Major Microsoft Security Update Addresses Critical Vulnerabilities
Microsoft has rolled out a significant security update aimed at addressing 67 vulnerabilities within its software systems. Among these flaws is a notable zero-day vulnerability found in the Web Distributed Authoring and Versioning (WebDAV) component, which has reportedly been exploited in active attacks.
Overview of Vulnerabilities
Among the 67 vulnerabilities patched, 11 have been classified as critical and 56 as important. The security flaws comprise 26 remote code execution vulnerabilities, 17 information disclosure issues, and 14 privilege escalation bugs. This patch cycle expands upon previous updates, which included fixes for 13 additional vulnerabilities in Microsoft’s Edge browser.
The WebDAV Vulnerability (CVE-2025-33053)
The zero-day vulnerability in question pertains to remote code execution vulnerabilities associated with WebDAV (CVE-2025-33053), rated with a CVSS score of 8.8. This flaw can be exploited by tricking users into clicking on a malicious link. The discovery of this particular vulnerability is noteworthy as it marks the first time a zero-day exploit has been disclosed within the WebDAV standard. Researchers at Check Point, Alexandra Gofman and David Driker, are credited for identifying and reporting the issue.
Cybersecurity Implications
The exploitation of this vulnerability has been traced back to a threat actor group known as Stealth Falcon, also referred to as FruityArmor. This group has a history of leveraging Windows zero-day vulnerabilities for espionage campaigns. In September 2023, Stealth Falcon was observed deploying a backdoor named Deadglyph in targeted attacks against entities in Qatar and Saudi Arabia.
Eli Smadja, a research manager at Check Point Research, highlighted that while past operations have been linked to the United Arab Emirates, current findings do not confirm any specific country affiliation. Smadja also emphasized the targeted nature of this recent campaign, which focuses on specific victims rather than a broader attack.
Attack Methodology
The attack chain typically involves using an internet shortcut (URL) file that exploits the WebDAV flaw to execute malware from an actor-controlled server. Check Point has reported that this approach allows remote code execution through deliberate manipulation of the working directory. One incident against a defense contractor in Turkey showcased how the vulnerability was leveraged to introduce a custom implant known as Horus Agent, distributed via a specially crafted phishing email.
Features of The Malicious Payload
The Horus Agent, deemed an advancement over the previous Apollo implant, was crafted in C++ to enhance evasion tactics. Despite sharing core functionalities with some known Mythic agents, significant measures, such as string encryption and control flow flattening, have been incorporated to make analysis and detection more challenging for security teams.
This particular backdoor connects to a remote server, facilitating various malicious activities, such as system information gathering, file enumeration, and executing arbitrary commands—all while being cloaked from conventional security tools.
Keylogger and Other Tools
In addition to the Horus Agent, Stealth Falcon is employing an array of undocumented tools that further compromise victim security. Notable among these is a keylogger that tracks user keystrokes and stores them locally, allowing for data exfiltration in conjunction with other malware components.
Check Point’s research also reveals that Stealth Falcon utilizes advanced code obfuscation techniques, making their tools increasingly complex to analyze and track.
Official Responses and Recommendations
In light of the active exploitation of CVE-2025-33053, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This mandates that federal agencies apply Microsoft’s remediation steps by July 1, 2025.
Mike Walters, President and Co-Founder of Action1, expressed particular concern over the widespread adoption of WebDAV in corporate environments. Many organizations enable this feature for legitimate reasons yet may not fully understand the associated security risks.
Other Notable Vulnerabilities
Among the other critical vulnerabilities addressed in this update, a privilege escalation flaw in Power Automate (CVE-2025-47966) stands out, with a CVSS score of 9.8, allowing potential escalations of rights over a network. Also noteworthy is an unauthenticated remote code execution vulnerability in the Windows KDC Proxy Service (CVE-2025-33071), classified as critical.
Industry experts have pointed out that particular vulnerabilities, like those in the Common Log File System Driver and the Windows SMB Client, have gained attention due to their implications in ransomware-related operations.
Conclusion
This latest round of Microsoft security updates underscores the ongoing battle against cybersecurity threats, particularly the sophisticated techniques employed by groups such as Stealth Falcon. The swift action taken by Microsoft and the CISA highlights the urgent need for organizations to remain vigilant, regularly applying security patches to mitigate the risks posed by these vulnerabilities.
