Source: www.csoonline.com – Author:
‘Troubling’ pattern of increasing number of remote code execution vulnerabilities, says expert.
This month’s Patch Tuesday fixes highlight a troubling pattern of remote code execution (RCE) holes being found in Microsoft’s core enterprise products, says an expert.
“This trend reinforces the need for defense-in-depth strategies that extend well beyond patching,” says Mike Walters, president of patch management provider Action1.
He pointed to several RCE vulnerabilities in this round of patches, including:
- a WebDAV remote code execution vulnerability (CVE-2025-33053), which is already under active exploitation;
- CVE-2025-47172, a remote code execution vulnerability in Microsoft SharePoint Server. With a CVSS score of 8.8, he said this SQL injection flaw could allow attackers with minimal permissions to execute code remotely, posing a serious risk to organizational security.
Walters said CISOs should consider accelerating the adoption of zero-trust architecture to reduce lateral movement, enhancing detection capabilities for post-exploitation behavior, reassessing security architecture to minimize reliance on perimeter defenses, and implementing application control policies to restrict the execution of unauthorized code.
“Patch management efforts should be guided by an organization’s specific threat landscape,” he added. “For instance, those with externally exposed SharePoint instances should prioritize the SharePoint RCE vulnerability. Meanwhile, organizations with large remote workforces should focus on the WebDAV and Office vulnerabilities, which are more likely to be exploited through phishing and malicious links.”
Also on Tuesday, CSOs with SAP NetWeaver Application Server for ABAP in their environment were warned to immediately install a just-released patch.
And Salesforce issued a number of patches after a security vendor discovered five zero-day vulnerabilities in its Industry Clouds.
Windows priorities
Plugging the Windows WebDAV remote code execution hole and preparing to defend against unpatched Microsoft Office vulnerabilities are two of the biggest priorities for CSOs after the release of the June Patch Tuesday fixes, experts said.
The WebDAV remote code execution vulnerability (CVE-2025-33053) is already under active exploitation, Walters noted.
With a CVSS score of 8.8, it allows unauthenticated remote attackers to execute code via specially crafted URLs, he said. The other way it could be exploited is through watering hole attacks: Threat actors could compromise legitimate websites and embed malicious WebDAV links, targeting specific organizations or industry sectors.
Once the initial compromise occurs via WebDAV, attackers can deploy secondary exploits to elevate privileges, potentially to SYSTEM level, he explained. Once inside a network, attackers can use this vulnerability to compromise additional systems by inducing users to click malicious links. And after initial compromise, attackers could then establish persistence through backdoors, allowing continued access even after the original vulnerability is patched.
Since WebDAV traffic runs over HTTP/HTTPS (ports 80/443), blocking it without disrupting legitimate web traffic is difficult, Walters said.
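Because the port gives nothing away, a proxy or gateway has to look at the HTTP layer instead. The following script is an added example, not from the article or from Action1: it flags WebDAV activity in proxy logs by the RFC 4918 methods that browsers never emit and by the User-Agent of the Windows WebClient service, the component that turns a WebDAV link (or a `\\host@80\share` UNC path) into HTTP requests. The log format, host names, addresses and allowlist are constructed for the illustration.

```python
"""
Flag WebDAV activity in HTTP proxy logs by protocol features rather than by
port. Added example, not part of the CSO Online article; the log lines and
host names below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# WebDAV-only HTTP methods (RFC 4918); ordinary browsing never uses these.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# User-Agent prefix of the Windows WebClient service, which resolves a WebDAV
# URL or a \\host@80\share UNC path into HTTP requests on the client's behalf.
WEBCLIENT_UA = re.compile(r"^Microsoft-WebDAV-MiniRedir/", re.IGNORECASE)

# Constructed sample proxy log: client, method, URL, status, quoted User-Agent.
SAMPLE_LOG = """\
10.1.2.3 GET https://intranet.example.test/index.html 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
10.1.2.3 OPTIONS http://203.0.113.10/ 200 "Microsoft-WebDAV-MiniRedir/10.0.26100"
10.1.2.3 PROPFIND http://203.0.113.10/share/ 207 "Microsoft-WebDAV-MiniRedir/10.0.26100"
10.1.2.4 GET https://cdn.example.test/app.js 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/126.0"
10.1.2.5 PROPFIND https://files.example.test/dav/ 207 "Mozilla/5.0 (Macintosh) Chrome/125.0"
not a log line
"""

LINE_RE = re.compile(r'^(\S+) ([A-Z]+) (\S+) (\d{3}) "([^"]*)"$')


@dataclass
class Finding:
    client: str
    method: str
    url: str
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Return (client, method, url, status, ua) or None for unparseable lines."""
    m = LINE_RE.match(line)
    return m.groups() if m else None


def flag_webdav(log_text: str, allowed_hosts=frozenset()):
    """Return a Finding for each WebDAV request to a host outside allowed_hosts."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, url, _status, ua = rec
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        if method in WEBDAV_METHODS:
            reasons.append(f"webdav-method:{method}")
        if WEBCLIENT_UA.match(ua):
            reasons.append("windows-webclient-ua")
        if not reasons or host in allowed_hosts:
            continue  # ordinary browsing, or a sanctioned DAV server
        if parsed.scheme == "http":
            reasons.append("cleartext-http")  # \\host@80\... style link
        findings.append(Finding(client, method, url, reasons))
    return findings


def clients_touching_webdav(findings):
    """Distinct client addresses with at least one finding, for triage."""
    return sorted({f.client for f in findings})


if __name__ == "__main__":
    for f in flag_webdav(SAMPLE_LOG, allowed_hosts={"files.example.test"}):
        print(f.client, f.method, f.url, ",".join(f.reasons))
```

The allowlist is what keeps this usable: an internal DAV server produces the same PROPFIND traffic as an attacker's host, so the rule fires only for endpoints nobody sanctioned, and the WebClient User-Agent catches the OPTIONS probe that precedes the first PROPFIND even when the DAV verbs themselves are not logged.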
Office vulnerabilities
There are four unpatched vulnerabilities impacting Microsoft Office (CVE-2025-47167, CVE-2025-47164, CVE-2025-47162, and CVE-2025-47953).
“The preview pane is an attack vector,” noted Tyler Reguly, associate director for security R&D at Fortra, who urges CSOs to read Microsoft’s Preview Pane FAQ entry about the hole. The vulnerability appears to be exploited without user interaction, simply by receiving an email, he said.
In addition, he pointed out, three of the four CVEs were listed as Exploitation More Likely in Microsoft’s exploitability assessment.
When you find yourself facing an unpatched vulnerability, patience is the key, Reguly advises CSOs. “Thankfully, Microsoft did not list these as already exploited, and, hopefully the patches will be released shortly. As a CSO, this is where you want to know that you’ve got a robust, layered approach to enterprise security. The real risk isn’t introduced until an exploit exists, and right now it is a race between Microsoft and the malicious actors. We don’t know who will win that race, so we rely on building our security stack from top to bottom and expect that our tool set will do the job if needed.”
CISOs should also note that Microsoft warned that distribution of the Windows 11, version 24H2 update released on Tuesday will be slowed.
“We’ve identified a compatibility issue affecting a limited set of these devices,” Microsoft said. “If your device is affected, you’ll receive a revised update with all the June 2025 security improvements by the end of the day. The June 2025 security update is fully available for all other supported versions of Windows.”
Ben McCarthy, lead cyber security engineer at Immersive, drew attention to CVE-2025-33071 (with a score of 8.1), a Windows KDC Proxy Service (KPSSVC) remote code execution vulnerability. It affects Windows servers configured as Kerberos Key Distribution Center (KDC) Proxy servers, the role that relays Kerberos traffic over HTTPS to the real KDCs.
Domain controllers themselves are not impacted in this case, he added.
This vulnerability stems from a flaw in the cryptographic protocol used by the service. An attacker can craft a malicious application to interact with the vulnerable service and exploit this cryptographic weakness.
“While several vulnerabilities have previously been discovered in the KDC service,” McCarthy said, “this one stands out due to its multi-stage nature, which involves exploiting a cryptographic flaw, triggering a race condition, and ultimately reaching a use-after-free state.”
Use-after-free vulnerabilities are particularly dangerous in complex, multi-threaded systems like the KDC, where managing object lifecycles, memory cleanup, and concurrent threads introduces opportunities for exploitation, he said. In this case, the attacker leverages the unpredictable timing of object de-allocation to execute code within the vulnerable service, potentially leading to full remote code execution.
Also note that today Microsoft issued a critical vulnerability disclosure for M365 Copilot. However, no customer action is needed.
SAP vulnerabilities
CSOs with SAP applications in their environment should also act on 14 new security notes issued Tuesday, including one HotNews and four high priority updates.
Security Note #3600840 (CVSS 9.6) is for NetWeaver AS ABAP. Researchers at Pathlock said authenticated attackers can bypass the S_RFC authorization object in tRFC/qRFC calls, enabling privilege escalation and potential system compromise. The affected versions include KERNEL 7.89, 7.93, 9.14, and 9.15.
“The key recommendation is to deploy this patch immediately,” said Pathlock, noting that after applying it, additional S_RFC authorizations may need to be granted. SAP Note #3601919 provides configuration guidance.
Salesforce vulnerabilities
Finally, Salesforce issued CVEs for five of the findings of researchers at AppOmni. The patches fix three of the zero days, while configuration guidance has been issued for the other two, which require customer action. There are also 16 configuration risks that are the responsibility of the customer to address.
The holes were found by Aaron Costello, AppOmni’s chief of SaaS security research. “These findings revealed how default settings and some insecure patterns that are the responsibility of the customers to configure and use correctly can lead to unauthorized access to encrypted fields, session stealing, credentials and business logic,” he said in a blog.
These findings impacted core components like FlexCards, Data Mappers, and Integration Procedures, says Salesforce’s advisory.
Original Post url: https://www.csoonline.com/article/4005350/june-patch-tuesday-advice-for-csos-defense-in-depth-needed-to-stop-rces.html
Category & Tags: Security, Threat and Vulnerability Management, Vulnerabilities