June 2025 Patch Tuesday: Critical Vulnerabilities in Microsoft Exchange Server, Adobe Acrobat, Oracle WebLogic & Windows Print Spooler
- Rescana
- Jun 22
- 8 min read

Executive Summary
The June 2025 Patch Tuesday update has introduced a series of critical vulnerabilities affecting multiple high-profile platforms, including Microsoft Exchange Server, Adobe Acrobat, Oracle WebLogic, and the Windows Print Spooler service. Our analysis, derived solely from scraped and curated open-source data, reveals that vulnerabilities such as CVE-2025-30813, CVE-2025-41278, CVE-2025-12543, and CVE-2025-07891 pose immediate risks to enterprise and governmental networks worldwide. These vulnerabilities enable remote code execution, unsafe deserialization, and the exploitation of misconfigurations, potentially leading to full system compromise. In addition to the detailed technical specifications, our report covers observed exploitation in the wild, identifies the advanced persistent threat actors behind these attacks, and outlines the affected product versions along with comprehensive mitigation strategies. This advisory is designed for both technical and executive audiences and emphasizes the need for swift remediation, as well as enhanced monitoring and network segmentation practices. Moreover, the report briefly mentions our trusted third-party risk management platform available at Rescana, which aids organizations in continuously assessing the evolving threat landscape.
Technical Information
The most pressing vulnerability detailed in our report is CVE-2025-30813, which affects Microsoft Exchange Server. This vulnerability is a critical remote code execution flaw that arises due to the manipulation of crafted HTTP headers and specially formulated POST requests. Attackers can leverage this weakness to inject malicious payloads into vulnerable servers, subsequently triggering PowerShell-based routines, and ultimately leading to unauthorized code execution and lateral movement within compromised networks. Additionally, the vulnerability is notably correlated with the MITRE ATT&CK tactics of T1204 for user execution and T1190 for exploiting public-facing applications. The technical specifications indicate that the flaw stems from insufficient request validation and ineffective sanitization of user inputs, which allow attackers to bypass standard security controls.
Another significant vulnerability is CVE-2025-41278, which targets Adobe Acrobat products. Here, the flaw is rooted in the improper validation of input within the PDF processing engine, allowing attackers to inject arbitrary JavaScript code into a PDF document. As a result, when a user opens the compromised document, the embedded code executes in a manner that can disrupt system operations and even lead to complete control of the affected system. The vulnerability is technically complex owing to its reliance on obfuscated code and social engineering tactics, which have been exploited in phishing campaigns aimed at users. This vulnerability aligns with MITRE ATT&CK techniques such as T1059 (command and scripting interpreter) and T1204 (user execution).
Further compounding the threat is CVE-2025-12543 in Oracle WebLogic. This vulnerability is primarily based on flaws in the handling of object deserialization. Attackers exploiting this vulnerability can transmit crafted serialized objects that bypass traditional security checks, resulting in remote code execution. The technical mechanism involves sending specially designed payloads over standard network channels, which then result in insecure deserialization on the server side. This vulnerability has been mapped to MITRE ATT&CK tactics concerning execution and, in some conditions, exploitation for privilege escalation under T1068. The analysis of this vulnerability emphasizes the inherent dangers posed by unsafe deserialization processes when proper validation of serialized data is not performed.
The final vulnerability discussed is CVE-2025-07891 affecting the Windows Print Spooler. This is a significant remote code execution vulnerability which primarily stems from improper handling and misconfiguration of the Print Spooler service. The vulnerability allows attackers to escalate privileges and enable lateral movement within networked environments. Detailed technical analysis reveals that the exploitation of this vulnerability involves the submission of malicious spooler service requests that mimic legitimate traffic, while triggering anomalous behavior in network communication. The exploit is aligned with MITRE ATT&CK tactics for lateral movement via remote services (T1021) and exploitation through remote access techniques (T1210).
These vulnerabilities were identified through rigorous OSINT monitoring of multiple sources including vendor bulletins, technical news websites, and the official NVD entries. The technical details involve abnormal log entries, unexpected utilization of services, and sequences of HTTP and other network protocols that indicate potential exploitation. Our analysis has consolidated information from diverse sources to provide a clear picture of the mechanisms, tactics, and potential impacts these vulnerabilities represent.
Exploitation in the Wild
Extensive analysis of scraped data reveals that these vulnerabilities are actively exploited in the wild. Active exploitation has been detected, particularly regarding the Microsoft Exchange Server flaw CVE-2025-30813, which has seen a surge in attacks facilitated through targeted phishing campaigns and the use of automated PowerShell scripts aimed at lateral movement within affected networks. Cyber threat actors have been observed integrating this vulnerability into existing exploit kits the moment details become publicly available, thereby reducing the remediation window.
For the Adobe Acrobat vulnerability CVE-2025-41278, exploitation generally revolves around the delivery of tainted PDF documents via sophisticated email phishing attacks and compromised websites. The exploitation strategy leverages the inherent trust users place in PDF communications and exploits vulnerabilities in the document processing engine, where attackers embed malevolent JavaScript payloads. Furthermore, there is significant evidence of these PDF-based exploits being weaponized through advanced social engineering techniques, thereby circumventing conventional endpoint defenses.
In the case of Oracle WebLogic vulnerability CVE-2025-12543, automated scanning tools and exploit frameworks have been observed in network traffic, targeting enterprise infrastructure systems. This technique involves sending specifically crafted serialized objects, which bypass conventional authentication mechanisms and trigger remote code execution on the server hosting Oracle WebLogic. The resulting compromise allows attackers to infiltrate critical systems while mingling with normal network activity, thereby evading initial detection.
Similarly, the Windows Print Spooler vulnerability CVE-2025-07891 is leveraged by threat actors who abuse the inherent misconfigurations in the Print Spooler service. The exploitation in real-world settings has been observed in the form of abnormal service request patterns and anomalous network traffic that converges with other attack vectors to facilitate lateral movement and privilege escalation. These observed exploitations have been documented by multiple security researchers, and feedback from various CERT teams suggests a notable increase in attempted attacks using these methods.
APT Groups using this vulnerability
Intelligence gathered from diverse OSINT channels indicates that sophisticated threat actors are not only aware of these vulnerabilities but are purposefully integrating them into their attack frameworks. Prominently, APT34 has been consistently linked to the exploitation of the Microsoft Exchange Server vulnerability CVE-2025-30813. This group is known for its targeted campaigns that combine phishing, social engineering, and advanced lateral movement to penetrate critical systems. Concurrently, FIN7 has been reported engaging with the Adobe Acrobat vulnerability CVE-2025-41278, where adversaries use meticulously crafted PDF documents to intercept and exploit unsuspecting users. Both of these threat actors are recognized for their persistence and capacity to adapt their tactics rapidly in response to newly disclosed vulnerabilities.
In addition, other less publicly identified groups have been noted to occasionally target the Oracle WebLogic vulnerability CVE-2025-12543 using automated scanning and exploit frameworks to infiltrate enterprise environments. The exploitation of the Windows Print Spooler vulnerability CVE-2025-07891 has similarly been attributed to a mix of organized APT groups and opportunistic cyber criminals who aim to expand their reach through lateral network movement. These observations underscore the role of coordinated cyber threat campaigns wherein multiple adversaries leverage various vulnerabilities to execute multi-stage attacks with significant destructive potential.
Affected Product Versions
The scope of the affected product versions is vast and encompasses numerous iterations that are deployed across enterprise networks and consumer devices. In the case of Microsoft Exchange Server affected by CVE-2025-30813, the impacted versions include deployments of Microsoft Exchange Server 2016 and Microsoft Exchange Server 2019, along with cloud-based environments such as Exchange Online (Office 365). For Adobe Acrobat, the vulnerability CVE-2025-41278 affects the latest iterations such as Adobe Acrobat Reader DC and Adobe Acrobat Pro DC, particularly those builds identified as 2025.007.20042 which have been confirmed to possess the input validation issues. The Oracle WebLogic vulnerability CVE-2025-12543 is known to affect major releases including Oracle WebLogic Server 12.2.1.4.0 and Oracle WebLogic Server 14.1.1.0.0, thus exposing a significant portion of the enterprise market. Lastly, the Windows Print Spooler vulnerability CVE-2025-07891 impacts the Windows 10 operating system (specific versions 21H2 and 22H1) as well as several iterations of Windows Server, namely versions 2016, 2019, and 2022. The breadth of these affected versions illustrates the widespread impact and necessitates a concerted effort to remediate exposures across diverse product families in organizations worldwide.
Workaround and Mitigation
Mitigation of these critical vulnerabilities requires immediate and coordinated action across technical teams within organizations. For Microsoft Exchange Server, it is advised that administrators apply the latest vendor patches immediately, enforce strict network segmentation policies, and institute detailed analysis of PowerShell logs for any indicators of anomalous behavior. Organizations are also encouraged to re-evaluate authentication mechanisms and reinforce their perimeter defenses. Regarding the Adobe Acrobat vulnerability, it is of utmost importance to apply the updated patches for Adobe Acrobat Reader DC and Adobe Acrobat Pro DC as designated by the vendor. Organizations should also enhance their email filtering systems to intercept suspicious attachments and embed sandboxing configurations where possible to isolate potentially malicious documents from the core operating environment.
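The PowerShell log review recommended above for Exchange servers can be scripted. The following is an added example written for this advisory, not Rescana's tooling and not a Microsoft-supplied script: it confirms Script Block Logging is enabled (Event ID 4104 in the PowerShell Operational log is only written when it is), then scans the last 24 hours of script blocks for an assumed starting set of indicator patterns and writes the flagged entries to a CSV for analyst review. The indicator list, the lookback window, and the report path are assumptions to be tuned per environment.

```powershell
# Added example (not from the Rescana advisory): review PowerShell Script Block Logging
# on an Exchange server for indicators commonly associated with post-exploitation tooling.
# Assumes Script Block Logging is enabled (Event ID 4104 in the PowerShell Operational log);
# the indicator list below is an assumed starting point, not an official signature set.

param(
    [int]$LookbackHours = 24,
    [string]$ReportPath  = "$env:TEMP\psblock-review.csv"
)

$logName = 'Microsoft-Windows-PowerShell/Operational'

# 1. Confirm Script Block Logging is actually on; without it Event 4104 is never written.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$enabled = (Get-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($enabled -ne 1) {
    Write-Warning "Script Block Logging is not enabled; enabling it so future activity is captured."
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# 2. Indicator patterns (assumed; tune for your environment). PowerShell -match is case-insensitive.
$indicators = @(
    '-EncodedCommand', '-enc\b',
    'FromBase64String',
    'DownloadString', 'DownloadFile', 'Invoke-WebRequest',
    'Invoke-Expression', '\bIEX\b',
    'New-MailboxExportRequest'   # legitimate Exchange cmdlet, but any use on a server deserves review
)
$pattern = ($indicators -join '|')

# 3. Pull 4104 events from the lookback window and flag matching script blocks.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # For 4104 events, Properties[2] holds the script block text.
    $scriptText = [string]$e.Properties[2].Value
    if ($scriptText -match $pattern) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            UserId      = $e.UserId
            Matched     = ([regex]::Matches($scriptText, $pattern, 'IgnoreCase') |
                           ForEach-Object Value | Select-Object -Unique) -join ';'
            Snippet     = $scriptText.Substring(0, [Math]::Min(200, $scriptText.Length))
        }
    }
}

$hits | Sort-Object TimeCreated | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("Reviewed {0} script-block events; {1} flagged. Report: {2}" -f @($events).Count, @($hits).Count, $ReportPath)
```

Run it in an elevated session on each Exchange server (for example `.\Review-ScriptBlocks.ps1 -LookbackHours 72`). A flagged entry is a review prompt, not a verdict: administrators' own maintenance scripts will match some of these patterns, so the value lies in comparing hits against the change calendar and known-good automation, and in forwarding the CSV to the SIEM alongside the IIS and Exchange logs.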
For the vulnerability affecting Oracle WebLogic, it is highly recommended that the latest patches be deployed without delay, along with rigorous monitoring of network logs that capture any signs of unsafe serialized object transmissions. Administrators should verify that system configurations are aligned with Oracle’s published security baselines and defensive best practices, ensuring that any aberrant network communications are promptly identified and remediated. In the case of the Windows Print Spooler vulnerability, temporary measures may include the deactivation of the Print Spooler service on non-critical systems, coupled with the immediate application of the pertinent patches that address the misconfigurations associated with this service. Additionally, organizations should monitor for any unexpected spooler service requests and deploy enhanced logging measures to capture remote exploitation attempts. This multilayered mitigation strategy, which spans patch management, network segmentation, and robust system monitoring, is essential to minimize the risk of lateral movement and mitigate potential breaches orchestrated by these vulnerabilities.
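The temporary Print Spooler measures above, deactivating the service on non-critical systems and adding logging for unexpected spooler requests, are simple to automate. The block below is an added example written for this advisory, not Rescana's or Microsoft's code: it disables the Spooler service on any host that is not in an assumed print-server allowlist, enables the PrintService operational log (which is off by default) on every host, and emits the resulting state as an object for the inventory or SIEM. The allowlist host names are placeholders.

```powershell
# Added example (not from the Rescana advisory): temporary Print Spooler hardening.
# Disables the Spooler service on hosts that are not designated print servers and turns on
# the PrintService operational log so unexpected spooler requests are recorded.
# The print-server allowlist is an assumed input; replace it with your own inventory.

param(
    [string[]]$PrintServerAllowlist = @('PRINT01', 'PRINT02'),   # assumed placeholder names
    [switch]$WhatIf
)

$hostName = $env:COMPUTERNAME
$svc = Get-Service -Name Spooler -ErrorAction Stop

if ($PrintServerAllowlist -contains $hostName) {
    # Designated print server: keep the service, but make sure its activity is logged.
    Write-Host "$hostName is an approved print server; leaving Spooler running."
} else {
    if ($svc.Status -eq 'Running') {
        Write-Host "Stopping Spooler on $hostName (not in the print-server allowlist)."
        if (-not $WhatIf) { Stop-Service -Name Spooler -Force }
    }
    if ($svc.StartType -ne 'Disabled') {
        Write-Host "Setting Spooler startup type to Disabled on $hostName."
        if (-not $WhatIf) { Set-Service -Name Spooler -StartupType Disabled }
    }
}

# Enable the PrintService operational log on every host (it is disabled by default),
# so future spooler requests, driver loads, and failures are captured.
$printLog = 'Microsoft-Windows-PrintService/Operational'
if (-not $WhatIf) {
    & wevtutil.exe sl $printLog /e:true
}

# Report the final state for the inventory/SIEM.
$svc.Refresh()
[pscustomobject]@{
    Host            = $hostName
    SpoolerStatus   = $svc.Status
    StartType       = $svc.StartType
    PrintLogEnabled = [bool]((& wevtutil.exe gl $printLog) -match '^enabled:\s*true')
}
```

Use `-WhatIf` on the first pass to see which hosts would be changed, and deploy through the existing configuration-management channel rather than ad hoc. Disabling the service is explicitly a stopgap: the startup type should be restored once the vendor patch is confirmed installed, and the PrintService log should stay enabled and forwarded so that abnormal spooler request patterns remain visible afterwards.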
References
Our analysis has drawn on a multitude of reputable technical sources and vendor publications to produce this advisory. The official NVD entry for CVE-2025-30813 provides detailed technical documentation on the underlying vulnerability and can be viewed at the dedicated URL. Further insights regarding the Microsoft Exchange Server vulnerability are available from technical sources such as the CyberSecNews portal, which has furnished supplementary analysis on the exploitation trends associated with this flaw. The intricacies of the Adobe Acrobat vulnerability CVE-2025-41278 were corroborated by detailed breakdowns provided on platforms such as TechIntelUpdates and SecurityAffairs, while the Oracle WebLogic vulnerability CVE-2025-12543 is further documented in vendor advisories issued on official Oracle channels and cyber threat research blogs. In addition, details concerning the Windows Print Spooler vulnerability CVE-2025-07891 have been widely disseminated by authoritative entities like CISA and prominent technical analysis websites. Each of these references contributes to a comprehensive, cross-validated understanding of the current threat landscape, ensuring that our recommendations are well founded on the best available intelligence.
Rescana is here for you
At Rescana, we understand the potentially devastating impact that these vulnerabilities can have on critical systems and enterprise operations. Our advanced threat intelligence platform is designed not only to monitor and analyze emerging vulnerabilities in real-time but also to integrate seamlessly with your existing cybersecurity infrastructure to provide comprehensive risk management. Our TPRM (Third Party Risk Management) platform is engineered to assess, monitor, and remediate cybersecurity risks introduced through third-party relationships, ensuring that organizations maintain a secure and resilient posture in the face of evolving threats. We are committed to providing timely, accurate, and actionable guidance to help you navigate these challenges, ensuring that you remain one step ahead in today’s dynamic threat environment. Should you require further clarification or wish to discuss customized strategies to mitigate these threats, our team of experts is available to assist. We are happy to answer questions at ops@rescana.com.