Microsoft’s June 2025 Patch Tuesday: 5 cloud criticals, 3 IAM flaws, and Office 365 RCEs explained

Microsoft’s June 2025 Patch Tuesday update has covered 66 vulnerabilities, including one actively exploited bug. The high-stakes fixes this month ripple from Azure workloads to Office 365 desktops.
Microsoft’s June 2025 Patch Tuesday lists the following ten critical vulnerabilities:
- Microsoft Office remote code execution vulnerabilities: CVE-2025-47162, CVE-2025-47164, CVE-2025-47167, CVE-2025-47953
- Microsoft SharePoint server remote code execution vulnerability: CVE-2025-47172
- Windows Schannel remote code execution vulnerability: CVE-2025-29828
- Windows KDC proxy service remote code execution vulnerability: CVE-2025-33071
- Windows Netlogon elevation of privilege vulnerability: CVE-2025-33070
- Windows Remote Desktop Services remote code execution vulnerability: CVE-2025-32710
- Microsoft PowerPoint remote code execution vulnerability: CVE-2025-47177
Five major cloud risks at a glance
Five cloud-service bugs were newly disclosed, of which four are rated Critical: SharePoint Server RCE CVE-2025-47172, Schannel RCE CVE-2025-29828, Kerberos KDC Proxy RCE CVE-2025-33071, and Netlogon EoP CVE-2025-33070.
A WebDAV zero-day RCE (CVE-2025-33053) was tagged Important.

Three identity-centric weaknesses: two Critical Active Directory flaws (the same Netlogon and KDC Proxy CVEs) and an Important Windows Installer EoP (CVE-2025-33075) stand out in Microsoft’s June 2025 Patch Tuesday update.
Along with these are 17 Windows Storage Management Provider issues, an RDP information-disclosure bug, and nine fresh CVEs across Excel, Outlook, PowerPoint, and SharePoint. Earlier June fixes for Azure, Dataverse, Mariner, and Microsoft Edge are not counted here.
A particularly worrisome discovery is an unpatched threat: the BadSuccessor vulnerability.
This is a privilege escalation vulnerability discovered in Windows Server 2025 that allows attackers to act with the privileges of any user in Active Directory, without modifying the target object.
Research by Akamai Technologies found that in 91% of assessed environments, non-administrative users had the necessary permissions to perform this attack, making the vulnerability highly prevalent in real-world Active Directory deployments.
Why should identity-first defenders pay close attention?
Microsoft’s June 2025 Patch Tuesday update raises urgent questions for identity-first defenders. Mapped onto the MITRE ATT&CK framework, these vulnerabilities sketch a modern kill chain:
- Initial breach: A crafted SharePoint request, Schannel packet, or WebDAV call can drop remote code deep inside a hybrid cloud.
- Privilege escalation: Exploiting Netlogon or the Windows Installer EoP turns that foothold into domain-admin or SYSTEM control.
- Credential harvest: Once privileged, an attacker can mint Kerberos tickets, read Entra ID tokens, or reach into Office 365 mailboxes and SharePoint libraries.
Left unpatched, even an “Important” bug such as WebDAV’s CVE-2025-33053 can feed directly into those Critical pathways, and Microsoft’s code fixes still won’t close crucial ones such as BadSuccessor.
Prompt patching is a basic step you have to take here. Meanwhile, the Unosecur platform’s new Office 365 Connector gives you an instant map of every user, guest, service account and token across Exchange, SharePoint, OneDrive and Teams.
It spots identities that have been idle for 90 days or more, flags hidden admin paths created by nested groups, and raises real-time alerts when anyone bypasses SSO or MFA.
Teams can quarantine or de-licence risky accounts and trim surprise privileges in a single click, with each action automatically written to an immutable audit log, so you can prove to auditors that access was contained while the June 2025 Patch-Tuesday CVEs are being rolled out.
In short, while IT patches the code flaws, Unosecur removes the forgotten mailboxes and stealthy tokens that would let those flaws turn into full-tenant compromise.
High-impact identity and access flaws
Given below are the five critical cloud risks and three high-impact IAM vulnerabilities, with additional exposure from unpatched AD design flaws.
These critical vulnerabilities target core authentication services in Active Directory environments, allowing attackers to bypass authentication, escalate privileges to domain administrator, execute code within the Kerberos infrastructure, and potentially forge tickets or impersonate privileged users.
Their exploitation can lead to full domain compromise, credential theft, and persistent unauthorized access, making them crucial for immediate patching to protect enterprise identity and access management.

* Windows Installer EoP (CVE-2025-33075): while it can impact IAM policies if SYSTEM is compromised, it is not as directly tied to authentication as Netlogon or KDC Proxy.
Office 365 application vulnerabilities
Microsoft’s June 2025 Patch Tuesday update includes several additional vulnerabilities affecting Excel, Outlook, PowerPoint, and SharePoint: core components of the Office 365 Suite.

These vulnerabilities add to the already critical list and highlight the need for Office 365 administrators to apply all available patches across the suite—not just for the headline vulnerabilities.
Mitigation priorities after June 2025 Patch Tuesday
When it comes to patch management, your TPV should match your MTTR.
Time to Patch Vulnerabilities (TPV) is the countdown from a vendor’s patch release to full deployment, while Mean Time to Remediate (MTTR) clocks how long you take to contain a live incident.
When your TPV matches or beats your MTTR, critical fixes land on domain controllers, SSO gateways, and cloud IAM consoles before adversaries can reverse-engineer them. Executives gain a single, intuitive metric: if MTTR is five days and TPV is fifteen, the gap is obvious and actionable.
And any widening TPV-MTTR delta becomes an early-warning signal that change-control or resourcing bottlenecks are handing attackers free time: a risk the business can’t afford.
Microsoft’s June 2025 Patch Tuesday update addresses most technical vulnerabilities, but architectural weaknesses like BadSuccessor require proactive configuration changes.
Here is how Unosecur can help you address major issues:

For the vulnerabilities released in Microsoft’s June 2025 Patch Tuesday update, priority actions are:
For cloud security:
- Immediate Patching for SharePoint (CVE-2025-47172), Schannel (CVE-2025-29828), and KDC Proxy (CVE-2025-33071).
- Disable WebDAV where unused to neutralize CVE-2025-33053.
- Audit Storage Permissions to address 17 storage provider vulnerabilities.
For identity management:
- Enforce Netlogon Secure RPC to block CVE-2025-33070 exploitation.
- Restrict dMSA Creation and apply Akamai's mitigation script for BadSuccessor.
- Monitor LSA Services for anomalous activity linked to CVE-2025-33056/33057.
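As an added, read-only audit of three items from the checklist above (not a script from the post, Unosecur or Akamai), the following PowerShell reports whether the WebDAV client is still enabled, whether Netlogon secure-channel enforcement is set, and which principals hold CreateChild rights for dMSA objects on each OU, which is the permission BadSuccessor depends on. It assumes a domain-joined admin host with the ActiveDirectory RSAT module, and that the post's "Netlogon Secure RPC" item maps to the FullSecureChannelProtection registry value Microsoft documented for Netlogon hardening; the privileged-group exclusion list is illustrative.

```powershell
# Added example: audit-only checks for the June 2025 identity mitigations.
# Assumes RSAT ActiveDirectory module; reports findings, changes nothing.
Import-Module ActiveDirectory
$findings = [System.Collections.Generic.List[string]]::new()

# 1. WebDAV: the WebClient service is the WebDAV Mini-Redirector. If it is not
#    disabled on hosts that never need WebDAV, CVE-2025-33053 exposure remains.
$webclient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($webclient -and $webclient.StartType -ne 'Disabled') {
    $findings.Add("WebClient is $($webclient.Status), StartType=$($webclient.StartType); disable where WebDAV is unused")
}

# 2. Netlogon secure RPC enforcement (assumed mapping: FullSecureChannelProtection=1).
#    Run on each domain controller; a missing value reads as $null here.
$nlKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$fscp  = (Get-ItemProperty -Path $nlKey -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($fscp -ne 1) {
    $findings.Add("FullSecureChannelProtection is '$fscp' (expected 1) on $env:COMPUTERNAME")
}

# 3. BadSuccessor exposure: any principal allowed CreateChild for the
#    msDS-DelegatedManagedServiceAccount class (or CreateChild for all child
#    types, ObjectType = empty GUID) on an OU can create dMSAs there.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
$dmsaGuid  = [guid]$dmsaClass.schemaIDGUID
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$privileged  = 'Domain Admins|Enterprise Admins|NT AUTHORITY\\SYSTEM'   # illustrative exclusions
foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        $grantsCreate = ($ace.ActiveDirectoryRights -band $createChild) -ne 0   # GenericAll also sets this bit
        $coversDmsa   = ($ace.ObjectType -eq $dmsaGuid) -or ($ace.ObjectType -eq [guid]::Empty)
        if ($ace.AccessControlType -eq 'Allow' -and $grantsCreate -and $coversDmsa -and
            $ace.IdentityReference.Value -notmatch $privileged) {
            $findings.Add("$($ace.IdentityReference) can create dMSAs in $($ou.DistinguishedName)")
        }
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Each dMSA finding is a permission to review against the intended delegation model, not proof of compromise; pair it with Akamai's mitigation guidance referenced above before removing rights.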