- Your Meta AI prompts might be public - here's how to check
- Former CISA and NCSC Heads Warn Against Glamorizing Threat Actor Names
- Some apps are battery vampires - how to root them out and shut them down
- Your Android phone just got a major feature upgrade for free - including these Pixel models
- I found a Linux distro that combines the best parts of other operating systems (and it works)
Two Microsoft Zero-Days for Admins to Fix in June Patch Tuesday
June is set to be a relatively quiet month for sysadmins, with Microsoft patching just two zero-day vulnerabilities – one of which has been exploited in the wild.
The exploited zero-day is CVE-2024-33053, rated as “important” by Microsoft with a CVSS score of 8.8.
It’s a remote code execution (RCE) bug in the Web Distributed Authoring and Versioning (WebDav) HTTP extension, which could allow attackers to execute arbitrary code with elevated privileges.
It represents a major risk, given the large number of enterprises thought to use WebDAV for remote file management in document management systems, collaboration platforms and legacy file-sharing tools, according to Seth Hoyt, senior security engineer at Automox.
“This vulnerability stems from how WebDAV handles file commands like PUT and MOVE, which can be abused when the service is misconfigured or unnecessarily exposed. Although WebDAV isn’t enabled by default, its presence in legacy or specialized systems still makes it a relevant target,” he explained.
“The attack involves uploading a malicious file using a PUT request, renaming it via MOVE with a semicolon-injected filename, and triggering execution through a crafted URL, effectively bypassing standard security controls.”
Microsoft also classes publicly disclosed flaws that have yet to be exploited as “zero-days.” In this category, it listed one vulnerability this Patch Tuesday: CVE-2025-33073.
This is an “important”-rated elevation of privilege (EoP) vulnerability in the Windows Server Message Block (SMB) client, which also has a CVSS score of 8.8.
EoP bugs are highly sought-after by threat actors, according to Ben McCarthy, lead cybersecurity engineer at Immersive.
“Once an attacker has gained an initial foothold on a machine, often through methods like phishing or exploiting another vulnerability, they can leverage privilege escalation flaws to gain deeper control,” he explained.
“With elevated privileges, an attacker could potentially disable security tools, access and exfiltrate sensitive data, install persistent malware, or move laterally across the network to compromise additional systems.”
Given the critical role SMB plays in Windows networking, administrators should prioritize patching this bug, McCarthy argued.
In total there were 66 CVEs fixed this Patch Tuesday, including 10 RCE bugs, which ranks June among the lightest update rounds this year.
