Microsoft's monthly security update cycle hit an unprecedented snag this week when the company was forced to delay its June Patch Tuesday release due to undisclosed compatibility problems affecting certain devices. This marks a rare departure from Microsoft's typical approach of rapidly deploying security fixes to protect users from emerging threats.
Critical Security Fixes Put on Hold
The delayed update, designated as KB5060842, was intended to address 66 security vulnerabilities across Windows and Microsoft systems. Among these fixes were two particularly concerning zero-day flaws—one actively exploited in the wild and another publicly disclosed. The active exploit, tracked as CVE-2025-33053, represents a remote-code-execution vulnerability in Microsoft Windows Web Distributed Authoring and Versioning that could allow attackers to execute malicious code when users click specially crafted WebDav URLs.
June 2025 Patch Tuesday Statistics:
- Total vulnerabilities addressed: 66
- Critical severity bugs: 10
- Zero-day vulnerabilities: 2 (1 actively exploited, 1 publicly disclosed)
- Remote-code-execution flaws: 25 (8 critical)
- Elevation-of-privilege flaws: 13 (2 critical)
- Information-disclosure flaws: 17
- Denial-of-service flaws: 6
- Security-feature-bypass flaws: 3
- Spoofing flaws: 2
Unprecedented Delay Raises Concerns
Security experts have noted that Microsoft has never before throttled the distribution of Windows security updates in this manner. The company typically prioritizes immediate deployment of these patches to shield users from known exploits and vulnerabilities. A Microsoft support official confirmed the compatibility issues but provided limited details, stating only that a small number of devices are affected and that a revised update would be released in the near term.
Scope of Affected Systems Remains Unknown
The specific nature of the compatibility problems and which device models are impacted remains unclear. Microsoft's vague communication has left IT administrators and users uncertain about whether their systems are among those experiencing issues. The company has indicated that the update is being gradually rolled out to devices running Windows 11 version 24H2, suggesting a more cautious deployment strategy than usual.
Affected Microsoft Products:
- Windows 11 version 24H2
- Microsoft Office (Excel, SharePoint)
- Power Automate
- Windows Cryptographic Services
- Windows KDC Proxy Service
- Windows Netlogon
- Windows Remote Desktop Services
Broader Security Implications
Beyond the zero-day vulnerabilities, the delayed patch addresses 10 critical-severity bugs, including five affecting Microsoft Office applications like Excel and SharePoint. The remaining critical issues span across Power Automate, Windows Cryptographic Services, Windows KDC Proxy Service, Windows Netlogon, and Windows Remote Desktop Services. The second zero-day vulnerability, CVE-2025-33073, involves a Windows SMB elevation-of-privilege flaw that could allow attackers to gain system-level access through malicious scripts.
Key Zero-Day Vulnerabilities:
- CVE-2025-33053: Remote-code-execution flaw in Windows Web Distributed Authoring and Versioning (actively exploited by "Stealth Falcon" group)
- CVE-2025-33073: Windows SMB elevation-of-privilege vulnerability allowing SYSTEM privileges through malicious scripts
What Users Should Expect
Microsoft has assured users that those with affected devices will receive a corrected version of the update containing all June 2025 security improvements. The company continues working on resolving the compatibility issues while balancing the urgent need to protect users from the documented security threats. For most users, Windows updates install automatically, but manual checks can be performed through the Windows Update settings to ensure the latest patches are applied once they become available.