Current events · 3 MIN READ · BEN NAHORNEY AND MATT JASTRAM · JUN 10, 2025 · TAGS: vulnerability prioritization
TL;DR
- This month, we’re covering a handful of vulnerabilities in Ivanti that were first identified last month
- Microsoft released 66 new CVEs for Patch Tuesday, including: CVE-2025-33053, CVE-2025-33070
- This blog can help you manage your immediate, tech-stack specific vulnerabilities
It’s the second day of the second week of the month, and you know what that means—Patch Tuesday!
Patch Tuesday: June 10, 2025
This month, Microsoft released 66 CVEs. Of these, the following caught our eye as the highest priority because of their exploitation risk factors.
Web Distributed Authoring and Versioning (WebDAV) Remote Code Execution Vulnerability (RCE) (CVE-2025-33053): This is the only CVE Microsoft reported as already being actively exploited, via specially crafted HTML. Check Point reported the vulnerability being used in spear-phishing, delivered both as URLs and as attachments. The vulnerability impacts all currently supported versions of Windows. Microsoft notes that applying the security update alone does not fully patch the vulnerability; the organization also needs to apply the Internet Explorer (IE) cumulative update. (Despite IE being retired, some of its core components still exist on modern systems, so the cumulative update patches these remaining components.)
Windows Netlogon Elevation of Privilege Vulnerability (CVE-2025-33070): A threat actor could send a specially crafted authentication request to a domain controller, allowing the attacker to gain domain administrator privileges. The vulnerability leverages an unauthenticated remote code execution. Based on Microsoft’s details, it sounds as though some special conditions may be required to pull this off, but the risk from the vulnerability is worth the patch. We recommend updating your servers and PCs with the available updates.
Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability (RCE) (CVE-2025-33071): This server-specific vulnerability only applies if you have configured a server as a Kerberos Key Distribution Center (KDC) Proxy Protocol server. This type of configuration is used to change passwords and securely obtain service tickets from the server over an HTTPS connection. To exploit it successfully, an attacker must win a race condition by tricking the system into carrying out unauthorized actions outside of its normal processes. We recommend deploying the server patches available for Windows Server versions 2012, 2016, 2019, 2022, and 2025.
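A defender-side triage check for the exposure conditions described above, added here as an example rather than Expel's own tooling. It assumes it runs elevated on the Windows host being assessed, and the KB identifiers are placeholders to be filled in from Microsoft's advisories for the three CVEs.

```powershell
# Added example (not Expel's code): one-host exposure triage for the three CVEs above.
# Run elevated on the host being checked. The KB numbers are placeholders; take the
# real ones for your OS build from Microsoft's advisories for CVE-2025-33053 (which
# also needs the IE cumulative update), CVE-2025-33070 and CVE-2025-33071.
function Get-JunePatchTuesdayExposure {
    [CmdletBinding()]
    param(
        [string[]]$RequiredKb = @('KB_PLACEHOLDER_OS', 'KB_PLACEHOLDER_IE')
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Netlogon EoP (CVE-2025-33070): the described attack path targets domain
    # controllers. Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    $isDomainController = $cs.DomainRole -ge 4

    # KDC Proxy RCE (CVE-2025-33071): only applies if the host actually runs the
    # KDC Proxy Server service, whose Windows service name is KPSSVC.
    $kps = Get-Service -Name 'KPSSVC' -ErrorAction SilentlyContinue
    $kdcProxyRunning = ($null -ne $kps) -and ($kps.Status -eq 'Running')

    # Patch state: Get-HotFix lists installed updates; any required KB that is
    # absent is reported. For the WebDAV CVE (CVE-2025-33053) both the monthly
    # security update and the IE cumulative update must be present.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $missingKb = @($RequiredKb | Where-Object { $installed -notcontains $_ })

    [pscustomobject]@{
        ComputerName       = $cs.Name
        OSVersion          = $os.Caption
        IsDomainController = $isDomainController   # raises priority of CVE-2025-33070
        KdcProxyRunning    = $kdcProxyRunning      # raises priority of CVE-2025-33071
        MissingUpdates     = $missingKb
        NeedsPatch         = ($missingKb.Count -gt 0)
    }
}

Get-JunePatchTuesdayExposure | Format-List
```

Feed the output into your ticketing or prioritization workflow; hosts where NeedsPatch is true and IsDomainController or KdcProxyRunning is also true are the ones to schedule first.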
This month we’re going to take a look at a couple of vulnerabilities that we’ve seen exploited in Ivanti applications. These applications are a regular target of attackers since they often reside on the network perimeter.
Exploit tales: Ivanti applications
On May 13, Ivanti published a security advisory warning of two vulnerabilities discovered in their Endpoint Manager Mobile (EPMM) application, used to manage and secure desktop and mobile devices.
The first of these two vulnerabilities, CVE-2025-4427, is an authentication bypass vulnerability. If exploited, it could allow a bad actor to gain access to EPMM’s API without providing authorized credentials.
The second, CVE-2025-4428, is a remote code execution (RCE) vulnerability in EPMM. If exploited, this would allow an attacker to run arbitrary code on an unpatched version of the application.
These two vulnerabilities are a potent combination. A motivated attacker can chain them together to gain access to EPMM (CVE-2025-4427) and then run malicious code (CVE-2025-4428) on the compromised server.
Within days of the disclosure of these vulnerabilities, our SOC saw its first incident involving these CVEs and a publicly exposed EPMM server. After the attacker exploited these vulnerabilities, gaining control of the system, they installed the KrustyLoader ELF backdoor from an attacker-controlled AWS bucket.
We immediately recommended disabling compromised user accounts, resetting their credentials, and patching the EPMM application with the latest release. Total time from alert to Expel recommendations: 6.7 minutes.
Outside of this pair of vulnerabilities, our SOC has seen several incidents where threat actors have attempted to use exploits against other Ivanti applications.
In another incident last month, an attacker was seen attempting to exploit a stack-based buffer overflow in Ivanti Connect Secure (CVE-2025-22457) that could lead to remote code execution. However, the attacker in this case was unable to successfully pull off the exploit and instead caused the server to crash.
And earlier in the year, we encountered an incident involving suspicious behavior surrounding Ivanti Connect Secure that lined up with public reports of CVE-2025-0282. In both incidents, patching to the latest version of the software resolved the issue.
That’s it for this month. If you have any questions about these specific vulnerabilities (or others on the Patch Tuesday list)—or if you’re interested in learning how Expel Vulnerability Prioritization can give you context for your own environment—get in touch.