Microsoft has released fixes for 67 security flaws, including a zero-day in Web Distributed Authoring and Versioning (WebDAV) that is being actively exploited in the wild. Of the 67 vulnerabilities patched, 11 are rated Critical and 56 Important; 26 are remote code execution flaws, 17 are information disclosure issues and 14 are privilege escalation bugs, with the remaining ten falling into other classes. These fixes are in addition to 13 issues already addressed in the Chromium-based Edge browser since last month's security update.

The actively exploited bug is CVE-2025-33053 (CVSS score: 8.8), a remote code execution vulnerability in WebDAV that Microsoft classifies as external control of a file name or path (CWE-73). Exploitation requires a victim to open a specially crafted URL, after which attacker-controlled content is fetched from a WebDAV server and executed on the host. Researchers at Check Point discovered and reported the flaw, which they describe as the first publicly disclosed zero-day in the WebDAV standard. Check Point attributes the exploitation to Stealth Falcon (also tracked as FruityArmor), a group with a history of using Windows zero-days in its attacks.

In the attack chain observed against an unnamed defense company in Turkey, the group used CVE-2025-33053 to deliver Horus Agent, a custom implant built for the open-source Mythic command-and-control framework. The initial payload was an Internet Shortcut (.url) file sent as a compressed attachment in a phishing email. Opening the shortcut launches iediagcmd.exe, a legitimate, Microsoft-signed Internet Explorer diagnostics utility, which is abused to run the next stage, Horus Loader; the loader displays a decoy PDF document and then launches Horus Agent. Because the binary that runs is a trusted Windows component, detection has to key on the shortcut's reference to a remote WebDAV location and on iediagcmd.exe spawning a child from an unexpected path, rather than on the utility itself.
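As an added example (not from the article or from Check Point's report), the Python triage helper below applies two checks a defender would want for this chain: it parses Internet Shortcut (.url) files, such as those pulled from a mail attachment, and flags ones that launch a local executable while pointing another field at a remote WebDAV or UNC location; and it scans process-creation events for children of iediagcmd.exe whose image resolves outside the Windows directory. The .url contents, the event records and the path heuristics are constructed for this example; the article describes the chain only as a .url file that runs iediagcmd.exe, so the field-level pattern and the `C:\Windows` assumption are this example's own.

```python
"""Triage helpers for the CVE-2025-33053 delivery chain (constructed example)."""
import configparser
import re

# Path heuristics assumed for this example (not taken from the advisory):
# a UNC path, including the WebDAV mini-redirector form
# \\host@SSL\DavWWWRoot\..., or an http(s) URL counts as "remote"; a
# drive-letter path to an .exe, optionally written as a file:/// URL,
# counts as a local executable.
UNC_OR_WEBDAV = re.compile(r"^\\\\[^\\]+\\")
HTTP_URL = re.compile(r"^https?://", re.IGNORECASE)
LOCAL_EXE = re.compile(r"^(file:///)?[a-z]:[\\/].*\.exe$", re.IGNORECASE)


def is_remote(value):
    """True if a shortcut field points off-host."""
    return bool(UNC_OR_WEBDAV.match(value) or HTTP_URL.match(value))


def parse_url_file(text):
    """Parse an Internet Shortcut (.url) file; returns its fields with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return {k.lower(): (v or "").strip() for k, v in cp.items(section)}
    return {}


def url_file_findings(text):
    """Reasons a .url file looks like a WebDAV-backed lure; [] if nothing stands out."""
    fields = parse_url_file(text)
    reasons = []
    url = fields.get("url", "")
    if LOCAL_EXE.match(url):
        reasons.append("URL launches a local executable: " + url)
    for key in ("workingdirectory", "iconfile"):
        if is_remote(fields.get(key, "")):
            reasons.append(key + " is a remote location: " + fields[key])
    return reasons


def suspicious_children(events):
    """Children of iediagcmd.exe whose image is not under the Windows directory.

    Assumes %SystemRoot% is C:\\Windows; events are dicts with
    'parent_image' and 'image', as in Sysmon Event ID 1 or EDR telemetry.
    """
    hits = []
    for ev in events:
        parent = ev["parent_image"].lower()
        image = ev["image"].lower()
        if parent.endswith("\\iediagcmd.exe") and not image.startswith("c:\\windows\\"):
            hits.append(ev)
    return hits


# Constructed inputs for this example, not real samples.
LURE_URL_FILE = r"""[InternetShortcut]
URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe
WorkingDirectory=\\example.invalid@SSL\DavWWWRoot\share
"""

BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://example.invalid/
"""

SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
     "image": r"\\example.invalid@SSL\DavWWWRoot\share\route.exe"},  # child resolved over WebDAV: flag
    {"parent_image": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
     "image": r"C:\Windows\System32\route.exe"},                      # child under the Windows directory
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},                    # unrelated process
]

if __name__ == "__main__":
    for name, text in (("lure", LURE_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(name, url_file_findings(text))
    for hit in suspicious_children(SAMPLE_EVENTS):
        print("suspicious:", hit["parent_image"], "->", hit["image"])
```

The shortcut check is deliberately narrow: an http(s) URL in the URL field is what a normal shortcut carries and is not flagged on its own; the signal is a local executable in URL combined with a remote WorkingDirectory or IconFile. The process check will also fire on legitimate use of iediagcmd.exe from a non-standard install, so treat it as a hunt query to review rather than a blocking rule.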

The active exploitation of CVE-2025-33053 led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patch by July 1, 2025. Other notable fixes in the release include a privilege escalation flaw in Power Automate (CVE-2025-47966, CVSS score: 9.8), which Microsoft has already mitigated on the service side, and high-severity vulnerabilities in the Windows KDC Proxy Service (CVE-2025-33071, remote code execution) and the Windows SMB Client (CVE-2025-33073, privilege escalation). Besides Microsoft, Adobe, Cisco, Google, IBM and many other vendors have also released security updates in recent weeks.

This post was translated and summarized from its original version with the use of AI, with human review.

With information from The Hacker News