As the calendar turns to Patch Tuesday, Microsoft has once again taken center stage, announcing a significant update aimed at addressing a multitude of vulnerabilities. This month, the tech giant has identified 66 flaws that require attention, including a zero-day vulnerability that was only disclosed today at 10:00 AM Pacific Time. Among these, ten critical patches stand out, with two of them currently being exploited in the wild.
In a notable move, Microsoft has extended its patching efforts to include older, out-of-support platforms such as Windows Server 2008 and components of the long-retired Internet Explorer. One particularly concerning vulnerability, designated CVE-2025-33053, has been actively exploited since March by the Stealth Falcon hacking group. This group, known for its targeted attacks across the Middle East, has leveraged this flaw in the Web Distributed Authoring and Versioning (WebDAV) extension, allowing for remote code execution with just a single click on a malicious link.
According to Eli Smadja, a research group manager at Check Point, the attack vector is sophisticated. Victims are often lured into clicking on a URL disguised as a PDF, a tactic frequently employed in spear-phishing campaigns. The attackers meticulously craft emails and attachments to appear legitimate, increasing the likelihood of success. Smadja noted that the URL file names were tailored specifically for the targets, indicating a high level of customization in their approach.
The second vulnerability under active exploitation is found within the Chromium V8 JavaScript engine, utilized by Microsoft Edge. Google addressed this issue, CVE-2025-5419, last week, and Microsoft has now included it in its patch bundle to mitigate the associated memory corruption risks.
Cover those crits
Among the vulnerabilities requiring immediate attention is CVE-2025-33073, an escalation of privilege vulnerability in the Windows SMB Client. Although it has been publicly disclosed along with proof-of-concept code, it has yet to be exploited. Rated with a CVSS score of 8.8, this flaw could allow an attacker to gain SYSTEM privileges if a user is deceived into connecting to a malicious server.
The list of critical issues is extensive, with ten vulnerabilities demanding prompt remediation. Four of these are found within Microsoft Office, all carrying CVSS scores of 8.4 and categorized as “Exploitation More Likely,” utilizing the Preview Pane as an entry point:
- CVE-2025-47162: A heap-based buffer overflow that enables local attackers to execute arbitrary code.
- CVE-2025-47164: A use-after-free vulnerability that can lead to arbitrary code execution through local access.
- CVE-2025-47167: A type confusion bug allowing local code execution, with potential delays in visibility for Microsoft 365 users based on their update channel.
- CVE-2025-47953: Another use-after-free flaw enabling local code execution, though deemed less likely to be exploited.
Additionally, four critical remote code execution patches have been identified:
- CVE-2025-47172: A vulnerability in SharePoint that permits authenticated network attackers to execute code remotely.
- CVE-2025-29828: A fix addressing a memory leakage issue in Windows Schannel.
- CVE-2025-32710: A vulnerability in Remote Desktop Gateway allowing unauthorized access to target machines.
- CVE-2025-33071: A cryptographic protocol vulnerability in the Windows KDC Proxy Service.
Two additional critical fixes focus on elevation-of-privilege flaws: CVE-2025-47966, associated with Microsoft Power Automate, which carries a high CVSS score of 9.8, and CVE-2025-33070, targeting Windows Netlogon, which Microsoft describes as requiring a “complex” attack to exploit.
Beyond the critical vulnerabilities, this month’s patch batch also encompasses a range of important updates for Office and the Storage Management Provider.
Adobe and the rest
Meanwhile, Adobe users are urged to act swiftly, as the company has prioritized fixes for Adobe Commerce, affecting versions 2.4.8 and earlier, as well as Commerce B2B for version 1.5.2 and below. Fortunately, no known exploits have been reported for these vulnerabilities thus far.
Adobe’s Experience Manager takes the spotlight with an extensive update addressing 254 CVEs, predominantly important fixes, including two critical and two moderate vulnerabilities. Notably, the important fixes primarily involve cross-site scripting issues that could lead to arbitrary code execution.
Adobe Acrobat users will find ten fixes in this update, four of which are critical, addressing use-after-free memory issues across Windows and macOS. Interestingly, there are no patches for Photoshop this month. InDesign receives nine patches, five of which are critical and could allow code execution if exploited. Additionally, InCopy and Substance 3D Sampler each have critical out-of-bounds flaws to address, while 3D Painter faces a single critical issue of the same nature.
Fortinet has also been active in addressing vulnerabilities, particularly the CVE-2023-42788 flaw discovered by security researchers at Orange in FortiAnalyzer 7.4. Following a patch in FortiManager Cloud last month, FortiAnalyzer-Cloud has now received an update to resolve the issue.
Lastly, SAP continues its tradition of aligning with Patch Tuesday, resolving 14 issues this month. Among these, the only critical patch is CVE-2025-42989, associated with the NetWeaver Application Server, which boasts a CVSS score of 9.6, while the remainder primarily addresses missing authorization checks in S/4HANA.
