【安全更新】微软6月安全更新多个产品高危漏洞通告
【安全更新】微软6月安全更新多个产品高危漏洞通告
原创 NS-CERT 绿盟科技CERT 2025-06-12 03:02
通告编号:NS-2025-0033
2025-06-12
| TAG: |
安全更新、Windows、Microsoft Office、Azure、Microsoft Visual Studio |
| 漏洞危害: |
攻击者利用本次安全更新中的漏洞,可造成权限提升、远程代码执行等 |
| 版本: | 1.0 |
1
漏洞概述
6月11日,绿盟科技CERT监测到微软发布6月安全更新补丁,修复了67个安全问题,涉及Windows、Microsoft Office、Azure、Microsoft Visual Studio等广泛使用的产品,其中包括权限提升、远程代码执行等高危漏洞类型。
本月微软月度更新修复的漏洞中,严重程度为关键(Critical)的漏洞有11个,重要(Important)漏洞有58个。其中包括1个已检测到在野利用的漏洞:
Web分布式创作和版本控制 (WEBDAV) 远程代码执行漏洞(CVE-2025-33053)
请相关用户尽快更新补丁进行防护,完整漏洞列表请参考附录。
参考链接:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Jun
SEE MORE →
2重点漏洞简述
根据产品流行度和漏洞重要性筛选出此次更新中包含影响较大的漏洞,请相关用户重点进行关注:
Windows Schannel 远程代码执行漏洞(CVE-2025-29828):
Windows Schannel存在远程代码执行漏洞。由于在Windows加密服务中存在内存泄露,,未经身份验证的攻击者可通过向TLS连接的目标服务器发送大量恶意的分片ClientHello消息,从而执行任意代码。CVSS评分8.1。
官方通告链接:
https://msrc.microsoft.com/update-guide/zh-cn/vulnerability/CVE-2025-29828
Microsoft Word远程执行代码漏洞(CVE-2025-32717):
Microsoft Word存在远程执行代码漏洞。由于Microsoft Office Word中存在基于堆的缓冲区溢出漏洞,未经身份验证的攻击者可以制作恶意的RTF文件诱使用户打开或预览窗格,从而在用户上下文中执行任意代码。CVSS评分8.4。
官方通告链接:
https://msrc.microsoft.com/update-guide/zh-cn/vulnerability/CVE-2025-32717
Web分布式创作和版本控制 (WEBDAV) 远程代码执行漏洞(CVE-2025-33053):
Web分布式创作和版本控制 (WEBDAV) 存在远程代码执行漏洞。由于WebDAV对链接中的文件路径处理不当,未经身份验证的攻击者可以通过外部控制WebDAV中的文件名或路径,诱导用户点击特制链接从而执行任意代码。CVSS评分8.8。
官方通告链接:
https://msrc.microsoft.com/update-guide/zh-cn/vulnerability/CVE-2025-33053
Windows 路由和远程访问服务 (RRAS) 远程代码执行漏洞(CVE-2025-33064):
Windows 路由和远程访问服务 (RRAS) 存在远程代码执行漏洞。由于Windows路由和远程访问服务(RRAS)中存在基于堆的缓冲区溢出漏洞,未经身份验证的远程攻击者可以在本地执行代码。CVSS评分8.8。
官方通告链接:
https://msrc.microsoft.com/update-guide/zh-cn/vulnerability/CVE-2025-33064
Power Automate权限提升漏洞(CVE-2025-47966):
Power Automate存在权限提升漏洞。由于Power Automate中存在敏感信息泄露,攻击者可以获取这些敏感信息,从而实现权限提升。CVSS评分9.8。
官方通告链接:
https://msrc.microsoft.com/update-guide/zh-cn/vulnerability/CVE-2025-47966
Microsoft Word远程执行代码漏洞(CVE-2025-47957):
Microsoft Word存在远程执行代码漏洞。由于Microsoft Office Word中存在“释放后使用”问题,未经身份验证的攻击者可以在本地执行代码。CVSS评分8.4。
官方通告链接:
https://msrc.microsoft.com/update-guide/zh-cn/vulnerability/CVE-2025-47957
Windows Netlogon权限提升漏洞(CVE-2025-33070):
Windows Netlogon存在权限提升漏洞。由于Windows Netlogon中使用了未初始化的资源,攻击者可以通过向域控制器发送特制的身份验证请求,从而获得域管理员权限。CVSS评分8.1。
官方通告链接:
https://msrc.microsoft.com/update-guide/zh-cn/vulnerability/CVE-2025-33070
3影响范围
以下为部分重点关注漏洞的受影响产品版本,其他漏洞影响产品范围请参阅官方通告链接。
|
漏洞编号 |
受影响产品版本 |
|
CVE-2025-29828 |
Windows Server 2025 Windows 11 Version 24H2 for x64-based Systems Windows 11 Version 24H2 for ARM64-based Systems Windows Server 2022, 23H2 Edition (Server Core installation) Windows 11 Version 23H2 for x64-based Systems Windows 11 Version 23H2 for ARM64-based Systems Windows Server 2025 (Server Core installation) Windows 11 Version 22H2 for x64-based Systems Windows 11 Version 22H2 for ARM64-based Systems Windows Server 2022 (Server Core installation) Windows Server 2022 |
|
CVE-2025-32717 |
Microsoft 365 Apps for Enterprise for 64-bit Systems |
|
CVE-2025-33053 CVE-2025-33064 |
Windows Server 2022, 23H2 Edition (Server Core installation) Windows 11 Version 23H2 for x64-based Systems Windows 11 Version 23H2 for ARM64-based Systems Windows Server 2025 (Server Core installation) Windows 10 Version 22H2 for 32-bit Systems Windows 10 Version 22H2 for ARM64-based Systems Windows 10 Version 22H2 for x64-based Systems Windows 11 Version 22H2 for x64-based Systems Windows 11 Version 22H2 for ARM64-based Systems Windows 10 Version 21H2 for x64-based Systems Windows Server 2012 R2 (Server Core installation) Windows Server 2012 R2 Windows Server 2012 (Server Core installation) Windows Server 2012 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2016 (Server Core installation) Windows Server 2016 Windows 10 Version 1607 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems Windows 10 for x64-based Systems Windows 10 for 32-bit Systems Windows Server 2025 Windows 11 Version 24H2 for x64-based Systems Windows 11 Version 24H2 for ARM64-based Systems Windows 10 Version 21H2 for ARM64-based Systems Windows 10 Version 21H2 for 32-bit Systems Windows Server 2022 (Server Core installation) Windows Server 2022 Windows Server 2019 (Server Core installation) Windows Server 2019 Windows 10 Version 1809 for x64-based Systems Windows 10 Version 1809 for 32-bit Systems |
|
CVE-2025-47966 |
Power Automate for Desktop |
|
CVE-2025-47957 |
Microsoft Office LTSC 2024 for 64-bit editions Microsoft Office LTSC 2024 for 32-bit editions Microsoft Office LTSC 2021 for 32-bit editions Microsoft Office LTSC 2021 for 64-bit editions Microsoft 365 Apps for Enterprise for 64-bit Systems Microsoft 365 Apps for Enterprise for 32-bit Systems |
|
CVE-2025-33070 |
Windows Server 2012 R2 (Server Core installation) Windows Server 2012 R2 Windows Server 2012 (Server Core installation) Windows Server 2012 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2016 (Server Core installation) Windows Server 2016 Windows 10 Version 1607 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems Windows 10 for x64-based Systems Windows 10 for 32-bit Systems Windows Server 2025 Windows 11 Version 24H2 for x64-based Systems Windows 11 Version 24H2 for ARM64-based Systems Windows Server 2022, 23H2 Edition (Server Core installation) Windows 11 Version 23H2 for x64-based Systems Windows 11 Version 23H2 for ARM64-based Systems Windows Server 2025 (Server Core installation) Windows 10 Version 22H2 for 32-bit Systems Windows 10 Version 22H2 for ARM64-based Systems Windows 10 Version 22H2 for x64-based Systems Windows 11 Version 22H2 for x64-based Systems Windows 11 Version 22H2 for ARM64-based Systems Windows 10 Version 21H2 for x64-based Systems Windows 10 Version 21H2 for ARM64-based Systems Windows 10 Version 21H2 for 32-bit Systems Windows Server 2022 (Server Core installation) Windows Server 2022 Windows Server 2019 (Server Core installation) Windows Server 2019 Windows 10 Version 1809 for x64-based Systems Windows 10 Version 1809 for 32-bit Systems |
4漏洞防护
4.1 补丁更新
目前微软官方已针对受支持的产品版本发布了修复以上漏洞的安全补丁,强烈建议受影响用户尽快安装补丁进行防护,官方下载链接:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Jun
注:由于网络问题、计算机环境问题等原因,Windows Update的补丁更新可能出现失败。用户在安装补丁后,应及时检查补丁是否成功更新。
右键点击Windows图标,选择“设置(N)”,选择“更新和安全”-“Windows更新”,查看该页面上的提示信息,也可点击“查看更新历史记录”查看历史更新情况。
针对未成功安装的更新,可点击更新名称跳转到微软官方下载页面,建议用户点击该页面上的链接,转到“Microsoft更新目录”网站下载独立程序包并安装。
。
附录:漏洞列表
|
影响产品 |
CVE编号 |
漏洞标题 |
严重程度 |
|
Windows |
CVE-2025-29828 |
Windows Schannel 远程代码执行漏洞 |
Critical |
|
Windows |
CVE-2025-32710 |
Windows Remote Desktop Services 远程代码执行漏洞 |
Critical |
|
Microsoft Office |
CVE-2025-47162 |
Microsoft Office 远程代码执行漏洞 |
Critical |
|
Microsoft Office |
CVE-2025-47953 |
Microsoft Office 远程代码执行漏洞 |
Critical |
|
Windows |
CVE-2025-33071 |
Windows KDC Proxy Service (KPSSVC) 远程代码执行漏洞 |
Critical |
|
Microsoft Dynamics |
CVE-2025-47966 |
Power Automate 权限提升漏洞 |
Critical |
|
Microsoft Office |
CVE-2025-32717 |
Microsoft Word 远程代码执行漏洞 |
Critical |
|
Windows |
CVE-2025-33070 |
Windows Netlogon 权限提升漏洞 |
Critical |
|
Microsoft Office |
CVE-2025-47164 |
Microsoft Office 远程代码执行漏洞 |
Critical |
|
Microsoft Office |
CVE-2025-47167 |
Microsoft Office 远程代码执行漏洞 |
Critical |
|
Microsoft Office |
CVE-2025-47172 |
Microsoft SharePoint Server 远程代码执行漏洞 |
Critical |
|
Microsoft Office |
CVE-2025-47957 |
Microsoft Word 远程代码执行漏洞 |
Important |
|
Windows |
CVE-2025-32712 |
Win32k 权限提升漏洞 |
Important |
|
Windows |
CVE-2025-32713 |
Windows Common Log File System Driver 权限提升漏洞 |
Important |
|
Windows |
CVE-2025-32714 |
Windows Installer 权限提升漏洞 |
Important |
|
Windows |
CVE-2025-32715 |
Remote Desktop Protocol Client 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-32716 |
Windows Media 权限提升漏洞 |
Important |
|
Windows |
CVE-2025-32718 |
Windows SMB Client 权限提升漏洞 |
Important |
|
Windows |
CVE-2025-32719 |
Windows Storage Management Provider 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-32720 |
Windows Storage Management Provider 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-32721 |
Windows Recovery Driver 权限提升漏洞 |
Important |
|
Windows |
CVE-2025-32722 |
Windows Storage Port Driver 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-32724 |
Local Security Authority Subsystem Service (LSASS) 拒绝服务漏洞 |
Important |
|
Windows |
CVE-2025-33058 |
Windows Storage Management Provider 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-33059 |
Windows Storage Management Provider 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-33060 |
Windows Storage Management Provider 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-33061 |
Windows Storage Management Provider 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-33062 |
Windows Storage Management Provider 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-33063 |
Windows Storage Management Provider 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-33064 |
Windows Routing and Remote Access Service (RRAS) 远程代码执行漏洞 |
Important |
|
Windows |
CVE-2025-33065 |
Windows Storage Management Provider 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-33066 |
Windows Routing and Remote Access Service (RRAS) 远程代码执行漏洞 |
Important |
|
Windows |
CVE-2025-33067 |
Windows Task Scheduler 权限提升漏洞 |
Important |
|
Windows |
CVE-2025-33075 |
Windows Installer 权限提升漏洞 |
Important |
|
Windows |
CVE-2025-47160 |
Windows Shortcut Files 安全功能绕过漏洞 |
Important |
|
Windows |
CVE-2025-47955 |
Windows Remote Access Connection Manager 权限提升漏洞 |
Important |
|
Windows |
CVE-2025-47956 |
Windows Security App 欺骗漏洞 |
Important |
|
Windows SDK |
CVE-2025-47962 |
Windows SDK 权限提升漏洞 |
Important |
|
Windows |
CVE-2025-47969 |
Windows Virtualization-Based Security (VBS) 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-24068 |
Windows Storage Management Provider 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-24069 |
Windows Storage Management Provider 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-24065 |
Windows Storage Management Provider 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-32725 |
DHCP Server Service 拒绝服务漏洞 |
Important |
|
Windows |
CVE-2025-33050 |
DHCP Server Service 拒绝服务漏洞 |
Important |
|
Windows |
CVE-2025-33052 |
Windows DWM Core Library Information Disclosure Vulnerability |
Important |
|
Windows |
CVE-2025-33053 |
Web Distributed Authoring and Versioning (WEBDAV) 远程代码执行漏洞 |
Important |
|
Windows |
CVE-2025-33055 |
Windows Storage Management Provider 信息披露漏洞 |
Important |
|
Windows |
CVE-2025-33056 |
Windows Local Security Authority (LSA) 拒绝服务漏洞 |
Important |
|
Windows |
CVE-2025-33057 |
Windows Local Security Authority (LSA) 拒绝服务漏洞 |
Important |
|
Windows |
CVE-2025-33068 |
Windows Standards-Based Storage Management Service 拒绝服务漏洞 |
Important |
|
Windows |
CVE-2025-33069 |
Windows App Control for Business 安全功能绕过漏洞 |
Important |
|
Windows |
CVE-2025-33073 |
Windows SMB Client 权限提升漏洞 |
Important |
|
Microsoft Office |
CVE-2025-47163 |
Microsoft SharePoint Server 远程代码执行漏洞 |
Important |
|
Microsoft Office |
CVE-2025-47165 |
Microsoft Excel 远程代码执行漏洞 |
Important |
|
Microsoft Office |
CVE-2025-47166 |
Microsoft SharePoint Server 远程代码执行漏洞 |
Important |
|
Microsoft Office |
CVE-2025-47168 |
Microsoft Word 远程代码执行漏洞 |
Important |
|
Microsoft Office |
CVE-2025-47169 |
Microsoft Word 远程代码执行漏洞 |
Important |
|
Microsoft Office |
CVE-2025-47170 |
Microsoft Word 远程代码执行漏洞 |
Important |
|
Microsoft Office |
CVE-2025-47171 |
Microsoft Outlook 远程代码执行漏洞 |
Important |
|
Microsoft Office |
CVE-2025-47173 |
Microsoft Office 远程代码执行漏洞 |
Important |
|
Microsoft Office |
CVE-2025-47174 |
Microsoft Excel 远程代码执行漏洞 |
Important |
|
Microsoft Office |
CVE-2025-47175 |
Microsoft PowerPoint 远程代码执行漏洞 |
Important |
|
Microsoft Office |
CVE-2025-47176 |
Microsoft Outlook 远程代码执行漏洞 |
Important |
|
Windows |
CVE-2025-3052 |
Cert CC: CVE-2025-3052 InsydeH2O Secure Boot Bypass |
Important |
|
Microsoft Visual Studio |
CVE-2025-47959 |
Visual Studio 远程代码执行漏洞 |
Important |
|
Microsoft Office |
CVE-2025-47968 |
Microsoft AutoUpdate (MAU) 权限提升漏洞 |
Important |
|
Azure |
CVE-2025-47977 |
Nuance Digital Engagement Platform 欺骗漏洞 |
Important |
END
声明
本安全公告仅用来描述可能存在的安全问题,绿盟科技不为此安全公告提供任何保证或承诺。由于传播、利用此安全公告所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,绿盟科技以及安全公告作者不为此承担任何责任。
绿盟科技拥有对此安全公告的修改和解释权。如欲转载或传播此安全公告,必须保证此安全公告的完整性,包括版权声明等全部内容。未经绿盟科技允许,不得任意修改或者增减此安全公告内容,不得以任何方式将其用于商业目的。
绿盟科技CERT
∣
微信公众号
长按识别二维码,关注网络安全威胁信息