Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild

News Room
Published 11 June 2025 (last updated 2025/06/11 at 5:24 AM)

Microsoft has released patches to fix 67 security flaws, including one zero-day bug in Web Distributed Authoring and Versioning (WEBDAV) that it said has come under active exploitation in the wild.

Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws.

The patches are in addition to 13 shortcomings addressed by the company in its Chromium-based Edge browser since the release of last month’s Patch Tuesday update.

The vulnerability that has been weaponized in real-world attacks concerns a remote code execution in WEBDAV (CVE-2025-33053, CVSS score: 8.8) that can be triggered by deceiving users into clicking on a specially crafted URL.

The tech giant credited Check Point researchers Alexandra Gofman and David Driker for discovering and reporting the bug. It’s worth mentioning that CVE-2025-33053 is the first zero-day vulnerability to be disclosed in the WebDAV standard.

In a separate report, the cybersecurity company attributed the abuse of CVE-2025-33053 to a threat actor known as Stealth Falcon (aka FruityArmor), which has a history of leveraging Windows zero-days in its attacks. In September 2023, the hacking group was observed using a backdoor dubbed Deadglyph as part of an espionage campaign aimed at entities in Qatar and Saudi Arabia.

“The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server,” Check Point said. “CVE-2025-33053 allows remote code execution through manipulation of the working directory.”

In the attack chain observed against an unnamed defense company in Turkey, the threat actor is said to have employed CVE-2025-33053 to deliver Horus Agent, a custom implant built for the Mythic command-and-control (C2) framework. It’s believed that the malicious payload used to initiate the attack, a URL shortcut file, was sent as an archived attachment in a phishing email.

The URL file is used to launch iediagcmd.exe, a legitimate diagnostics utility for Internet Explorer, leveraging it to launch another payload called Horus Loader, which is responsible for serving a decoy PDF document and executing Horus Agent.

“Written in C++, the implant shows no significant overlap with known C-based Mythic agents, aside from commonalities in the generic logic related to Mythic C2 communications,” Check Point said. “While the loader makes sure to implement some measures to protect the payload, the threat actors placed additional precautions within the backdoor itself.”

This includes the use of techniques like string encryption and control flow flattening to complicate analysis efforts. The backdoor then connects to a remote server to fetch tasks that allow it to collect system information, enumerate files and folders, download files from the server, inject shellcode into running processes, and exit the program.

CVE-2025-33053 infection chain

Horus Agent is assessed to be an evolution of the customized Apollo implant, an open-source .NET agent for Mythic framework, that was previously put to use by Stealth Falcon between 2022 and 2023.

“Horus is a more advanced version of the threat groups’ custom Apollo implant, rewritten in C++, improved, and refactored,” Check Point said.

“Similar to the Horus version, the Apollo version introduces extensive victim fingerprinting capabilities while limiting the number of supported commands. This allows the threat actors to focus on stealthy identification of the infected machine and next stage payload delivery, while also keeping the implant size significantly smaller (only 120Kb) than the full agent.”

The company said it also observed the threat actor leveraging several previously undocumented tools such as the following –

  • Credential Dumper, which targets an already-compromised Domain Controller to steal Active Directory and Domain Controller credential-related files
  • Passive backdoor, which listens for incoming requests and executes shellcode payloads
  • Keylogger, a custom C++ tool that records all keystrokes and writes them to a file under “C:/windows/temp/~TN%LogName%.tmp”

The keylogger notably lacks any C2 mechanism, meaning that it likely works in conjunction with another component that can exfiltrate the file to the attackers.
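The attack chain and tooling described above leave two host-side traces a defender can look for: the legitimate iediagcmd.exe being started with a working directory on a remote (UNC/WebDAV-style) share, and the keylogger's output file under C:\windows\temp\~TN%LogName%.tmp. The following triage helper is an added example, not code from the article, Check Point or Microsoft; the simplified event dictionaries, their field names (type, image, cwd, path) and the sample events are constructed for this illustration, and treating "iediagcmd.exe with a UNC working directory" as suspicious is a heuristic derived from the article's description, not a published detection rule.

```python
"""Triage helper for the host indicators described in the article (added example).

The event format is an assumption: each event is a dict with a "type" of either
"process" (fields: image, cwd, parent) or "file" (field: path), roughly what a
Sysmon- or EDR-style feed would provide after normalisation.
"""
import re
from typing import Iterable

# Legitimate Internet Explorer diagnostics binary named in the article as the
# process used to start the loader.
PROXY_BINARY = "iediagcmd.exe"

# Keylogger output path from the article: C:/windows/temp/~TN%LogName%.tmp
# %LogName% varies, so only the fixed prefix and suffix are matched.
KEYLOG_RE = re.compile(r"^c:[\\/]windows[\\/]temp[\\/]~tn[^\\/]*\.tmp$", re.IGNORECASE)

# UNC path (\\host\share...), which is also how the Windows WebDAV redirector
# exposes remote WebDAV shares.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def is_unc_path(path: str) -> bool:
    """True when the path points at a remote share rather than a local drive."""
    return bool(UNC_RE.match(path))


def is_proxy_launch_from_share(event: dict) -> bool:
    """Heuristic: iediagcmd.exe started with its working directory on a remote share."""
    image = event.get("image", "").lower()
    return image.endswith(PROXY_BINARY) and is_unc_path(event.get("cwd", ""))


def is_keylogger_artifact(event: dict) -> bool:
    """True when a file-creation event matches the ~TN*.tmp pattern in the temp dir."""
    return bool(KEYLOG_RE.match(event.get("path", "")))


def triage(events: Iterable[dict]) -> list[tuple]:
    """Return (label, details...) tuples for every event that matches an indicator."""
    findings = []
    for ev in events:
        if ev.get("type") == "process" and is_proxy_launch_from_share(ev):
            findings.append(("proxy_binary_unc_cwd", ev["image"], ev["cwd"]))
        elif ev.get("type") == "file" and is_keylogger_artifact(ev):
            findings.append(("keylogger_artifact", ev["path"]))
    return findings


# Constructed sample events (203.0.113.10 is a documentation-only address).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
     "cwd": r"\\203.0.113.10\share", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
     "cwd": r"C:\Users\alice", "parent": r"C:\Windows\explorer.exe"},
    {"type": "file", "path": r"C:\windows\temp\~TNSystem.tmp"},
    {"type": "file", "path": r"C:\windows\temp\report.tmp"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the helper flags the first process event (remote working directory) and the first file event (~TN prefix in the temp directory) and ignores the two benign look-alikes. Because the keylogger has no C2 of its own, the file-path match is worth correlating with outbound transfers from the same host.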

“Stealth Falcon employs commercial code obfuscation and protection tools, as well as custom-modified versions tailored for different payload types,” Check Point said. “This makes their tools more difficult to reverse-engineer and complicates tracking technical changes over time.”

The active exploitation of CVE-2025-33053 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fix by July 1, 2025.

“What makes this flaw particularly concerning is the widespread use of WebDAV in enterprise environments for remote file sharing and collaboration,” Mike Walters, President and Co-Founder of Action1, said. “Many organizations enable WebDAV for legitimate business needs — often without fully understanding the security risks it introduces.”

The most severe vulnerability resolved by Microsoft is a privilege escalation flaw in Power Automate (CVE-2025-47966, CVSS score: 9.8) that could permit an attacker to elevate privileges over a network. However, there is no customer action required to mitigate the bug.

Other vulnerabilities of note include elevation of privilege flaws in Common Log File System Driver (CVE-2025-32713, CVSS score: 7.8), Windows Netlogon (CVE-2025-33070, CVSS score: 8.1), and Windows SMB Client (CVE-2025-33073, CVSS score: 8.8), as well as a critical unauthenticated RCE vulnerability in the Windows KDC Proxy Service (CVE-2025-33071, CVSS score: 8.1).

“Over the past several months, the CLFS driver has become a consistent focus for both threat actors and security researchers due to its exploitation in multiple ransomware operations,” Ben McCarthy, lead cyber security engineer at Immersive, said.

“It is categorized as a heap-based buffer overflow — a type of memory corruption vulnerability. The attack complexity is considered low, and successful exploitation allows an attacker to escalate privileges.”

Adam Barnett, lead software engineer at Rapid7, said the exploitation of CVE-2025-33071 requires the attacker to exploit a cryptographic flaw and win a race condition.

“The bad news is that Microsoft considers exploitation more likely regardless, and since a KDC proxy helps Kerberos requests from untrusted networks more easily access trusted assets without any need for a direct TCP connection from the client to the domain controller, the trade-off here is that the KDC proxy itself is quite likely to be exposed to an untrusted network,” Barnett added.

Last but not least, Microsoft has also rolled out patches to remediate a secure boot bypass bug (CVE-2025-3052, CVSS score: 6.7) discovered by Binarly that enables the execution of untrusted software.

“A vulnerability exists in a UEFI application signed with a Microsoft third-party UEFI certificate, which allows an attacker to bypass UEFI Secure Boot,” Redmond said in an alert. “An attacker who successfully exploited this vulnerability could bypass Secure Boot.”

CERT Coordination Center (CERT/CC), in an advisory released Tuesday, said the vulnerability is rooted in Unified Extensible Firmware Interface (UEFI) applications DTBios and BiosFlashShell from DT Research, allowing Secure Boot bypass using a specially crafted NVRAM variable.

“The vulnerability stems from improper handling of a runtime NVRAM variable that enables an arbitrary write primitive, capable of modifying critical firmware structures, including the global Security2 Architectural Protocol used for Secure Boot verification,” CERT/CC said.

“Because the affected applications are signed by the Microsoft UEFI Certificate Authority, this vulnerability can be exploited on any UEFI-compliant system, allowing unsigned code to run during the boot process.”

Successful exploitation of the vulnerability could permit the execution of unsigned or malicious code even before the operating system loads, potentially enabling attackers to drop persistent malware that can survive reboots and even disable security software.

Microsoft, however, is not affected by CVE-2025-4275 (aka Hydroph0bia), another Secure Boot bypass vulnerability present in an InsydeH2O UEFI application that allows digital certificate injection through an unprotected NVRAM variable (“SecureFlashCertData”), resulting in arbitrary code execution at the firmware level.

“This issue arises from the unsafe use of an NVRAM variable, which is used as trusted storage for a digital certificate in the trust validation chain,” CERT/CC said. “An attacker can store their own certificate in this variable and subsequently run arbitrary firmware (signed by the injected certificate) during the early boot process within the UEFI environment.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

  • Adobe
  • Amazon Web Services
  • AMD
  • Arm
  • Atlassian
  • AutomationDirect
  • Bosch
  • Broadcom (including VMware)
  • Canon
  • Cisco
  • D-Link
  • Dell
  • Drupal
  • F5
  • Fortinet
  • GitLab
  • Google Android and Pixel
  • Google Chrome
  • Google Cloud
  • Hitachi Energy
  • HP
  • HP Enterprise (including Aruba Networking)
  • IBM
  • Intel
  • Insyde
  • Ivanti
  • Jenkins
  • Juniper Networks
  • Lenovo
  • Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
  • MediaTek
  • Mitel
  • Mitsubishi Electric
  • Moxa
  • Mozilla Firefox and Thunderbird
  • NVIDIA
  • Palo Alto Networks
  • Phoenix Technologies
  • QNAP
  • Qualcomm
  • Roundcube
  • Salesforce
  • Samsung
  • SAP
  • Schneider Electric
  • Siemens
  • SolarWinds
  • SonicWall
  • Splunk
  • Spring Framework
  • Synology
  • Trend Micro Apex Central, Apex One, Endpoint Encryption PolicyServer, and WFBS
  • Veritas
  • Zimbra, and
  • Zoho ManageEngine Exchange Reporter Plus and OpManager