Security News ZDI: The June 2025 Security Update Review

Gandalf_The_Grey

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,929
It’s the second Tuesday of the month, and while many places in the Northern Hemisphere are scorching, Microsoft and Adobe have released their latest security offering in hopes of cooling things down. Grab an iced beverage and take a break from your scheduled activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for June 2025

For June, Adobe released seven bulletins addressing a massive 254 CVEs in Adobe Acrobat Reader, InCopy, Experience Manager, Commerce, InDesign, Substance 3D Sampler, and Substance 3D Painter. Four of these bugs were reported through the Trend ZDI program. Of these patches, Adobe rates the fixes for Commerce as Priority 1, even though they state there are no known exploits for the five CVEs addressed. The biggest update by far affects Experience Manager. This fix alone covers 225 CVEs – although most are simply cross-site scripting (XSS) bugs. Still, XSS bugs can lead to arbitrary code execution.

Of the remaining updates, the fix for Acrobat covers 10 bugs that could lead to code execution in an open-and-own scenario. The fix for InCopy addresses two Critical-rated code execution bugs. For InDesign, five of the nine CVEs are also Critical-rated code execution bugs, with the others being memory leaks. The fix for Substance 3D Sampler also fixes two code execution bugs. Finally, the June release from Adobe ends with a single fix for an Out-of-Bounds (OOB) Write bug in Substance 3D Painter.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.
Microsoft Patches for June 2025

This month, Microsoft released a reasonable 66 new CVEs in Windows and Windows Components, Office and Office Components, .NET and Visual Studio, Nuance Digital Engagement Platform, and the Windows Cryptographic Service. Three of these bugs were reported through the Trend ZDI program. With the additional third-party CVEs being documented, it brings the combined total to 70 CVEs.

Of the patches released today, 10 are rated Critical, and the rest are rated Important in severity. This number of fixes is relatively typical for June, but it does put Microsoft ahead of where they were at this point last year with regard to CVEs released year-over-year. It’s also another massive release for Office-related bugs. Time will tell if any of these make their way into exploit kits in the future.

Microsoft lists one bug as being under active attack at the time of release, with one other being publicly known.
Looking Ahead

The next Patch Tuesday of 2025 will be on July 8, and I’ll be back then with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
Gandalf_The_Grey
Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws
Today is Microsoft's June 2025 Patch Tuesday, which includes security updates for 66 flaws, including one actively exploited vulnerability and another that was publicly disclosed.

This Patch Tuesday also fixes ten "Critical" vulnerabilities, eight being remote code execution vulnerabilities and two being elevation of privileges bugs.

The number of bugs in each vulnerability category is listed below:
  • 13 Elevation of Privilege Vulnerabilities
  • 3 Security Feature Bypass Vulnerabilities
  • 25 Remote Code Execution Vulnerabilities
  • 17 Information Disclosure Vulnerabilities
  • 6 Denial of Service Vulnerabilities
  • 2 Spoofing Vulnerabilities
This count does not include Mariner, Microsoft Edge, and Power Automate flaws fixed earlier this month.
Gandalf_The_Grey
New Secure Boot flaw lets attackers install bootkit malware, patch now
Security researchers have disclosed a new Secure Boot bypass tracked as CVE-2025-3052 that can be used to turn off security on PCs and servers and install bootkit malware.

The flaw affects nearly every system that trusts Microsoft's "UEFI CA 2011" certificate, which is pretty much all hardware that supports Secure Boot.

Binarly researcher Alex Matrosov discovered the CVE-2025-3052 flaw after finding a BIOS-flashing utility signed with Microsoft's UEFI signing certificate.

The utility was originally designed for rugged tablets but as it was signed with Microsoft's UEFI certificate, it can run on any Secure Boot-enabled system.

Further investigations discovered that the vulnerable module had been circulating in the wild since at least late 2022 and later uploaded to VirusTotal in 2024, where Binarly spotted it.

Binarly disclosed the flaw to CERT/CC on February 26, 2025, with CVE-2025-3052 being mitigated today as part of the Microsoft June 2025 Patch Tuesday.
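Microsoft blocks a Secure Boot bypass of this kind by adding the offending signed module's hashes to the UEFI forbidden-signature database (dbx), so the practical check after patching is whether the revocation actually reached your firmware variable. The following script is an added example written for this thread (it is not Binarly's, Microsoft's or the article's code): it parses the concatenated EFI_SIGNATURE_LIST structures in a dbx blob and reports whether a given SHA-256 image hash is revoked. The two "revoked" hashes it embeds are constructed sample data, not the real CVE-2025-3052 hashes; substitute the hashes published in the vendor advisory when you run it against a real dump.

```python
"""Parse a UEFI dbx (forbidden-signature database) blob and check whether a
SHA-256 image hash has been revoked.  Added example for this thread; the
sample hashes below are constructed and are NOT the CVE-2025-3052 hashes."""
import hashlib
import struct
import uuid
from typing import Iterator, NamedTuple

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Owner GUID Microsoft stamps on the entries it ships in dbx updates.
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# Variable GUID shared by db and dbx; efivarfs exposes dbx as "dbx-<GUID>".
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d84-4b36-a0c1-78d3e0ed8b50"

# EFI_SIGNATURE_LIST after the 16-byte SignatureType GUID:
# SignatureListSize, SignatureHeaderSize, SignatureSize (all UINT32, little-endian)
SIG_LIST_HDR = struct.Struct("<III")


class SigEntry(NamedTuple):
    sig_type: uuid.UUID
    owner: uuid.UUID
    data: bytes  # 32-byte hash for SHA256 lists, DER certificate for X509 lists


def parse_signature_lists(blob: bytes) -> Iterator[SigEntry]:
    """Walk every EFI_SIGNATURE_LIST in a db/dbx blob, rejecting malformed lists."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 16 + SIG_LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off + 16)
        body_start = off + 16 + SIG_LIST_HDR.size + hdr_size
        body_end = off + list_size
        # A zero/short list size would loop forever or read past the blob; refuse it.
        if sig_size < 16 or body_start > body_end or body_end > len(blob):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = blob[body_start:body_end]
        if len(body) % sig_size:
            raise ValueError(f"list at offset {off} is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]  # EFI_SIGNATURE_DATA: SignatureOwner GUID + SignatureData
            yield SigEntry(sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:])
        off = body_end


def revoked_sha256_hashes(blob: bytes) -> set[str]:
    """Lower-case hex of every SHA-256 entry (X509 entries are ignored here)."""
    return {e.data.hex() for e in parse_signature_lists(blob) if e.sig_type == EFI_CERT_SHA256_GUID}


def is_hash_revoked(blob: bytes, sha256_hex: str) -> bool:
    return sha256_hex.lower() in revoked_sha256_hashes(blob)


def is_wellformed(blob: bytes) -> bool:
    try:
        list(parse_signature_lists(blob))
        return True
    except ValueError:
        return False


def build_sha256_list(hashes, owner: uuid.UUID = MICROSOFT_OWNER_GUID) -> bytes:
    """Encode SHA-256 hashes as one EFI_SIGNATURE_LIST (used to construct the sample)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = SIG_LIST_HDR.pack(16 + SIG_LIST_HDR.size + len(body), 0, 16 + 32)
    return EFI_CERT_SHA256_GUID.bytes_le + header + body


def load_dbx_efivarfs(path: str = f"/sys/firmware/efi/efivars/dbx-{EFI_IMAGE_SECURITY_DATABASE_GUID}") -> bytes:
    """Read dbx from Linux efivarfs; the first 4 bytes are variable attributes, not data."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample: two revoked image hashes and one that is not in dbx.
SAMPLE_HASHES = [hashlib.sha256(b"constructed-revoked-image-1").digest(),
                 hashlib.sha256(b"constructed-revoked-image-2").digest()]
SAMPLE_DBX = build_sha256_list(SAMPLE_HASHES)
NOT_REVOKED = hashlib.sha256(b"constructed-still-allowed-image").hexdigest()

if __name__ == "__main__":
    for h in sorted(revoked_sha256_hashes(SAMPLE_DBX)):
        print("revoked:", h)
    print(is_hash_revoked(SAMPLE_DBX, SAMPLE_HASHES[0].hex()), is_hash_revoked(SAMPLE_DBX, NOT_REVOKED))
```

On Windows, dump the live variable with `[IO.File]::WriteAllBytes("dbx.bin", (Get-SecureBootUEFI -Name dbx).Bytes)` and feed the file to `revoked_sha256_hashes`; on Linux use `load_dbx_efivarfs()`. Keep in mind that the hashes in dbx are Authenticode hashes of the PE image (what `pesign --hash` computes), not a plain `sha256sum` of the file, so compare against the advisory's published values rather than a hash of the binary on disk.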