Microsoft Addresses 67 Security Flaws, Including WEBDAV Zero-Day Threat

Microsoft has announced the release of critical patches addressing 67 security vulnerabilities, including a zero-day exploit in the Web Distributed Authoring and Versioning (WEBDAV) protocol, which has been actively exploited by the threat group known as Stealth Falcon. The updates, released as part of Microsoft's monthly Patch Tuesday on June 11, 2025, are vital for enhancing enterprise security and protecting sensitive information across various sectors.

The WEBDAV vulnerability, identified as CVE-2025-33053, has been assigned a CVSS score of 8.8, indicating its severity. This flaw allows remote code execution (RCE) by deceiving users into clicking on a specially crafted URL, posing significant risks to organizations that rely on WEBDAV for remote file sharing and collaboration. The vulnerability is particularly concerning given the widespread use of this protocol in enterprise environments.

According to Mike Walters, President and Co-Founder of Action1, "Many organizations enable WebDAV for legitimate business needs—often without fully understanding the security risks it introduces." This sentiment underscores the need for heightened awareness and proactive security measures among enterprises.

In addition to the WEBDAV zero-day, Microsoft’s patch release addresses 11 critical vulnerabilities and 56 deemed important. These include 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation vulnerabilities. Notably, the most severe vulnerability corrected is a privilege escalation flaw in Power Automate (CVE-2025-47966), which holds a CVSS score of 9.8.

The discovery and reporting of the WEBDAV vulnerability have been credited to Check Point researchers Alexandra Gofman and David Driker. The cybersecurity firm also linked the exploitation of CVE-2025-33053 to Stealth Falcon, a group known for its targeted attacks on high-profile entities, including a recent espionage campaign against organizations in Qatar and Saudi Arabia. Check Point stated, "The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server."

The attack chain initiated against a defense company in Turkey involved sophisticated techniques, including the use of a backdoor named Horus Agent, designed to gather extensive system information and execute commands remotely. The Horus Agent represents an evolution of the previously utilized Apollo implant by Stealth Falcon, reflecting the group’s ongoing adaptation to enhance the stealth and efficacy of their operations.

Moreover, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-33053 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch agencies apply the necessary fixes by July 1, 2025. "The active exploitation of this vulnerability emphasizes the critical need for organizations to implement the patches promptly to mitigate potential risks," stated a CISA spokesperson.

In addition to the WEBDAV vulnerability, Microsoft’s recent updates include patches for several high-risk vulnerabilities across its operating systems, such as CVE-2025-33071 in the Windows KDC Proxy Service and CVE-2025-3052, a secure boot bypass vulnerability. These vulnerabilities could allow attackers to execute malicious code before the operating system loads, posing grave risks to system integrity and security.

Experts warn that the ongoing exploitation of vulnerabilities like CVE-2025-33053 highlights the evolving landscape of cybersecurity threats. Adam Barnett, lead software engineer at Rapid7, noted, "Exploitation is more likely, especially given the KDC proxy's function of facilitating Kerberos requests from untrusted networks."

As Microsoft continues to roll out patches to address these vulnerabilities, the necessity for organizations to remain vigilant in their cybersecurity practices is paramount. The tech giant's proactive measures aim to reinforce defenses against emerging threats, ensuring that their software remains secure against increasingly sophisticated attacks.

In conclusion, the release of patches for these vulnerabilities serves as a critical reminder of the importance of cybersecurity vigilance. Organizations must prioritize the implementation of these updates to mitigate risks and protect sensitive information in an increasingly hostile cyber environment.