Full Report
A researcher tells CyberScoop that up to 80% of enterprises could be vulnerable to the zero-day Microsoft patched in its June update. (Source: CyberScoop, "Microsoft Patch Tuesday addresses 66 vulnerabilities, including an actively exploited zero-day".)
Analysis Summary
# Vulnerability: Zero-Day Exploited in Microsoft WebDAV & Critical RCE in Power Automate (June 2025)
## CVE Details
- CVE ID: CVE-2025-33053 (Zero-Day)
- CVE ID: CVE-2025-47966 (Critical Flaw)
- CVSS Score: Not stated in the article; the release includes one critical and 43 high-severity flaws.
- CWE: Not specified for either CVE.
## Affected Systems
- Products: Microsoft WebDAV (Web Distributed Authoring and Versioning, an HTTP extension for remote file access that is widely used across enterprise systems), Microsoft Power Automate, Microsoft Office and standalone Office products.
- Versions: Not listed in the article; all systems covered by the June 2025 Patch Tuesday updates are potentially vulnerable.
- Configurations: Systems with WebDAV enabled; it is often turned on for legitimate business needs but may be poorly secured.
## Vulnerability Description
Microsoft's June 2025 security update addressed 66 vulnerabilities. The most critical finding is a **zero-day vulnerability in WebDAV** allowing remote code execution (RCE) by unauthorized attackers. An espionage group, Stealth Falcon, was confirmed to have exploited this vulnerability in March 2025 against a defense company in Turkey to deploy malware.
Additionally, a **critical vulnerability (CVE-2025-47966) exists in Power Automate** that allows an unauthorized attacker to escalate privileges through the exposure of sensitive information.
## Exploitation
- Status: **CVE-2025-33053 is actively exploited in the wild** by the espionage group Stealth Falcon. CISA has added it to the Known Exploited Vulnerabilities Catalog.
- Complexity: Implied to be **Low to Medium** given the confirmed use in targeted attacks.
- Attack Vector: Likely **Network** for the WebDAV RCE.
## Impact
- Confidentiality: Likely **High** (due to RCE leading to potential data exfiltration).
- Integrity: Likely **High** (due to RCE and privilege escalation capability).
- Availability: Likely **High** (due to RCE and potential for system compromise). *Note: Impact levels are inferred based on the severity classification (Critical/Zero-Day RCE).*
## Remediation
### Patches
- Patches are available as part of the **Microsoft June 2025 Patch Tuesday** release.
- Specific patches are needed for WebDAV components, Power Automate, and 17 vulnerabilities affecting Microsoft Office products.
### Workarounds
- The summary details no specific workarounds beyond applying the vendor patches.
- Because the zero-day lies in WebDAV, organizations should review any exposed WebDAV instances and restrict or harden them.
## Detection
- Indicators of Compromise: Malware deployed by the Stealth Falcon group; the reported chain uses WebDAV for initial infection, followed by LOLBins and multi-stage loaders.
- Detection methods and tools: Monitor network traffic for unusual WebDAV interactions, and use endpoint detection and response (EDR) tooling to flag atypical process execution chains involving native and .NET components after the initial compromise.
## References
- Vendor Advisories: Microsoft’s Security Response Center (MSRC) release notes for June 2025.
- Relevant links:
  - [Microsoft Security Update Guide Release Note - June 2025](https://msrc.microsoft.com/update-guide/releaseNote/2025-Jun)
  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
  - [Check Point Research Report on Stealth Falcon](https://research.checkpoint.com/2025/stealth-falcon-zero-day/)