Top Exploited Vulnerabilities in June 2025

To develop a strong cybersecurity posture, companies need to understand the evolving risk landscape. Regularly identifying Common Vulnerabilities and Exposures (CVEs) is critical for keeping your IT security strategy up to date.  

To help with that, we are giving an overview of the top CVEs that were identified in June 2025 that includes information on how the vulnerabilities were exploited.  

As a trusted cybersecurity solution and service provider, ProActive Solutions uses real-world scenarios to explain how to defend against these risks. 

Who was Impacted by CVEs in June 2025?

Multiple industries were affected by CVEs in June of 2025. Bad actors used different attack vectors to exploit vulnerabilities in companies in these verticals. 

Technology & Networking:  

• Cisco Identity Service Engine (ISE) is critical for enterprise access control 

• Git vulnerabilities threaten critical infrastructure and internal services  
   

Enterprise Software & Collaboration: 

• Microsoft SharePoint 

• Windows Remote Desktop Services (RDS) and Server Message Block (SMB) expose servers to ransomware and lateral movement   
   

Telecom & IoT:  

• Fortinet FortiVoice affects infrastructure devices 

• Belkin router buffer‑overflows compromise home and business networks  
   

Enterprise/ERP Platforms:  

• SAP NetWeaver allows unauthorized system control, affecting manufacturing and operations   
   

Consumer Software/Browsers: 

• Chromium V8 exploited via browsing 

• Intel/Qualcomm chipset flaws could impact mobile and edge devices 

Top Exploited CVEs in June 2025 

As of June 2025, several CVEs have been identified as actively exploited. These vulnerabilities affect both software and critical infrastructure components. Below is a summary of the most significant CVEs and their negative impacts. 

Windows Web Distributed Authoring and Versioning (WebDAV) Remote Code Execution (RCE) 

Status:  

✅ Confirmed Exploited (Zero-Day) 

Summary:  

• A vulnerability in the Windows WebDAV component allows attackers to execute arbitrary code by tricking a user into opening a .url file 

• The flaw affects Windows 10, 11, and Windows Server platforms 

Exploitation:  

• Weaponized by threat actors like Stealth Falcon via phishing emails 

• The malicious .url file loads an external WebDAV resource, executing payloads silently 

Patch Method:  

• Microsoft issued a fix during the June Patch Tuesday rollout 

Remediation:  

• Disable WebDAV if not in use 

• Update all endpoints 

• Block .url file execution from untrusted sources 

Third-Party Impact:  

• High risk to contractors or shared tenants in government and critical infrastructure who rely on Windows endpoint devices 

• Exploitation could traverse into shared environments via credential theft or mapped drives 

Windows Server Message Block (SMB) Client Elevation of Privilege (EoP) 

Status:  

✅ Confirmed Exploited [CISA Known Exploited Vulnerabilities (KEV)] 

Summary:  

• A flaw in how Windows SMB client handles network responses can be abused to elevate privileges to SYSTEM level 

Exploitation:  

• Attackers set up a malicious SMB server and trick clients into connecting, allowing them to execute SYSTEM-level code 

Patch Method:  

• Resolved in Microsoft’s June patch bundle 

Remediation:  

• Block outbound SMB connections to untrusted hosts 

• Enforce SMB signing 

• Restrict user permissions 

Third-Party Impact:  

• This vulnerability is especially risky in environments with shared network drives or external file sync services, exposing internal systems to lateral movement 

Citrix NetScaler Application Delivery Controller (ADC)/Gateway Remote Code Execution 

Status:  

✅ Confirmed Exploited (Horizon3.ai) 

Summary:  

• A critical RCE vulnerability in Citrix ADC and Gateway products, widely used for secure application delivery and remote access 

Exploitation:  

• Attackers use crafted HTTP requests to leak memory and execute code. In-the-wild exploitation has been confirmed by multiple researchers 

Patch Method:  

• Citrix released updated firmware (14.1-47.46 and later) 

Remediation:  

• Patch immediately 

• If you’re unsure of exposure, rotate credentials and review configurations for signs of compromise 

Third-Party Impact:  

• Impacts any organization using Citrix Virtual Private Networks (VPNs), including Managed Security Service Providers (MSSPs), partner support portals, or federated login systems

Apple iOS/macOS/iPadOS Code Execution via iCloud Media

Status:  

✅ Confirmed Exploited (CISA KEV) 

Summary: 

• A vulnerability in Apple’s media handling allows attackers to execute code on devices when users access malicious content shared via iCloud links 

Exploitation:  

• Delivered via a crafted image or video link, exploiting parsing logic in iOS/macOS’s image frameworks 

Patch Method:  

• Addressed by Apple in June’s security release 

Remediation:  

• Urge users to update immediately, especially on devices handling sensitive work 

• Block iCloud media access on high-trust devices where possible 

Third-Party Impact:  

• High risk for Bring Your Own Device (BYOD) or enterprise environments relying on Apple devices for cross-functional work 

• Exposure may extend to project collaborators or contractors 

Chromium V8 Out-of-Bounds Read/Write RCE 

Status:  

✅ Confirmed Exploited (Google Emergency Patch) 

Summary:  

• A memory flaw in the V8 JavaScript engine used by Chromium-based browsers allows for remote code execution when a user visits a malicious webpage 

Exploitation:  

• Active exploitation in the wild prompted Google to release an emergency security update 

• Malicious JavaScript triggers the bug in rendering engines 

Patch Method:  

• Available via Chrome’s auto-update or enterprise patch deployments 

Remediation:  

• Confirm browser versions are updated 

• Consider deploying content filters or browser isolation for high-risk users 

Third-Party Impact:  

• Software as a Service (SaaS) vendors embedding Chromium or shared web portals using V8 may pass risk downstream to end users and partners 

Fortinet FortiVoice Stcack-Based Buffer Overflow 

Status:  

✅ Confirmed Exploited in Limited Attacks (Fortinet Disclosure) 

Summary:  

• A stack buffer overflow in FortiVoice’s web interface allows remote code execution as root 

Exploitation:  

• Exploited through HTTP requests, bypassing basic access controls 

• Fortinet noted limited real-world exploitation targeting small enterprise deployments 

Patch Method:  

• Fortinet provided patched versions across FortiVoice 6.4, 7.0, and 7.2 

Remediation:  

• Patch affected systems immediately 

• If patching is delayed, disable administrative interfaces and isolate devices from the public internet 

Third-Party Impact:  

• Could compromise voice gateways and remote connectivity, especially in shared-call center, Managed Service Provider (MSP), or Session Initiation Protocol (SIP)-integrated deployments
  

What Companies Need to Know About CVEs in Q2 of 2025 

 1.) RCE Is Still King 

Over 70% of the top exploited vulnerabilities in June enabled Remote Code Execution, often without user interaction. RCE remains the most favored initial access vector, especially in remote infrastructure. 

• Client Tip: Prioritize patching RCEs, especially in services exposed to the internet. 

Chromium and Apple iCloud-based exploits show that client-side attacks are back in play. Phishing is no longer just about credential theft; it’s also a delivery method for stealth RCEs. 

• Client Tip: Enforce automatic browser/Operating System (OS) updates. Consider browser isolation or disabling link previews where applicable. 

Protocols like WebDAV, SMB, and RDS, originally designed decades ago, are increasingly exploited in modern attacks. 

• Client Tip: Decommission legacy services if possible. If they’re needed, wrap them with access controls. 

If a CVE is added to CISA’s Known Exploited Vulnerabilities catalog, it’s not theoretical. It’s being actively used in the wild. 

• Client Tip: Maintain a Service Level Agreement (SLA) for patching KEVs within 7 to 14 days max. Treat KEVs like ransomware proximity alerts. 

Several exploited CVEs in June involve systems not directly managed by security teams but by IT, ops, or service vendors. 

• Client Tip: Include these systems in your vulnerability management program and ensure vendor patching is contractually required and tracked. 

APT-linked tools were used to exploit both WebDAV and iCloud media CVEs, showing an uptick in stealth, tailored payloads in cyberespionage. 

• Client Tip: Layer your defenses; don’t rely solely on patching. Threat hunting and behavioral detection help spot APT activity before damage is done. 

Even patched systems can remain vulnerable for months due to poor asset inventory, untracked systems, or slow vendor cycles. 

• Client Tip: Focus on reducing security debt by investing in better asset management, automating patch deployment, and tightening integration between IT and security. 

How ProActive Solutions Can Help Clients Mitigate June 2025 CVEs 

Proactive Solutions offers a comprehensive and consultative approach to managing and mitigating the risks associated with critical CVEs that were identified in June 2025. By leveraging advanced security tools, proactive monitoring, and timely patch management, Proactive can help organizations stay ahead of cyber threats and ensure the security of their systems. 

10 Key Mitigation Strategies 

Why it matters:  

• 7 out of 10 exploited CVEs in June had patches available before or during active exploitation 

• Delayed patching remains the top cause of compromise 

How Proactive Helps: 

• Automate patch validation for OS, browsers, and third-party apps 

• Prioritize CISA KEV vulnerabilities with SLA-based workflows 

• Coordinate across IT and SecOps to eliminate patch blind spots 

• Provide monthly patch digest and vulnerability risk rankings 

 2.) Legacy Protocol Hardening 

Why it matters:  

• Exploited services included WebDAV, SMB, and Remote Desktop Services (RDS) 

• These older protocols are still enabled in many environments by default 

How Proactive Helps: 

• Identify and map usage of legacy protocols in your network 

• Recommend safe decommissioning or isolation steps 

• Configure host-based firewalls and Group Policies to limit access 

• Monitor for unauthorized use or anomalous port activity 

 3.) Endpoint Hardening & Configuration Management 

Why it matters:  

• Many client-side exploits rely on poor device hygiene or open access to risky features 

How Proactive Helps: 

• Enforce secure baselines using Mobile Device Management (MDM) and Unified Endpoint Management (UEM) 

• Disable risky services 

• Standardize endpoint browser configurations 

• Audit patch compliance across macOS, Windows, and mobile 

 4.) Internet-Facing System Security  

Why it matters:  

• Attackers exploited public-facing appliances with web-based or API-level flaws

How Proactive Helps: 

• Inventory and continuously scan external infrastructure 

• Harden admin interfaces 

• Deploy Web Application Firewall (WAF) or reverse proxy controls where needed 

• Monitor for exploitation attempts using honeypots or threat feeds 

5.) Browser and Application Isolation 

Why it matters:  

• Two high-profile RCEs in June occurred through the browser and cloud-sharing features 

How Proactive Helps: 

• Implement browser isolation for high-risk users or sites 

• Use secure web gateways to inspect and block malicious content 

• Control browser extensions via enterprise policy 

• Enable sandboxing for media and documents opened via cloud services 

 6.) Email and Phishing Defense 

Why it matters:  

• Exploits like the WebDAV RCE and iCloud media exploit were delivered through social engineering and crafted content 

How Proactive Helps: 

• Configure Secure Email Gateway (SEG) or cloud email gateways to detect weaponized attachments 

• Deliver advanced phishing simulations tailored to current exploit methods 

• Monitor inbox rule creation, lateral movement from phished accounts 

• Educate users on new payload formats 

7.) Access Control & Network Segmentation 

Why it matters:  

Exploited systems like Cisco ISE and SAP NetWeaver are commonly trusted across enterprise environments, so a compromise can lead to lateral escalation 

How Proactive Helps: 

• Identify overly permissive Virtual Local Area Networks (VLANs) and firewall rules 

• Segment critical infrastructure from standard user access 

• Recommend identity-aware access policies 

• Review service accounts and network paths that span business units 

8.) Threat Detection & Logging 

Why it matters:  

Exploits often leave breadcrumbs, such as anomalous SMB behavior, unusual HTTP requests to Citrix appliances, or abuse of RFC in SAP 

How Proactive Helps: 

• Develop custom Security Information Event Management (SIEM) content for exploitation patterns 

• Integrate Endpoint Detection and Response/Extended Detection and Response (EDR/XDR) telemetry for behavioral detection 

• Perform retroactive threat hunting after CVE disclosures 

• Align logs and detection rules with MITRE ATT&CK and CISA guidance 

9.) Third-Party Risk Oversight 

Why it matters:  

• Many exploited technologies are often managed by third parties, with delayed patch cycles or limited visibility 

How Proactive Helps: 

• Help clients track vendor patch status and SLAs 

• Review access policies and remote management practices 

• Assist in contractual updates to require faster remediation 

• Run third-party exposure risk assessments 

10.) KEV-Driven Vulnerability Prioritization 

Why it matters:  

• All CISA KEV entries are known to be exploited in the wild, and some were actively used in June 

How Proactive Helps: 

• Maintain and distribute KEV watchlists for client environments 

• Align vulnerability scanning with KEV priorities 

• Use threat intelligence to anticipate exploitation windows 

• Support SLA dashboards for patch timelines and compliance 

ProActive Solutions in Action 

By partnering with a service provider that is an expert in cybersecurity, your company can stay ahead of the curve when eliminating vulnerabilities to prevent being successfully targeted by exploits.  

Here are 2 scenarios that show how Proactive Solutions would help organizations mitigate the CVEs that were identified in June 2025. 

Scenario 1: Windows WebDAV RCE via Malicious .url File 

Problem: 

An employee in a finance department receives a phishing email that appears to be an internal document share from HR. The attachment is a .url file linking to a WebDAV server. When the user double-clicks the file, a payload is silently downloaded and executed. The attacker gains remote access to the system and moves laterally to access shared finance folders and AD credentials. 

How Proactive Solutions Helps: 

Prevention: 

• Configure email security tools to sandbox and strip .url files from inbound messages 

• Work with IT to disable WebDAV client support via Group Policy or registry across Windows endpoints 

• Conduct phishing simulations that mimic “HR document share” lures, focusing on URL-based payloads 

Detection: 

• Deploy SIEM rules to alert on: 

• • .url file execution 

• • Outbound WebDAV traffic 

• Ingest EDR telemetry to flag suspicious PowerShell or encoded scripts triggered from the URL shortcut 

Response: 

• Launch forensic analysis using EDR logs to identify affected users and commands run 

• Coordinate with IT to re-image or isolate impacted endpoints and rotate any exposed credentials 

• Notify leadership of a “Credential Access + Initial Access via file-based RCE” chain — mapped to MITRE ATT&CK 

Post-Incident: 

• Provide tailored awareness content on new payload types 

• Help IT build a patch verification script to ensure KBs addressing WebDAV are applied 

• Deliver an executive debrief summarizing user behavior, detection gaps, and SLA recommendations 

Scenario 2: Citrix NetScaler ADC/Gateway RCE  

Problem: 

An attacker scans the internet and finds an outdated Citrix ADC gateway exposed by a small healthcare organization. Using the CVE-2025-6543 exploit, they execute code remotely and establish persistence. The threat actor then tunnels into internal systems, captures Active Directory hashes, and begins exfiltrating sensitive patient scheduling data. 

How Proactive Solutions Helps: 

Prevention: 

• Perform an external exposure assessment to identify unpatched Citrix appliances and recommend segmentation 

• Assist with automated patch deployment or manual firmware updates to the latest Citrix versions 

• Configure Citrix ADC access control policies to restrict login and admin portals to known IPs only 

Detection: 

• Monitor for unusual HTTP POST patterns and admin logins from untrusted geographies 

• Deploy network behavior analysis tools to spot lateral movement from Citrix into the internal network 

• Integrate ADC logs with SIEM to alert on signs of memory corruption or crashes (exploit indicators) 

Response: 

• Engage incident response: isolate the affected Citrix appliance, pull volatile memory, and shut down attacker tunnels 

• Rotate credentials used in Citrix Single Sign-On (SSO), Lightweight Directory Access Protocol (LDAP), and RADIUS configurations 

• Conduct internal threat hunt across the subnet where the Citrix device was deployed 

Post-Incident: 

• Establish patch lifecycle monitoring for all internet-facing systems 

• Recommend Zero Trust segmentation so Citrix access doesn’t automatically imply domain trust 

• Help IT enforce multi-admin approval or jump server access for Citrix management portals 

These scenarios demonstrate that ProActive has the experience and knowledge needed to help your company defend against today’s most challenging security threats.