Microsoft

Blogs

Fake ChatGPT Desktop App used to deliver PipeMagic Malware

Microsoft finds that a fake ChatGPT Desktop App Delivering PipeMagic Backdoor,a part of sophisticated malware framework. The PipeMagic campaign represents a dangerous evolution in the global cybercrime landscape. The malicious campaign, powered by a new backdoor called PipeMagic, targets multiple industries including IT, finance, and real estate. The PipeMagic attack is centered around CVE-2025-29824, a critical Windows Common Log File System (CLFS) vulnerability

The PipeMagic campaign a malware to technical threat exploiting trust globally

As per Microsoft cybercriminals are disguising malware as widely popular ChatGPT Desktop Application to launch ransomware attacks across the globe.  

PipeMagic’s evolution from malware to technical threat exploiting trust globally

The malware allows hackers to escalate privileges once inside a system, by leveraging the immense popularity of ChatGPT, attackers have successfully weaponized user trust.

Microsoft has linked the operation to Storm-2460, a financially motivated cybercrime group known for deploying ransomware through stealthy backdoors.

PipeMagic is a malware first detected in December 2022 while investigating a malicious campaign involving RansomExx. The victims were industrial companies in Southeast Asia. To penetrate the infrastructure, the attackers exploited the CVE-2017-0144 vulnerability.

The backdoor’s loader was a trojanized version of Rufus, a utility for formatting USB drives. PipeMagic supported two modes of operation – as a full-fledged backdoor providing remote access, and as a network gateway – and enabled the execution of a wide range of commands.

Pipemagic’s technique of attack

PipeMagic also reflects a growing trend where attackers combine fileless malware techniques with modular frameworks.

By running directly in memory, it avoids detection from traditional signature-based tools. The modular design means it can expand its functionality much like commercial software — essentially transforming cybercrime into a scalable business model.

Another key point is the use of cloud infrastructure for command-and-control. By hosting their servers on Azure, the hackers blend into normal enterprise traffic, making malicious communications far less suspicious. This tactic underscores the need for behavioral monitoring instead of relying solely on blacklists.

Microsoft attributes PipeMagic to a financially motivated group known as Storm-2460. This is a warning sign for future attacks in the broader cybersecurity landscape.

PipeMagic’s modus operandi could be an inspiration for future malware families and its modular framework could fuel a wave of ransomware-as-a-service operations. That possibility raises the stakes not just for enterprises but also for small businesses and even government institutions.

The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source for chat GPT application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.

The embedded payload is the PipeMagic malware, a modular backdoor that communicates with its C2 server over TCP. Once active, PipeMagic receives payload modules through a named pipe and its C2 server.

The malware self-updates by storing these modules in memory using a series of doubly linked lists.

These lists serve distinct purposes for staging, execution, and communication, enabling the threat actor to interact and manage capabilities of backdoor throughout its lifecycle.

By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging.

Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS).

Security Advisory

Microsoft IIS Web Deploy RCE Vulnerability Allows Authenticated Remote Code Execution 

Summary of Vulnerability in Microsoft Web Deploy 4.0 (CVE-2025-53772) revels critical security flaw that could be exploited by authenticated attackers to execute code on affected systems. This is the bug disclosed on August 12, 2025, with a CVSS score of 8.8, indicating high severity.

Severity High 
CVSS Score 8.8 
CVEs CVE-2025-53772 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A vulnerability in Microsoft Web Deploy 4.0 (CVE-2025-53772) allows authenticated attackers to remotely execute arbitrary code on affected systems.

The issue arises from the insecure deserialization of untrusted data. Due to its low privilege requirements and lack of user interaction, this flaw poses a significant threat, especially in enterprise deployment environments. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Web Deploy Remote Code Execution via Deserialization  CVE-2025-53772 Microsoft Web Deploy 4.0  High  10.0.2001 or later 

Technical Summary 

The vulnerability stems from insecure deserialization of untrusted data (CWE-502), allowing remote attackers to craft malicious HTTP requests that trigger code execution on the web server. This flaw enables remote code execution (RCE) under specific conditions, where the attacker must have authenticated access and network connectivity.

The attack is network-based, requires only low-privilege access and does not rely on user interaction. Successful exploitation can result in a high impact on confidentiality, integrity and availability of the affected system. As of the time of publication, no public exploit has been reported and the exploit maturity is considered unproven. 

CVE ID CVSS Score System Affected  Vulnerability Details Impact 
CVE-2025-53772 8.8 Microsoft Web Deploy 4.0 Web Deploy deserializes untrusted input, allowing remote attackers to execute arbitrary code. Remote Code Execution 

Recommendations: 

Here are some recommendations below 

  • Apply Microsoft Web Deploy version 10.0.2001 or latest version. 
  • Limit access to Web Deploy endpoints to trusted IP ranges or internal networks only. 
  • Audit logs for unusual HTTP POST activity to Web Deploy endpoints. 

Conclusion: 
While CVE-2025-53772 has not yet been publicly exploited, the nature of the flaw and the ease of attack (low privileges, no user interaction) significantly increases the risk of widespread exploitation, particularly in enterprise deployment environments.

Organizations using Microsoft Web Deploy 4.0 should update and apply the latest patch without delay.

This vulnerability affects Web Deploy 4.0 and requires low privileges to exploit, making it particularly concerning for organizations that use this deployment tool in their infrastructure. The vulnerability allows an authenticated attacker to exploit the system via low-complexity network-based attacks. 

References

Security Advisory

Microsoft Patch Tuesday August Patches 119 Vulnerabilities; Publicly Disclosed Kerberos Zero‑Day

Microsoft Patch Tuesday : Key points:

119 vulnerabilities discovered & 13 are classified as Critical rating meaning as per Microsoft’ they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.

CVE-2025-53779 is Windows Kerberos Elevation of Privilege Vulnerability

The vulnerabilities fall into multiple categories, including Remote Code Execution (RCE), Elevation of Privilege (EoP), Information Disclosure, Spoofing, Denial of Service (DoS), and Tampering. Below is a detailed breakdown of the vulnerabilities by category, along with key insights for organizations to prioritize their patching efforts.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-08-12 
No. of Patches  119 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Microsoft has released security updates addressing 119 vulnerabilities in the August 2025 Patch Tuesday cycle, including one publicly disclosed zero-day in Windows Kerberos. Of these, 13 are classified as Critical, covering a wide range of products such as Windows components, Office, Azure, Exchange and SharePoint. 

  • 111 Microsoft CVEs addressed 
  • 8 non-Microsoft CVEs addressed 

Breakdown of August 2025 Vulnerabilities 

  • 44 Elevation of Privilege Vulnerabilities 
  • 35 Remote Code Execution Vulnerabilities 
  • 18 Information Disclosure Vulnerabilities 
  • 9 Spoofing Vulnerabilities 
  • 4 Denial of Service Vulnerabilities 
  • 1 Tampering vulnerabilities 
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Kerberos Elevation of Privilege Vulnerability CVE-2025-53779 Windows Server 2025 High 7.2 

Technical Summary 

The August 2025 Patch Tuesday addresses a publicly disclosed zero-day vulnerability CVE-2025-53779 in Windows Kerberos.

This elevation of privilege flaw, related to improper path handling in domain-managed service accounts (dMSA), could allow a local attacker to gain domain administrator privileges.

Microsoft also patched several critical Remote Code Execution (RCE) vulnerabilities across Windows Graphics, GDI+, Office, DirectX, and Hyper-V. Many of these vulnerabilities require minimal or no user interaction, such as simply opening a file in the preview pane or processing crafted image or network messages, making them high-risk for enterprise environments. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-53779 Microsoft Windows Server 2025 Relative path traversal in Windows Kerberos allows an authorized attacker to elevate privileges over a network. Privilege escalation 

Source: Microsoft and NVD 

In addition to the publicly disclosed vulnerability, several other critical and high-severity issues were addressed: 

  • CVE202550165 and CVE202553766: Graphics-related RCEs, particularly vulnerable due to their ability to execute code without user interaction and potential wormable behavior. 
  • CVE202553792: Azure Portal, privilege escalation vulnerability, critical impact on cloud administration surface. 
  • CVE202550171: Remote Desktop Server, allows remote code execution over RDP. 
  • CVE202553778: Windows NTLM, elevation of privilege exploitation includes lateral movement across enterprise networks. 
  • CVE202553786: Microsoft Exchange Server, hybrid environment vulnerability with potential for cloud environment hijacking. 

Key Affected Products and Services 

The vulnerabilities addressed in August 2025 impact a wide range of Microsoft products and services, including: 

  • Windows Core and Authentication Systems 

Includes fixes in Windows Server (Kerberos), Windows Graphics Component, GDI+, DirectX Graphics Kernel, NTLM, Hyper‑V, MSMQ, Remote Desktop and more. 

  • Microsoft Office Suite and Productivity Tools 

Microsoft Office and Word, notably through Preview Pane RCE flaws, as well as SharePoint (RCE and EoP), Exchange Server (Privilege Escalation in hybrid setups) and Teams. 

  • Cloud and Azure Ecosystem 

Critical issues in Azure Virtual Machines (spoofing and info disclosure), Azure Stack Hub and potentially Azure Portal. 

  • Virtualization and Hypervisor Technologies 

Updates include vulnerabilities in Hyper‑V (RCE and privilege escalation) and DirectX graphics kernel components relevant to virtualization. 

  • Development Tools 

Fixes include vulnerabilities affecting Visual Studio and GitHub Copilot, reinforcing development environments. 

  • Messaging and Queuing Services 

Includes a critical RCE in Microsoft Message Queuing (MSMQ). 

  • Browsers: 
    Microsoft Edge (Chromium-based). 

Remediation

  • Apply Patches Promptly: Install the August 2025 security updates immediately to mitigate risks. 

Conclusion: 

Microsoft’s August 2025 Patch Tuesday, disclosed zero-day CVE-2025-53779 is another privilege escalation flaw in Windows Kerberos that stems from a case of relative path traversal. Akamai researcher Yuval Gordon has been credited with discovering and reporting the bug.

Aside from the vulnerabilities patched and disclosed in the regular monthly patch release for August, it is worth noting that one week ahead of the monthly update, Microsoft disclosed 4 vulnerabilities affecting Microsoft cloud services.

References

Blogs Security Advisory

Kaspersky reveals SharePoint ToolShell vulnerabilities stem from incomplete 2020 fix.

Kaspersky’s Global Research and Analysis Team (GReAT) discovered that the recently exploited ToolShell vulnerabilities in Microsoft SharePoint originate from an incomplete fix for CVE-2020-1147, first reported in 2020.

IntruceptLabs have published the security advisory https://intruceptlabs.com/2025/07/toolshell-zero-day-exploits-in-microsoft-sharepoint-enable-full-remote-takeover/ on 21st July 2025.

The SharePoint vulnerabilities have emerged as a major cybersecurity threat this year amid active exploitation. Kaspersky Security Network showed exploitation attempts worldwide, including in Egypt, Jordan, Russia, Vietnam and Zambia.

The attacks target organizations across government, finance, manufacturing, forestry and agriculture sectors. 

Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.

There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.

Share point Vulnerabilities a major cyber threat

The SharePoint vulnerabilities have emerged as a major cybersecurity threat this year amid
active exploitation. Kaspersky Security Network showed exploitation attempts worldwide,
including in Egypt, Jordan, Russia, Vietnam and Zambia.

The attacks target organizations across government, finance, manufacturing, forestry and agriculture sectors. Kaspersky solutions proactively detected and blocked ToolShell attacks before the vulnerabilities were publicly disclosed.

Kaspersky GReAT researchers analyzed the published ToolShell exploit and found it alarmingly similar to the 2020 CVE-2020-1147 exploit.

This suggests that the CVE-2025- 53770 patch is, in fact, an effective fix for the vulnerability that CVE-2020-1147 attempted to address five years ago.
The connection to CVE-2020-1147 became evident following the discovery of CVE-2025- 49704 and CVE-2025-49706, patched on July 8. However, these fixes could be bypassed by adding a single forward slash to the exploit payload.

Once Microsoft learned of active exploitation of these vulnerabilities, they responded with comprehensive patches that addressed potential bypass methods, designating the vulnerabilities as CVE-2025-53770 and CVE-2025-53771.

The surge in attacks against SharePoint servers worldwide occurred during the window between initial exploitation and full patch deployment. Despite patches now being available for the ToolShell vulnerabilities, Kaspersky expects attackers will continue exploiting this chain for years to come.

“Many high-profile vulnerabilities remain actively exploited years after discovery —
ProxyLogon, PrintNightmare and EternalBlue still compromise unpatched systems today.

We expect ToolShell to follow the same pattern: its ease of exploitation means the public exploit
will soon appear in popular penetration testing tools, ensuring prolonged use by attackers,”
said Boris Larin, principal security researcher at Kaspersky GReAT.

Do connect with us for any queries https://intruceptlabs.com/contact/

(Source: Read full report on Read the full report on Securelist.com)

Security Advisory

ToolShell Zero-Day Exploits in Microsoft SharePoint Enable Full Remote Takeover 

Summary : Security Advisory


Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.

There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.

OEM Microsoft 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-53770, CVE-2025-53771 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These flaws allow unauthenticated remote code execution on on-premises servers, bypassing authentication and gaining full control over affected systems. Microsoft has released urgent security updates for supported SharePoint versions to address this issue. 

                   Vulnerability Name CVE ID Product Affected Severity CVSS Score 
SharePoint Server Remote Code CVE-2025-53770 SharePoint Server (on-prem) Critical 9.8 
Execution Vulnerability CVE-2025-53771 SharePoint Server (on-prem) Medium 6.3 

Technical Summary 

The vulnerabilities CVE-2025-53770 and CVE-2025-53771 stem from insecure handling of cryptographic key material and deserialization logic in on-premises Microsoft SharePoint Servers. These flaws enable a chained remote code execution attack dubbed ToolShell, where an unauthenticated attacker can gain full control of vulnerable servers. 

ToolShell is a sophisticated evolution of vulnerabilities CVE-2025-49704 and CVE-2025-49706, which were disclosed and patched in early July 2025 following demonstrations at Pwn2Own Berlin. Within days, attackers had bypassed these initial patches, forcing Microsoft to issue updated patches with new CVEs (53770, 53771). These latest variants are actively exploited in the wild. 

The exploit begins with a crafted request to the SharePoint endpoint /ToolPane.aspx, which exposes the internal configuration mechanism. By exploiting deserialization weaknesses, attackers extract cryptographic secrets, specifically the ValidationKey and DecryptionKey  which are used to sign the VIEWSTATE payloads. 

With these secrets, an attacker can generate malicious, signed payloads that are trusted by SharePoint’s security model, allowing arbitrary code execution without any authentication. This effectively turns SharePoint’s trust mechanism into a delivery vector for persistent compromise. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-53770 SharePoint 2016, 2019 Exploits deserialization in /ToolPane.aspx to steal crypto keys and craft signed __VIEWSTATE payloads Remote Code Execution, full system compromise 
CVE-2025-53771 SharePoint 2016, 2019 Variant of CVE-2025-49706; bypasses earlier fixes using enhanced payload injection techniques Persistent access without credentials 

Remediation: To mitigate potential attacks customers should follow:

Organizations running on-premises Microsoft SharePoint Servers must take the following steps immediately: 

  1. Apply Security Updates: 
  • SharePoint Subscription Edition: KB5002768 
  1. Enable AMSI Protection: 
  • Enable Antimalware Scan Interface (AMSI) in Full Mode for SharePoint. 
  • AMSI was turned on by default in Sept 2023 updates for 2016/2019. 
  1. Rotate Cryptographic Keys: 
  • Use Update-SPMachineKey (PowerShell) or Central Admin. 
  • Restart IIS using iisreset.exe after key rotation. 
  1. Deploy Endpoint Protection: 
  • Use Microsoft Defender for Endpoint or equivalent XDR tools. 

CISA Alert and Advisory Inclusion: 

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private-sector partners are required to apply mitigations immediately due to confirmed active exploitation. CISA emphasized that such vulnerabilities pose an unacceptable risk to federal systems and critical infrastructure. 

Indicators of Compromise (IOCs): 

Type Value (Obfuscated/Generalized) Description 
IP Address 107.191.58[.]76, 104.238.159[.]149 Observed in initial and second attack waves 
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 User-Agent string seen in exploitation requests 
URL Path POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx Exploit entry point targeting ToolPane 

Conclusion: 
The ToolShell exploit chain represents a critical security threat to organizations using on-premises SharePoint Servers.

The vulnerabilities are not theoretical, attackers are actively exploiting them to gain full control of systems, exfiltrate cryptographic secrets and establish long-term persistence. With official patches now available, immediate action is required to prevent compromise, contain exposure and ensure ongoing system integrity. 

References

Security Advisory

Microsoft Plug 140 Vulnerabilities in July Patch Tuesday; SQL Server Zero-Day Disclosed 

Summary : July Patch Tuesday

The July 2025 Patch Tuesday addresses a publicly disclosed zero-day vulnerability CVE-2025-49719 in Microsoft SQL Server.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-07-08 
No. of Patches  140 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Microsoft has released security updates addressing 140 vulnerabilities as part of July 2025 Patch Tuesday, including one publicly disclosed zero-day vulnerability affecting Microsoft SQL Server. Fourteen(14) of the vulnerabilities are classified as Critical, with ten(10) enabling Remote Code Execution (RCE).

Microsoft products impacted span across Windows, SQL Server, Microsoft Office, SharePoint, Hyper-V, Visual Studio and Azure services 

  • 130 Microsoft CVEs addressed 
  • 10 non-Microsoft CVEs addressed 

Breakdown of July 2025 Vulnerabilities 

  • 41 Remote Code Execution (RCE) 
  • 18 Information Disclosure 
  • 53 Elevation of Privilege (EoP) 
  • 5 Denial of Service (DoS)  
  • 8 Security Feature Bypass 
  • 4 Spoofing 
  • 1 Data Tampering 
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
SQL Server Information Disclosure CVE-2025-49719 Microsoft SQL Server High 7.5 

Technical Summary 

The information disclosure flaw arises from improper input validation, enabling a remote unauthenticated attacker to access data from uninitialized memory.

Microsoft also resolved a significant number of critical RCE vulnerabilities, particularly in Microsoft Office, SharePoint and Windows core components like Hyper-V and KDC Proxy. Several vulnerabilities can be triggered through minimal user interaction, such as viewing a document in the preview pane or interacting with network services. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-49719 Microsoft SQL Server Publicly disclosed information disclosure via improper input validation; attackers may access uninitialized memory Unauthorized data disclosure 

Source: Microsoft and NVD 

In addition to the publicly disclosed vulnerability, several other critical and high-severity issues were addressed: 

  • CVE-2025-49701 and CVE-2025-49704: Microsoft SharePoint, RCE over the Internet via authenticated access (CVSS 8.8) 
  • CVE-2025-49735: Windows KDC Proxy Service, Use-after-free vulnerability allowing unauthenticated RCE (CVSS 8.1) 
  • CVE-2025-47981: SPNEGO Extended Negotiation, Heap buffer overflow enabling RCE through crafted messages (CVSS 9.8) 
  • CVE-2025-48822: Hyper-V Discrete Device Assignment (DDA), RCE via PCI passthrough flaw in virtual environments (CVSS 8.6) 
  • CVE-2025-49717: Microsoft SQL Server, Heap-based buffer overflow enabling authenticated RCE (CVSS 8.5) 
  • CVE-2025-49695 to CVE-2025-49703: Microsoft Office/Word, Multiple RCEs via heap overflow, out-of-bounds read, type confusion (CVSS 8.4 & 7.8) 
  • CVE-2025-36357: AMD L1 Data Queue, Side-channel transient execution attack. 
  • CVE-2025-36350: AMD Store Queue, Speculative execution side-channel leak. 

Key Affected Products and Services 

The vulnerabilities addressed in July 2025 impact a wide range of Microsoft products and services, including: 

  • Windows Components: 
    Windows Kernel, BitLocker, SSDP Service, Hyper-V, KDC Proxy and Routing and Remote Access Service (RRAS). 
  • Microsoft Office Suite: 
    Excel, Word, PowerPoint, and SharePoint with several vulnerabilities enabling Remote Code Execution (RCE) or Elevation of Privilege (EoP). 
  • Cloud and Enterprise Services: 
    Azure Monitor Agent, Microsoft Intune and Microsoft SQL Server. 
  • Development Tools: 
    Visual Studio and the Python extension for Visual Studio Code. 
  • Browsers: 
    Microsoft Edge (Chromium-based). 

Remediation

  • Apply Patches Promptly: Install the July 2025 security updates immediately to mitigate risks. 

Conclusion: 

The July 2025 Patch Tuesday reflects a large-scale update effort from Microsoft, addressing both known and undisclosed security risks. The zero-day (CVE-2025-49719) highlights ongoing concerns with SQL Server, while critical vulnerabilities in Office, SharePoint and core Windows services demand urgent patching.

Organizations should prioritize deployment of these patches and remain vigilant for any post-patch exploitation attempts, especially in externally facing applications. 

References

Security Advisory

Microsoft June 2025 Patch Tuesday – 67 Vulnerabilities Fixed Including 2 Zero-Days 

Summary : Microsoft’s June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-06-10 
No. of Vulnerabilities Patched 67 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These include multiple high-risk flaws and two zero-day vulnerabilities one actively exploited and one publicly disclosed affecting core components like Windows WebDAV and the SMB Client. 

  • 67 Microsoft CVEs addressed 
  • 3 non-Microsoft CVEs addressed 

Breakdown of May 2025 Vulnerabilities 

  • 25 Remote Code Execution (RCE) 
  • 17 Information Disclosure 
  • 14 Elevation of Privilege (EoP) 
  • 6 Denial of Service (DoS)  
  • 3 Security Feature Bypass 
  • 2 Spoofing 
  • 2 Chromium (Edge) Vulnerabilities 
  • 1 Windows Secure Boot 
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
WebDAV Remote Code Execution (Exploited in the wild)  CVE-2025-33053 Windows High 8.8 
SMB Client Elevation of Privilege (Publicly disclosed) CVE-2025-33073 Windows  High 8.8 

Technical Summary 

Two zero-day vulnerabilities in Microsoft’s ecosystem were addressed in June 2025. One of these, CVE-2025-33053, has been exploited in the wild and affects the deprecated but still present WebDAV component in Windows. The other, CVE-2025-33073, was publicly disclosed and affects the Windows SMB client, enabling attackers to elevate privileges. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-33053 Windows 10,11 and Windows Server WebDAV RCE triggered when a user clicks a malicious link. Exploited by APT group “Stealth Falcon.” Exploitation complexity is low. Remote Code Execution 
CVE-2025-33073 Windows 10,11 and Windows Server EoP flaw in SMB Client. Exploitation may occur by connecting to a malicious SMB server. Privilege elevation to SYSTEM is possible. Elevation of Privilege  

Source: Microsoft and NVD 

In addition to the zero-day vulnerabilities, several other critical and high-severity issues were addressed: 

  • CVE-2025-47162, CVE-2025-47164, CVE-2025-47167: Microsoft Office, Preview Pane-based RCE vulnerabilities, exploitation more likely (CVSS 8.4) 
  • CVE-2025-47172: Microsoft SharePoint Server, SQL injection-based RCE (CVSS 8.8) 
  • CVE-2025-29828: Windows Cryptographic Services, memory release issue (CVSS 8.1) 
  • CVE-2025-32710: Windows Remote Desktop Services, use-after-free vulnerability (CVSS 8.1) 
  • CVE-2025-29976: Microsoft SharePoint, Local privilege escalation (CVSS 7.8) 
  • CVE-2025-30393: Microsoft Excel, RCE via malicious Excel file (CVSS 7.8) 
  • CVE-2025-24063: Windows Kernel, Local privilege escalation, marked “Exploitation More Likely” (CVSS 7.8) 
  • CVE-2025-32702: Visual Studio, Command injection RCE via malicious project file (CVSS 7.8) 
  • CVE-2025-26685: Microsoft Defender for Identity, Spoofing via NTLM fallback, exploitable in adjacent networks (CVSS 6.5) 

Remediation

  • Apply Patches Promptly: Install the June 2025 security updates immediately to mitigate risks. 

General Recommendations: 

  • Prioritize Zero-Days: Focus on patching the two confirmed zero-day vulnerabilities, especially those allowing Elevation of Privilege and remote code execution. 
  • Disable Deprecated Services: If not required, disable WebDAV (WebClient service) and SMBv1 to reduce exposure. 
  • Enforce SMB Signing: Use Group Policy to mandate SMB signing, reducing the risk from CVE-2025-33073. 
  • Monitor for Exploitation Attempts: Watch for suspicious SMB or WebDAV traffic in logs and endpoint detection systems. 
  •  Enable Auto Updates Where Feasible: For individual endpoints and less tightly controlled systems, enable automatic updates to maintain regular patch schedule. 

Conclusion: 

Microsoft’s June 2025 Patch Tuesday addresses two important zero-day vulnerabilities, including an actively exploited RCE in WebDAV tracked as CVE-2025-33053.

Organizations should prioritize these patches to mitigate risk from real-world threats. The CVE-2025-33053 vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing its urgency. 

References

Blogs Cybersecurity News Security Advisory

Cyber Security News at a Glance; May 2025

For the month of May 2025 here are the Top News including Security Advisory & Blogs

Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit

A high-severity vulnerability (CVE-2025-2082) in Tesla Model 3’s Vehicle Controller Security (VCSEC) module allows attackers within wireless range to remotely execute arbitrary code by exploiting a flaw in the Tire Pressure Monitoring System (TPMS)

Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit 

The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.

FBI Warns  End-of-Life Routers Exploited in Active Botnet and Proxy Campaigns 

Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days

Microsoft addressed 83 vulnerabilities across its product suite. Among them are 5 zero-day vulnerabilities have been confirmed as actively exploited in the wild. The updates span Windows components, Office, Visual Studio, and other core services.

11 vulnerabilities were rated critical, emphasizing the importance of timely remediation especially for enterprise environments.

5 non-Microsoft CVEs included

78 Microsoft CVEs addressed

Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days

Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required 

SAP has released critical security updates for its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.

SAP Visual Composer is not installed by default, however it is enabled because it was a core component used by business process specialists to develop business application components without coding.

Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required 

CISA is officially changing the way it disseminates online security updates and guidance.

CISA says the enhanced information dissemination system will from now on use social media and email only to disperse cybersecurity alerts and advisories, saving its landing page for more critical warnings on May 12.

Updates on May 13

Just a day after announcing it was changing the way it sent out alerts, CISA has changed its mind and reverted back to its old system of putting everything on its website.

“We recognize this has caused some confusion in the cyber community,” the site now reads. “As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders.”

Social Media & emails as Medium to disperse Cybersecurity alerts; CISA

Zero-Day Threat in Chrome’s Loader Component (CVE-2025-4664) – CISA Flags Urgent Risk 

A zero-day vulnerability (CVE-2025-4664) in Google Chrome’s Loader component has been actively exploited in the wild.This flaw allows attackers to bypass security policies, leak cross-origin data, and potentially execute unauthorized code. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching. 

Zero-Day Threat in Chrome’s Loader Component (CVE-2025-4664) – CISA Flags Urgent Risk 
Security Advisory

Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days

May 2025 Patch Tuesday by Microsoft

Continue Reading
Scroll to top