By NHI Mgmt Group Editorial Team
Published 2026-06-04
Domain: Breaches & Incidents
Source: Unosecur

TL;DR: Microsoft’s June 2025 Patch Tuesday covers 66 vulnerabilities, including one actively exploited bug, with five cloud criticals and three identity-centric flaws spanning SharePoint, Schannel, KDC Proxy, Netlogon, and Office apps, according to Unosecur. Patch speed alone is insufficient when unauthenticated RCE and privilege escalation can move straight into identity infrastructure and tenant compromise.


At a glance

What this is: Microsoft’s June 2025 Patch Tuesday bundles 66 vulnerabilities, including five cloud criticals and three identity-focused flaws that can pivot into domain control and tenant compromise.

Why it matters: IAM and security teams need to treat patching, identity hardening, and exposure reduction as one control plane because these flaws can bypass standard access boundaries.

By the numbers:

👉 Read Unosecur's analysis of Microsoft's June 2025 Patch Tuesday and identity risks


Context

Microsoft’s June 2025 Patch Tuesday shows how quickly a patch cycle can become an identity risk cycle. When remote code execution, privilege escalation, and authentication-service flaws appear in the same release, defenders are no longer just managing software defects. They are managing the paths attackers use to reach domain controllers, SSO gateways, and cloud admin surfaces.

For IAM and NHI programmes, the important point is not that multiple CVEs were disclosed. It is that several of them sit on the boundary between application vulnerability management and identity governance, where a compromise of SharePoint, Netlogon, or KDC Proxy can turn into token theft, ticket minting, or administrative takeover. That makes patch order, hardening, and access visibility part of the same operating model.


Key questions

Q: What breaks when a cloud RCE reaches identity services before patching is complete?

A: When remote code execution reaches SharePoint, KDC Proxy, or Netlogon before remediation, the attacker can move from application foothold to authentication control. That usually means ticket minting, token access, or domain-level privilege rather than a contained server compromise. The failure is not only the CVE, but the placement of identity services inside the exploit path.

Q: Why do Netlogon and KDC Proxy flaws matter more than ordinary server bugs?

A: They matter because they sit inside the trust fabric that governs authentication. If an attacker can abuse those services, they can influence who is trusted, what credentials are accepted, and which systems receive valid authentication material. In practice, this turns a technical vulnerability into a directory governance problem.

Q: How do security teams know whether delegated Active Directory permissions are creating hidden risk?

A: Look for non-administrative users who can influence privileged directory objects, create derivative identities, or trigger privilege inheritance without a formal approval step. If a low-privilege account can shape high-privilege outcomes, the environment has an entitlement design flaw, not just a patching issue.

Q: Who is accountable when identity-service vulnerabilities are exploited in hybrid environments?

A: Accountability usually sits across vulnerability management, identity engineering, and service owners because the compromise path crosses all three. The practical test is whether a team owns the patch, the trust boundary, and the delegated privilege model together. If those are split, attackers can exploit the gap between them.


Technical breakdown

SharePoint, Schannel, and WebDAV as initial entry paths

Remote code execution in internet-facing services gives attackers a first foothold before identity controls can intervene. SharePoint, Schannel, and WebDAV sit close to the boundary between application traffic and internal trust, so a malicious request can create execution on a server that already has access to directory services, file stores, or mail systems. In that state, classic authentication controls do not stop the intrusion because the code is already running inside a trusted context. The real technical risk is not just the bug itself, but the service placement around it: once an exposed interface is exploited, the attacker inherits the network position of that workload.

Practical implication: prioritize patching and isolation of internet-facing services that can reach identity infrastructure.

Netlogon, KDC Proxy, and privilege escalation in core identity services

Netlogon and KDC Proxy are not ordinary application endpoints. They are protocol and authentication pathways that sit inside Active Directory’s trust fabric, so exploitation can convert a foothold into domain-level authority. Once an attacker reaches this stage, they can request, mint, or abuse authentication material in ways that look legitimate to surrounding systems. That is why these flaws matter more than a standard server bug. They target the mechanisms that establish who and what is allowed to act, which means compromise here can ripple across both human logins and machine identities.

Practical implication: harden domain controllers and authentication services before normal patch work reaches lower-risk assets.

BadSuccessor and the hidden exposure in delegated directory permissions

BadSuccessor is dangerous because it turns delegation misconfiguration into universal privilege inheritance. The vulnerability does not require changing the target object, which means existing directory structures can be abused without leaving the obvious modification signals teams expect. Akamai’s finding that 91% of assessed environments had the permissions needed for the attack shows how often this type of design flaw exists in the wild. The lesson is architectural: directory permissions, not just CVEs, can create an escalation path that survives even after code fixes are applied.

Practical implication: review delegated permissions in Active Directory, especially where non-administrative users can influence high-privilege objects.
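One way to run the review called for above (and in the practitioner item on auditing delegated directory permissions), as an added example that is neither Unosecur's guidance nor the Akamai script the source post references: a PowerShell audit that lists every OU where a principal outside the core admin groups can create child objects, including dMSA objects, or can rewrite the OU's ACL. It assumes the RSAT ActiveDirectory module on a domain-joined host, that the dMSA class is published in the schema as msDS-DelegatedManagedServiceAccount (its GUID is resolved at run time), and that $env:USERDOMAIN is the NetBIOS name of the audited domain.

```powershell
# Added audit example; not Unosecur's guidance and not the Akamai script the
# source post references. Assumes the RSAT ActiveDirectory module on a
# domain-joined host with read access to OU security descriptors.
Import-Module ActiveDirectory

# Principals expected to hold CreateChild on OUs; any other grant is reported.
# $env:USERDOMAIN is assumed to be the NetBIOS name of the audited domain.
$expectedAdmins = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

# Resolve the dMSA object class GUID from the schema instead of hard-coding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
             -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)'
$dmsaGuid  = if ($dmsaClass) { [guid]$dmsaClass.schemaIDGUID } else { $null }  # null: no dMSA class yet
$anyClass  = [guid]::Empty   # ObjectType of a CreateChild ACE that covers every class

$R = [System.DirectoryServices.ActiveDirectoryRights]
$aclRewrite = $R::GenericAll -bor $R::WriteDacl -bor $R::WriteOwner

function Get-DmsaDelegationRisk {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expectedAdmins -contains $ace.IdentityReference.Value) { continue }
        $rights = $ace.ActiveDirectoryRights
        # CreateChild for all classes, or for the dMSA class itself, is the delegated
        # permission BadSuccessor depends on; ACL-rewrite rights let a holder grant it later.
        $canCreateDmsa = ([int]($rights -band $R::CreateChild) -ne 0) -and
                         ($ace.ObjectType -eq $anyClass -or $ace.ObjectType -eq $dmsaGuid)
        $canRewriteAcl = [int]($rights -band $aclRewrite) -ne 0
        if (-not ($canCreateDmsa -or $canRewriteAcl)) { continue }
        $reason = if ($canCreateDmsa) { 'Can create dMSA objects in this OU' } else { 'Can rewrite this OU ACL' }
        [pscustomobject]@{
            OU        = $OuDistinguishedName
            Identity  = $ace.IdentityReference.Value
            Rights    = $rights
            Inherited = $ace.IsInherited
            Reason    = $reason
        }
    }
}

# Walk every OU; each row is a grant that needs a named owner and an approval record.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-DmsaDelegationRisk -OuDistinguishedName $_.DistinguishedName } |
    Sort-Object OU, Identity | Format-Table -AutoSize
```

Grants to broad groups such as Authenticated Users or Everyone are the rows to resolve first, since they are the delegation pattern the finding describes; inherited rows point to the parent OU where the grant was made.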


Threat narrative

Attacker objective: The attacker’s objective is to turn a single exposed service flaw into identity-plane control over directories, tickets, tokens, and tenant data.

  1. Entry can begin through a crafted SharePoint request, a malicious Schannel packet, or a WebDAV call that executes code on a reachable host.
  2. Escalation follows when Netlogon or KDC Proxy flaws let the attacker move from code execution into domain-admin or SYSTEM-level control.
  3. Impact occurs when the attacker mints Kerberos tickets, reads Entra ID tokens, or reaches Office 365 mailboxes and SharePoint libraries for persistent compromise.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Patch Tuesday is now an identity governance event, not just a vulnerability-management event. When critical flaws touch SharePoint, Netlogon, KDC Proxy, and Office 365, the question is no longer which CVE is most severe in isolation. The question is which identity planes those CVEs can reach before defenders finish remediation. That is why patch sequencing, exposure mapping, and admin-path reduction belong in the same governance discussion as access reviews and service-account control. Practitioners should treat the release as a control-plane test, not a software checklist.

Directory trust assumptions were built for stable service boundaries, and that assumption is too weak for today’s attack paths. Netlogon and KDC Proxy exploit the fact that attackers can move from execution to authentication control faster than most remediation cycles can respond. Once identity services become the target, the programme is no longer protecting endpoints alone. It is protecting the mechanisms that define trust across human logins, machine accounts, and tenant access. Practitioners should re-evaluate which directory services are allowed to sit within blast radius of internet-facing workloads.

BadSuccessor exposes a named failure mode: delegated identity administration without durable privilege boundaries. The attack works because directory permissions and object relationships can allow a non-administrative user to act with higher authority without obvious object modification. That is not simply a missing patch. It is a governance gap in how privilege is delegated, inherited, and reviewed across Active Directory. The implication is that some identity risks are structural, not patchable in the usual sense, and they need boundary redesign as well as remediation.

Identity-first defenders need a combined patch, hardening, and entitlement-reduction workflow. A vulnerable service that remains reachable, a privileged path that remains exposed, or a delegated permission that remains overbroad all preserve the attacker’s route even after one CVE is fixed. The practical conclusion is that patching alone is incomplete when the same environment still allows privilege escalation through identity design flaws. Teams should align vulnerability response with identity governance, not run them as separate queues.

Microsoft June 2025 Patch Tuesday shows why NHI governance and human IAM cannot be managed as separate disciplines. The same compromise chain can move from a server bug into Kerberos tickets, Entra ID tokens, mailboxes, and SharePoint libraries. That means the boundary between workload identity, directory trust, and user access is now one of the highest-value attack surfaces in the enterprise. Practitioners should govern that boundary as a single risk domain.

From our research:

  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to the 2024 Non-Human Identity Security Report.
  • 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge.
  • That gap points to why identity hardening must be paired with lifecycle governance, which is covered in The 52 NHI breaches Report.

What this signals

Identity-first patch management is becoming a prerequisite for resilience. When vulnerabilities can pivot from collaboration services into directory trust, remediation speed alone is not enough. Teams need to know which workloads sit on the path to authentication control, and they need that map before the next disclosure lands.

TPV and MTTR should be managed as a single operational gap. If the time to deploy a fix exceeds the time it takes to contain a live issue, attackers are working inside an unprotected window. That gap is especially dangerous where the same service supports both user access and machine identity.

Privilege inheritance is the quietest part of the attack surface. BadSuccessor is a reminder that delegated access paths can outlive patch cycles and bypass visible change events. Practitioners should review entitlement models for hidden escalation routes, not just chase CVE counts.


For practitioners

  • Prioritize identity-path patching first: Patch SharePoint, Schannel, KDC Proxy, and Netlogon before lower-impact fixes when the affected service can reach directory or tenant infrastructure. Treat exposed identity services as the highest-risk remediation queue because a foothold there can become authentication control.
  • Audit delegated directory permissions for escalation routes: Review where non-administrative users can influence privileged directory objects, especially around dMSA creation and inherited access. Remove any permission paths that allow privilege escalation without a clear administrative approval boundary.
  • Disable unused exposure paths such as WebDAV: Turn off WebDAV where it is not required and reduce the reachable surface on systems that also host authentication or collaboration services. Smaller exposure reduces the chance that a single RCE becomes a directory compromise.
  • Tie MTTR to patch deployment velocity: Measure Time to Patch Vulnerabilities against Mean Time to Remediate so identity-relevant fixes do not linger after disclosure. If the TPV-MTTR gap widens, it signals that attackers have more time than your programme can tolerate.

Key takeaways

  • This patch cycle matters because several vulnerabilities sit directly on the path from service compromise to identity-plane control.
  • The Akamai finding that 91% of assessed environments had the permissions needed for BadSuccessor shows how common structural escalation risk can be.
  • The right response is to combine patch sequencing, authentication hardening, and delegated-permission review into one operating model.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Delegated identity abuse and secret-adjacent privilege paths are central to this article.
NIST CSF 2.0 | PR.AC-4 | Access permissions and authentication control are directly implicated by Netlogon and KDC Proxy flaws.
NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust segmentation is relevant because exposed services can pivot into authentication control.

Map identity-service exposure to PR.AC-4 and restrict access paths that can reach trust infrastructure.


Key terms

  • Identity-plane control: Identity-plane control is the ability to influence authentication, authorization, or trust decisions across systems. In this context, a vulnerability is serious when it can move an attacker from a single service compromise into the mechanisms that issue tickets, validate users, or grant administrative reach.
  • Delegated privilege boundary: A delegated privilege boundary is the point where authority is intentionally limited for a user, account, or service. When that boundary is weak or inherited incorrectly, a low-privilege actor can reach higher-value directory or workload actions without a clear escalation event.
  • TPV-MTTR gap: The TPV-MTTR gap is the distance between how quickly a patch is deployed and how quickly a live issue is contained. A widening gap means adversaries have more time to exploit disclosed flaws, especially when the vulnerable system sits inside the identity control plane.
  • Privilege inheritance: Privilege inheritance is the way permissions flow from one object, group, or role to another in directory and cloud systems. It becomes a security problem when inherited authority allows non-administrative users to affect high-privilege assets or trigger escalation paths without direct approval.

What's in the full analysis

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step remediation priorities for SharePoint, Schannel, KDC Proxy, and Netlogon across mixed Windows estates
  • Specific mitigation guidance for BadSuccessor, including dMSA restriction and the referenced Akamai script
  • The full Office 365 Connector workflow for mapping users, guests, service accounts, and tokens across collaboration services
  • The article’s own TPV versus MTTR framing for tracking patch velocity against live incident response

👉 Unosecur's full post covers the vulnerable services, mitigation priorities, and identity-specific exploit paths in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org