TL;DR: Microsoft’s June 2025 Patch Tuesday covers 66 vulnerabilities, including one actively exploited bug, with five cloud criticals and three identity-centric flaws spanning SharePoint, Schannel, KDC Proxy, Netlogon, and Office apps, according to Unosecur. Patch speed alone is insufficient when unauthenticated RCE and privilege escalation can move straight into identity infrastructure and tenant compromise.
NHIMG editorial — based on content published by Unosecur: Microsoft’s June 2025 Patch Tuesday analysis of cloud criticals, IAM flaws, and Office 365 RCEs
By the numbers:
- Microsoft’s June 2025 Patch Tuesday update has covered 66 vulnerabilities, including one actively exploited bug.
- Research by Akamai Technologies found that in 91% of assessed environments, non-administrative users held the permissions needed to perform the BadSuccessor dMSA attack referenced later in this post.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: What breaks when a cloud RCE reaches identity services before patching is complete?
A: When remote code execution reaches SharePoint, KDC Proxy, or Netlogon before remediation, the attacker can move from application foothold to authentication control.
Q: Why do Netlogon and KDC Proxy flaws matter more than ordinary server bugs?
A: They matter because they sit inside the trust fabric that governs authentication.
Q: How do security teams know whether delegated Active Directory permissions are creating hidden risk?
A: Look for non-administrative users who can influence privileged directory objects, create derivative identities, or trigger privilege inheritance without a formal approval step.
Practitioner guidance
- Prioritize identity-path patching first: patch SharePoint, Schannel, KDC Proxy, and Netlogon before lower-impact fixes when the affected service can reach directory or tenant infrastructure.
- Audit delegated directory permissions for escalation routes: review where non-administrative users can influence privileged directory objects, especially around dMSA creation and inherited access.
- Disable unused exposure paths such as WebDAV: turn off WebDAV where it is not required and reduce the reachable surface on systems that also host authentication or collaboration services.
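A starting point for the delegated-permission audit in the second item, as an added example that is not Unosecur's post or the Akamai script it references: it walks every OU's ACL and reports non-privileged principals that can create dMSA objects, or hold rights that let them grant that to themselves. It assumes the RSAT ActiveDirectory module, read access to OU security descriptors, and a placeholder allow-list of trusted principals that you should adjust for your estate.

```powershell
# Added example, not Unosecur's or Akamai's code: find OUs where non-privileged
# principals can create dMSA objects (or rewrite the ACL to allow it).
# Assumes the RSAT ActiveDirectory module and read access to OU security descriptors.
Import-Module ActiveDirectory

# Resolve the schema GUID of the dMSA object class instead of hard-coding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
$dmsaGuid  = [guid]$dmsaClass.schemaIDGUID

# Principals expected to hold broad rights on OUs. Placeholder list: adjust for your domain.
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
             "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

function Test-RiskyAce {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace, [guid]$ClassGuid)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $rights = $Ace.ActiveDirectoryRights
    # Rights that allow creating a dMSA directly, or changing the ACL/owner to obtain that right.
    foreach ($r in 'GenericAll', 'WriteDacl', 'WriteOwner') {
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::$r)) { return $true }
    }
    if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild)) {
        # Empty ObjectType means "any child class"; otherwise it must name the dMSA class.
        return ($Ace.ObjectType -eq [guid]::Empty -or $Ace.ObjectType -eq $ClassGuid)
    }
    return $false
}

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($trusted -contains $who) { continue }
        if (Test-RiskyAce -Ace $ace -ClassGuid $dmsaGuid) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $who
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited   # inherited ACEs point at the parent OU to fix
            }
        }
    }
}
$findings | Sort-Object Principal, OU | Format-Table -AutoSize
```

Every row is a delegation to review against a formal approval record; inherited entries should be traced up to the OU that actually grants them.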
What's in the full analysis
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step remediation priorities for SharePoint, Schannel, KDC Proxy, and Netlogon across mixed Windows estates
- Specific mitigation guidance for BadSuccessor, including dMSA restriction and the referenced Akamai script
- The full Office 365 Connector workflow for mapping users, guests, service accounts, and tokens across collaboration services
- The article’s own TPV versus MTTR framing for tracking patch velocity against live incident response
Read Unosecur's full analysis of Microsoft's June 2025 Patch Tuesday and its identity risks: "June 2025 Patch Tuesday: are your IAM controls keeping up?"