Full Report
Today is Microsoft's June 2025 Patch Tuesday, which includes security updates for 66 flaws, including one actively exploited vulnerability and another that was publicly disclosed. [...]
Analysis Summary
# Vulnerability: Actively Exploited WEBDAV RCE and SMB EoP Zero-Days (June 2025)
## CVE Details
- CVE ID: CVE-2025-33053, CVE-2025-33073 (and others listed below)
- CVSS Score: Not explicitly provided for individual vulnerabilities, but the update batch includes ten "Critical" vulnerabilities.
- CWE: *(Not specified for the zero-days in the provided text)*
## Affected Systems
- Products: Microsoft Windows (specific OS versions not detailed, but pertaining to affected components listed below).
- Versions: Unknown specific vulnerable versions provided.
- Configurations:
- **CVE-2025-33053 (WEBDAV RCE):** Requires the user to click on a specially crafted WebDav URL.
- **CVE-2025-33073 (SMB EoP):** Requires an attacker to coerce the victim machine to connect back to an attack system using SMB and authenticate.
## Vulnerability Description
This Patch Tuesday addresses 66 flaws, including two zero-days:
1. **CVE-2025-33053 (WEBDAV RCE):** A remote code execution vulnerability in Microsoft Windows Web Distributed Authoring and Versioning (WEBDAV). Successful exploitation allows a remote attacker to execute arbitrary code.
2. **CVE-2025-33073 (Windows SMB EoP):** An improper access control vulnerability in Windows SMB that allows an authorized attacker to elevate privileges to SYSTEM over a network by coercing a connection to an attacker-controlled system.
The update also addresses numerous other vulnerabilities across various components, including Windows Storage Management Provider (Information Disclosure) and Win32K (Elevation of Privilege).
## Exploitation
- Status:
- **CVE-2025-33053:** Actively exploited in the wild.
- **CVE-2025-33073:** Publicly disclosed (warnings circulated by DFN-CERT/RedTeam Pentesting).
- Complexity: Low (for the WEBDAV RCE, as it relies on user interaction via a crafted URL).
- Attack Vector: Network (Remote Code Execution/Elevation of Privilege over the network).
## Impact
Based on the nature of the reported flaws (RCE and SYSTEM-level EoP):
- Confidentiality: High/Critical (especially RCE)
- Integrity: High/Critical (ability to execute arbitrary code or gain SYSTEM access)
- Availability: High (in the case of RCE/DoS)
## Remediation
### Patches
- Microsoft June 2025 Security Updates (Addressing all 66 flaws, including the zero-days). Specific patch versions are not listed in the source text but correspond to the release date of June 2025 Patch Tuesday.
### Workarounds
- **CVE-2025-33073 (SMB EoP):** Mitigation is possible by **enforcing server-side SMB signing via Group Policy**.
## Detection
Detection methods specific to the zero-days were not explicitly detailed, but general indicators would involve:
- Monitoring for unusual outbound SMB connections initiated by victim machines to untrusted external systems (relevant to CVE-2025-33073).
- Analysis of network traffic related to attempts to load specially crafted WebDav resources (relevant to CVE-2025-33053).
## References
- Vendor Advisory for CVE-2025-33053: http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-33053
- Vendor Advisory for CVE-2025-33073: http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-33073
- Check Point Research Advisory: https://advisories.checkpoint.com/defense/advisories/public/2025/cpai-2025-0319.html
- Born City Report: https://www.borncity.com/blog/2025/06/10/juni-2025-patchday-soll-schwachstelle-cve-2025-33073-in-windows-schliessen/
- Microsoft SMB Signing Documentation: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing