Microsoft WebDAV/MSHTML Vulnerability (CVE-2025-33053): Patching & Long-term Mitigations

As happens every month, Microsoft released a series of patches on the second Tuesday of this month. The ones released on 10 June 2025 contained patches for a vulnerability tracked as CVE-2025-33053. This vulnerability abuses WebDAV and the MSHTML browser engine to allow attacker-controlled resources to be loaded. It was initially exploited by the Stealth Falcon (aka Fruity Armor) Advanced Persistent Threat group, which is believed to be part of, or sponsored by, the state of the United Arab Emirates. Exploitation of this vulnerability is now starting to spread more widely.

Organisations using legacy Windows systems, and those with Internet Explorer compatibility mode enabled, face heightened risk. Microsoft has taken the unusual step of issuing patches for this vulnerability all the way back to legacy platforms such as Windows Server 2008 and Internet Explorer's underlying components, even though Internet Explorer has been out of support for over 3 years. The 2025-06 Cumulative Update should be installed even where an organisation no longer uses Internet Explorer, because those components can still be launched via compatibility mode in Microsoft Edge.

Action Required: Install the June 2025 Cumulative Update on Windows devices and servers as soon as possible. The update is available for Windows 10, Windows 11, Windows Server 2008, 2012, 2016, 2019 and 2022.

In the longer term, to protect against similar MSHTML issues it is good practice to disable IE compatibility mode via Group Policy wherever possible. A small minority of organisations may still need compatibility mode enabled for a very limited number of users. To apply such a policy (source: Microsoft):

  1. Download and use the latest Microsoft Edge Policy Template.
  2. Open Group Policy Editor.
  3. Click User Configuration/Computer Configuration > Administrative Templates > Microsoft Edge.
  4. Double-click Configure Internet Explorer integration.
  5. Select Enabled.
  6. Under Options, set the dropdown value to None to stop users from using or configuring Internet Explorer mode. (Setting this to Disabled means compatibility mode is disabled by default but can still be enabled manually by users.)
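For standalone machines, or to verify that the Group Policy above has actually landed on an endpoint, the same setting can be audited and enforced from an elevated PowerShell prompt. The script below is an added example written for this advisory; it is not Microsoft's code and not part of the original post. It assumes that the "Configure Internet Explorer integration" policy item writes the REG_DWORD value InternetExplorerIntegrationLevel under HKLM\SOFTWARE\Policies\Microsoft\Edge (the Computer Configuration path; the User Configuration variant lands under HKCU instead), with 0 meaning None, 1 meaning Internet Explorer mode and 2 meaning NeedIE. The KB article number for the June 2025 Cumulative Update is a placeholder because it differs per OS build and is not given in the advisory.

```powershell
# Added example (not from the advisory or Microsoft): audit and enforce the
# "Configure Internet Explorer integration" policy, then report whether a
# given cumulative update is installed.
# Assumption: the GPO item maps to the REG_DWORD InternetExplorerIntegrationLevel
# under HKLM\SOFTWARE\Policies\Microsoft\Edge (0 = None, 1 = IEMode, 2 = NeedIE).
#Requires -RunAsAdministrator

$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$ValueName     = 'InternetExplorerIntegrationLevel'
$LevelNames    = @{ 0 = 'None'; 1 = 'IEMode'; 2 = 'NeedIE' }

function Get-IEModePolicyState {
    # Returns 'NotConfigured' when the value is absent (users may still switch
    # IE mode on themselves), otherwise the name of the configured level.
    $item = Get-ItemProperty -Path $EdgePolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    $level = [int]$item.$ValueName
    if ($LevelNames.ContainsKey($level)) { return $LevelNames[$level] }
    return "Unknown($level)"
}

function Set-IEModeDisabled {
    # Enforce level 0 ("None"): IE mode is neither usable nor configurable by users.
    if (-not (Test-Path $EdgePolicyKey)) {
        New-Item -Path $EdgePolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $EdgePolicyKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-UpdateInstalled {
    # True when the given KB article appears in the installed hotfix list.
    param([Parameter(Mandatory)][string]$KbId)
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

# --- Audit the IE mode policy ---
$before = Get-IEModePolicyState
Write-Host "IE mode policy before: $before"

# Only 'None' stops users enabling IE mode; 'NotConfigured', 'IEMode' and
# 'NeedIE' all leave the MSHTML path reachable from Edge.
if ($before -ne 'None') {
    Set-IEModeDisabled
    Write-Host "IE mode policy after:  $(Get-IEModePolicyState)"
}

# --- Check the June 2025 Cumulative Update ---
# Placeholder KB id: look up the 2025-06 Cumulative Update article for your OS build.
$kb = 'KB0000000'
if (Test-UpdateInstalled -KbId $kb) {
    Write-Host "$kb is installed"
} else {
    Write-Warning "$kb not found; install the 2025-06 Cumulative Update"
}
```

Restart Microsoft Edge after running the script and confirm the effective value on the edge://policy page. On domain-joined machines the domain GPO remains authoritative and will overwrite a locally written value at the next policy refresh, so use the script there for verification rather than enforcement.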

We provide notifications like this to our customers and partnered MSPs to help them stay on top of regular threats.
