Patch Tuesday, June 2025 – Krebs

Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warned that one of the flaws is already under active attack, and that software blueprints showing how to exploit a prevalent Windows bug patched this month are now public.

The only zero-day vulnerability this month is CVE-2025-33053, a remote code execution flaw in the Windows implementation of WebDAV, an HTTP extension that lets users remotely manage files and directories on a server. Although Windows does not enable WebDAV by default, its presence in older or professional systems still makes it a relevant target, said Seth Hoyt, senior safety engineer at Automox.

Adam Barnett, chief software engineer at Rapid7, said Microsoft's advisory for CVE-2025-33053 does not mention that the Windows implementation of WebDAV has been listed as deprecated since November 2023, which in practical terms means that the WebClient service is no longer started by default.

“The consultation also has low attack complexity, which means exploitation does not require preparing the target environment in any way beyond the attacker’s control,” Barnett said. “Development relies on users to click on malicious links. It is unclear how assets will be immediately vulnerable if the service does not run, but all versions of Windows receive a patch, including patches released since the deprecation of WebClient, such as Server 2025 and Windows 11 24H2.”

Microsoft warns that a flaw in the Windows Server Message Block (SMB) client (CVE-2025-33073) may be exploited because proof-of-concept code for this bug is now public. CVE-2025-33073 has a CVSS risk score of 8.8 (out of 10), and exploiting the flaw can lead to attackers gaining “system” level control over a vulnerable PC.

“What makes this particularly dangerous is that no further user interaction is required after the initial connection – an attacker can usually trigger it without the user’s awareness,” said Alex Vovk, co-founder and CEO of Action1. “Given the high level of privilege and ease of use, this defect poses a significant risk to the Windows environment. The affected systems are broad because SMB is the core Windows protocol for file and printer sharing and interprocess communication.”

Apart from these highlights, 10 vulnerabilities fixed this month were rated “critical” by Microsoft, including eight remote code execution flaws.

Notably absent from this month’s patch batch is a fix for a newly discovered weakness in Windows Server 2025 that allows an attacker to act with the privileges of any user in Active Directory. The flaw, dubbed “BadSuccessor,” was disclosed by researchers at Akamai on May 21, and there are now several public proofs of concept. Organizations with at least one Windows Server 2025 domain controller should review permissions for principals and limit those permissions as much as possible, said Satnam Narang of Tenable.

Adobe has released updates for Acrobat Reader and six other products that address at least 259 vulnerabilities, most of them in an update for Experience Manager. Mozilla Firefox and Google Chrome both recently released security updates that require a restart of the browser to take effect. The latest Chrome update fixes two zero-day vulnerabilities in the browser (CVE-2025-5419 and CVE-2025-4664).

For a detailed breakdown of the individual security updates released by Microsoft today, see the Internet Storm Center. Action1 has a breakdown of patches from Microsoft and many other software vendors releasing fixes this month. As always, back up your system and/or data before patching, and if you experience any issues applying these updates, feel free to drop a note in the comments.
