
Microsoft Fixes 67 Security Flaws With June 2025 Security Update, Including Two Zero-Day Vulnerabilities


Microsoft has rolled out fixes for several security flaws as part of the June 2025 Patch Tuesday release, including 11 vulnerabilities with a “critical” rating, and 56 others rated as “important”. Two of the flaws patched by Microsoft are categorised as zero-day flaws, one of which was actively exploited before the company rolled out a fix. The Redmond company previously fixed multiple security flaws affecting Microsoft Edge, including a zero-day exploit that also affects the Google Chrome browser.

Microsoft Patches Previously Exploited WebDAV Zero-Day Flaw

According to Microsoft’s release notes, the June 2025 security updates contain fixes for 67 security flaws impacting various products and services. The firm has fixed 14 flaws that could have led to an escalation of privilege, 26 remote code execution vulnerabilities, and 17 other issues that could have led to information disclosure.

The most notable security flaw detected by Microsoft is CVE-2025-33053, which impacts an HTTP extension called Web Distributed Authoring and Versioning (WebDAV). Microsoft says that this zero-day security flaw has a CVSS score of 8.8 and that it has been actively exploited by tricking users into clicking on a malicious URL.

This flaw was detected by Check Point researchers David Driker and Alexandra Gofman, and the cybersecurity firm says a threat actor known as FruityArmor or Stealth Falcon was using the CVE-2025-33053 vulnerability. The security flaw allowed the hackers to remotely execute code on a target’s computer by making changes to the victim’s working directory.

Microsoft has also patched another zero-day security flaw that affects the Windows SMB (Samba) client and could allow a malicious user to gain elevated (or system) privileges on devices that are connected to the same local network. The issue was caused by improper access control in the Windows SMB client, according to Microsoft.

Earlier this month, the company rolled out multiple security fixes for the Microsoft Edge browser, which were previously released by the Chromium project. One of these flaws, identified as CVE-2025-5419, is a zero-day security flaw that was exploited before it was patched by Google. Users running the latest stable release (version 137.0.3296.62) should be protected against these security flaws.
