“`html

Microsoft today unveiled security enhancements to address at least 67 vulnerabilities in its Windows operating systems and applications. The company from Redmond cautions that one of the weaknesses is currently subject to active exploitation, and that software diagrams detailing how to take advantage of a widespread Windows flaw corrected this month are now accessible to the public.

The only zero-day vulnerability this month is CVE-2025-33053, a remote code execution vulnerability in the Windows version of WebDAV — an HTTP extension that enables users to remotely handle files and directories on a server. Although WebDAV isn’t activated by default in Windows, its existence in legacy or specialized systems still renders it a pertinent target, noted Seth Hoyt, senior security engineer at Automox.

Adam Barnett, chief software engineer at Rapid7, stated that Microsoft’s advisory for CVE-2025-33053 fails to mention that the Windows adaptation of WebDAV has been marked as deprecated since November 2023, indicating that the WebClient service no longer starts automatically.

“The advisory also categorizes attack complexity as low, suggesting that exploitation does not necessitate preparing the target environment in a manner beyond the attacker’s control,” Barnett explained. “Exploitation hinges on the user engaging with a malicious link. It remains unclear how an asset could be immediately susceptible if the service isn’t operational, yet all Windows versions receive a patch, including those launched after the deprecation of WebClient, such as Server 2025 and Windows 11 24H2.”

Microsoft alerts that an “elevation of privilege” vulnerability in the Windows Server Message Block (SMB) client (CVE-2025-33073) is likely to be exploited, especially as proof-of-concept code for this flaw is now publicly available. CVE-2025-33073 carries a CVSS risk score of 8.8 (out of 10), and exploitation of this vulnerability enables the attacker to gain “SYSTEM” level control over an affected PC.

“What renders this particularly hazardous is that no additional user interaction is necessary after the initial connection—an occurrence that attackers can often initiate without the user being aware,” stated Alex Vovk, co-founder and CEO of Action1. “Considering the elevated privilege level and simplicity of exploitation, this vulnerability presents a considerable risk to Windows environments. The range of impacted systems is extensive, as SMB is a fundamental Windows protocol used for file and printer sharing, as well as inter-process communication.”

In addition to these highlights, 10 of the vulnerabilities addressed this month were deemed “critical” by Microsoft, which includes eight remote code execution flaws.

Notably, absent from this month’s patch release is a remedy for a recently discovered vulnerability in Windows Server 2025 that permits attackers to operate with the privileges of any user in Active Directory. The flaw, referred to as “BadSuccessor,” was publicly disclosed by researchers at Akamai on May 21, and several public proof-of-concepts are now accessible. Satnam Narang from Tenable advised that organizations with at least one Windows Server 2025 domain controller should assess permissions for principals and minimize those permissions wherever possible.

Adobe has issued updates for Acrobat Reader and six other products, addressing at least 259 vulnerabilities, the majority of which pertain to an update for Experience Manager. Mozilla Firefox and Google Chrome both recently rolled out security updates that necessitate a restart of the browser to take effect. The latest Chrome update corrects two zero-day vulnerabilities in the browser (CVE-2025-5419 and CVE-2025-4664).

For an in-depth breakdown of the specific security updates released by Microsoft today, refer to the Patch Tuesday roundup from the SANS Internet Storm Center. Action 1 provides a summary of patches from Microsoft and numerous other software vendors issuing fixes this month. As always, please ensure you back up your system and/or data before applying patches, and feel free to leave a note in the comments if you encounter any issues while installing these updates.

“`