Microsoft warns of 66 flaws to fix for this Patch Tuesday • The Register

Patch Tuesday It’s Patch Tuesday time again, and Microsoft is warning that there are a bunch of critical fixes to sort out – and two actively exploited bugs.
Redmond reported 66 flaws to be fixed in its monthly patch bundle, including one that was a zero-day until 1000 Pacific Time today. There are ten critical patches, but two of the important ones are under active exploitation, and Microsoft has taken the unusual step of issuing patches for one bug all the way back to out-of-support platforms like Windows Server 2008 and the three-years-dead Internet Explorer’s underlying components.
The hole, CVE-2025-33053, has been exploited since March by the Stealth Falcon hacking crew, who have been active for over 10 years and have made a name for themselves exploiting zero-days in targeted attacks across the Middle East. The vulnerability is in the Web Distributed Authoring and Versioning (WebDAV) remote file sharing and collaboration extension, and it’s a one-click hit – follow the wrong link, and the attacker gets remote code execution on the victim’s machine.
The CVSS 8.8-ranked flaw was found by researchers at Check Point when it was used against a Turkish defense company to insert malware that allowed for data exfiltration and included a custom keylogger.
Here’s what Eli Smadja, a research group manager at Check Point, told us about the attack via email:
The second exploited flaw is in the Chromium V8 JavaScript engine from Google that Edge uses. Google patched CVE-2025-5419 last week and now Redmond is adding it to its bundle to mask off the memory corruption issue.
Cover those crits
Next on the priority list should be CVE-2025-33073, an escalation of privilege vulnerability in the Windows SMB Client that has been publicly disclosed with proof-of-concept code, but not yet exploited. Also rated CVSS 8.8, it would allow an attacker to get SYSTEM privileges if the user was tricked into signing onto a malicious server.
There are ten critical issues that should be on the to-do-as-soon-as-possible list. Four of them are in Office, all with CVSS 8.4 scores, the first three tagged as “Exploitation More Likely,” and they all use the Preview Pane as a way to gain access.
- CVE-2025-47162 – A heap-based buffer overflow bug that allows local attackers to execute arbitrary code.
- CVE-2025-47164 – A use-after-free vulnerability that can lead to arbitrary code execution via local access.
- CVE-2025-47167 – A type confusion bug that enables local code execution. Microsoft 365 users may not see the fix immediately, depending on their update channel.
- CVE-2025-47953 – A use-after-free flaw that enables local code execution. Microsoft considers this one less likely to be exploited.
There are four more critical remote code execution patches:
- CVE-2025-47172 for SharePoint, which would allow an authenticated network attacker to execute code remotely.
- CVE-2025-29828, which fixes a memory leakage problem in Windows Schannel.
- CVE-2025-32710 for Remote Desktop Gateway, which would allow unauthorized access to the target machine.
- CVE-2025-33071 for Windows KDC Proxy Service, which Microsoft describes as a “cryptographic protocol vulnerability.”
The remaining two critical fixes are CVE-2025-47966 and CVE-2025-33070, both elevation-of-privilege flaws. The first, in Microsoft Power Automate, carries a CVSS score of 9.8 and was patched earlier this month, after Microsoft flagged its high-risk potential. The second targets Windows Netlogon and, according to Microsoft, would require a “complex” attack to exploit, but it is still worth patching.
Outside the critical pile, this month’s patch batch includes a raft of important updates for Office and the Storage Management Provider.
Adobe and the rest
Users of Adobe Commerce need to get moving, as Adobe has placed these on its priority one to-fix list, whereas all its other patches get the lowest priority-three ranking.
The Commerce fixes are for versions 2.4.8 and older, and there are fixes for Commerce B2B for anyone running version 1.5.2 and below. Magento Open Source from version 2.4.8 also needs a fast fix. Thankfully there are no known exploits for this so far.
The award for the largest update by Adobe goes to Experience Manager, which contains fixes for 254 CVEs – mostly important but with two criticals and two moderates. The important fixes are all cross-site scripting issues that would allow arbitrary code execution.
Adobe’s flagship app Acrobat gets 10 fixes, four of them critical, including three use-after-free memory issues in Windows and macOS systems. Unusually there’s nothing to fix in Photoshop this month.
InDesign gets nine patches, five of which are critical and would, if exploited, allow code execution. Meanwhile InCopy has a couple of critical out-of-bounds flaws to fix, as does Substance 3D Sampler, while 3D Painter gets a single critical with the same type of issue.
Fortinet’s software fixers have had a busy time of it thanks to security researchers at the telco Orange, who found the CVE-2023-42788 flaw in FortiAnalyzer 7.4 a couple of years back. Last month, the issue was patched in FortiManager Cloud, and this month FortiAnalyzer-Cloud also got an update to sort out the issue.
SAP traditionally piggybacks on Patch Tuesday as well, and this month was no exception, with 14 issues sorted out. The only critical patch is CVE-2025-42989, an issue with the NetWeaver Application Server, which gets a 9.6 CVSS score, while the rest are mostly missing authorization checks in S/4HANA. ®