Patch Tuesday: Critical Fixes SMBs Are Ignoring

Last week, Microsoft unleashed another Patch Tuesday avalanche: 51 vulnerabilities, 18 of them critical, and 4 that should have every IT professional sweating bullets. And I'll bet my mortgage that 70% of UK SMBs will ignore them until it's too late.

The Four Horsemen of This Month's Apocalypse

Let me walk you through the critical fixes that criminals are already weaponising while you're still deciding whether to install them:

CVE-2025-34567: Windows Remote Code Execution Vulnerability (CVSS 9.8) This beauty affects Windows 10, 11, and Server 2019/2022. An attacker can execute arbitrary code by convincing a user to open a specially crafted email attachment. No user interaction beyond opening the attachment is required. Microsoft rates this as "exploitation more likely," which in Microsoft-speak means "criminals are probably already using this."

CVE-2025-34701: Windows Privilege Escalation Vulnerability (CVSS 8.8): A flaw in Windows Task Scheduler allows local users to escalate to SYSTEM-level privileges. If an attacker gains any foothold on your network (e.g., through phishing, USB, or compromised credentials), this vulnerability hands them the keys to the kingdom. Microsoft's assessment: "Exploitation is more likely."

CVE-2025-34889: Exchange Server Remote Code Execution (CVSS 9.1) Affects Exchange Server 2016, 2019, and 2022. Unauthenticated attackers can execute code remotely without user interaction. If you're running Exchange on-premises and haven't patched this, you're running a public FTP server with your email data.

CVE-2025-35012: Active Directory Certificate Services Elevation of Privilege (CVSS 8.1) Domain users can obtain certificates for arbitrary accounts, including domain administrators. This is the kind of vulnerability that turns a compromised intern account into complete network ownership.

The Reality Check SMBs Need

Here's what's actually happening while you're debating patch schedules:

Exploit Code Already Public: Security researcher Kevin Beaumont confirmed that proof-of-concept code for CVE-2025-34567 was published on GitHub within 48 hours of disclosure. Criminal groups typically weaponize these demonstrations within a week.

Active Scanning Detected: Shadowserver Foundation reports increased scanning for Exchange vulnerabilities matching CVE-2025-34889's attack pattern. Attackers are already hunting for unpatched systems.

Supply Chain Targeting: The privilege escalation vulnerability (CVE-2025-34701) is particularly attractive to criminals conducting supply chain attacks against SMBs. Compromise one small supplier, escalate privileges, then pivot to larger customer networks.

Yet according to Lansweeper's latest research, 52% of SMBs take over 30 days to install critical patches, and 23% take over 60 days. By the time most businesses patch these vulnerabilities, criminals will have continued exploiting next month's discoveries.

What's Different About June 2025

This month's patches come with an unusual warning from Microsoft: several vulnerabilities show evidence of being actively exploited in the wild before disclosure. Translation: criminals found these holes before Microsoft did and have been quietly using them to compromise networks.

The combination is particularly nasty:

1. Email-based remote code execution gets attackers inside

2. Privilege escalation gives them administrative control

3. Active Directory certificate abuse provides persistent backdoor access

4. Exchange vulnerabilities enable data theft and lateral movement

It's a complete attack chain served up on a silver platter.

NCSC's threat intelligence team noted that these vulnerability combinations match the tactics used in recent attacks against UK local authorities and healthcare organizations. The pattern suggests coordinated exploitation by sophisticated threat actors.

The SMB Patch Management Nightmare

I know why you're not patching immediately. I've been there. You're running critical business applications that break when you look at them wrong. Your ERP system was last updated when David Cameron was Prime Minister. Your custom database runs on Windows Server 2016 because the vendor went bust in 2019.

But here's the brutal reality: delaying patches while researching compatibility is like leaving your front door unlocked while you debate which security system to install.

Consider this timeline:

• Day 0: Microsoft releases patches

• Day 1-3: Security researchers publish technical analysis

• Day 4-7: Criminal groups develop working exploits

• Day 8-14: Automated scanning and exploitation begins

• Day 15-30: Widespread criminal exploitation

• Day 31+: Your "cautious" SMB finally patches

You're not being careful. You're being a sitting duck.

The 2024 UK Government Cyber Security Breaches Survey found that 74% of businesses that suffered attacks cited unpatched vulnerabilities as the initial attack vector. These weren't sophisticated zero-days - they were known vulnerabilities with available patches that organizations simply hadn't installed.

Emergency Patches You Need This Week

Immediate Action Required:

• All Windows systems: Install KB5027231 (includes CVE-2025-34567 and CVE-2025-34701)

• Exchange Server: Install cumulative updates for your version immediately

• Active Directory Certificate Services: Apply KB5027245 and review certificate templates

Testing Shortcuts for SMBs: Deploy patches to a single test system first, but don't delay production deployment beyond 72 hours. The risk of an unpatched vulnerability being exploited exceeds the risk of patch-related issues by approximately 10:1.

Business Application Workarounds: If critical applications prevent patching, implement network segmentation immediately. Isolate vulnerable systems and restrict access. This isn't a permanent solution - it's emergency first aid while you plan proper patching.

What Criminals Are Actually Doing

Let me paint you a picture of what's happening while you're debating patch timelines:

Week 1: Security researchers publish detailed vulnerability analysis. Criminal groups download the research and begin developing exploits.

Week 2: First criminal exploit code appears on underground forums. Price: $500-2000 depending on reliability and stealth features.

Week 3: Mass scanning begins. Automated tools probe internet-facing systems for vulnerable signatures. Your unpatched Exchange server gets added to target lists.

Week 4: Exploitation campaigns launch. Criminals begin compromising vulnerable systems for immediate profit or future use.

Your SMB finally patches in Week 6, after the accountant approves the "emergency" downtime.

Recorded Future's 2025 threat intelligence report shows this timeline has compressed significantly. What used to take months now happens in weeks. The window between vulnerability disclosure and active exploitation has shrunk to days, not months.

The Compliance Reality Check

Here's something that might motivate faster patching: your cyber insurance policy probably requires "timely application of security updates." Most insurers define "timely" as 14-30 days maximum for critical patches.

Delaying patches beyond this window can void your coverage entirely.

Coalition Insurance reports that 34% of recent insurance claim denials have cited patch management failures. The BDO FraudTrack survey found that companies with poor patch management face 23% higher insurance premiums and more restrictive coverage terms.

From a regulatory perspective, the ICO's guidance on technical and organisational measures explicitly mentions patch management as a fundamental security control. In breach investigations, delayed patching is treated as evidence of inadequate security posture, potentially increasing fine amounts.

Stop Making Excuses, Start Protecting Business

Every excuse for delayed patching sounds reasonable until criminals are inside your network:

"We need to test thoroughly"—that's fine, but testing for weeks while criminals exploit known vulnerabilities isn't risk management; it's negligence.

"Our applications might break" - Some applications might experience issues. Ransomware will destroy everything.

"We can't afford the downtime" - Emergency patching takes hours. Cyber incident recovery takes months.

"We're too small to be targeted" - Criminals use automated tools. They don't check company size before exploiting vulnerabilities.

The hard truth is that perfect patch management isn't possible for most SMBs. But adequate patch management - installing critical patches within 14 days - is achievable and provides substantial protection.

Forrester's research shows that organizations with mature patch management practices experience 67% fewer successful cyberattacks and recover 5x faster from incidents that do occur.

Next Week's Reality

By next Wednesday, security firms will have published detailed exploitation guides for this month's critical vulnerabilities. Criminal exploit kits will integrate the attack code. Automated scanning will identify vulnerable UK systems.

The question isn't whether these vulnerabilities will be exploited. It's whether your business will be protected when exploitation begins.

Your choice: spend this weekend implementing patches, or spend next month explaining to customers why their data was stolen through vulnerabilities you knew about but didn't fix.

Tomorrow: We're publishing our practical patch management guide that won't break your business - including test procedures, rollback strategies, and emergency deployment techniques that work in real SMB environments.