together with the WEBDAV difficulty talked about above. Varied of this month’s points are amenable to direct detection by Sophos protections, and we embrace info on those in a desk beneath. This most definitely consists of CVE-2025-33053, by which Sophos itself has taken a specific curiosity – and, apparently, vice versa.

Along with these patches, ten Adobe Reader fixes, 4 of them thought-about to be of Vital severity, are included within the launch. These are listed in Appendix D beneath. That appendix additionally contains info on two Edge-related vulnerabilities and a Vital-severity Energy Automate difficulty that was addressed earlier this month, in addition to restricted info on a Vital-severity bug in Copilot for which an advisory was launched the next day (Wednesday). The periodically launched Servicing Stack updates are additionally accessible.  

We’re as all the time together with on the finish of this put up extra appendices itemizing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base rating, and by product household; an appendix overlaying the advisory-style updates; and a breakout of the patches affecting the varied Home windows Server platforms nonetheless in help.  

By the numbers

• Whole CVEs: 67
• Publicly disclosed: 1
• Exploit detected: 1
• Severity
  • Vital: 10
  • Necessary: 57
• Influence
  • Distant Code Execution: 26
  • Info Disclosure: 17
  • Elevation of Privilege: 13
  • Denial of Service: 6
  • Safety Characteristic Bypass: 3
  • Spoofing: 2
• CVSS base rating 9.0 or better: 0*
• CVSS base rating 8.0 or later: 18

 * One difficulty, affecting Energy Automate for Desktop however patched by Microsoft on June 5, has been assigned a 9.8 CVSS base rating. Because it was mitigated previous to launch, we’re treating that info as advisory-only and don’t embrace it on this month’s statistics. Likewise, the Copilot advisory launched on June 11 has a CVSS base rating of 9.3, however doesn’t determine into these tallies or charts.

Determine 1: A proportionally heavier-than-usual ten Vital-severity patches had been launched in June,  although unusually six of these happen in 365, Workplace, or SharePoint slightly than the extra customary Home windows. (Two Edge updates lined this month will not be launched with full influence info and thus don’t seem on this chart; we’re additionally excluding the Energy Automate patch as mentioned above) 

Merchandise 

• Home windows: 45*
• 365: 15
• Workplace: 14
• SharePoint: 5
• Visible Studio: 2
• Phrase: 2
• .NET: 1
• Excel: 1
• Microsoft AutoUpdate for Macintosh: 1
• Nuance Digital Engagement Platform: 1
• Outlook: 1
• PowerPoint: 1

* One Home windows SDK patch (CVE-2025-47962) and one patch affecting the Home windows Safety App part (CVE-2025-47956) are included within the Home windows counts for reader comfort, although neither impacts particular variations of the consumer or server platforms.  

As is our customized for this listing, CVEs that apply to multiple product household are counted as soon as for every household they have an effect on. We notice that CVE names don’t all the time replicate affected product households intently. Particularly, some CVEs names within the Workplace household might point out merchandise that don’t seem within the listing of merchandise affected by the CVE, and vice versa.

Determine 2: Twelve product households determine in Might’s Patch Tuesday launch; the Nuance medical-product household returns to the charts for a second month, this time addressing a spoofing difficulty in its Digital Engagement Platform 

Notable June updates 

Along with the problems mentioned above, a number of particular objects benefit consideration.  

CVE-2025-33053 — Internet Distributed Authoring and Versioning (WebDAV) Distant Code Execution Vulnerability 

The one patched difficulty at present identified to be underneath exploit within the wild is an Necessary-severity flaw in Internet Distributed Authoring and Versioning code, which has been underpinning a lot of the web for the reason that IE period. That’s the issue; this patch touches the MSHTML, EdgeHTML, and scripting platforms, that are all nonetheless supported. Which means that these Microsoft prospects at present taking Safety Solely updates want to put in the IE Cumulative updates to correctly guard towards this vulnerability – one thing right here for everybody, in different phrases. 

The adversaries exploiting that vulnerability apparently discovered Sophos protections vexing.  Endpoint safety scans new packages earlier than they run—however after launch, scanning drops off. Attackers exploit this by delivering packages with encrypted our bodies that evade static scanning and AI fashions. As soon as working, the code decrypts itself, masses implants, and executes totally in reminiscence—by no means touching disk. 

Sophos counters this with Dynamic Shellcode Safety, which limits how a lot executable reminiscence a course of can allocate. That restriction breaks stealthy in-memory assaults, forcing adversaries to revert to noisier, extra detectable strategies like distant injection—the place they’re a lot simpler to catch. 

 After that the attackers would have run into a number of extra Sophos layers of blacklist, antimalware signatures, and different defenses — however it’s fascinating to us to see ourselves mirrored in an adversary’s code as a very powerful nut to crack. In any case, we suggest as all the time that defenders prioritize higher-profile patches equivalent to this one. 

CVE-2025-33073 – Home windows SMB Shopper Elevation of Privilege Vulnerability 

It’s not identified to be underneath energetic exploitation but, and Microsoft signifies that they assume it’s much less more likely to be exploited inside the subsequent 30 days, however this Necessary-severity EoP is the one June CVE identified to have been publicly disclosed thus far. The problem comes all the way down to improper entry controls, and it impacts all supported Home windows consumer and server variations. 

CVE-2025-47166 — Microsoft SharePoint Server Distant Code Execution Vulnerability 

After debuting in Might, “zcgonvh’s cat Vanilla” makes a direct return look on the finder roster – that’s proper, the cat got here again the very subsequent Patch Tuesday. 

CVE-2025-32711 — M365 Copilot Info Disclosure Vulnerability 

Lastly, one CVE that was not launched within the Tuesday assortment, however merited the discharge of an advisory the next day: a Vital-severity, CVSS-base 9.3, information-disclosure error that made it potential for an unauthorized attacker to make use of command injection to reveal info from the AI device. The vulnerability was responsibly disclosed to Microsoft and the corporate said early Wednesday that the patch is already pushed to prospects.  

Determine 3: As we wrap up the primary half of the 12 months, the proportion of Vital-severity RCEs over the previous six months is eye-catching 

Determine 4: Evaluating first-half totals for 2024 and 2025, we see that the excessive variety of Vital-severity RCEs stands out much more strongly when in comparison with the 12 months earlier than – 40, in contrast with simply 9 for the primary half of the 12 months earlier than. A couple of different traits stand out as nicely, together with giant year-over-year will increase in info disclosure CVEs (44 in 1H24, 77 thus far in 2025) and denial of service points (34 in 1H24, 57 thus far in 2025) 

Sophos protections 

CVE-2025-33053 additionally has an relevant detection of notice, Troj/UrlRun-B, along with the XSG signature famous above. 

As you’ll be able to each month, for those who don’t wish to wait in your system to tug down Microsoft’s updates itself, you’ll be able to obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe device to find out which construct of Home windows 10 or 11 you’re working, then obtain the Cumulative Replace package deal in your particular system’s structure and construct quantity. 

Appendix A: Vulnerability Influence and Severity 

It is a listing of June patches sorted by influence, then sub-sorted by severity. Every listing is additional organized by CVE.  

Distant Code Execution (25 CVEs) 

Info Disclosure (17 CVEs) 

Elevation of Privilege (13 CVEs) 

Denial of Service (6 CVEs) 

Safety Characteristic Bypass (3 CVEs) 

Spoofing (2 CVEs) 

Appendix B: Exploitability and CVSS 

It is a listing of the June CVEs judged by Microsoft to be both underneath exploitation within the wild or extra more likely to be exploited within the wild inside the first 30 days post-release. The listing is additional organized by CVE. The three Workplace objects extra more likely to be exploited within the subsequent 30 days (CVE-2025-47162, CVE-2025-47164, and CVE-2025-47167) are all exploitable by way of Preview Pane. 

It is a listing of June’s CVEs with a Microsoft-assessed CVSS Base rating of 8.0 or greater. They’re organized by rating and additional sorted by CVE. For extra info on how CVSS works, please see our sequence on patch prioritization schema.  

Appendix C: Merchandise Affected 

It is a listing of June’s patches sorted by product household, then sub-sorted by severity. Every listing is additional organized by CVE. Patches which are shared amongst a number of product households are listed a number of instances, as soon as for every product household. Sure important points for which advisories have been issued are lined in Appendix D, and points affecting Home windows Server are additional sorted in Appendix E. All CVE titles are correct as made accessible by Microsoft; for additional info on why sure merchandise might seem in titles and never product households (or vice versa), please seek the advice of Microsoft. 

Home windows (45 CVEs) 

365 (14 CVEs) 

Workplace (14 CVEs) 

SharePoint (5 CVEs) 

Visible Studio (2 CVEs) 

Phrase (2 CVEs) 

.NET (1 CVE) 

Excel (1 CVE) 

Microsoft AutoUpdate for Macintosh (1 CVE) 

Nuance Digital Engagement Platform (1 CVE) 

Outlook (1 CVE) 

PowerPoint (1 CVE) 

Appendix D: Advisories and Different Merchandise 

There are 10 Adobe Reader advisories in June’s launch, APSB25-57. Since there’s some selection in severity ranges on this month’s set, we’re together with that info as nicely. 

There are extra Microsoft advisories and informational releases that deserve consideration. The Energy Automate patch is attention-grabbing – a Vital-severity EoP with a CVSS base rating of 9.8 – however the patch itself was issued practically every week in the past, and so the knowledge offered beneath is principally FYI. In extra, Internet elders are hereby reassured that the “Blink” concerned in CVE-2025-5068 pertains to the Chromium rendering engine, not the erstwhile markup tag finest described as Devil’s eyelash. 

As famous above, on Wednesday Microsoft launched an advisory regarding CVE-2025-32711, “M365 Copilot Info Disclosure Vulnerability,” a Vital-severity information-disclosure bug in Copilot. Although technically not included in Patch Tuesday’s haul, we embrace acknowledgement of that launch as a courtesy to the reader. 

Appendix E: Affected Home windows Server variations 

It is a desk of the CVEs within the June launch affecting 9 Home windows Server variations, 2008 via 2025. The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). Vital-severity points are marked in crimson; an “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to establish their particular publicity, as every reader’s state of affairs, particularly because it considerations merchandise out of mainstream help, will range. For particular Data Base numbers, please seek the advice of Microsoft.