Yesterday was Patch Tuesday for June, and that means Microsoft provided new security fixes for 66 vulnerabilities. According to Microsoft, one vulnerability in Windows is already being exploited in attacks and several other vulnerabilities in Windows and Office are labelled as critical.
Keep reading for more details on the various security vulnerabilities that have been addressed. The next Patch Tuesday will be July 8th, 2025.
Windows security vulnerabilities
A large share of the vulnerabilities, 44 this time, are spread across the various Windows versions (10 and newer, Server) for which Microsoft still offers security updates. Windows 7 and 8.1 are no longer receiving security updates, so they remain vulnerable. If your system meets the requirements, you should upgrade to Windows 11 24H2 at your earliest convenience to continue receiving security updates. (Because Windows 10 reaches end of life in October, we don’t recommend moving to it instead.)
Windows under attack
According to Microsoft, the CVE-2025-33053 vulnerability in Windows, which affects WebDAV and Internet Explorer, is already being attacked. Internet Explorer is still present as legacy code in all Windows versions because the MSHTML platform, for example, is still used by some older applications. A single click by the user on a specially crafted link is enough to execute injected code. Microsoft is providing updates for Windows Server 2008 and newer to fix this vulnerability.
The EoP (Elevation of Privilege) vulnerability CVE-2025-33073 in the Windows SMB client is already publicly known. Microsoft would like to thank the experts at several IT security companies who privately reported this vulnerability to Microsoft. If a user can be tricked into contacting a malicious server (an SMB server would be an obvious choice), then the server could compromise the user’s system and gain elevated privileges. Ultimately, code could be executed with SYSTEM privileges.
Critical Windows vulnerabilities
Microsoft has rated an RCE vulnerability (CVE-2025-33071) in the Kerberos KDC proxy service (KPSSVC) as critical. Domain controllers are generally not affected by this. The RCE vulnerability CVE-2025-29828 in Windows Schannel could be exploited by an attacker sending a flood of fragmented TLS ClientHello messages to a server that accepts TLS connections. According to Dustin Childs, Microsoft secretly patched the RCE vulnerability CVE-2025-32710 in Remote Desktop Services back in May and is only now catching up with the documentation.
The EoP (Elevation of Privilege) vulnerability CVE-2025-33070 in Windows Netlogon could allow an attacker to obtain domain administrator privileges by sending crafted logon requests to a domain controller. Microsoft apparently considers it quite likely that this vulnerability will be exploited in the foreseeable future.
Microsoft also rated the EoP vulnerability CVE-2025-47966 in the cloud-based productivity tool Power Automate (formerly Microsoft Flow) as critical. Fortunately, Microsoft has already taken care of it.
Office security vulnerabilities
Microsoft has fixed 18 vulnerabilities in its Office product family, including 17 RCE vulnerabilities. Five vulnerabilities are classified as critical, including one that specifically affects SharePoint. Microsoft categorizes the other vulnerabilities as high risk.
For the four other critical vulnerabilities, the preview pane is considered an attack vector. This means that a specially prepared file can trigger an attack just by being displayed in the preview. The user doesn’t have to click on it or open it.
Browser security vulnerabilities
The latest version of Edge is 137.0.3296.68 from June 6th, based on Chromium 137.0.7151.69. However, Google released a new Chrome (and Chromium) update, version 137.0.7151.103/104, yesterday on June 10th, which fixes vulnerabilities classified as high risk.