Contents

01. News Bites
  • Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws
  • FIN6 hackers pose as job seekers to backdoor recruiters’ devices
  • Over 84,000 Roundcube instances vulnerable to actively exploited flaw
  • Critical Fortinet flaws now exploited in Qilin ransomware attacks
  • Ivanti Workspace Control hard-coded key flaws expose SQL credentials

02. Conclusion

Quick News Bites

Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws

On Tuesday, 10 June 2025, Microsoft released its Patch Tuesday updates for June 2025, addressing 66 vulnerabilities. This month’s release includes fixes for one actively exploited zero-day vulnerability and nine critical vulnerabilities, along with a further 56 vulnerabilities of varying severity.

The number of bugs in each vulnerability category is listed below:

  • 13 Elevation of Privilege Vulnerabilities
  • 3 Security Feature Bypass Vulnerabilities
  • 25 Remote Code Execution Vulnerabilities
  • 17 Information Disclosure Vulnerabilities
  • 6 Denial of Service Vulnerabilities
  • 2 Spoofing Vulnerabilities

Microsoft Windows received the most patches this month with 44, followed by ESU (24) and Microsoft Office (18). This count does not include the Mariner, Microsoft Edge and Power Automate flaws fixed earlier this month.

Two zero-day vulnerabilities:

The actively exploited zero-day vulnerability:

Tracked as CVE-2025-33053, this is a high severity vulnerability (base score: 8.2) affecting Web Distributed Authoring and Versioning (WebDAV). According to the Check Point advisory, this remote code execution vulnerability allows attackers who can control file names or paths in WebDAV implementations on affected systems to execute code without requiring authentication.

WebDAV is primarily server software, which requires client software to interact with it. Microsoft's advisory further states that a user must click on a specially crafted WebDAV .url file for the flaw to be exploited.

Research by Check Point reports that CVE-2025-33053 was being actively exploited in a new campaign conducted by the APT group “Stealth Falcon”. Most notably, an attempted cyberattack against a major defence organisation in Turkey was identified.

This vulnerability has been added to the Known Exploited Vulnerabilities (KEV) catalog on the CISA website.

The publicly disclosed zero-day vulnerability:

Tracked as CVE-2025-33073, this is a high severity vulnerability (base score: 8.8) and an elevation of privilege vulnerability in the Windows SMB client. An attacker can exploit it by executing a specially crafted malicious script that coerces the victim machine to connect back to the attacker's system over SMB and authenticate, which results in elevation of privilege and, if successful, SYSTEM privileges.

This vulnerability affects Windows systems that use the SMB client functionality. Unlike the vulnerability mentioned above, it has been publicly disclosed but has not been seen exploited in the wild.

While an update is now available, the flaw can reportedly be mitigated by enforcing server-side SMB signing via Group Policy.

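As an added example (not from the bulletin, Microsoft, or any vendor), the PowerShell script below audits whether the server-side SMB signing mitigation mentioned above is actually in force on a host, reading both the live SMB server/client configuration and the registry values that the corresponding Group Policy settings write. It assumes an elevated session on Windows 8/Server 2012 or later, where the SmbShare cmdlets are available.

```powershell
# Added example, not part of the bulletin: audit SMB signing enforcement on the local host.
# Server-side "require signing" is the Group Policy mitigation cited for CVE-2025-33073;
# the client-side setting is reported alongside it for completeness.
# Assumes an elevated PowerShell session with the SmbShare module (Windows 8 / Server 2012+).

function Test-SmbSigningPolicy {
    [CmdletBinding()]
    param()

    # Effective configuration as seen by the SMB server and SMB client services
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration

    # Registry values written by the security policies
    #   "Microsoft network server: Digitally sign communications (always)" -> LanmanServer
    #   "Microsoft network client: Digitally sign communications (always)" -> LanmanWorkstation
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cliKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srvReg = (Get-ItemProperty -Path $srvKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    $cliReg = (Get-ItemProperty -Path $cliKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        ServerSigningRequired = [bool]$srv.RequireSecuritySignature
        ServerSigningEnabled  = [bool]$srv.EnableSecuritySignature
        ServerPolicyRegistry  = $srvReg   # 1 = required by policy, 0/empty = not set
        ClientSigningRequired = [bool]$cli.RequireSecuritySignature
        ClientPolicyRegistry  = $cliReg
        # The mitigation named in the bulletin holds only when the server side requires signing
        MitigationInPlace     = [bool]$srv.RequireSecuritySignature
    }
}

$result = Test-SmbSigningPolicy
$result | Format-List

if (-not $result.MitigationInPlace) {
    Write-Warning 'Server-side SMB signing is not required on this host.'
    Write-Warning 'Enforce it via GPO ("Microsoft network server: Digitally sign communications (always)") or locally with:'
    Write-Warning '  Set-SmbServerConfiguration -RequireSecuritySignature $true -Force'
}
```

Run it across a fleet (for example via Invoke-Command) to find hosts where the policy has not applied; the registry value shows what policy intends, the SmbServerConfiguration value shows what the service is actually enforcing.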
To access the full list and description of each vulnerability and the systems it affects, you can visit the Microsoft Security Update Guide release notes here: https://msrc.microsoft.com/update-guide/releaseNote/2025-jun

FIN6 threat actor group poses as job seekers to compromise recruiters’ devices

FIN6, also known as “Skeleton Spider”, is a notable threat actor group known for conducting financial fraud. In its latest campaign the group is posing as job seekers on platforms such as LinkedIn and Indeed to backdoor recruiters’ devices with malware known as ‘More Eggs’, delivered through fake resumes and phishing websites.

According to a report by DomainTools, FIN6 is conducting social engineering campaigns that exploit professional trust. The group first initiates contact with recruiters on LinkedIn and Indeed, posing as enthusiastic job seekers, before sending phishing messages that lead to malware. The resumes and emails contain no clickable links, which means they evade link-scanning security tools or features an organisation may have in place. The recruiter is instead forced to type the URL manually, and these URLs take them to a landing page that mimics a personal resume portfolio.

The URLs seen in these campaigns follow a FirstnameLastname.com pattern (e.g. johnsmith[.]com), mimicking a real applicant by displaying a picture and name on the landing page. The landing pages use traffic filtering and CAPTCHA checks to ensure that only human recruiters are served the malware. Once the recruiter is verified, the site delivers a malicious ZIP file; the resulting backdoor allows command execution, credential theft and follow-on payload delivery, often operating in memory to evade detection.


Over 80,000 Roundcube instances vulnerable to actively exploited vulnerability – CVE-2025-49113

Threat actors exploited a critical remote code execution (RCE) flaw in Roundcube, tracked as CVE-2025-49113 with a critical severity score of 9.9, just days after the patch was released, targeting over 80,000 servers.

The vulnerability arises from defective sanitisation of the $_GET['_from'] parameter in Roundcube's image upload feature for managing sender identities, and had remained hidden in the software for over a decade. An attacker can exploit the flaw to take control of affected systems and run malicious code, putting users and organisations at significant risk.

The advisory from NIST reads as follows: “Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.”

This vulnerability was addressed in the latest versions, 1.6.11 and 1.5.10 LTS. Organisations are recommended to apply and enforce this update as soon as possible, as the scale at which the attacks are being leveraged is unclear. Organisations are also recommended to monitor affected systems, including monitoring for brute-force attempts.


Critical Fortinet flaws now being actively exploited by Qilin ransomware gang

The Qilin ransomware gang, also known as “Phantom Mantis”, has been observed exploiting two Fortinet vulnerabilities in FortiOS/FortiProxy devices that allow authentication bypass on devices that remain unpatched. Qilin ransomware was previously associated with the compromise of “Synnovis” in the UK, a third-party medical testing and diagnostics provider.

PRODAFT, a threat intelligence company, recently spotted Qilin exploiting two Fortinet vulnerabilities: the critical out-of-bounds write vulnerability CVE-2024-21762 and the critical authentication bypass vulnerability CVE-2024-55591, both of which affect FortiOS and FortiProxy SSL-VPN devices. The ransomware gang was found to be focusing on several organisations across Spanish-speaking countries between May and June 2025. However, PRODAFT state in their report that although their data suggests a focus on “Spanish-speaking countries”, they assess that the gang is selecting its targets opportunistically rather than by geography or by a specific sector.

In February 2024, Fortinet detected that the critical remote code execution vulnerability CVE-2024-21762 in FortiOS SSL VPN was being actively exploited in the wild. Although these CVEs date from 2024, Fortinet devices still remain unpatched against these vulnerabilities.


Ivanti Workspace Control hardcoded key flaws expose SQL credentials

Ivanti has released three security updates to fix high-severity hardcoded key flaws that impact its Ivanti Workspace Control (IWC) platform. The IWC platform helps enterprise administrators to manage, deploy and configure operating system and application settings for Microsoft Windows users, regulating access and workspace configuration based on policies and user roles.

The three vulnerabilities are caused by the use of hard-coded keys, which can lead to privilege escalation and system compromise. CVE-2025-5353 and CVE-2025-22455, both rated high severity with a base score of 8.8, are described by NIST as a hardcoded key in Ivanti Workspace Control before version 10.19.10.0 that allows a local authenticated attacker to decrypt stored SQL credentials. Meanwhile, the other vulnerability, tracked as CVE-2025-22455 with a high severity score of 7.2, is described by NIST as a hardcoded key in Ivanti Workspace Control before version 10.19.10.0 that allows a local authenticated attacker to decrypt the stored environment password.

On 10/06/2025 Ivanti released patches and urged its customers to patch immediately, as successful exploitation could lead to credential compromise. It is currently not known whether these vulnerabilities are being used in targeted attacks in the wild. Ivanti had previously announced that the IWC platform will be retired, reaching end of life in December 2026, as the company moves forward with the User Workspace Manager platform, to which users are recommended to migrate.

Closing Summary

If you are worried about any of the threats outlined in this bulletin, or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or, alternatively, Get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.