Microsoft fixes zero-day exploited by Stealth Falcon APT in attacks against gov’t and defense sectors


Microsoft has rolled out security fixes as part of its June 2025 Patch Tuesday release that cover over 60 vulnerabilities, including a zero-day flaw exploited in real-world attacks.

The flaw in question (CVE-2025-33053) is a remote code execution issue in Microsoft Windows MSHTML stemming from the incorrect processing of file paths in WebDAV links. A remote attacker can trick the victim into clicking on a specially crafted link and execute arbitrary code on the system.

According to researchers at Check Point, who discovered the flaw, it has been exploited in a new campaign orchestrated by the Stealth Falcon state-backed threat actor that is largely focused on the Middle East and Africa. This recent attack has targeted high-profile entities in the government and defense sectors in Turkey, Qatar, Egypt, and Yemen.

The attack starts with spear-phishing emails that typically carry links or attachments that use WebDAV and LOLBins to deploy malware. The group’s arsenal contains custom implants based on the open-source red team framework Mythic, which are either derived from existing agents or belong to a private variant Check Point dubbed Horus Agent. In addition, the threat actor employs multiple previously undisclosed custom payloads and modules, including keyloggers, passive backdoors, and a DC Credential Dumper.

In this case, Stealth Falcon used a .url file that exploited CVE-2025-33053 to execute malware from an actor-controlled WebDAV server.
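Since the delivery vehicle in this campaign was a .url file pointing at a remote WebDAV server, a useful defensive check is to triage .url files for fields that resolve to a remote UNC or WebDAV location. The following script is an added example written for this article; it is not code from Check Point, Microsoft, or the article itself. The choice of which fields to inspect (URL, WorkingDirectory, IconFile) and the patterns treated as "remote" are assumptions made for triage, not a description of how CVE-2025-33053 works, and all host names are constructed placeholders.

```python
"""Triage helper for Windows Internet Shortcut (.url) files.

Added example for this article, not code from the article, Check Point
or Microsoft. It flags .url files whose fields name a remote WebDAV/UNC
location, the delivery pattern the article attributes to Stealth Falcon.
"""
import re
from dataclasses import dataclass

# Fields of an [InternetShortcut] section that can name a path the shell
# resolves when the shortcut is opened. This set is an assumption made
# for triage purposes, not a statement about the vulnerability itself.
PATH_FIELDS = ("URL", "WorkingDirectory", "IconFile")

# Patterns that indicate a remote (non-local) location.
REMOTE_PATTERNS = (
    ("unc-path", re.compile(r"^\\\\[^\\]+\\", re.I)),   # \\host\share\...
    ("webdav-root", re.compile(r"DavWWWRoot", re.I)),   # WebDAV redirector marker
    ("webdav-ssl", re.compile(r"@SSL", re.I)),          # WebDAV-over-TLS UNC marker
    ("file-url-host", re.compile(r"^file://[^/]", re.I)),  # file://host/... (not file:///C:)
    ("web-url", re.compile(r"^https?://", re.I)),       # http(s) URL
)


@dataclass
class UrlFileFinding:
    field_name: str
    value: str
    reason: str


def parse_url_file(text: str) -> dict:
    """Parse the [InternetShortcut] section of a .url file into a dict.

    .url files are INI-like and keys are case-insensitive, so keys are
    returned lower-cased. Other sections are ignored.
    """
    fields = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "internetshortcut" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def triage_url_file(text: str) -> list:
    """Return a finding for every inspected field that points somewhere remote.

    A plain http(s) URL in the URL field is the normal purpose of a .url
    file and is not reported; every other remote reference is.
    """
    fields = parse_url_file(text)
    findings = []
    for name in PATH_FIELDS:
        value = fields.get(name.lower())
        if not value:
            continue
        for reason, pattern in REMOTE_PATTERNS:
            if pattern.search(value):
                if name == "URL" and reason == "web-url":
                    break  # ordinary web shortcut, nothing to flag
                findings.append(UrlFileFinding(name, value, reason))
                break
    return findings


# Constructed samples with placeholder host names (not real indicators).
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://docs.example.org/manual
IconIndex=0
"""

SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file:///C:/Users/Public/readme.txt
WorkingDirectory=\\\\webdav.example.invalid@SSL\\DavWWWRoot\\share
IconFile=\\\\webdav.example.invalid\\share\\icon.ico
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        for finding in triage_url_file(sample):
            print(f"{label}: {finding.field_name} -> {finding.value} [{finding.reason}]")
```

Run over a mail-gateway quarantine or an endpoint's Downloads folder, the script gives a quick first-pass list of shortcuts that reach out to a remote share before a user opens them; the benign sample yields no findings, while the constructed suspicious one reports its WorkingDirectory and IconFile fields.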

In addition, Microsoft has fixed a previously disclosed vulnerability (CVE-2025-33073) in Windows SMB that allows attackers to gain SYSTEM privileges on vulnerable systems.

Another vulnerability worth attention is CVE-2025-3052, a Secure Boot bypass issue that impacts almost every system that trusts Microsoft's ‘UEFI CA 2011’ certificate.

Microsoft’s June 2025 Patch Tuesday also covers a number of high-risk security flaws affecting Microsoft Word, Microsoft .NET and Visual Studio, Microsoft Office, Microsoft Windows Netlogon, Microsoft Windows Remote Desktop Services, and other software products.
