Microsoft has released patches to fix 67 security flaws, including one zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that it said has come under active exploitation in the wild.
Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws.
The patches are in addition to 13 flaws addressed by the company in its Chromium-based Edge browser since the release of last month's Patch Tuesday update.
The vulnerability that has been weaponized in real-world attacks is CVE-2025-33053.
The tech giant credited Check Point researchers Alexandra Gofman and David Driker for discovering and reporting the bug. It is worth noting that CVE-2025-33053 is the first zero-day vulnerability to be disclosed in the WebDAV standard.
In a separate report, the cybersecurity company linked CVE-2025-33053 to a threat actor known as Stealth Falcon (aka FruityArmor), which has a history of using Windows zero-days in its attacks. In September 2023, the hacking group was observed using a backdoor named Deadglyph as part of an espionage campaign aimed at organizations in Qatar and Saudi Arabia.
"The attack used a .url file that exploits a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server," Check Point noted. "CVE-2025-33053 allows remote code execution by manipulating the working directory."
In the attack chain observed against an unnamed defense company in Turkey, the threat actor used CVE-2025-33053 to deliver Horus Agent, a custom implant built for the Mythic command-and-control (C2) framework. The malicious payload used to initiate the attack, an internet shortcut (.url) file, is believed to have been sent as an archive attachment in a phishing email.
The .url file is used to launch iediagcmd.exe, a legitimate diagnostics utility for Internet Explorer, and through it to run another payload called Horus Loader, which is responsible for serving a PDF document and Horus Agent.
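As an added defensive example (not code from the original article or from Check Point's report), the following Python script parses Windows Internet Shortcut (.url) files and flags the two traits the chain above relies on: a WorkingDirectory that points at a remote UNC or WebDAV path, and a URL that launches a local program instead of opening a web page. The regular expressions are heuristics written for this example, the sample shortcuts are constructed inline, and the host name and program name in them are placeholders, not indicators from the report.

```python
import configparser
import os
import re
import sys
from typing import Dict, List

# Heuristics (written for this example, not a published signature) for a
# "remote" WorkingDirectory value: a UNC path (\\host\share), a WebDAV-style
# UNC path (\\host@80\share or \\host@SSL\share), or any URL scheme.
REMOTE_DIR_RE = re.compile(r"^\s*(?:\\\\|//|[a-z][a-z0-9+.\-]*://)", re.IGNORECASE)
WEBDAV_UNC_RE = re.compile(r"\\\\[^\\]+@(?:80|443|ssl)\b", re.IGNORECASE)

# Constructed sample inputs. The host "webdav.example.invalid" and the
# program "legit-tool.exe" are placeholders, not real indicators.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file:///C:/Windows/System32/legit-tool.exe
WorkingDirectory=\\\\webdav.example.invalid@80\\share
IconIndex=0
"""


def parse_url_shortcut(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] keys (lower-cased) of a .url file body,
    or an empty dict if the text is not a parseable shortcut."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def triage_url_shortcut(text: str) -> List[str]:
    """Return human-readable findings for one .url body; empty list = clean."""
    fields = parse_url_shortcut(text)
    if not fields:
        return ["not a parseable Internet Shortcut (no [InternetShortcut] section)"]
    findings: List[str] = []
    url = fields.get("url", "").strip()
    wd = fields.get("workingdirectory", "").strip()
    # A shortcut whose URL is a file: target runs a local program, not a web page.
    if url.lower().startswith("file:"):
        findings.append(f"URL points at a local file/program instead of a web page: {url}")
    # A remote working directory means the launched program resolves its
    # dependencies relative to a path the shortcut author controls.
    if wd and REMOTE_DIR_RE.match(wd):
        findings.append(f"WorkingDirectory is a remote path: {wd}")
    if WEBDAV_UNC_RE.search(wd):
        findings.append("WorkingDirectory uses WebDAV UNC syntax (host@80 / host@SSL)")
    return findings


def read_url_file(path: str) -> str:
    """Read a .url file, which may be ANSI/UTF-8 or UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a folder tree (e.g. an extracted mail attachment quarantine) and
    return findings keyed by path for every .url file that raised one."""
    results: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".url"):
                path = os.path.join(dirpath, name)
                findings = triage_url_shortcut(read_url_file(path))
                if findings:
                    results[path] = findings
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in scan_directory(sys.argv[1]).items():
            print(path)
            for line in findings:
                print("  -", line)
    else:
        print("benign sample:", triage_url_shortcut(BENIGN_URL_FILE))
        print("suspicious sample:", triage_url_shortcut(SUSPICIOUS_URL_FILE))
```

Run with a directory argument to sweep extracted attachments, or with no argument to triage the two constructed samples. The check is deliberately format-level: it does not need the launched program to be any particular binary, because the suspicious combination is a local-program target paired with a remote working directory, regardless of which utility is named.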
"Written in C++, the implant does not show significant overlaps with known Mythic agents written in C, except for the common logic associated with Mythic C2 communication," Check Point said. "While the loader necessarily implements some measures to protect the payload, the threat actors took additional precautions in the backdoor."
This includes the use of techniques such as string encryption and control-flow flattening to complicate analysis efforts. The backdoor then connects to a remote server to fetch tasks that allow it to collect system information, enumerate files and folders, download files from the server, inject shellcode into running processes, and exit the program.
Figure: CVE-2025-33053 infection chain (image not available)
Horus Agent is assessed to be an evolution of the group's customized version of Apollo, an open-source implant.
"Horus is a more advanced version of the threat group's custom 'Apollo implant', rewritten in C++, improved and transformed," Check Point said.
"Similar to the Horus versions, the Apollo version features extensive victim fingerprinting while limiting the number of supported commands. This allows the actors to focus on covertly identifying the infected machine and delivering the next-stage payload, while keeping the implant much smaller (only 120 KB)."
The company said it also observed the threat actor using several previously undocumented tools, such as the following:
- A credential-stealing tool aimed at the domain controller to steal Active Directory and domain-related credentials
- A passive backdoor
- A keylogger, a custom C++ tool that records all keystrokes and writes them to a file at "C:/Windows/Temp/~TN%LogName%.tmp"
The keylogger, in particular, has no C2 mechanism, meaning it likely works in conjunction with another component that can exfiltrate the captured data to the attacker.
"Stealth Falcon uses commercial code protection and obfuscation frameworks, as well as custom versions tailored to different types of payloads," Check Point said. "This makes their tools difficult to reverse engineer and complicates the tracking of technical changes over time."
Active exploitation of CVE-2025-33053 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fix by July 1, 2025.
"What makes this flaw especially notable is the relatively wide use of WebDAV in enterprises for remote file sharing and collaboration," said Mike Walters, President and Co-founder of Action1. "Many organizations enable WebDAV for legitimate business needs, often without fully understanding the risk it introduces."
The most severe vulnerability resolved by Microsoft is a privilege escalation flaw in Power Automate (CVE-2025-47966, CVSS score: 9.8) that could allow an attacker to elevate privileges over a network. However, no customer action is required to mitigate the bug.
Other vulnerabilities of note include privilege escalation flaws in the Common Log File System (CLFS) Driver (CVE-2025-32713, CVSS score: 7.8), Windows Netlogon (CVE-2025-33070, CVSS score: 8.1), the Windows SMB Client (CVE-2025-33073), and the KDC Proxy service (CVE-2025-33071, CVSS score: 8.1).
"Over the past few months the CLFS driver has become a consistent focus for both threat actors and security researchers due to its exploitation on several occasions," said Ben McCarthy, lead cybersecurity engineer at Immersive.
"It is classified as a heap-based memory corruption vulnerability."
Adam Barnett, lead software engineer at Rapid7, said exploitation of CVE-2025-33071 requires the attacker to abuse a cryptographic weakness and win a race condition.
"The bad news is that Microsoft considers exploitation more likely regardless, and since the KDC Proxy helps relay Kerberos requests from untrusted networks, it is easier to reach trusted assets without the need for a direct connection from the client to the domain controller."
Last but not least, Microsoft also rolled out patches to remediate a Secure Boot bypass (CVE-2025-3052, CVSS score: 6.7) discovered by Binarly that allows untrusted software to execute.
"The vulnerability exists in a UEFI application signed by the Microsoft UEFI certificate that allows an attacker to bypass UEFI Secure Boot," Redmond said in an advisory. "An attacker who successfully exploits this vulnerability can bypass Secure Boot."
The CERT Coordination Center (CERT/CC) said on Tuesday that the vulnerability is present in the DTBios and BiosFlashShell Unified Extensible Firmware Interface (UEFI) applications from DT Research, allowing Secure Boot to be bypassed using a specially crafted NVRAM variable.
"The vulnerability is related to improper handling of an NVRAM variable, which allows an arbitrary write primitive capable of modifying critical firmware structures, including the global Security2 Architectural Protocol," CERT/CC noted.
"As the affected applications are signed by the Microsoft UEFI certificate authority, this vulnerability can be exploited on any UEFI system that allows unsigned code to run during the boot process."
Successful exploitation of the vulnerability could allow unsigned or malicious code to run before the operating system loads, potentially enabling attackers to deploy persistent malware that survives reboots and even disables security software.
Microsoft's update, however, does not address CVE-2025-4275 (aka Hydroph0bia), another Secure Boot bypass vulnerability present in the Insyde H2O UEFI application that allows a digital certificate to be injected via an unprotected NVRAM variable ("SecureFlashCertData"), leading to arbitrary code execution at the firmware level.
"This issue stems from the unsafe use of an NVRAM variable as a trusted store for a digital certificate in the trust verification chain," CERT/CC noted. "An attacker can store their own certificate in this variable, and later run arbitrary firmware (signed by the injected certificate) during the early boot process in the UEFI environment."
Software patches from other vendors
In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to fix several vulnerabilities, including:
- Week
- Web Services Amazon
- AMD
- Arm
- Atlassian
- AutomationDirect
- Bosch
- Broadcom (including VMware)
- Canon
- Cisco
- D-Posal
- Declaration
- Drupal
- F5
- Firmer
- GitLab
- Google Android and Pixel
- Google Chrome
- Google Cloud
- Hitachi Energy
- HP
- HP Enterprise (including Aruba Networking)
- IBM
- Intel
- Storage
- Ivanti
- Jenkins
- Juniper Networks
- Lenovo
- Linux distributions Amazon Linux, Lunch, Oracle Linux, Red Hat, Rocky Linux, Spread, and Ubuntu
- Mediator
- Mitel
- Mitsubishi Electric
- Max
- Mozilla Firefox and Thunderbird
- NVIDIA
- Palo Alto Networks
- Phoenix Technologies
- QNAP
- Qualcomm
- Circle
- Seller
- Samsung
- Juice
- Schneider Electric
- Siemens
- SolarWinds
- SonicWall
- Bar
- Spring Framework
- Signature
- Trend Micro Apex Central, Apex One, Endpoint Encryption PolicyServer, and WFBS
- Veritas
- Marand
- Zoho ManageEngine Exchange Reporter Plus and Striker