Patch Tuesday June 2025 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
Microsoft Vulnerabilities
This Patch Tuesday, Microsoft addressed 66 vulnerabilities—fewer than last month—including 9 rated as critical. Only one zero-day and one vulnerability with a proof of concept (PoC) were disclosed. Below are the highlights of the most notable critical updates.
WebDAV Remote Code Execution Vulnerability (CVE-2025-33053)
This zero-day vulnerability affects Microsoft’s implementation of the WebDAV (Web Distributed Authoring and Versioning) protocol. It arises from improper validation of file paths and names, allowing attackers to manipulate them in a way that results in arbitrary code execution on affected systems. The underlying issue is a classic path traversal flaw (CWE-73, external control of file name or path), where user-controlled input influences file system operations.
The vulnerability specifically involves how WebDAV processes specially crafted URLs. An attacker can craft a malicious URL that, when clicked by a user, triggers execution of arbitrary code with the privileges of the compromised process. If the user has administrative rights, the impact is significantly elevated.
WebDAV is widely used in enterprise environments for remote file access and collaboration, often without full awareness of the associated risks.
Exploit Details:
- Attack Vector: Network (AV:N) – Can be launched remotely over the internet
- Attack Complexity: Low (AC:L) – Minimal conditions required for exploitation
- Privileges Required: None (PR:N) – No authentication or prior access needed
- User Interaction: Required (UI:R) – Exploitation depends on the user clicking a crafted URL
CVSS Scores:
- Base Score: 8.8 (High)
- Temporal Score: 8.2 (High)
Despite requiring user interaction, the low complexity and lack of required privileges make this vulnerability a serious concern. The potential for full system compromise, particularly in environments with administrative access, increases the risk.
Exploitation Status:
- Public Disclosure: No
- Exploited in the Wild: Yes – Active exploitation confirmed
- Proof of Concept: None publicly confirmed, though exploitation suggests working code exists
Affected Systems:
- Windows 10 and 11
- Windows Server 2016, 2019, 2022
- Legacy versions: Windows Server 2008/2008 R2 and 2012/2012 R2
This vulnerability also impacts Internet Explorer-related components still present in modern systems, including MSHTML (used by IE mode in Edge) and the WebBrowser control in various applications.
Wider Impact:
- Potentially affects millions of Windows-based systems globally
- Estimated exposure includes up to 70–80% of enterprise environments, especially those lacking strict URL filtering or user awareness programs
Why This Matters:
- WebDAV is common in enterprise systems but often poorly secured.
- Social engineering easily overcomes the user interaction requirement.
- Active exploitation implies the vulnerability is already being used in targeted attacks and could be added to exploit kits or ransomware payloads.
- The core flaw (CWE-73) is a persistent, well-known issue in web application design, making long-term mitigation challenging.
Windows SMB Client Elevation of Privilege Vulnerability (CVE-2025-33073)
This vulnerability, for which a proof-of-concept (PoC) is available, affects the Windows Server Message Block (SMB) client. It stems from improper access control (CWE-284), allowing a malicious SMB server to manipulate authentication processes and escalate privileges on the client system.
The flaw resides in how the SMB client handles authentication when connecting to a compromised or attacker-controlled server. By exploiting protocol-level weaknesses, the attacker can elevate privileges—potentially to SYSTEM level, the highest access tier on a Windows system. This occurs without user interaction after the initial connection, which can be established through techniques that redirect or trick users into initiating a connection.
Exploit Details:
- Attack Vector: Network (AV:N) – Can be exploited remotely
- Attack Complexity: Low (AC:L) – Minimal conditions required
- Privileges Required: Low (PR:L) – Some privileges are necessary
- User Interaction: None (UI:N) – No interaction needed once connected
CVSS Scores:
- Base Score: 8.8 (High)
- Temporal Score: 7.9 (High)
The high base score reflects the critical nature of potential SYSTEM-level compromise. The temporal score incorporates the existence of a PoC, the availability of a fix, and confirmation from Microsoft.
Exploitation Status:
- Public Disclosure: Yes
- Exploited in the Wild: No (as of now)
- Proof of Concept: Yes – Publicly available
- Microsoft Exploitability Assessment: Less Likely
Affected Systems:
- Windows 10 and 11
- Windows Server 2016, 2019, 2022
- Possibly Windows Server 2012/2012 R2 and other supported versions
As SMB is a core component of Windows used for file sharing and inter-process communication, the scope of exposure is broad.
Attack Scenarios:
- Man-in-the-Middle: Intercepting SMB traffic and redirecting it to a malicious server
- DNS Poisoning: Redirecting legitimate SMB traffic to attacker-controlled hosts
- Social Engineering: Sending links to SMB shares (e.g., \\malicious-server\share) via email or chat
- Attack Chain Integration:
  - Used after phishing or other initial access vectors
  - Enables lateral movement with stolen credentials
  - Difficult to detect in environments where SMB is allowed through firewalls
- Coerced Authentication: Forcing client systems to connect and authenticate to malicious servers via crafted scripts
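The lure and coercion scenarios above all share one observable: an internal client opening an SMB connection to an address outside the organization. The following is an added detection example (not from Action1 or Microsoft) that scans constructed firewall connection records for exactly that; the log format, the internal prefixes and the addresses are all assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Internal address space as this example assumes it (RFC 1918 plus loopback and link-local);
# a real deployment would list its own routed prefixes here instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}

# Constructed sample firewall connection log, not taken from any real device.
# Fields: timestamp, source IP, destination IP, destination port, firewall action.
SAMPLE_LOG = """\
2025-06-10T09:12:01Z 10.20.4.15 10.20.1.5 445 allow
2025-06-10T09:12:07Z 10.20.4.15 203.0.113.44 445 allow
2025-06-10T09:12:08Z 10.20.4.15 203.0.113.44 445 allow
2025-06-10T09:13:30Z 10.20.7.22 198.51.100.9 445 deny
2025-06-10T09:14:02Z 10.20.7.22 10.20.1.5 445 allow
2025-06-10T09:15:45Z 10.20.9.3 203.0.113.80 443 allow
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, src, dst, port, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "port": int(port), "action": action}


def smb_egress_findings(log_text):
    """Return every connection where an internal host initiated SMB to an external address.

    Denied attempts are kept too: a client that tried to reach an external share has
    already been lured or coerced, even if the firewall blocked the handshake."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["port"] in SMB_PORTS and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            findings.append(rec)
    return findings


def summarize_by_source(findings):
    """Group findings per internal source so repeated attempts to one external host stand out."""
    summary = defaultdict(lambda: {"external_hosts": set(), "allowed": 0, "denied": 0})
    for rec in findings:
        entry = summary[str(rec["src"])]
        entry["external_hosts"].add(str(rec["dst"]))
        if rec["action"] == "allow":
            entry["allowed"] += 1
        else:
            entry["denied"] += 1
    return dict(summary)


if __name__ == "__main__":
    for src, info in summarize_by_source(smb_egress_findings(SAMPLE_LOG)).items():
        print(f"{src}: SMB to {sorted(info['external_hosts'])} "
              f"(allowed={info['allowed']}, denied={info['denied']})")
```

A source that shows up here with allowed connections is a candidate for the credential-relay path described above and should be checked for the patch state and for what link or document triggered the connection.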
Potential Impact:
The risk to organizations is significant. SMB is widely enabled across Windows environments, and roughly 85–90% of enterprise systems could be exposed. Small and mid-sized businesses may be particularly vulnerable due to limited security controls.
Why It Matters:
- SMB is foundational to Windows networking and commonly used in most organizations
- SYSTEM-level privilege escalation enables full control over the affected system
- The lack of user interaction after the initial connection increases risk
- Although Microsoft rates exploitation as less likely, the public PoC increases the chance of adoption by threat actors
- Patch deployment may be delayed across complex enterprise environments, sustaining the threat even after the fix is available
Microsoft Office Remote Code Execution Vulnerabilities
This month’s Patch Tuesday includes four critical remote code execution (RCE) vulnerabilities affecting Microsoft Office:
- CVE-2025-47953 – Improper Restriction of Names for Files (CWE-641)
- CVE-2025-47167 – Type Confusion (CWE-843)
- CVE-2025-47164 – Use After Free (CWE-416)
- CVE-2025-47162 – Heap-based Buffer Overflow (CWE-122)
These vulnerabilities share the following characteristics:
- CVSS Base Score: 8.4
- Temporal Score: 7.3
- Attack Vector: Local (AV:L)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Exploitation via Outlook Preview Pane: All four can be triggered without opening the document
CVE-2025-47953 – Improper Restriction of Names for Files
This flaw stems from improper validation of file names or resource identifiers. Attackers can craft malicious files to:
- Trigger memory corruption
- Bypass resource restrictions
- Execute arbitrary code via use-after-free behavior
Microsoft Exploitability Rating: Less Likely
CVE-2025-47167 – Type Confusion
This vulnerability involves improper handling of data types, allowing:
- Memory corruption by misinterpreting one type as another
- Unauthorized memory access
- Arbitrary code execution by manipulating memory structures
Microsoft Exploitability Rating: More Likely
CVE-2025-47164 – Use After Free
This issue occurs when memory is freed but still used by the application, allowing:
- Attackers to write to freed memory
- Execution of arbitrary code if the memory is reused
Microsoft Exploitability Rating: More Likely
CVE-2025-47162 – Heap-based Buffer Overflow
The most critical of the four, this vulnerability results from failing to check input size, leading to:
- Buffer overflows into adjacent memory
- Heap structure corruption
- Potential execution of arbitrary code
Microsoft Exploitability Rating: More Likely
Exploitation Scenarios
Though classified as local, all four vulnerabilities can be exploited remotely in practical attack chains:
- Email-based Delivery: Malicious Office documents sent via email
- Web Downloads: Documents hosted on compromised or malicious websites
- Preview Pane Trigger: Exploits can be activated by simply viewing the document in Outlook Preview Pane
- Drive-by Downloads: Files delivered automatically when visiting attacker-controlled websites
Technical Considerations
- Heap-based buffer overflows (CVE-2025-47162) typically offer more stable and reliable exploitation paths
- Type confusion flaws (CVE-2025-47167) can give attackers strong primitives to bypass security features
- Use-after-free issues (CVE-2025-47164, CVE-2025-47953) are more difficult to exploit predictably due to heap behavior
CVE-2025-47162 is likely the most dangerous due to:
- Exploit reliability
- Well-documented techniques and tooling
- Microsoft’s “More Likely” exploitation rating
- Compatibility with Preview Pane delivery
- History of successful exploitation in similar Office vulnerabilities
Despite this, all four should be treated with equal priority given their critical ratings and potential impact. CVE-2025-47167, in particular, could be just as damaging when used by experienced attackers.
Mitigation Guidance
Due to delays in patch availability for Microsoft 365 environments, organizations should consider interim mitigations:
- Disable the Preview Pane in Outlook
- Enforce strict attachment filtering policies
- Limit exposure to Office documents from untrusted sources
Prompt action is recommended to reduce the risk of exploitation.
Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-47172)
CVE-2025-47172 is a critical SQL injection vulnerability in Microsoft SharePoint Server that can lead to remote code execution. The flaw results from improper handling of user input in SQL queries (CWE-89), where special characters are not correctly neutralized. This allows attackers to inject malicious SQL statements that can ultimately be used to execute arbitrary code on the server.
Unlike typical SQL injection, which is often limited to database manipulation, this vulnerability likely enables execution of operating system commands through SQL Server features such as xp_cmdshell or CLR integration, significantly increasing its impact.
Technical Details:
- Attack Vector: Network (AV:N) – Exploitable remotely
- Attack Complexity: Low (AC:L) – Requires no special conditions
- Privileges Required: Low (PR:L) – Only Site Member permissions are needed
- User Interaction: None (UI:N) – No user action is required
CVSS Scores:
- Base Score: 8.8 (High/Critical)
- Temporal Score: 7.7 (High)
The high base score reflects the potential for full system compromise with minimal access. The temporal score accounts for the absence of a known exploit, availability of an official fix, and confirmed reports.
Exploitation Status:
- Public Disclosure: No
- Exploited in the Wild: No (as of now)
- Proof of Concept: None publicly confirmed
- Microsoft Assessment: Exploitation rated as “Less Likely”
While Microsoft considers exploitation less likely at this time, SQL injection techniques are widely understood. Once technical details emerge, the chances of exploitation could increase rapidly.
Affected Versions Likely Include:
- SharePoint Server 2019
- SharePoint Server 2016
Risk Factors:
Organizations are especially at risk if they:
- Use SharePoint for core business operations
- Expose SharePoint to the internet
- Grant Site Member access broadly
- Rely on custom applications interacting with vulnerable components
Potential Attack Scenarios
- Initial Access: An attacker with basic SharePoint permissions could exploit the vulnerability to gain a foothold in the network.
- Privilege Escalation: Once remote code execution is achieved, attackers could:
  - Extract stored credentials
  - Access application secrets
  - Steal authentication tokens
  - Chain with local exploits to escalate to domain admin
- Attack Chain Integration: This vulnerability could support broader attack strategies involving:
  - Credential theft (e.g., database connection strings)
  - Lateral movement from the SharePoint server
  - Data theft from SharePoint and connected systems
  - Ransomware deployment across the network
- Supply Chain Risks: If third-party integrations or workflows run on the compromised server, attackers could abuse them to spread further
Why This Matters
- SQL Injection Leading to RCE: A rare and dangerous combination, indicating serious flaws in input handling
- Low Privilege Requirement: Only basic SharePoint access is needed, greatly expanding the attack surface
- No User Interaction Needed: The absence of user involvement makes exploitation easier to automate
- High-Value Target: SharePoint servers often host sensitive data and operate in trusted network zones
- Detection Challenges: SharePoint’s complexity can hinder effective monitoring
This vulnerability poses a significant risk, especially to enterprises with internet-facing SharePoint deployments or large user bases with Site Member access. It should be prioritized for remediation.
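The bridge from SQL injection to code execution that the section describes (xp_cmdshell or CLR integration) leaves a distinctive trail in SQL Server audit records, which gives defenders something to monitor even where SharePoint itself is hard to instrument. The following is an added example (not Microsoft's or Action1's code) that scans constructed audit records for those configuration changes; the record format, the T-SQL patterns and the login names are assumptions for the example.

```python
import re

# Statements that turn a database compromise into OS command execution: enabling and
# calling xp_cmdshell, and enabling CLR integration to load an assembly.  The patterns
# are assumptions about typical T-SQL, not knowledge of SharePoint internals.
RULES = [
    ("show_advanced",      re.compile(r"sp_configure\s+'?show\s+advanced\s+options'?\s*,\s*1", re.I)),
    ("enable_xp_cmdshell", re.compile(r"sp_configure\s+'?xp_cmdshell'?\s*,\s*1", re.I)),
    ("call_xp_cmdshell",   re.compile(r"xp_cmdshell\s+(N?'|@)", re.I)),
    ("enable_clr",         re.compile(r"sp_configure\s+'?clr\s+enabled'?\s*,\s*1", re.I)),
    ("create_assembly",    re.compile(r"\bCREATE\s+ASSEMBLY\b", re.I)),
]

# Constructed audit records, not from a real SQL Server: timestamp | login | statement.
SAMPLE_AUDIT = """\
2025-06-11T02:14:03Z | CONTOSO\\sp_farm | SELECT tp_ID FROM AllUserData WHERE tp_ListId = @p0
2025-06-11T02:14:09Z | CONTOSO\\sp_farm | EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
2025-06-11T02:14:09Z | CONTOSO\\sp_farm | EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2025-06-11T02:14:12Z | CONTOSO\\sp_farm | EXEC master..xp_cmdshell 'whoami'
2025-06-11T02:20:40Z | CONTOSO\\dba_jane | EXEC sp_configure 'clr enabled', 1
2025-06-11T02:31:00Z | CONTOSO\\sp_farm | UPDATE Webs SET Title = @p1 WHERE Id = @p0
"""


def scan_audit(audit_text, expected_logins=frozenset()):
    """Return one finding per matching statement.

    expected_logins lists the accounts allowed to change server configuration.  A hit
    from any other login, above all from the SharePoint service account itself, is the
    strongest signal: that account should only ever run application queries."""
    findings = []
    for no, raw in enumerate(audit_text.splitlines(), 1):
        if not raw.strip():
            continue
        _ts, login, statement = (part.strip() for part in raw.split("|", 2))
        for name, pattern in RULES:
            if pattern.search(statement):
                findings.append({"line": no, "login": login, "rule": name,
                                 "unexpected_login": login not in expected_logins})
    return findings


def unexpected_findings(findings):
    """Keep only hits from logins that are not supposed to reconfigure the server."""
    return [f for f in findings if f["unexpected_login"]]


if __name__ == "__main__":
    for f in unexpected_findings(scan_audit(SAMPLE_AUDIT, {"CONTOSO\\dba_jane"})):
        print(f"line {f['line']}: {f['login']} -> {f['rule']}")
```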
Microsoft OneDrive
Researchers at Oasis have identified a vulnerability in Microsoft OneDrive that allows third-party websites to access all cloud storage content, even when a user is downloading just one file. The issue stems from the OneDrive file selector requesting broad permissions, attempting to read the entire disk due to the lack of fine-grained OAuth scopes.
This flaw poses risks to both individual and enterprise users, potentially leading to data leaks and compliance issues. Applications integrated with OneDrive—such as ChatGPT, Slack, Trello, and ClickUp—may be affected.
The problem is compounded by vague consent prompts that fail to clearly convey the extent of access being granted. Users are unable to distinguish between malicious apps requesting access to all files and legitimate ones forced to do so due to the lack of safer alternatives. Additionally, OAuth tokens are often stored insecurely, including in browser session storage as plain text.
In some workflows, a refresh token is issued, granting permanent access to user data and allowing new access tokens to be generated without reauthentication.
Following responsible disclosure, Microsoft acknowledged the issue but has not yet provided a fix. It recommends temporarily disabling file uploads via OneDrive using OAuth and avoiding the use of refresh tokens. Tokens should be stored securely and discarded when no longer needed. Oasis advises careful management of OAuth scopes, regular security audits, and proactive monitoring to help mitigate exposure.
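The recommendations above come down to reviewing what an integration actually asks for at consent time: whole-drive scopes, refresh tokens, and flows that hand the token to the browser. The following is an added audit example (not from Oasis or Microsoft) that checks a constructed OAuth authorization request for those three conditions; the endpoint, the scope names and the ".All" naming convention are assumptions, to be adjusted for the identity provider in use.

```python
from urllib.parse import urlparse, parse_qs

# Assumptions (not from the article): the authorize endpoint takes OAuth 2.0 parameters in
# its query string, scopes are space-separated, broad delegated scopes end in ".All", and
# "offline_access" is the scope that causes a refresh token to be issued.
BROAD_SUFFIX = ".All"
REFRESH_SCOPE = "offline_access"

# Constructed example request, not a real consent URL.
SAMPLE_REQUEST = (
    "https://login.example.invalid/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=token"
    "&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Fpicker"
    "&scope=Files.ReadWrite.All%20offline_access%20User.Read"
)


def parse_authorize_request(url):
    """Pull the security-relevant OAuth parameters out of an authorization request URL."""
    qs = parse_qs(urlparse(url).query)
    return {
        "response_type": qs.get("response_type", [""])[0],
        "scopes": qs.get("scope", [""])[0].split(),
        "redirect_uri": qs.get("redirect_uri", [""])[0],
    }


def audit_authorize_request(url, approved_scopes=frozenset()):
    """Return (finding, detail) pairs for a request that asks for more than a file picker needs.

    approved_scopes is the allow-list the integration was reviewed against; any scope
    outside it is reported so that scope creep in a later release is noticed."""
    req = parse_authorize_request(url)
    findings = []
    for scope in req["scopes"]:
        if scope == REFRESH_SCOPE:
            findings.append(("refresh_token_requested", scope))  # permanent access without re-auth
        elif scope.endswith(BROAD_SUFFIX):
            findings.append(("broad_scope", scope))              # whole-drive access for one file
        elif approved_scopes and scope not in approved_scopes:
            findings.append(("unapproved_scope", scope))
    # The implicit flow returns the access token in the URL fragment, which is how it ends up
    # in browser storage as plain text; the authorization-code flow keeps it server side.
    if "token" in req["response_type"].split():
        findings.append(("implicit_flow", req["response_type"]))
    if not req["redirect_uri"].startswith("https://"):
        findings.append(("insecure_redirect_uri", req["redirect_uri"]))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_authorize_request(SAMPLE_REQUEST, {"User.Read"}):
        print(f"{finding}: {detail}")
```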
Microsoft Windows Server 2025
A critical privilege escalation vulnerability in Windows Server 2025 exposes a path to compromise any user in Active Directory. The flaw, discovered by Akamai and dubbed BadSuccessor, takes advantage of Delegated Managed Service Accounts (dMSA)—a feature introduced to mitigate Kerberoasting attacks.
dMSAs allow users to create new accounts or replace legacy service accounts. When a dMSA replaces an account, password-based authentication is blocked and redirected to the Local Security Authority (LSA), which grants the new account the same resource access as the original.
During this transition, the dMSA learns which devices the replaced service account was used on. The issue lies in how Kerberos processes the migration. The Privilege Attribute Certificate (PAC) includes both the dMSA’s and the original account’s security identifiers, as well as all group memberships. This allows an attacker to simulate a migration and inherit the replaced account’s privileges—even domain administrator privileges—without having any permissions on the original account. The only requirement is write access to the dMSA attributes.
Akamai found that 91% of the environments studied had users who could perform this attack without being domain admins. The vulnerability affects domains whether or not they actively use dMSA.
Akamai disclosed the issue to Microsoft on April 1, 2025. Microsoft classified it as medium severity, citing the need for specific permissions to exploit it, but is currently working on a fix.
In the meantime, Akamai recommends restricting the ability to create dMSAs, tightening permissions, and using its mitigation script. The flaw enables attackers with CreateChild permissions to gain domain-wide access, similar to DCSync attacks.
Google Chrome
Google has released an emergency update for Chrome 137 to patch three vulnerabilities, including a high-severity zero-day exploit tracked as CVE-2025-5419. The flaw involves out-of-bounds read/write in the V8 JavaScript and WebAssembly engine and is reportedly being exploited by spyware vendors.
Google confirmed the existence of an exploit but has not provided technical details. The issue was reported by Clément Lecigne and Benoît Sevens from Google’s Threat Analysis Group (TAG) on May 27, 2025. TAG has previously documented multiple spyware-related Chrome vulnerabilities, and CVE-2025-5419 appears to be another case. According to NIST, the vulnerability could allow heap corruption via a crafted HTML page, potentially leading to arbitrary code execution.
This is the second actively exploited zero-day Chrome has patched in 2025. The first, CVE-2025-2783 (CVSS: 8.3), was reportedly used in attacks targeting organizations in Russia.
The latest Chrome version is 137.0.7151.68/69 for Windows and macOS and 137.0.7151.68 for Linux. Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also update as fixes become available.
The update also addresses CVE-2025-5068, a medium-severity use-after-free vulnerability in Blink.
Mozilla Firefox
Mozilla has released updates for Firefox and its ESR versions to fix two critical JavaScript vulnerabilities demonstrated at Pwn2Own Berlin 2025. Although both flaws could lead to memory corruption and code execution, they could not bypass the browser’s sandbox.
- CVE-2025-4918, discovered by Edouard Bochin and Tao Yang of Palo Alto Networks, allows out-of-bounds memory access when resolving JavaScript Promise objects, which could lead to arbitrary code execution within the browser’s content process.
- CVE-2025-4919, submitted by Manfred Paul, involves array index confusion during optimization of linear sums, resulting in memory overflow.
Both were successfully exploited during the Pwn2Own competition organized by Trend Micro’s Zero Day Initiative. The researchers received $50,000 and five points toward the “Master of Pwn” title. Mozilla issued patches within 24 hours. While sandboxing prevented full exploitation, users are advised to update immediately to ensure protection.
Android
Three critical zero-day vulnerabilities related to Qualcomm components in Android have been identified and confirmed as being actively exploited. Google addressed these flaws in its June Android security bulletin.
According to Qualcomm’s advisory, the vulnerabilities—CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038—affect Adreno GPU drivers:
- CVE-2025-21479 involves improper authorization in the GPU component, leading to memory corruption when a crafted command sequence is processed. A local attacker could use this to execute arbitrary code within the driver’s context.
- CVE-2025-21480 is similar and stems from incorrect access control within the GPU micronode, also resulting in memory corruption and potential privilege escalation.
- CVE-2025-27038 is a use-after-free flaw in the Adreno driver triggered during graphics rendering. It can be exploited in scenarios such as browsing via Chrome.
These vulnerabilities were discovered by Android Security and Google’s Threat Analysis Group (TAG), and reported to Qualcomm. Patches were issued to hardware vendors in May. Qualcomm urges immediate updates. Affected chipsets include Snapdragon 8 Gen 2 and Gen 3, as well as the Snapdragon 695, 778G, and 4 Gen 1/2 series. The issue also affects wearables, automotive modules, and networking hardware using FastConnect, QCA, and QCS components.
Roundcube
Researchers at FearsOff have disclosed a critical vulnerability in Roundcube webmail that remained undetected for over a decade. Tracked as CVE-2025-49113 and rated 9.9 on the CVSS scale, the flaw allows remote code execution after authentication via PHP object deserialization.
The vulnerability stems from the unchecked _from parameter in program/actions/settings/upload.php, enabling deserialization of untrusted objects. All Roundcube versions up to and including 1.6.10 are affected. The issue is resolved in versions 1.6.11 and 1.5.10 LTS.
Shortly after disclosure, exploitation began. Researchers noted that attackers quickly reverse-engineered the patches and developed working exploits, already circulating on underground forums. While the attack requires valid credentials, these can be obtained from logs or via brute-force attacks. FearsOff also suggests that credentials could be harvested using cross-site request forgery (CSRF).
The attack surface is industrial in scale: at least 1.2 million Roundcube hosts are reachable online. Because of the widespread exploitation, the researchers have released a detailed technical analysis but are withholding a full proof-of-concept for now. A related identifier, CVE-2025-48745, has been rejected as a duplicate of CVE-2025-49113.
Cisco
Horizon3 researchers have published technical details on a critical vulnerability in Cisco IOS XE’s WLC arbitrary file upload feature, tracked as CVE-2025-20188. While a ready-made remote code execution (RCE) exploit is not included, the documentation offers sufficient insight for an experienced attacker to develop one.
Cisco disclosed the issue on May 7, 2025, identifying it as a flaw in the “Download Access Point Image via External Channel” feature. The vulnerability is caused by a hard-coded JSON Web Token (JWT) that allows an unauthenticated remote attacker to upload files, perform path traversal, and execute commands with root privileges.
Devices affected include:
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded Wireless Controllers for 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controllers on Catalyst Access Points
According to Horizon3, the root cause lies in a hard-coded fallback JWT key (“notfound”) used in the Lua scripts behind the download endpoints. If the /tmp/nginx_jwt_key file is missing, the backend defaults to this string, allowing attackers to forge valid JWTs using the HS256 algorithm.
Horizon3 demonstrated how to send an HTTP POST request to the /ap_spec_rec/upload endpoint via port 8443, using path traversal to place files outside intended directories. To escalate the attack to RCE, the exploit targets the pvp.sh service, which monitors directories and overwrites configuration files. A reboot then executes the injected commands.
Cisco recommends updating to version 17.12.04 or later. As a temporary workaround, administrators can disable the vulnerable feature.
Cisco has also addressed multiple open-source vulnerabilities in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP). The most serious is CVE-2025-20286, a critical static credential issue in ISE, discovered by Kentaro Kawane of GMO Cybersecurity.
The flaw stems from improper credential generation in cloud deployments of ISE, leading to the reuse of credentials across different instances. In cloud environments such as AWS, Azure, and Oracle Cloud Infrastructure, this allows remote attackers to access sensitive data, modify configurations, or disrupt services—provided the primary administration node is deployed in the cloud.
Cisco clarified that the following ISE deployments are not vulnerable:
- All on-premises deployments using ISO or OVA files from Cisco’s Software Download Center
- Azure VMware Solution (AVS)
- Google Cloud VMware Engine
- VMware Cloud on AWS
- Hybrid deployments with all administrator personas kept local
As an interim measure, Cisco advises running the reset-config ise command on the affected cloud node to reset credentials. However, this action resets the system to factory defaults and restores old credentials if backups are used.
Two additional flaws have also been patched:
- CVE-2025-20130: Arbitrary file upload in Cisco ISE
- CVE-2025-20129: Information disclosure in Cisco Customer Collaboration Platform
HPE
Hewlett Packard Enterprise (HPE) has disclosed eight vulnerabilities affecting its StoreOnce backup and deduplication solution. The most critical is CVE-2025-37093, an authentication bypass flaw with a CVSS score of 9.8.
StoreOnce is widely used in large enterprises and data centers, integrating with backup tools like HPE Data Protector, Veeam, Commvault, and Veritas NetBackup.
The bulletin also covers:
- Four RCE vulnerabilities: CVE-2025-37089, CVE-2025-37091, CVE-2025-37092, and CVE-2025-37096
- Two directory traversal issues: CVE-2025-37094 and CVE-2025-37095
- One server-side request forgery: CVE-2025-37090
All StoreOnce versions prior to 4.3.11 are affected. Users are urged to upgrade to version 4.3.11 immediately.
According to the Zero Day Initiative (ZDI), CVE-2025-37093 is tied to the machineAccountCheck function and results from a flawed authentication algorithm. ZDI emphasized that this flaw is critical not only on its own but also because it can facilitate the exploitation of other vulnerabilities.
Two medium-severity flaws—CVE-2025-37094 and CVE-2025-37095—can enable file deletion and information disclosure. Although they require authentication, they are easier to exploit in practice because of the weaknesses in the authentication mechanism itself.
These vulnerabilities were discovered in October 2024, with patches issued seven months later. There are no current reports of active exploitation. HPE has not suggested any workarounds; updating remains the only mitigation.
Ivanti
The ongoing series of security issues affecting Ivanti continues with new findings from Wiz researchers, who reported the active exploitation of two recently patched vulnerabilities in Endpoint Manager Mobile (EPMM).
The flaws—CVE-2025-4427 and CVE-2025-4428—are related to authentication bypass and post-authentication remote code execution (RCE), respectively. Both were discovered in open-source libraries integrated into EPMM and are rated medium severity. Ivanti released patches on May 13, warning that the vulnerabilities were being exploited as zero-days against a limited number of customers. They noted that risk is reduced when ACL functionality or an external WAF is used to restrict API access.
According to Wiz, the authentication bypass results from incorrect handling of routing rules in the Spring framework, allowing unauthenticated access. The RCE flaw is caused by unsafe processing of user-supplied input in error messages, enabling attackers to inject a format parameter that executes arbitrary Java code. Though rated medium individually, the two bugs can be chained to achieve unauthenticated RCE.
Exploitation began on May 16, following the publication of a proof of concept. Wiz identified several payloads, including the Sliver beacon, which connects to a command-and-control server previously linked to attacks on vulnerable Palo Alto Networks devices. The same certificate associated with that server has remained unchanged since November 2024, suggesting that the same attacker targeted both Ivanti EPMM and PAN-OS devices.
Organizations are urged to update to one of the patched EPMM versions: 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1.
Processors
As part of Patch Tuesday, Intel, AMD, and Arm issued security advisories addressing newly discovered CPU vulnerabilities, including issues tied to recently disclosed processor attack techniques.
ETH Zurich researchers reported CVE-2024-45332, a branch privilege injection vulnerability that expands on Spectre-BTI (Branch Target Injection) attack techniques. Despite existing mitigations for Spectre-BTI, researchers found a way to bypass them on Intel CPUs due to a race condition. These types of attacks allow access to sensitive data from memory, including encryption keys and passwords. Intel has classified CVE-2024-45332 as an information disclosure issue and is releasing microcode updates to mitigate it.
AMD stated that this vulnerability does not affect its processors, a claim also confirmed by the researchers. Meanwhile, researchers from VU Amsterdam disclosed another set of Spectre-style attacks dubbed Training Solo, which exposes limitations in domain isolation. They identified three new classes of self-learning Spectre v2 attacks and developed two exploits targeting Intel CPUs, capable of leaking kernel memory at rates up to 17 KB/s.
The disclosure also included two new hardware vulnerabilities—CVE-2024-28956 and CVE-2025-24495—that break domain isolation, re-enabling traditional Spectre v2 scenarios such as user-to-user, guest-to-guest, and guest-to-host attacks. Intel has responded with microcode updates and updated mitigation guidelines. AMD, while not affected by these specific attacks, acknowledged that similar risks exist on Arm processors and has updated its guidance accordingly.
Intel issued 25 security advisories addressing dozens of vulnerabilities across various product lines. High-severity issues leading to information disclosure, denial of service, or elevation of privilege were patched in products such as:
- Tiber Edge Platform
- Graphics and Graphics Driver
- Server Boards
- PROSet/Wireless
- Gaudi
- Xeon
- Ethernet Network Adapters
- Slim Bootloader
- Simics Package Manager
Medium-severity vulnerabilities were addressed in:
- RealSense
- oneAPI tools
- Arc GPU
- Core and Xeon CPUs
- QuickAssist Technology
AMD published three new advisories. One addresses four high-severity flaws in AMD Manageability Tools, which could lead to elevation of privilege and possible RCE. Another covers two high-severity vulnerabilities in AMD Optimizing CPU Libraries (AOCL) with similar impact. The third advisory details a medium-severity vulnerability in uProf, which could allow arbitrary file deletion.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.