Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild
Microsoft has released patches to fix 67 security flaws, including one zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that it said has come under active exploitation in the wild.
Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws.
The patches are in addition to 13 shortcomings addressed by the company in its Chromium-based Edge browser since the release of last month’s Patch Tuesday update.
The vulnerability that has been weaponized in real-world attacks concerns a remote code execution in WebDAV (CVE-2025-33053, CVSS score: 8.8) that can be triggered by deceiving users into clicking on a specially crafted URL.
The tech giant credited Check Point researchers Alexandra Gofman and David Driker for discovering and reporting the bug. It’s worth mentioning that CVE-2025-33053 is the first zero-day vulnerability to be disclosed in the WebDAV standard.
Source: The hacker news / Bleeping computer / Krebs on security / Securityweek / CISCO Talos intelligence group / SANS internet storm center
Link: https://thehackernews.com/2025/06/microsoft-patches-67-vulnerabilities.html
Link: https://krebsonsecurity.com/2025/06/patch-tuesday-june-2025-edition/
Link: https://www.securityweek.com/microsoft-patch-tuesday-covers-webdav-flaw-marked-as-already-exploited/
Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-june-2025/
Link: https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20June%202025/32032
Water Curse Employs 76 GitHub Accounts to Deliver Multi-Stage Malware Campaign
Cybersecurity researchers have exposed a previously unknown threat actor known as Water Curse that relies on weaponized GitHub repositories to deliver multi-stage malware.
“The malware enables data exfiltration (including credentials, browser data, and session tokens), remote access, and long-term persistence on infected systems,” Trend Micro researchers Jovit Samaniego, Aira Marcelo, Mohamed Fahmy, and Gabriel Nicoleta said in an analysis published this week.
The “broad and sustained” campaign, first spotted last month, set up repositories offering seemingly innocuous penetration testing utilities, but harbored within their Visual Studio project configuration files malicious payloads such as SMTP email bomber and Sakura-RAT.
Water Curse’s arsenal incorporates a wide range of tools and programming languages, underscoring their cross-functional development capabilities to target the supply chain with “developer-oriented information stealers that blur the line between red team tooling and active malware distribution.”
“Upon execution, the malicious payloads initiated complex multistage infection chains utilizing obfuscated scripts written in Visual Basic Script (VBS) and PowerShell,” the researchers said. “These scripts downloaded encrypted archives, extracted Electron-based applications, and performed extensive system reconnaissance.”
Source: The hacker news / Dark reading / Securityweek
Link: https://thehackernews.com/2025/06/water-curse-hijacks-76-github-accounts.html
Link: https://www.securityweek.com/new-campaigns-distribute-malware-via-open-source-hacking-tools/
CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed a security flaw impacting the Linux kernel in its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild.
The vulnerability, CVE-2023-0386 (CVSS score: 7.8), is an improper ownership bug in the Linux kernel that could be exploited to escalate privileges on susceptible systems. It was patched in early 2023.
“Linux kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount,” the agency said.
Source: The hacker news / Bleeping computer / Securityweek
Link: https://thehackernews.com/2025/06/cisa-warns-of-active-exploitation-of.html
Veeam Patches CVE-2025-23121: Critical RCE Bug Rated 9.9 CVSS in Backup & Replication
Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions.
The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0.
“A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user,” the company said in an advisory.
CVE-2025-23121 impacts all earlier version 12 builds, including 12.3.1.1139. It has been addressed in version 12.3.2 (build 12.3.2.3617). Security researchers at CODE WHITE GmbH and watchTowr have been credited with discovering and reporting the vulnerability.
Source: The hacker news / Bleeping computer
Link: https://thehackernews.com/2025/06/veeam-patches-cve-2025-23121-critical.html
Google Warns of Scattered Spider Attacks Targeting IT Support Teams at U.S. Insurance Firms
The notorious cybercrime group known as Scattered Spider (aka UNC3944) that recently targeted various U.K. and U.S. retailers has begun to target major insurance companies, according to Google Threat Intelligence Group (GTIG).
“Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity,” John Hultquist, chief analyst at GTIG, said in an email Monday.
“We are now seeing incidents in the insurance industry. Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”
Scattered Spider is the name assigned to an amorphous collective that’s known for its use of advanced social engineering tactics to breach organizations. In recent months, the threat actors are believed to have forged an alliance with the DragonForce ransomware cartel in the wake of the latter’s supposed takeover of RansomHub’s infrastructure.
However, GTIG told The Hacker News that it has not seen any evidence of Scattered Spider collaborating with DragonForce or using its ransomware.
“The group has repeatedly demonstrated its ability to impersonate employees, deceive IT support teams, and bypass multi-factor authentication (MFA) through cunning psychological tactics,” SOS Intelligence said.
Source: The hacker news / Bleeping computer
Link: https://thehackernews.com/2025/06/google-warns-of-scattered-spider.html
Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction
A novel attack technique named EchoLeak has been characterized as a “zero-click” artificial intelligence (AI) vulnerability that allows bad actors to exfiltrate sensitive data from Microsoft 365 (M365) Copilot’s context sans any user interaction.
The critical-rated vulnerability has been assigned the CVE identifier CVE-2025-32711 (CVSS score: 9.3). It requires no customer action and has been already addressed by Microsoft. There is no evidence that the shortcoming was exploited maliciously in the wild.
“AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network,” the company said in an advisory released Wednesday. It has since been added to Microsoft’s Patch Tuesday list for June 2025, taking the total number of fixed flaws to 68.
Aim Security, which discovered and reported the issue, said it’s an instance of a large language model (LLM) Scope Violation that paves the way for indirect prompt injection, leading to unintended behavior.
LLM Scope Violation occurs when an attacker’s instructions embedded in untrusted content, e.g., an email sent from outside an organization, successfully tricks the AI system into accessing and processing privileged internal data without explicit user intent or interaction.
Source: The hacker news / Bleeping computer / Dark reading / aim security blog
Link: https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html
Link: https://www.aim.security/lp/aim-labs-echoleak-blogpost