Actively Exploited Zero-Day Vulnerability in Web Distributed Authoring and Versioning 

CVE-2025-33053 is an Important remote code execution vulnerability affecting Web Distributed Authoring and Versioning (WebDAV) with a CVSS score of 8.8. This vulnerability allows attackers to control file names or paths in WebDAV implementations, enabling them to execute arbitrary code remotely on affected systems without requiring authentication. The flaw exists in how WebDAV handles file and path operations, allowing attackers to manipulate these elements to achieve code execution.

While WebDAV is primarily server software, it requires client software to interact with it. CVE-2025-33053 specifically affects the server-side implementation, making internet-facing WebDAV servers particularly vulnerable to remote attacks that could lead to unauthorized code execution.

It’s commonly seen in, but not limited to, the following environments:

  • Microsoft IIS (Internet Information Services) web servers
  • Apache HTTP Server (with mod_dav module)
  • Nginx (with WebDAV modules)
  • Specialized WebDAV servers like SabreDAV
  • Cloud storage platforms that offer WebDAV access

Table 1. Zero-day in WebDAV
Severity CVSS Score CVE Description
Important 8.8 CVE-2025-33053 Web Distributed Authoring and Versioning (WebDAV) Remote Code Execution Vulnerability

Critical Vulnerabilities in Microsoft Office Products

CVE-2025-47162, CVE-2025-47164, CVE-2025-47167, and CVE-2025-47953 are all Critical vulnerabilities in Microsoft Office, all with a CVSS score of 8.4 and sharing similar exploitation characteristics. These vulnerabilities allow attackers to remotely execute malicious code through locally triggered exploits without requiring privileges or user interaction.

The vulnerabilities stem from different implementation flaws:

  • CVE-2025-47162: Heap-based buffer overflow
  • CVE-2025-47164: Use-after-free vulnerability
  • CVE-2025-47167: Type confusion issue
  • CVE-2025-47953: Improper restriction of file names/resources

All four vulnerabilities can be exploited through the Preview Pane as an attack vector, which significantly increases the risk because users do not need to open a file to trigger the exploit.

We have seen the Preview Pane used as an attack vector many times in other vulnerabilities (April 2023, July 2023, December 2023, October 2024, January 2025, February 2025, April 2025).

Table 2. Critical vulnerabilities in Microsoft Office
Severity CVSS Score CVE Description
Critical 8.4 CVE-2025-47162 Microsoft Office Remote Code Execution Vulnerability
Critical 8.4 CVE-2025-47164 Microsoft Office Remote Code Execution Vulnerability
Critical 8.4 CVE-2025-47167 Microsoft Office Remote Code Execution Vulnerability
Critical 8.4 CVE-2025-47953 Microsoft Office Remote Code Execution Vulnerability

Critical Vulnerability in Windows Netlogon

CVE-2025-33070 is a Critical elevation of privilege vulnerability in Windows Netlogon with a CVSS score of 8.1. This vulnerability allows attackers to gain domain administrator privileges without authentication by exploiting the use of uninitialized resources in the Netlogon service.

While exploitation requires the attacker to perform additional preparatory actions against the target environment, no user interaction is needed, increasing the risk. The vulnerability can be exploited by sending specially crafted authentication requests to domain controllers, potentially leading to unauthenticated remote code execution and compromising the confidentiality, integrity, and availability of affected systems.

Table 3. Critical vulnerability in Windows Netlogon
Severity CVSS Score CVE Description
Critical 8.1 CVE-2025-33070 Windows Netlogon Elevation of Privilege Vulnerability

Critical Vulnerability in Windows Cryptographic Services (Schannel)

CVE-2025-29828 is a Critical remote code execution vulnerability in Windows Cryptographic Services (Schannel) and has a CVSS score of 8.1. This vulnerability allows attackers to remotely execute malicious code without authentication by exploiting a memory leak (missing release of memory after effective lifetime) in the Transport Layer Security (TLS) implementation.

Exploitation requires the attacker to send a large number of malicious fragmented TLS handshake messages, specifically the initial “ClientHello” message type that begins TLS connections, to servers accepting secure connections. No user interaction is needed, increasing the risk. The vulnerability specifically affects memory handling in Windows Cryptographic Services, potentially compromising the confidentiality, integrity, and availability of affected systems.
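The exploitation precondition described above (a large volume of fragmented ClientHello messages sent to one server) suggests a simple network-side detection heuristic. The following Python is an added example, not CrowdStrike's or Microsoft's code: it parses raw TLS records, counts ClientHello messages whose handshake length exceeds the payload of the record carrying their header, and flags sources that exceed a threshold. The sample traffic, the IP addresses and the threshold of 10 are constructed for illustration; the code detects a traffic pattern consistent with the described exploitation, not the vulnerability itself.

```python
import struct

TLS_HANDSHAKE, CLIENT_HELLO = 0x16, 0x01   # record content type / handshake message type

def split_records(data):
    """Yield (content_type, payload) for each TLS record in a raw byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        yield ctype, data[off:off + length]
        off += length

def count_client_hellos(data):
    """Return (total, fragmented) ClientHello counts for one client-to-server stream.
    Fragmented means the handshake header's length exceeds the rest of its record."""
    total = fragmented = pending = 0   # pending: bytes of a split message still to come
    for ctype, payload in split_records(data):
        if ctype != TLS_HANDSHAKE:
            pending = 0
            continue
        if pending:                    # skip the continuation of a split message
            used = min(pending, len(payload))
            pending -= used
            payload = payload[used:]
        while len(payload) >= 4:       # handshake header: type(1) + length(3)
            htype, hlen = payload[0], int.from_bytes(payload[1:4], "big")
            body = payload[4:]
            if htype == CLIENT_HELLO:
                total, fragmented = total + 1, fragmented + (hlen > len(body))
            if hlen > len(body):       # message continues in the next record(s)
                pending = hlen - len(body)
                break
            payload = body[hlen:]
    return total, fragmented

def noisy_sources(flows, threshold):
    """Return source IPs that sent at least `threshold` fragmented ClientHellos."""
    per_src = {}
    for src, stream in flows:
        per_src[src] = per_src.get(src, 0) + count_client_hellos(stream)[1]
    return sorted(s for s, n in per_src.items() if n >= threshold)

# --- constructed sample traffic (not real captures); addresses are documentation ranges ---
def _record(payload):
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(payload)) + payload
_HELLO = bytes([CLIENT_HELLO]) + (40).to_bytes(3, "big") + bytes(40)   # 4-byte header + 40-byte body
INTACT = _record(_HELLO)                                  # one record carries the whole message
SPLIT = _record(_HELLO[:20]) + _record(_HELLO[20:])       # same message split over two records
SAMPLE_FLOWS = [("198.51.100.5", INTACT), ("203.0.113.7", SPLIT * 25)]
```

Real deployments would feed reassembled TCP payloads per client-to-server flow into `noisy_sources` and tune the threshold to the server's normal handshake rate.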

Table 4. Critical vulnerability in Windows Schannel
Severity CVSS Score CVE Description
Critical 8.1 CVE-2025-29828 Windows Schannel Remote Code Execution Vulnerability

Critical Vulnerability in Windows Remote Desktop Services

CVE-2025-32710 is a Critical remote code execution vulnerability in Windows Remote Desktop Services and has a CVSS score of 8.1. This vulnerability allows attackers to remotely execute malicious code without authentication by exploiting a use-after-free condition in systems running the Remote Desktop Gateway role.

While exploitation requires the adversary to win a race condition when connecting to affected systems, no user interaction is needed, increasing the risk. This vulnerability involves improper synchronization of shared resources and memory handling in the Remote Desktop Gateway Service, potentially compromising confidentiality, integrity, and availability of affected systems.

Table 5. Critical vulnerability in Windows Remote Desktop Services
Severity CVSS Score CVE Description
Critical 8.1 CVE-2025-32710 Windows Remote Desktop Services Remote Code Execution Vulnerability

Critical Vulnerability in Windows KDC Proxy Service (KPSSVC)

CVE-2025-33071 is a Critical remote code execution vulnerability in Windows KDC Proxy Service (KPSSVC) with a CVSS score of 8.1. This vulnerability allows attackers to remotely execute malicious code without authentication by exploiting a use-after-free condition in the Kerberos Key Distribution Center Proxy Service.

While exploitation requires the adversary to win a race condition, no user interaction is needed, increasing the risk. The vulnerability specifically affects Windows Servers configured as [MS-KKDCP] Kerberos Key Distribution Center Proxy Protocol servers (domain controllers are not affected). Attackers can leverage a cryptographic protocol vulnerability by using a specially crafted application against affected systems, potentially compromising confidentiality, integrity, and availability.

Table 6. Critical vulnerability in Windows KPSSVC
Severity CVSS Score CVE Description
Critical 8.1 CVE-2025-33071 Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability

Critical Vulnerability in Microsoft SharePoint Server

CVE-2025-47172 is a Critical remote code execution vulnerability in Microsoft SharePoint Server and has a CVSS score of 8.8. This vulnerability allows attackers with minimal permissions to remotely execute malicious code by exploiting an SQL injection flaw in the SharePoint platform.

While exploitation requires the attacker to have at least Site Member permissions, no user interaction is needed and the attack complexity is low, increasing the risk. The vulnerability stems from improper neutralization of special elements used in SQL commands, potentially allowing authenticated attackers to execute arbitrary code on affected SharePoint servers and compromise confidentiality, integrity, and availability.

Table 7. Critical vulnerability in Microsoft SharePoint Server
Severity CVSS Score CVE Description
Critical 8.8 CVE-2025-47172 Microsoft SharePoint Server Remote Code Execution Vulnerability

Important Vulnerability in Windows SMB Client

CVE-2025-33073 is an Important elevation of privilege vulnerability in Windows SMB Client and has a CVSS score of 8.8. This vulnerability allows attackers with low privileges to gain SYSTEM-level access by exploiting improper access control in the Windows SMB implementation. The attack requires minimal complexity and can be executed over a network without user interaction.

This vulnerability affects Windows systems that use the SMB client functionality (virtually all Windows machines). The vulnerability has been publicly disclosed with proof-of-concept code available, though no in-the-wild exploitation has been detected. Microsoft has released official security updates to address this vulnerability.

The vulnerability was discovered and reported by multiple security researchers, including CrowdStrike’s Keisuke Hirata.

Table 8. Important vulnerability in Windows SMB Client
Severity CVSS Score CVE Description
Important 8.8 CVE-2025-33073 Windows SMB Client Elevation of Privilege Vulnerability

Patch Tuesday Dashboard in the Falcon Platform

For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As was the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patch is available.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.

Later this year, Microsoft plans to discontinue support for Microsoft Windows 10 (October 2025). As part of a robust cybersecurity strategy, CrowdStrike encourages organizations to ensure their planning takes this upcoming date into consideration. End of support implies that in the near term, these systems will likely receive no further security updates. Organizations should be planning for and upgrading their systems to newer and supported OS versions to continue receiving critical security updates for issues like those mentioned above.

The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article. 
