Microsoft Patch Tuesday addresses 66 vulnerabilities, including an actively exploited zero-day

Microsoft addressed 66 vulnerabilities across its suite of products and systems, including a zero-day in WebDAV that allows unauthorized attackers to remotely execute code, the company said in its latest security update Tuesday.
The espionage group Stealth Falcon exploited the zero-day — CVE-2025-33053 — to execute malware on a defense company in Turkey in March, Check Point Research said in a threat report Tuesday. “Stealth Falcon’s activities are largely focused on the Middle East and Africa, with high-profile targets in the government and defense sectors observed in Turkey, Qatar, Egypt and Yemen,” researchers said.
According to security researchers, Stealth Falcon has been carrying out espionage operations and deploying spyware against journalists, activists and dissidents since at least 2012.
“We are aware of a few organizations [impacted by the zero-day exploit] at the moment, and the CVE was only used by Stealth Falcon,” Eli Smadga, research group manager at Check Point Research, said via email. “The activity appears to be highly targeted, affecting specific victims rather than being widespread.”
The Cybersecurity and Infrastructure Security Agency added CVE-2025-33053 to its known exploited vulnerabilities catalog on Tuesday.
The espionage group’s recent operations “showcase a creative approach to infection chains by leveraging WebDAV, LOLBins, multi-stage loaders, and a mix of native and .NET components,” Check Point Research said in the threat report.
WebDAV, a set of extensions to the HTTP protocol that allows users to share and edit files remotely, is used widely across enterprise systems and often poorly secured, according to Mike Walters, president and co-founder of Action1.
“Many organizations enable WebDAV for legitimate business needs — often without fully understanding the security risks it introduces,” Walters said in an email. “The potential impact is extensive, with millions of organizations worldwide at risk.”
Walters estimates up to 80% of enterprises could be vulnerable to the zero-day Microsoft patched in its Patch Tuesday security update.
The batch of CVE disclosures and patches in Microsoft’s monthly security update includes one critical vulnerability, 43 high-severity defects and 22 flaws with an initial CVSS score in the medium-severity range.
The lone critical vulnerability — CVE-2025-47966 — exposes sensitive information to an unauthorized user in Power Automate, allowing an unauthorized attacker to escalate privileges.
Seventeen of the vulnerabilities in this month’s security update affect Microsoft Office and standalone Office products, including three defects Microsoft described as more likely to be exploited.
The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.