Full Report
A researcher tells CyberScoop that up to 80% of enterprises could be vulnerable to the zero-day Microsoft patched in its June update. The post Microsoft Patch Tuesday addresses 66 vulnerabilities, including an actively exploited zero-day appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Actively Exploited Microsoft WebDAV Zero-Day (CVE-2025-33053) and Critical Power Automate Flaw
## CVE Details
- CVE ID: CVE-2025-33053 (zero-day, exploited in the wild), CVE-2025-47966 (Critical)
- CVSS Score: not given in the CyberScoop article. Microsoft's advisories rate CVE-2025-33053 at 8.8 (AV:N/AC:L/PR:N/UI:R) with severity Important, and CVE-2025-47966 at 9.8 with severity Critical.
- CWE: not discussed in the article. Microsoft classifies CVE-2025-33053 as CWE-73 (External Control of File Name or Path) leading to remote code execution, and CVE-2025-47966 as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) leading to elevation of privilege.
## Affected Systems
- Products: Windows, specifically the built-in WebDAV client (the WebClient service, also called the WebDAV mini-redirector) that lets Windows open WebDAV URLs and `\\host@port\...` paths (CVE-2025-33053). Microsoft Power Automate (CVE-2025-47966).
- Versions: not listed in the article. The MSRC advisory for CVE-2025-33053 enumerates the affected Windows client and server releases; all of them received updates in the June 2025 Patch Tuesday release.
- Configurations: any Windows host on which the WebClient service can run is in scope for CVE-2025-33053. The attack is driven from the client side by content the victim opens, so an organization is exposed even if it hosts no WebDAV server of its own.
## Vulnerability Description
Microsoft's June 2025 Patch Tuesday addressed 66 vulnerabilities. Two notable issues are:
1. **CVE-2025-33053 (Zero-Day):** A vulnerability in the Windows **WebDAV** client that allows an attacker to achieve **Remote Code Execution (RCE)**. The attacker needs no credentials on the target, but a user must open a crafted link or file that points at an attacker-controlled WebDAV server; Windows then resolves an attacker-controlled path and loads attacker-supplied code from it. WebDAV, often used for remote file sharing and editing, is frequently left enabled without a full understanding of the risk; a researcher quoted in the article estimates that up to 80% of enterprises could be exposed.
2. **CVE-2025-47966 (Critical):** A critical vulnerability in **Power Automate** in which sensitive information is exposed to an unauthorized actor, allowing that actor to **elevate privileges** over the network. Power Automate is a cloud service, so check the MSRC advisory for whether the fix is applied service-side or requires customer action.
## Exploitation
- Status: **CVE-2025-33053 is actively exploited in the wild.** Check Point attributes the exploitation to the espionage group Stealth Falcon, which used it in March 2025 against a defense company in Turkey. The article reports exploitation only for CVE-2025-33053, not for CVE-2025-47966.
- Complexity: Low. The attacker needs no privileges on the target, but the victim must open the crafted content (user interaction required).
- Attack Vector: Network. The attacker-controlled WebDAV server can sit anywhere the victim host can reach over HTTP or HTTPS.
## Impact
- Confidentiality: High. RCE on a workstation runs as the logged-on user and exposes that user's data and credentials, which fits the espionage motive of the known campaign; CVE-2025-47966 directly exposes information the attacker is not authorized to see.
- Integrity: High. RCE grants the attacker code execution as the victim user, and from there full compromise of the host.
- Availability: High. Code execution on the host lets the attacker disrupt or take over the system at will.
## Remediation
### Patches
- Microsoft released fixes for all 66 vulnerabilities in the **June 2025 Patch Tuesday** release. Apply the June 2025 cumulative update for each affected Windows release; the per-CVE advisories in the Microsoft Security Response Center update guide list the corresponding KB articles. Prioritize CVE-2025-33053: its listing in CISA's Known Exploited Vulnerabilities catalog puts it on a fixed remediation deadline for US federal civilian agencies, which is a reasonable benchmark for everyone else.
### Workarounds
- The zero-day is in the Windows WebDAV client, so the workarounds reduce that client's exposure until patches are applied:
  * Stop and disable the WebClient service on hosts that do not need WebDAV. This removes the vulnerable code path, at the cost of breaking features that depend on it (SharePoint "Open with Explorer", mapped WebDAV drives), so test before rolling it out broadly.
  * Where WebDAV is required, restrict it: block outbound WebDAV from workstations to the internet at the proxy or firewall, allowing only the organization's own WebDAV and SharePoint hosts, so that a crafted link cannot reach an attacker-controlled server.
  * *Note: The article does not list specific vendor-provided workarounds, focusing instead on patching; the bullets above are standard hardening for the WebDAV client, not Microsoft-published mitigations.*
## Detection
- **Indicators of Compromise (IOCs):** Actor-specific IOCs for the Stealth Falcon campaign (server addresses, loader hashes) are in the Check Point report. Behavioral indicators that do not depend on the actor's infrastructure: WebDAV traffic (PROPFIND or OPTIONS requests, or the `Microsoft-WebDAV-MiniRedir` user agent) from workstations to external hosts the organization does not own; processes whose working directory or command line points at a WebDAV UNC path such as `\\host@80\DavWWWRoot\...`; and Windows built-in binaries (LOLBins) executing from or loading files from such paths, followed by multi-stage loaders.
- **Detection Methods and Tools:** CISA added CVE-2025-33053 to its Known Exploited Vulnerabilities catalog, so EDR and threat intelligence vendors have had reason to ship coverage; confirm that your EDR actually alerts on the behaviors above rather than assuming it does. On the network side, review proxy and firewall logs for WebDAV methods or the mini-redirector user agent toward unknown hosts; on the endpoint, review process-creation telemetry (Sysmon Event ID 1, or Windows Security event 4688 with command-line logging enabled) for WebDAV UNC paths in the working directory or command line.
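The behavioral indicators above can be checked mechanically. The following Python script is an added example written for this page, not code from CyberScoop, Check Point or Microsoft: it runs two rules over constructed JSON log records (a proxy log and a process-creation log in a made-up schema) and flags WebDAV activity that reaches hosts outside an assumed allowlist. The allowlist names, the `corp.example` suffix, the log field names and the sample records are all assumptions; the user-agent string and the `\\host@port\DavWWWRoot` UNC forms are the real ones the Windows mini-redirector produces.

```python
"""Flag WebDAV activity toward hosts the organization does not own (added example)."""
import ipaddress
import json
import re
from urllib.parse import urlparse

# Assumed allowlist of the organization's own WebDAV/SharePoint hosts (hypothetical names).
INTERNAL_WEBDAV_HOSTS = {"sharepoint.corp.example", "files.corp.example"}
INTERNAL_SUFFIXES = (".corp.example",)
# RFC 1918 plus loopback, checked explicitly rather than via ipaddress.is_private, which
# also treats the documentation ranges used in the sample below (203.0.113.0/24 etc.) as private.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# UNC forms produced by the Windows WebDAV mini-redirector:
#   \\host@80\DavWWWRoot\..., \\host@SSL@443\..., \\host@SSL\..., \\host\DavWWWRoot\...
WEBDAV_UNC = re.compile(
    r"\\\\([^\\@\s]+)"                               # \\host  (group 1)
    r"(?:@SSL(?:@\d+)?|@\d+|(?=\\DavWWWRoot\\))",    # @SSL[@port], @port, or \DavWWWRoot\
    re.IGNORECASE,
)
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "OPTIONS", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
MINIREDIR_UA = "Microsoft-WebDAV-MiniRedir"


def is_internal(host):
    """True for allowlisted names, internal DNS suffixes and RFC 1918/loopback addresses."""
    host = host.lower()
    if host in INTERNAL_WEBDAV_HOSTS or host.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                                 # a name we do not know: treat as external
    return any(ip in net for net in PRIVATE_NETS)


def check_proxy(rec):
    """Rule 1: WebDAV client traffic or WebDAV methods toward an external host."""
    host = urlparse(rec.get("url", "")).hostname or ""
    if not host or is_internal(host):
        return None
    ua, method = rec.get("ua", ""), rec.get("method", "").upper()
    if ua.startswith(MINIREDIR_UA):
        return f"Windows WebDAV client ({ua}) contacted external host {host}"
    if method in WEBDAV_METHODS:
        return f"WebDAV method {method} sent to external host {host}"
    return None


def check_process(rec):
    """Rule 2: a process whose working directory, command line or image is on an external WebDAV share."""
    for field in ("cwd", "cmdline", "image"):
        m = WEBDAV_UNC.search(rec.get(field, ""))
        if m and not is_internal(m.group(1)):
            return f"{field} of {rec.get('image')} points at external WebDAV share on {m.group(1)}"
    return None


def find_webdav_indicators(lines):
    """Run both rules over JSON-lines records; return one finding per matching record."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reason = check_proxy(rec) if rec.get("type") == "proxy" else check_process(rec)
        if reason:
            findings.append({"line": lineno, "source": rec.get("src") or rec.get("host"), "reason": reason})
    return findings


# Constructed sample records in an invented schema (not real logs). 203.0.113.45 and
# 198.51.100.7 stand in for attacker-controlled hosts on the internet.
SAMPLE_LOG = r"""
{"type": "proxy", "src": "10.0.5.21", "method": "PROPFIND", "url": "http://203.0.113.45/share/", "ua": "Microsoft-WebDAV-MiniRedir/10.0.19045"}
{"type": "proxy", "src": "10.0.5.22", "method": "GET", "url": "https://www.example.com/", "ua": "Mozilla/5.0"}
{"type": "proxy", "src": "10.0.5.23", "method": "PROPFIND", "url": "https://sharepoint.corp.example/sites/hr/", "ua": "Microsoft-WebDAV-MiniRedir/10.0.22631"}
{"type": "proxy", "src": "10.0.5.24", "method": "PROPFIND", "url": "https://198.51.100.7/dav/", "ua": "curl/8.0"}
{"type": "proc", "host": "WS-21", "image": "C:\\Windows\\System32\\cmd.exe", "cwd": "\\\\203.0.113.45@80\\DavWWWRoot\\share", "cmdline": "cmd.exe"}
{"type": "proc", "host": "WS-22", "image": "C:\\Windows\\explorer.exe", "cwd": "C:\\Users\\alice", "cmdline": "explorer.exe"}
{"type": "proc", "host": "WS-23", "image": "C:\\Windows\\System32\\notepad.exe", "cwd": "C:\\Users\\bob", "cmdline": "notepad.exe \\\\files.corp.example@SSL@443\\DavWWWRoot\\policy.txt"}
"""

if __name__ == "__main__":
    for f in find_webdav_indicators(SAMPLE_LOG.strip().splitlines()):
        print(f"line {f['line']:>2}  {f['source']:<12} {f['reason']}")
```

On the sample data the script flags three records: the mini-redirector reaching an internet host, a raw PROPFIND to an internet host from a non-Windows client, and a process whose working directory is an external WebDAV share. The two internal WebDAV records are deliberately left alone so that the rules stay quiet on legitimate SharePoint use; the allowlist, not the rules, is what decides that, so keep it current.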
## References
- Vendor Advisory: [Microsoft Security Response Center (MSRC) June 2025 Release Notes](https://msrc.microsoft.com/update-guide/releaseNote/2025-Jun)
- Threat Report: [Check Point Research on the Stealth Falcon zero-day](https://research.checkpoint.com/2025/stealth-falcon-zero-day/)
- Exploited Vulnerability Catalog: [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Vulnerability Database: [NVD entry for CVE-2025-33053](https://nvd.nist.gov/vuln/detail/CVE-2025-33053)
- Vulnerability Database: [NVD entry for CVE-2025-47966](https://nvd.nist.gov/vuln/detail/CVE-2025-47966)