Microsoft’s Patch Tuesday Fixes 66 Flaws — But Two Are Already Being Exploited

This month’s Microsoft update includes patches for 66 security flaws, and two of them are already being used in real-world attacks — one dating back to March.

Microsoft’s latest Patch Tuesday didn’t just arrive with the usual pile of updates — it came with a wake-up call. The company’s June 2025 update includes fixes for 66 security vulnerabilities, 10 of which are marked critical. But what’s raising eyebrows is that two of these bugs are already under active exploitation — and one has a backstory that reads like a cyber-thriller.

The update dropped just after 10 a.m. Pacific, and one zero-day bug in particular — tracked as CVE-2025-33053 — had already been in the wild for months, giving attackers a head start. That one’s been linked to a hacking group with a murky reputation and a history of highly targeted campaigns.

One Flaw, Many Victims — And a Persistent Attacker

The zero-day flaw centers on the Web Distributed Authoring and Versioning protocol, or WebDAV for short. It’s a tech that’s been hanging around for years, enabling file sharing and editing over the web. But it turns out, that convenience also opened the door to a serious vulnerability.

What makes this one so dangerous? It’s basically a one-click attack. A victim clicks a malicious link — disguised as a PDF — and boom, the attacker can execute code remotely. No further interaction needed.

The crew exploiting it? That would be Stealth Falcon, a hacker group that’s been circling since at least 2012. They’ve got a history of targeting journalists, dissidents, and government-related entities, mostly in the Middle East.

Their latest move was aimed at a Turkish defense firm. That’s where Check Point researchers spotted the flaw — but by then, it had already done damage.

How the Attack Went Down

Eli Smadja from Check Point, who led the investigation, offered some insight into how it played out. According to him, it started with a cleverly disguised email. You know the kind — looks official, smells official, but has a nasty payload hidden inside.

“The victim clicks on a URL file disguised as a PDF,” Smadja explained via email. “That’s a common tactic in spear-phishing campaigns.”

And then it’s lights out.

The file downloads malware that slips past defenses, including a custom-built keylogger and data-exfiltration tools. Not exactly your average spam.
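For defenders, the lure described above can be triaged before anyone clicks it. The following Python sketch is an added example, not code from Check Point or from the original article: it flags .url shortcuts that are named like documents or that point at remote shares or WebDAV paths. The heuristics, the function name triage_shortcut and the example.test hosts are assumptions made for illustration.

```python
import configparser
import re

# Keys of the [InternetShortcut] section that hold a location.
LOCATION_KEYS = ("url", "workingdirectory", "iconfile")
# UNC path (\\host\share) or file:// URL naming a remote host.
REMOTE = re.compile(r"^(\\\\[^\\]+\\|file://[^/]+/)", re.IGNORECASE)
# WebDAV redirector forms of a UNC path: \\host@SSL\..., \\host@8080\..., \DavWWWRoot\.
WEBDAV = re.compile(r"^\\\\[^\\]*@|\\davwwwroot(\\|$)", re.IGNORECASE)
# Document-style extension sitting in front of the real .url extension.
DECOY = re.compile(r"\.(pdf|docx?|xlsx?)\.url$", re.IGNORECASE)


def triage_shortcut(filename, content):
    """Return findings for one .url file; an empty list means nothing was flagged."""
    findings = []
    if DECOY.search(filename):
        findings.append("decoy-extension")
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read_string(content)
    except configparser.Error:
        return findings + ["unparseable"]
    for section in parser.sections():
        if section.lower() != "internetshortcut":
            continue
        for key in LOCATION_KEYS:
            value = parser.get(section, key, fallback="").strip()
            if WEBDAV.search(value):
                findings.append(f"webdav:{key}")
            elif REMOTE.match(value):
                findings.append(f"remote:{key}")
    return findings


# Constructed samples; hosts under example.test are placeholders.
SAMPLES = {
    "invoice.pdf.url": "[InternetShortcut]\nURL=https://example.test/invoice\n"
                       "IconFile=\\\\files.example.test@SSL\\DavWWWRoot\\pdf.ico\n",
    "notes.url": "[InternetShortcut]\nURL=file://fs.example.test/share/notes.txt\n",
    "Intranet.url": "[InternetShortcut]\nURL=https://intranet.example.test/\n",
    "broken.url": "this is not a shortcut file\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage_shortcut(name, body))
```

A hit is a reason to quarantine and review the attachment, not proof of compromise; legitimate shortcuts to internal file shares will also match the remote-path rule.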

Legacy Systems Get a Rare Lifeline

Microsoft isn’t usually in the habit of patching unsupported platforms. But this time, they made an exception.

Why? Because the vulnerability was so dangerous and so widespread, they actually issued patches for Windows Server 2008 and even for Internet Explorer’s guts — a browser that’s been officially dead since 2022.

Here’s what got updated in this unusual move:

  • Internet Explorer core components (even on dead systems)

  • WebDAV modules on Windows Server 2008

  • Multiple versions of Windows Server and Windows 10

Microsoft didn’t provide exact numbers on how many systems were hit before the patch, but analysts suspect the actual figure could be in the thousands — maybe more.

The Bigger Picture: Patch Tuesday’s Full Rundown

Now, this wasn’t a one-issue update. The full Patch Tuesday drop included fixes for 66 flaws across various Microsoft products.

Here’s a look at the breakdown:

Patch Category           Number of Fixes
Total Vulnerabilities    66
Critical                 10
Actively Exploited       2
Zero-Days                1
Out-of-Support Fixes     2

And here’s the kicker — 33% of the critical flaws could allow remote code execution. That’s not just bad news — it’s worst-case scenario territory if left unpatched.

Should Users Be Worried?

In short, yes — but it’s not panic time.

Security experts are advising users and businesses to patch immediately, especially if their systems still use WebDAV or have legacy Internet Explorer components lurking around. You’d be surprised how many enterprise systems still rely on old code under the hood.

Some organizations delay updates out of fear they’ll break things. But with active exploits in play, that’s a risky move.

There’s a fine line between cautious and careless.

What Makes This Different from Past Updates?

Every Patch Tuesday brings its own drama, but this one stands out for a few reasons:

  • It fixes a zero-day that’s been in the wild since March.

  • The attack was highly targeted, not just a spray-and-pray phishing campaign.

  • Microsoft patched dead systems, which it rarely does.

  • WebDAV is old tech — but still widely used.

Also, the attack wasn’t generic. The phishing emails were customized to specific users. That makes detection harder and raises questions about what else might be lurking.

And What Now?

As of this week, the patches are available and rolling out through Windows Update. But there’s always a lag between release and adoption. That’s the window attackers love — and they’re already through it.

Keep in mind, Stealth Falcon isn’t known for flashy attacks. They work in silence, pick targets carefully, and usually have a bigger agenda than just stealing passwords.

The fact that it took until June for this to go public? That’s what’s scary.
