Welcome to June 2025's Patch Tuesday! With Microsoft releasing fixes for only 66 vulnerabilities, this month marks a lighter entry in its patching cycle. In contrast, macOS Sequoia delivered several important security updates. From OpenSSH flaws to chained exploits within Apple’s ecosystem, June’s updates underscore why a proactive patching strategy remains essential.
For more in-depth coverage, be sure to listen to the Automox Patch [FIX] Tuesday podcast.
To put this month in perspective, here’s a look at the past 12 months of Microsoft Patch Tuesday releases.
CVE-2025-26466 and CVE-2025-26465
macOS OpenSSH Vulnerabilities
Included in the macOS Sequoia 15.5 update, Apple released patches for CVE-2025-26466 (CVSS 5.9/10) and CVE-2025-26465 (CVSS 6.8/10). These OpenSSH vulnerabilities can be chained together, increasing the risk of SSH session hijacking on affected systems.
CVE-2025-26466 is a denial-of-service vulnerability triggered by repeated ping messages from a malicious client. This exhausts memory and CPU resources, creating a degraded state. Once that condition occurs, CVE-2025-26465 allows attackers to bypass host key verification when the VerifyHostKeyDNS setting is enabled, opening the door for man-in-the-middle attacks.
If you're managing macOS endpoints, or any systems running OpenSSH 9.9p1 or earlier, apply the latest patches immediately. If patching is delayed:
Disable VerifyHostKeyDNS as a temporary safeguard.
Adjust SSH parameters like LoginGraceTime, and remove unnecessary startup scripts.
Avoid exposing SSH to the public internet. Use bastion hosts or certificate-based trust models to control access.
– Ryan Braunstein, Security Manager, Automox
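To find where the VerifyHostKeyDNS mitigation above still needs to be applied, the following added example (not Automox or OpenSSH code) resolves the value an ssh client would obtain for a given host from ssh_config text, using the first-obtained-value rule. The sample config and hostnames are constructed, and as a simplifying assumption Include directives and Match blocks other than `Match all` are not evaluated.

```python
import fnmatch
import re
import shlex

# Constructed sample ssh_config text (not taken from a real host).
SAMPLE_SSH_CONFIG = """\
Host bastion.example.com
    VerifyHostKeyDNS no
Host *.lab.example.com
    verifyhostkeydns=ask
Host *
    VerifyHostKeyDNS yes
    ServerAliveInterval 30
"""

# ssh_config accepts both "Keyword value" and "Keyword=value".
LINE_RE = re.compile(r"^([^\s=]+)(?:\s*=\s*|\s+)(.*)$")

def host_line_matches(patterns, hostname):
    """Host semantics: a negated match vetoes; one positive match is required."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:].lower()):
                return False
        elif fnmatch.fnmatchcase(hostname, pat.lower()):
            matched = True
    return matched

def effective_option(config_text, hostname, option):
    """Return the first value obtained for `option` for this host, or None."""
    active = True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1).startswith("#"):
            continue
        key, args = m.group(1).lower(), shlex.split(m.group(2))
        if key == "host":
            active = host_line_matches(args, hostname.lower())
        elif key == "match":
            active = [a.lower() for a in args] == ["all"]
        elif active and key == option.lower() and args:
            return args[0].lower()  # later settings cannot override this one
    return None

def hosts_with_dns_hostkey_trust(config_text, hostnames):
    """Map each host whose effective VerifyHostKeyDNS is not 'no' to its value."""
    values = {h: effective_option(config_text, h, "VerifyHostKeyDNS") for h in hostnames}
    return {h: v for h, v in values.items() if v not in (None, "no")}
```

Because the first value wins, a per-host `VerifyHostKeyDNS no` only protects that host if it appears before any broader `Host *` block that enables the option.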
CVE-2024-33053 [Important]
Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability
CVE-2024-33053 (CVSS 8.8/10) is a remote code execution (RCE) vulnerability that allows attackers to exploit Web Distributed Authoring and Versioning (WebDAV) file operations to execute arbitrary code with elevated privileges. The attack involves uploading a malicious file using a PUT request, renaming it via MOVE with a semicolon-injected filename, and triggering execution through a crafted URL, effectively bypassing standard security controls.
WebDAV is an HTTP extension that lets users remotely manage files and directories on a server. It's often used in document management systems, collaboration platforms, and legacy file-sharing tools.
This vulnerability stems from how WebDAV handles file commands like PUT and MOVE, which can be abused when the service is misconfigured or unnecessarily exposed. Although WebDAV isn’t enabled by default, its presence in legacy or specialized systems still makes it a relevant target.
If you're using WebDAV:
Apply the latest patches immediately.
Run the service under a low-privilege account.
Enforce strict access controls and least-privilege configurations.
Monitor for unexpected file operations or suspicious requests.
If WebDAV isn’t essential to your environment, it is recommended to disable it entirely.
– Seth Hoyt, Senior Security Engineer, Automox
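For the monitoring recommendation above, this added example (not from Automox or any vendor) flags the request sequence the write-up describes: a MOVE whose destination filename contains a semicolon, correlated with an earlier PUT by the same client and a later fetch of the renamed file. The log format, addresses and paths are constructed, and it assumes the server has been configured to log the WebDAV Destination header.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed log lines. Assumed format: client, timestamp, request line, status,
# and the Destination header (default access-log formats do not record it).
SAMPLE_LOG = [
    '198.51.100.4 [10/Jun/2025:09:14:01 +0000] "PUT /dav/team/q2.docx HTTP/1.1" 201 dest="-"',
    '198.51.100.4 [10/Jun/2025:09:14:09 +0000] "MOVE /dav/team/q2.docx HTTP/1.1" 201 '
    'dest="http://files.example.com/dav/team/q2-final.docx"',
    '203.0.113.7 [10/Jun/2025:10:01:02 +0000] "PUT /dav/uploads/a.txt HTTP/1.1" 201 dest="-"',
    '203.0.113.7 [10/Jun/2025:10:01:05 +0000] "MOVE /dav/uploads/a.txt HTTP/1.1" 201 '
    'dest="http://files.example.com/dav/uploads/a%3Bb.txt"',
    '203.0.113.7 [10/Jun/2025:10:01:09 +0000] "GET /dav/uploads/a;b.txt HTTP/1.1" 200 dest="-"',
]

LOG_RE = re.compile(r'(\S+) \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) dest="([^"]*)"')

def detect_put_move_chain(lines):
    """Return one alert per MOVE whose destination filename contains ';'."""
    uploads = set()   # (client, path) pairs created by a successful PUT
    renamed = {}      # destination path -> alert, to spot a later fetch
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format
        client, method, target, status, dest = m.groups()
        path = unquote(urlsplit(target).path)  # decode %3B so encoding cannot hide ';'
        if method == "PUT" and int(status) < 400:
            uploads.add((client, path))
        elif method == "MOVE":
            dest_path = unquote(urlsplit(dest).path)
            if ";" in dest_path.rsplit("/", 1)[-1]:
                alert = {
                    "client": client, "source": path, "destination": dest_path,
                    "status": int(status),
                    "uploaded_by_same_client": (client, path) in uploads,
                    "fetched_after_rename": False,
                }
                alerts.append(alert)
                renamed[dest_path] = alert
        elif method in ("GET", "POST") and path in renamed:
            renamed[path]["fetched_after_rename"] = True
    return alerts
```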
CVE-2025-31222
macOS Sequoia mDNSResponder
CVE-2025-31222 is a privilege escalation vulnerability in the mDNSResponder service on macOS Sequoia. This service supports zero-configuration networking by resolving local hostnames to IP addresses. A local attacker could exploit this flaw by injecting malformed data into mDNS responses or abusing service calls, gaining elevated privileges in the process.
If immediate patching isn’t possible, enabling System Integrity Protection (SIP) can mitigate the risk by restricting mDNSResponder and limiting access from untrusted local users.
This vulnerability becomes more dangerous when chained with others like CVE-2025-31244, where a sandbox escape can precede privilege escalation. Even without remote code execution, local privilege escalation flaws often serve as critical components in complex attack chains and should be remediated quickly.
– Mat Lee, Senior Security Engineer, Automox
CVE-2025-31213 and CVE-2025-31244
iCloud Keychain and Quarantine Sandbox Vulnerabilities
CVE-2025-31213 exposes iCloud Keychain metadata — including usernames and associated websites — without decrypting stored passwords. CVE-2025-31244 enables a sandbox bypass through macOS’s quarantine service. When chained, a sandbox escape could give attackers access to Keychain metadata, increasing the risk of phishing or impersonation.
Applying the relevant patches is an important first step. To further reduce exposure, educating employees (...and friends and family) on strong password practices remains one of the most effective forms of protection. Encourage the following habits:
Rely on password managers to generate and securely store unique, complex credentials. It’s 2025. Why are you trying to remember passwords?
If you have to use a password, use long, memorable passphrases: strings of random words that are easy to remember but hard to guess.
Combine strong passwords with multifactor authentication for an added layer of defense.
– Mat Lee, Senior Security Engineer, Automox
Patch regularly, patch often
Even during light months like June, critical vulnerabilities make patching a non-negotiable part of your security strategy. It only takes one exploited vulnerability to compromise systems, exfiltrate data, or gain a foothold in your environment. Whether it's safeguarding SSH access, web file services, or user credentials, timely updates are your frontline defense. The Automox console lets you streamline this process, reduce exposure windows, and maintain operational resilience.
Until next month, patch regularly, patch often.