Microsoft on Tuesday pushed out patches for at least 66 security defects across the Windows ecosystem and called urgent attention to a WebDAV remote code execution bug that’s already been exploited in the wild.
The WebDAV (Web Distributed Authoring and Versioning) flaw, marked as ‘important’ with a CVSS score of 8.8/10, allows browser-based drive-by downloads if a target clicks on a rigged website.
“External control of file name or path in WebDAV allows an unauthorized attacker to execute code over a network,” Microsoft said in a barebones bulletin.
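The bulletin's one-line description names a well-known weakness class (CWE-73, external control of file name or path): a path that an untrusted party controls is used to locate a file, and nothing stops that path from pointing outside the directory the program meant. The following is an added illustration of that class in Python, written for this article and not taken from the WebDAV code or from Microsoft; the base directory `/srv/attachments` and the sample names are constructed. The hardened function rejects absolute, drive-qualified, UNC-style (`\\host@80\DavWWWRoot`, the form Windows uses to reach a WebDAV share through its redirector) and URL-style inputs, refuses traversal components outright, and confirms the canonical result still sits under the base directory.

```python
import os
from pathlib import Path, PureWindowsPath


def resolve_untrusted_path_vulnerable(base_dir: str, supplied: str) -> str:
    """CWE-73 pattern: the supplied name is trusted and joined as-is.

    os.path.join discards base_dir entirely when `supplied` is absolute or
    a UNC path, so the caller may end up loading a file from wherever the
    untrusted party chose.
    """
    return os.path.join(base_dir, supplied)


def _is_remote_or_absolute(supplied: str) -> bool:
    """True if `supplied` is absolute, drive-qualified, UNC-style or a URL."""
    win = PureWindowsPath(supplied)          # parse with Windows rules too
    if win.drive or win.root or win.is_absolute():
        return True                          # C:\..., \\server\share, \foo
    if supplied.startswith(("\\\\", "//")):  # UNC / WebDAV redirector form
        return True
    if os.path.isabs(supplied):              # absolute under the host OS rules
        return True
    return "://" in supplied                 # http://, file://, ...


def resolve_untrusted_path_hardened(base_dir: str, supplied: str) -> str:
    """Return a canonical path under base_dir, or raise ValueError."""
    if not supplied or "\x00" in supplied:
        raise ValueError("empty or NUL-containing name")
    if _is_remote_or_absolute(supplied):
        raise ValueError("absolute, drive-qualified or remote paths are not allowed")
    # Normalise separators, then refuse traversal rather than trying to repair it.
    parts = [p for p in supplied.replace("\\", "/").split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        raise ValueError("path traversal component")
    base = Path(base_dir).resolve()
    candidate = base.joinpath(*parts).resolve()   # also collapses symlinks
    try:
        candidate.relative_to(base)               # containment check on the canonical form
    except ValueError:
        raise ValueError("resolved path escapes the base directory") from None
    return str(candidate)


def check(base_dir: str, supplied: str):
    """Return (accepted, resolved_path_or_reason) for one candidate name."""
    try:
        return True, resolve_untrusted_path_hardened(base_dir, supplied)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    base = "/srv/attachments"                      # constructed base directory
    for name in ("docs/report.docx",
                 "//files.example/share/doc.docx",
                 "\\\\files.example@80\\DavWWWRoot\\doc.docx",
                 "../../etc/passwd",
                 "C:\\Windows\\notepad.exe"):
        print(f"{name!r:50} vulnerable -> {resolve_untrusted_path_vulnerable(base, name)}")
        print(f"{'':50} hardened   -> {check(base, name)}")
```

The vulnerable variant shows the failure directly: `os.path.join` returns the attacker-chosen `//files.example/share/doc.docx` untouched. The hardened variant treats any sign of an externally controlled location as a hard rejection instead of attempting to sanitise it, which is the usual defensive posture for this weakness class.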
As is customary, Redmond has not disclosed who is abusing the CVE-2025-33053 software defect or whether exploitation is widespread. The company has not provided IOCs (indicators of compromise) or other telemetry to help defenders hunt for signs of infections.
Check Point Software, the company credited with reporting the bug, released a separate advisory warning that successful exploitation could allow a remote attacker to execute arbitrary code on the affected system.
Check Point has linked the in-the-wild exploitation to an APT group called ‘Stealth Falcon’ that uses spear-phishing to target organizations in Turkey, Qatar, Egypt and Yemen. Stealth Falcon has been publicly attributed to the United Arab Emirates (UAE).
Both companies warn that the attack surface is enormous, with every supported version of Windows listed as vulnerable, from older Server 2008 builds right up to Windows 11 24H2 and the forthcoming Server 2025 releases.
Because WebDAV relies on the legacy MSHTML and EdgeHTML rendering engines, Microsoft is also pushing fixes through the Internet Explorer cumulative update channel for older server platforms, ensuring the underlying scripting components are patched alongside the core WebDAV code.
The exploited WebDAV zero-day headlines a whopper of a Patch Tuesday that includes fixes for at least 9 critical-severity Windows flaws carrying remote code execution risk.
According to Redmond’s security response team, the critical bugs were patched in Microsoft SharePoint Server (CVE-2025-47172), Microsoft Office, Windows Netlogon (CVE-2025-47167), Windows KDC Proxy Service (CVE-2025-33071), Windows Remote Desktop Services (CVE-2025-32710), and Windows Schannel (CVE-2025-29828).
The software giant also flagged CVE-2025-3052 for immediate attention, warning that a vulnerability in a UEFI application signed with a widely trusted Microsoft third-party UEFI certificate could be exploited to bypass Secure Boot protections.
The InsydeH2O Secure Boot Bypass, reported by Binarly via CERT/CC, affects any machine that trusts Microsoft’s “UEFI CA 2011” digital signature, a list that includes most modern laptops, servers and workstations because the same certificate also signs the Linux “shim” loader used by major distributions.
Binarly said it first noticed the module on the VirusTotal malware-scanning service in November 2024; embedded signature metadata shows it was compiled and signed in October 2022, so it has likely been circulating undetected for years.