Each month brings a flood of vulnerability disclosures. But only a few truly matter. The ones being exploited. The ones buried in critical systems. The ones that could take down your environment.
In this post, we’ve pulled together the top CVEs of June 2025 not based on volume, but based on risk. Remote code execution flaws. Privilege escalations. Bugs hiding in tools you probably use every day.
Let’s break down what they are, how they work, and what you need to patch. Fast.
1. CVE‑2025‑20282: Unauthenticated File Upload and Root Code Execution in Cisco ISE and ISE PIC
CVE‑2025‑20282 is a critical, maximum-severity vulnerability in Cisco Identity Services Engine (ISE) and Passive Identity Connector (PIC) version 3.4. It lets unauthenticated attackers upload files to privileged directories and run them with root privileges, leading to full system takeover.
CVE‑2025‑20282 At a Glance
| Attribute | Value |
| Severity | Critical |
| CVSS v3.1 Score | 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
| Exploitation Status | No known active exploits yet |
| Attack Vector | Network (remote via internal HTTPS API) |
| User Interaction | None |
| Privileges Required | None |
| Scope | Changed (OS-level code execution) |
| Vulnerability Type | Missing file validation (CWE‑269) |
| Affected Versions | Cisco ISE and ISE PIC 3.4 |
Impact of Exploitation
- Full root-level control. Attackers can upload and run malicious executables anywhere.
- System integrity breached. They may modify security settings, install persistent backdoors, or harvest data.
- Network pivoting potential. Gives attackers an escalation path across the enterprise network.
- Complete service compromise. ISE is a strategic network control hub in many organizations.
Technical Root Cause
The issue stems from a bug in Cisco ISE and ISE PIC’s internal API. It fails to validate filenames and upload paths, allowing crafted files to land in restricted system folders. These files can then be executed with root privileges.
Affected Products and Versions
- Cisco Identity Services Engine (ISE) – version 3.4
- Cisco ISE Passive Identity Connector (ISE PIC) – version 3.4
Versions 3.3 and earlier are not affected.
Mitigation Guidance
- Apply Cisco’s Patch Immediately
Upgrade to ISE and ISE PIC 3.4 Patch 2 (ise apply CSCwo99449_3.4.0.608_patch1 SPA). - No Workarounds Available
Cisco hasn’t published any temporary fixes or mitigations. - Restrict Access to Management APIs
Block or isolate the affected HTTPS ports until patching is complete. - Monitor and Audit
Check logs for abnormal uploads, especially to system paths. Watch for unknown files executing on the host. - Scan with Nessus or Qualys
Use updated vulnerability plugins like Nessus QID 240417 or Qualys QID 317667 to detect unpatched systems.
Why It’s a Top CVE for June 2025?
- Zero authentication needed. Anyone can attack.
- Root-level code execution means full takeover.
- No workaround. Patching is the only defense.
- Critical network gatekeeper. ISE controls network access in many large organizations.
- Easy exploitability. The missing validation is trivial to abuse.
- High-value target. Once vulnerable, entire network stacks are at risk.
2. CVE-2025-47172: Remote Code Execution in Microsoft SharePoint Server
CVE-2025-47172 is a critical vulnerability in Microsoft SharePoint Server that allows remote code execution by an authenticated attacker. It impacts multiple versions of SharePoint and arises from improper handling of SQL queries, enabling an attacker to inject malicious commands and execute arbitrary code on the server.
This flaw is especially dangerous because it requires only user-level access to the SharePoint instance. Once authenticated, the attacker can craft specific inputs that trigger SQL injection and ultimately gain full control over the underlying server.
CVE-2025-47172 At a Glance
| Attribute | Value |
| Severity | Critical |
| CVSS v3.1 Score | 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) |
| Exploitation Status | No active exploitation reported yet |
| Attack Vector | Network (Remote) |
| User Interaction | None |
| Privileges Required | Low (authenticated user) |
| Scope | Unchanged |
| Vulnerability Type | SQL Injection leading to Remote Code Execution (CWE-89) |
| Affected Products | Microsoft SharePoint Server 2016, 2019, Subscription Edition |
Impact of Exploitation
- Remote Code Execution: Attackers can execute arbitrary commands on the SharePoint server with the same privileges as the SharePoint service account
- Data Access and Theft: Sensitive business documents, PII, and internal files stored in SharePoint could be extracted or tampered with
- Privilege Escalation Path: Combined with lateral movement techniques, attackers could gain domain-level privileges
- Operational Disruption: A compromised server could be used to launch further attacks or shut down services entirely
Technical Root Cause
The vulnerability lies in the SQL query handling mechanism of SharePoint Server. When processing specially crafted inputs from a low-privilege authenticated user, SharePoint fails to properly sanitize query parameters. This oversight allows attackers to inject SQL statements that alter the intended logic, escalate privileges, and execute arbitrary code in the backend environment.
Affected Products and Versions
- Microsoft SharePoint Server 2016
- Before KB5038316
- Microsoft SharePoint Server 2019
- Before KB5038314
- Microsoft SharePoint Server Subscription Edition
- Before KB5038312
Mitigation Guidance
- Install Latest Patches: Microsoft has issued updates that fix this vulnerability. Apply the latest cumulative updates for the affected SharePoint versions immediately.
- Audit User Access: Ensure only trusted internal users have SharePoint access. Review permission models and remove unnecessary roles.
- Monitor SharePoint Logs: Watch for unusual database queries, failed authentication attempts, or unexpected data exfiltration activity.
- Isolate Critical Workloads: Ensure SharePoint is not running with excessive privileges and is segmented from core infrastructure where possible.
- Apply WAF Rules: Use a web application firewall to block suspicious query patterns targeting known vulnerable endpoints.
- Restrict Administrative Interfaces: Prevent access to SharePoint administrative panels from external networks.
Why It Ranks Among the Top CVEs of June 2025?
- Enterprise Impact: SharePoint is widely deployed in large organizations for collaboration and document management
- Privilege Abuse Potential: Exploitation allows full control of the backend server using only an authenticated user account
- Critical Data Risk: Attacks could expose or alter confidential business data and intellectual property
- Broad Version Coverage: Multiple active and supported SharePoint versions are vulnerable
- SQL Injection to RCE: One of the most dangerous attack paths due to reliability and lack of user interaction
3. CVE-2025-32710: Remote Code Execution in Windows Remote Desktop Services via Use-After-Free
CVE-2025-32710 is a critical use-after-free vulnerability in Microsoft’s Remote Desktop Services (RDS) Gateway component. This flaw allows remote, unauthenticated attackers to execute arbitrary code on target systems by exploiting the mishandling of memory during specific RDS protocol operations.
The issue arises due to improper memory management when processing RDS session requests. An attacker can exploit this by sending crafted RDP packets that trigger use-after-free conditions, leading to memory corruption and remote code execution.
CVE-2025-32710 At a Glance
| Attribute | Value |
| Severity | Critical |
| CVSS v3.1 Score | 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| Exploitation Status | No public exploitation as of patch release |
| Attack Vector | Network (Remote) |
| User Interaction | None |
| Privileges Required | None |
| Scope | Unchanged |
| Vulnerability Type | Use-After-Free (CWE-416) |
| Affected Products | Windows Server 2022, 2019, and 2016 with RDS Gateway |
Impact of Exploitation
- Remote Code Execution: Attackers can take full control of the vulnerable server without needing credentials
- Potential Lateral Movement: Once inside, attackers may pivot to other internal systems
- Ransomware Deployment: High-value targets such as RDS are often initial entry points for ransomware campaigns
- Service Disruption: Exploitation may crash RDS services or lead to denial of service
Technical Root Cause
The vulnerability is rooted in how the Remote Desktop Services Gateway handles session memory. Specifically, it fails to properly deallocate memory after closing or transitioning RDP sessions. An attacker can send specially crafted packets to reuse freed memory areas, overwrite function pointers or return addresses, and gain code execution privileges on the target system.
Affected Products and Versions
- Windows Server 2022 with RDS Gateway enabled
- Windows Server 2019 with RDS Gateway enabled
- Windows Server 2016 with RDS Gateway enabled
- RDS Gateway configurations using default settings are especially at risk
Mitigation Guidance
- Apply Security Updates: Microsoft has released patches in the June 2025 Patch Tuesday. All affected systems should be updated immediately
- Limit Exposure: If patching is delayed, restrict RDS Gateway access via firewalls or VPNs
- Enable Network Level Authentication (NLA): This adds a layer of protection by requiring authentication before session setup
- Monitor RDP Logs: Look for unusual connection attempts, failed logins, or large numbers of session requests
- Implement RDP Gateway Hardening: Disable legacy protocols, enforce MFA, and monitor traffic with IDS/IPS tools
Why It Ranks Among the Top CVEs of June 2025?
- Critical Microsoft Component: Affects widely deployed RDS Gateway across enterprise networks
- No User Interaction: Makes it ideal for automated attacks or wormable malware
- High Value Targets: RDS Gateways often serve as entry points into internal systems
- Patch Just Released: Enterprises that delay updates remain exposed
- Potential Ransomware Vector: Similar flaws have historically led to ransomware deployments like BlueKeep and DejaBlue
4. CVE-2025-33071: Remote Code Execution in Windows Kerberos KDC Proxy Service via Use-After-Free
CVE-2025-33071 is a critical vulnerability found in the Kerberos Key Distribution Center (KDC) Proxy Service within Microsoft Windows. It stems from a use-after-free memory flaw that allows remote attackers to execute arbitrary code on vulnerable systems. The flaw can be exploited over the network without needing any user interaction or prior authentication.
This vulnerability specifically targets the KDC Proxy component responsible for handling Kerberos authentication requests in remote or hybrid environments.
Improper memory handling enables attackers to craft a malicious sequence of packets that trigger the use-after-free condition, allowing them to hijack program flow and execute malicious code.
CVE-2025-33071 At a Glance
| Attribute | Value |
| Severity | Critical |
| CVSS v3.1 Score | 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| Exploitation Status | No active exploitation reported as of June 2025 |
| Attack Vector | Network (Remote) |
| User Interaction | None |
| Privileges Required | None |
| Scope | Unchanged |
| Vulnerability Type | Use-After-Free (CWE-416) |
| Affected Products | Windows Server 2016 and later, Windows 10/11 with KDC Proxy enabled |
Impact of Exploitation
- Remote Code Execution: A successful exploit grants the attacker the ability to execute arbitrary code in the context of the KDC Proxy service.
- Compromise of Authentication Infrastructure: Since Kerberos authentication is core to enterprise identity systems, exploitation could impact domain controller integrity.
- Lateral Movement: Attackers may use this foothold to move within the network, impersonate users, or escalate privileges.
- Service Instability: Targeted attacks may crash or hang Kerberos services, disrupting authentication operations.
Technical Root Cause
The flaw is caused by the reuse of a previously freed memory block in the KDC Proxy service when handling specially crafted network packets. When the service incorrectly accesses an already-freed object, it creates an opening for attackers to manipulate memory layout and redirect code execution.
This vulnerability is particularly dangerous because it affects a core authentication mechanism in enterprise Windows environments. Attackers do not require credentials, and the attack can be carried out remotely.
Affected Products and Versions
- Windows Server 2016, 2019, 2022 (with KDC Proxy role enabled)
- Windows 10 (Enterprise and Pro) if configured for remote Kerberos proxying
- Windows 11 (all editions) with hybrid authentication features enabled
- Microsoft has confirmed that systems without KDC Proxy enabled are not impacted.
Mitigation Guidance
- Apply Official Patches: Microsoft issued a fix for CVE-2025-33071 in its June 2025 Patch Tuesday update. Admins should immediately apply these patches across all systems running KDC Proxy.
- Disable KDC Proxy if Not Needed: If your environment does not require Kerberos proxying (commonly used in DirectAccess or hybrid identity setups), disable the role to reduce exposure.
- Monitor for Abnormal Authentication Activity: Watch for unusual Kerberos traffic or anomalies in authentication logs that could indicate attempted exploitation.
- Implement Access Control and Network Segmentation: Limit network access to domain controllers and proxy-enabled systems using firewalls or network ACLs.
- Enable Advanced Logging: Turn on Windows Event Logging for Kerberos service operations to detect potential abuse patterns early.
Why It Ranks Among the Top CVEs of June 2025?
- Critical Role in Identity: Targets the Kerberos service that underpins enterprise authentication across Microsoft environments.
- Remote Exploitability: Can be triggered over the network without credentials or user input.
- High-Impact Potential: Successful exploitation could lead to domain compromise and widespread lateral movement.
- Default in Enterprise Setups: KDC Proxy is often enabled in hybrid cloud deployments and remote access solutions.
- Requires Urgent Attention: Even though no active exploits were seen during initial disclosure, the nature of the flaw makes it likely to be targeted in future campaigns.
5. CVE-2025-29828: Remote Code Execution in Windows Secure Channel
CVE-2025-29828 is a critical remote code execution vulnerability found in Microsoft’s Secure Channel (Schannel) security support provider. It impacts Windows systems and stems from how fragmented TLS handshake packets are processed in memory. By exploiting this flaw, a remote attacker can execute arbitrary code on targeted machines without needing any user interaction.
This vulnerability affects a core component responsible for handling encrypted internet traffic, making it a high-risk concern for enterprises using Windows-based infrastructure. Although Microsoft has not confirmed exploitation in the wild, the ease of attack and the critical role of Schannel in securing communications make this a significant threat.
CVE-2025-29828 At a Glance
| Attribute | Value |
| Severity | Critical |
| CVSS v3.1 Score | 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| Exploitation Status | Not yet exploited in the wild |
| Attack Vector | Network (Remote) |
| User Interaction | None |
| Privileges Required | None |
| Scope | Unchanged |
| Vulnerability Type | Memory Corruption during TLS Handshake |
| Affected Products | Windows 10, 11, and Windows Server 2016–2022 |
Impact of Exploitation
- Remote Code Execution: Attackers can send specially crafted fragmented TLS handshake messages to execute code.
- Full System Compromise: Exploitation could give attackers full control over the system.
- Stealthy Exploits: Since no authentication or user interaction is needed, attacks can be launched silently.
- Widespread Target Scope: Any server or endpoint that handles TLS connections may be a target.
Technical Root Cause
The vulnerability arises from improper memory handling of fragmented TLS handshake messages. Schannel fails to safely manage the reassembly and validation of these packets, allowing attackers to inject malicious code that gets executed within the context of the Schannel process. This flaw is similar in pattern to past vulnerabilities like CVE-2014-6321, making it potentially attractive for exploitation.
Affected Products and Versions
- Windows 10 (1909 and later)
- Windows 11 (all versions up to June 2025 patch)
- Windows Server 2016, 2019, 2022
Mitigation Guidance
- Apply Security Updates Immediately: Install Microsoft’s June 2025 cumulative update to mitigate the vulnerability.
- Limit Exposure: Block unnecessary inbound TLS/SSL traffic at the perimeter and restrict Schannel-exposed services.
- Enable Memory Protection Features: Use Control Flow Guard (CFG) and Enhanced Mitigation Experience Toolkit (EMET) for added security.
- Network Monitoring: Look for anomalies or malformed TLS traffic in packet captures.
- Segment High-Risk Hosts: Isolate publicly facing servers running Windows to limit lateral movement in case of compromise.
Why It Ranks Among the Top CVEs of June 2025?
- Core Component Exposure: Targets Schannel, a vital part of encrypted communication on Windows.
- Remote and Silent Exploitability: No privileges or interaction required.
- High Impact on Confidentiality and Integrity: Enables full system access if exploited.
- Enterprise Relevance: Found on almost all Windows servers and endpoints.
- Historical Precedent: Similar vulnerabilities have been exploited in past cyberattacks.
Bottomline
That wraps up the top CVEs of June 2025. These aren’t just random bugs. They’re the ones attackers are watching. And the ones you should be patching now.
But keeping up isn’t easy. New CVEs drop daily. Sorting the urgent from the background noise takes time most teams don’t have.
Strobes Vulnerability Intelligence helps make it simple. It brings real-time CVE insights, highlights what’s exploitable, and gives your team the context to act fast. No guessing. Just clear priorities.
References
CISA KEV Catalog (Known Exploited Vulnerabilities)
→ https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Microsoft Patch Tuesday Blog
→ https://msrc.microsoft.com/update-guide
