Guest Post: Office Vulnerabilities Raise Quiet Alarm
By: Tyler Reguly, Associate Director, Security R&D, Fortra
Boring. That’s the first word that came to mind when I saw the June patch drop. It’s a relatively small one with just 66 CVEs, and nothing jumps out when you look at the release notes. With only one vulnerability listed as Exploit Detected and only one CVSS Base Score above 9.0, it feels like a quiet month… but sometimes quiet months can be quite scary.
When you dig in deeper, you find that Microsoft has labelled 10 of these vulnerabilities as Critical using their severity system. A couple of those are remote but require large numbers of messages or winning a race condition, and Microsoft has indicated we’re less likely to see an exploit for these.
The scary part of our quiet Patch Tuesday is a set of 4 vulnerabilities impacting Office. These vulnerabilities (CVE-2025-47167, CVE-2025-47164, CVE-2025-47162, and CVE-2025-47953) are one of the most concerning aspects of this month’s patch drop. The patches for Microsoft 365 for Office are not currently available and the preview pane is an attack vector. It is always important to take note of Microsoft’s Preview Pane FAQ entry as that is likely to indicate that the vulnerability can be exploited without user interaction, simply by receiving an email. Additionally, 3 of the 4 were listed as Exploitation More Likely in Microsoft’s exploitability assessment.
The other items worth discussing this month are the single vulnerability that has been seen in active exploitation, CVE-2025-33053, and the single CVSS Critical, CVE-2025-47966.
With our actively exploited vulnerability, users need to click on a link or visit a malicious website in order to reach the malicious WebDAV server. Given the active exploitation of this vulnerability, this is the update that should be prioritized this month. It is important to note that there may be multiple updates to install on older versions of Windows.
As for that Critical CVSS vulnerability, the CVE was released as part of Microsoft’s efforts towards transparency with cloud vulnerabilities. In this case, there’s nothing for Microsoft users to do except be aware that it exists.
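The triage logic the post walks through (active exploitation first, preview-pane issues without a patch next, then exploitability assessment, with cloud CVEs needing no customer action dropped to the bottom regardless of CVSS) can be written down explicitly. This is an added example, not Fortra's or Microsoft's code; the CVSS values and the choice of which three Office CVEs are "Exploitation More Likely" are constructed placeholders, not values from MSRC.

```python
from dataclasses import dataclass

# Constructed data modelled on the advisory properties the post discusses.
# Flags on the named CVEs follow the post where it states them; CVSS values
# and the "more likely" split among the Office CVEs are placeholders.

@dataclass
class Advisory:
    cve: str
    cvss: float
    exploited: bool = False        # MSRC "Exploitation Detected"
    more_likely: bool = False      # MSRC "Exploitation More Likely"
    preview_pane: bool = False     # Preview Pane listed as an attack vector
    patch_available: bool = True   # False while a fix is still pending
    customer_action: bool = True   # False for cloud CVEs Microsoft fixes itself

def action_for(a: Advisory) -> tuple:
    """Return (priority, recommended action); lower priority acts first."""
    if not a.customer_action:
        return (4, "awareness only")
    if a.exploited:
        return (0, "patch now")
    if a.preview_pane and not a.patch_available:
        return (1, "mitigate (e.g. disable preview pane) until patch ships")
    if a.preview_pane or a.more_likely:
        return (2, "patch this cycle")
    return (3, "patch on normal cadence")

def triage(advisories):
    """Order advisories by action priority, then by CVSS descending."""
    return sorted(advisories, key=lambda a: (action_for(a)[0], -a.cvss))

JUNE_SAMPLE = [
    Advisory("CVE-2025-33053", 8.8, exploited=True),
    Advisory("CVE-2025-47966", 9.8, customer_action=False),
    Advisory("CVE-2025-47167", 8.4, more_likely=True, preview_pane=True, patch_available=False),
    Advisory("CVE-2025-47164", 8.4, more_likely=True, preview_pane=True, patch_available=False),
    Advisory("CVE-2025-47162", 8.4, more_likely=True, preview_pane=True, patch_available=False),
    Advisory("CVE-2025-47953", 8.4, preview_pane=True, patch_available=False),
    Advisory("CVE-PLACEHOLDER-RACE", 8.1),   # remote, needs a race; "less likely"
]

if __name__ == "__main__":
    for adv in triage(JUNE_SAMPLE):
        print(f"{adv.cve:24} CVSS {adv.cvss:<4} -> {action_for(adv)[1]}")
```

The highest CVSS score in the sample ends up last on the action list, which is exactly the point the post makes about CVE-2025-47966.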
With any luck, the lower CVE counts the past few months have relieved security teams of a bit of the patch fatigue they are likely accustomed to feeling. This could be a good month for a CSO to ride along with their IT team to see what they deal with when Microsoft patches are released. Sometimes, it is easier to forget what individual contributors are dealing with month over month and seeing it first hand, especially at a time when the pressure is reduced a little, can be a great way to identify process or tooling improvements that could really benefit your security team.
This entry was posted on June 10, 2025 at 2:57 pm and is filed under Commentary with tags Fortra.