Barely 70 vulnerabilities make the cut for Microsoft’s monthly security update, but an RCE flaw in WEBDAV and an EoP issue in Windows SMB Client still warrant close attention.
Barely 70 vulnerabilities make the cut for Microsoft’s monthly security update, but an RCE flaw in WEBDAV and an EoP issue in Windows SMB Client still warrant close attention.
Microsoft’s latest Patch Tuesday update landed on schedule around teatime on 10 June, with admins facing a much lighter load heading into the summer – at least lighter than of late – with barely 70 security flaws awaiting attention and just two potential zero-day common vulnerabilities and exposures (CVEs) in scope.
The two most pressing issues for patching this month are CVE-2025-33053, a remote code execution (RCE) flaw in Web Distributed Authoring and Versioning (WEBDAV), and CVE-2025-33073, an elevation of privilege (EoP) vulnerability in Windows Server Message Block (SMB) Client. Both carry a CVSS score of 8.8.
Microsoft revealed it has evidence that the first of these CVEs is already being exploited in the wild, although proof-of-concept code is not publicly available, while for the second, the opposite is true. It credited the RCE flaw to Alexandra Gofman and David Driker of Check Point Research, and the second to researchers with CrowdStrike, Synacktiv, SySS GmbH, and Google Project Zero.
Of these two, CVE-2025-33053 probably presents the most pressing patching need. This is because in practice, the issue affects various tools that still incorporate the defunct Internet Explorer browser in a legacy capacity, hence Microsoft has been forced into the position of producing patches for long out-of-support platforms, dating back as far as Windows 8 and Server 2012.
