Network Security, Vulnerability Management, Patch/Configuration Management

Microsoft fixes 66 bugs in latest Patch Tuesday, 10 rated ‘critical’


Microsoft gave administrators something of a summer break with the release of a relatively light load of 66 Patch Tuesday security fixes.

The June edition of the monthly security update release sees Microsoft patch 10 flaws rated as "critical," along with two flaws that are either publicly known or under active exploitation.

Administrators will want to take particular note of CVE-2025-33053 and CVE-2025-33073, the former of which is under active exploitation and the latter having a public exploit in circulation. Both flaws have a CVSS 8.8 score and are classified by Microsoft as "important" threats.

CVE-2025-33053 is a remote code execution (RCE) vulnerability in the Web Distributed Authoring and Versioning (WebDAV) component of Windows. An attacker with local network access could trick a user into executing code which in turn exploits a file path-handling error in WebDAV to give the attacker remote takeover capability. Microsoft did not give details on the number of confirmed attacks or on how long the exploit has been active.

CVE-2025-33073, meanwhile, has seen exploit code released but has yet to have any confirmed attacks in the wild. That flaw is an elevation of privilege vulnerability in the Windows SMB Client caused by an improper access control error.

Dustin Childs, head of research at the Trend Micro Zero Day Initiative, said that a likely exploit scenario would involve duping a target into connecting to a malicious server.

“It leads to code execution at the SYSTEM level, and it could be triggered by convincing a user to connect to an attacker-controlled malicious application server,” Childs explained.

“The most obvious choice here would be an SMB server. Upon connecting, the malicious server could compromise the affected system and elevate privileges.”

Moving on to the 10 critical-rated vulnerabilities, four are present in Office. CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953 could allow for RCE via buffer overflow errors.

Other critical flaws include RCE bugs in SharePoint Server (CVE-2025-47172) and Windows Remote Desktop (CVE-2025-32710). An elevation of privilege flaw in Windows Netlogon (CVE-2025-33070) was deemed a critical risk, as was one in Power Automate (CVE-2025-47966).

Of the remaining 54 patches, 52 are for vulnerabilities Microsoft has deemed "important" level issues. The other two were for "high" and "medium" level issues, respectively. While those bugs might not carry the highest severity ratings or CVSS scores, administrators would be well-advised to patch them along with the others, as they can often be chained together with other vulnerabilities to create a high-severity attack chain.

“There are a couple of vulnerabilities for the Windows Common Log File System (CVE-2025-32701 and CVE-2025-32706) which are Priv Esc vulnerabilities. Those aren't criticals, which means some organizations won't prioritize patching them as quickly as they probably should,” noted Nick Carroll, cyber incident response manager at security service provider Nightwing. “If you look at what tends to get a lot of attention, critical vulnerabilities catch all the buzz. But we see real world attacks abusing that Windows Log File subsystem pretty regularly.”  

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
