Microsoft has released its May 2025 Patch Tuesday security updates, addressing 72 vulnerabilities across Windows, Office, Exchange Server, Azure, Dynamics, and other products. This month's update includes fixes for five actively exploited zero-day vulnerabilities and two publicly disclosed flaws.
The five actively exploited zero-days are CVE-2025-30400 (Windows DWM Core Library), CVE-2025-32701 (Windows Common Log File System Driver), CVE-2025-32706 (Windows Common Log File System Driver), CVE-2025-32709 (Windows Ancillary Function Driver for WinSock), and CVE-2025-30397 (Scripting Engine Memory Corruption). All of these vulnerabilities could allow attackers to elevate privileges or execute malicious code, posing significant security risks to affected systems.
In total, Microsoft addressed 6 critical vulnerabilities and 66 important ones. The most common issues are remote code execution (28 bugs), elevation of privilege (17 bugs), information disclosure (15 bugs), denial of service (7 bugs), and spoofing (2 bugs).
Key products receiving security updates include Windows, Office, Exchange Server, Azure, Dynamics 365, .NET Framework, Windows Hyper-V, and Microsoft Edge. Administrators should prioritize testing and deploying patches for the actively exploited zero-days and critical remote code execution flaws.
Additional steps may be required to fully remediate some vulnerabilities, particularly for enterprise environments. The US Cybersecurity and Infrastructure Security Agency (CISA) has added several of this month's vulnerabilities to its Known Exploited Vulnerabilities Catalog, requesting federal agencies to patch them by June 3, 2025.
Update for Windows 11 users: Microsoft has published KB5058405 for Windows 11. Visit this page to learn what is included in the KB5058405 update.
In May's Patch Tuesday, Microsoft addressed 72 vulnerabilities, including five actively exploited zero-day vulnerabilities and two publicly disclosed flaws that attackers could leverage to compromise systems. This update included patches across categories like elevation of privilege, remote code execution, information disclosure, denial of service, and spoofing vulnerabilities.
The key affected products in this release span Microsoft's ecosystem, including Windows, Edge, Office, Dynamics, Azure, and more. Swiftly applying these security fixes is essential for protecting systems against emerging threats.
Key highlights:
- Total Flaws and Zero-Day Vulnerabilities: This update resolves 72 total bugs, with five actively exploited zero-days and two publicly disclosed vulnerabilities. Of these, 6 were rated Critical and 66 as Important.
- Vulnerability Types: Remote code execution vulnerabilities lead the volume with 28 occurrences, followed by 17 elevation of privilege flaws. Information disclosure (15), denial of service (7), spoofing (2), and security feature bypass (2) vulnerabilities round out the mix.
- Zero-Day Threats: The five actively exploited zero-days include Windows DWM Core Library (CVE-2025-30400), Windows Common Log File System Driver (CVE-2025-32701 and CVE-2025-32706), Windows Ancillary Function Driver for WinSock (CVE-2025-32709), and Scripting Engine Memory Corruption (CVE-2025-30397).
- Critical-Rated Bugs: Other critical-rated bugs include remote code execution vulnerabilities in Remote Desktop Client (CVE-2025-29966 and CVE-2025-29967), Microsoft Office (CVE-2025-30377 and CVE-2025-30386), and Microsoft Virtual Machine Bus (CVE-2025-29833).
- Publicly Disclosed Vulnerabilities: Two vulnerabilities were publicly disclosed but not yet known to be exploited: Microsoft Defender for Identity Spoofing (CVE-2025-26685) and Visual Studio Remote Code Execution (CVE-2025-32702).
- Non-Critical Notables: Other major issues include remote code execution flaws in Microsoft Excel and SharePoint, privilege escalations in Windows kernel components, and information disclosure bugs in Windows Routing and Remote Access Service (RRAS).
This May Patch Tuesday continues Microsoft's security maintenance lifecycle into mid-2025. Apply these updates promptly to close vulnerabilities before threats exploit them in your environment.
Microsoft addressed five actively exploited zero-day vulnerabilities and two publicly disclosed vulnerabilities in the May 2025 Patch Tuesday release. These vulnerabilities are particularly concerning because they were being actively exploited in the wild before patches were made available. Let's examine each of these critical vulnerabilities:
Vulnerability type: Elevation of Privilege
Affected product: Windows Desktop Window Manager (DWM) Core Library
CVSS v3 base score: 7.8
Severity rating: Important
This vulnerability allows an authenticated attacker to elevate privileges by exploiting a use-after-free condition in the Windows DWM Core Library. The Desktop Window Manager is a crucial system component in Windows that manages the display of all visual elements on a computer screen.
Microsoft notes that successful exploitation would enable an attacker to gain SYSTEM privileges, effectively giving them complete control over the affected system. This is the seventh EoP vulnerability in the DWM Core Library patched this year, indicating this component remains a frequent target for attackers.
CISA has added CVE-2025-30400 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.
Vulnerability type: Elevation of Privilege
Affected product: Windows Common Log File System Driver
CVSS v3 base score: 7.8
Severity rating: Important
This vulnerability in the Windows Common Log File System (CLFS) Driver allows an authenticated attacker to gain SYSTEM privileges by exploiting a use-after-free condition. CLFS is a high-performance, general-purpose logging subsystem used by kernel and user-mode applications, frequently employed in database systems, messaging systems, and online transactional processing.
Microsoft attributes the discovery of this flaw to the Microsoft Threat Intelligence Center, indicating it was discovered during threat hunting operations. This is one of several CLFS vulnerabilities patched this year, continuing a trend from 2024 when multiple CLFS vulnerabilities were exploited in the wild.
CISA has added CVE-2025-32701 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.
Vulnerability type: Elevation of Privilege
Affected product: Windows Common Log File System Driver
CVSS v3 base score: 7.8
Severity rating: Important
This vulnerability also affects the Windows Common Log File System Driver but exploits improper input validation rather than a use-after-free condition. An authenticated attacker can leverage this vulnerability to elevate their privileges to SYSTEM level.
Microsoft attributes the discovery of this flaw to Benoit Sevens of Google Threat Intelligence Group and the CrowdStrike Advanced Research Team, suggesting multiple security research teams independently discovered exploitation of this vulnerability.
CISA has added CVE-2025-32706 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.
Vulnerability type: Elevation of Privilege
Affected product: Windows Ancillary Function Driver for WinSock
CVSS v3 base score: 7.8
Severity rating: Important
This vulnerability in the Windows Ancillary Function Driver (AFD) for WinSock allows an authenticated attacker to elevate privileges by exploiting a use-after-free condition. The Ancillary Function Driver serves as the entry point for the Windows Sockets (Winsock) API, handling low-level details of network communication.
According to Microsoft's advisory, this vulnerability was disclosed by an "Anonymous" researcher. This is the second AFD vulnerability exploited in 2025, preceded by CVE-2025-21418 which was addressed in February's Patch Tuesday release.
CISA has added CVE-2025-32709 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.
Vulnerability type: Remote Code Execution
Affected product: Microsoft Scripting Engine
CVSS v3 base score: 7.5
Severity rating: Important
This vulnerability allows for remote code execution through the Microsoft Scripting Engine. Exploitation requires an authenticated user to click on a specially crafted link while using Microsoft Edge in Internet Explorer mode. The vulnerability involves "access of resource using incompatible type ('type confusion')" according to Microsoft's advisory.
Microsoft attributes the discovery of this flaw to the Microsoft Threat Intelligence Center and notes that successful exploitation could allow an unauthenticated attacker to execute code over a network.
CISA has added CVE-2025-30397 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.
Vulnerability type: Spoofing
Affected product: Microsoft Defender for Identity
CVSS v3 base score: 6.5
Severity rating: Important
This vulnerability allows an unauthenticated attacker with LAN access to perform spoofing attacks due to improper authentication in Microsoft Defender for Identity. Microsoft Defender for Identity is a cloud-based security solution that helps organizations monitor and secure their identities across hybrid environments.
Microsoft attributes the discovery of this flaw to Joshua Murrell with NetSPI. While Microsoft has no evidence that this vulnerability has been exploited in the wild, it was publicly disclosed prior to patch availability.
Vulnerability type: Remote Code Execution
Affected product: Visual Studio
CVSS v3 base score: 7.8
Severity rating: Important
This vulnerability in Visual Studio could allow remote code execution through command injection. According to Microsoft's advisory, an "improper neutralization of special elements used in a command" allows an unauthenticated attacker to execute code locally.
Microsoft has not shared who disclosed this flaw, but notes it was publicly disclosed before patches were available. There is no evidence that this vulnerability has been exploited in the wild.
| CVE ID | Description | CVSSv3 | Severity | Exploited? | Publicly disclosed? |
|---|---|---|---|---|---|
| CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | 7.8 | Important | Yes | No |
| CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 | Important | Yes | No |
| CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 | Important | Yes | No |
| CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | 7.8 | Important | Yes | No |
| CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability | 7.5 | Important | Yes | No |
| CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability | 6.5 | Important | No | Yes |
| CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability | 7.8 | Important | No | Yes |
In addition to the zero-day vulnerabilities, Microsoft addressed five vulnerabilities rated Critical in severity that deserve special attention. These vulnerabilities could allow attackers to achieve remote code execution or access sensitive information, posing significant risks to affected systems.
Vulnerability type: Remote Code Execution
Affected product: Remote Desktop Client
CVSS v3 base score: 8.8
Severity rating: Critical
These two critical vulnerabilities affect the Remote Desktop client and could allow an unauthenticated attacker to execute code remotely on affected systems. Both vulnerabilities involve heap-based buffer overflow conditions that could be exploited without user interaction.
Remote Desktop Protocol (RDP) clients are software applications that allow users to connect to and control remote computers or servers using secure network connections. These vulnerabilities could potentially allow attackers to take complete control of systems when users connect to malicious RDP servers.
The high CVSS score reflects the severity of these flaws, which don't require any user interaction beyond connecting to a compromised or malicious RDP server. Organizations should prioritize patching these vulnerabilities, especially if RDP is utilized extensively in their environment.
Vulnerability type: Remote Code Execution
Affected product: Microsoft Office
CVSS v3 base score: 8.4
Severity rating: Critical
These critical vulnerabilities in Microsoft Office involve use-after-free conditions that could allow an unauthenticated attacker to achieve remote code execution. Successful exploitation would potentially allow attackers to run malicious code with the privileges of the current user.
While Microsoft hasn't provided extensive details about the attack vector, these types of Office vulnerabilities typically involve opening specially crafted files. If the current user has administrative privileges, an attacker could take control of the affected system, install programs, view, change, or delete data, or create new accounts with full user rights.
These vulnerabilities represent a significant threat to organizations, particularly given the widespread use of Microsoft Office products. Prioritizing patches for these vulnerabilities is strongly recommended.
Vulnerability type: Remote Code Execution
Affected product: Microsoft Virtual Machine Bus
CVSS v3 base score: 7.1
Severity rating: Critical
This critical vulnerability in the Microsoft Virtual Machine Bus (VMBus) could allow an authenticated attacker to achieve remote code execution by exploiting a time-of-check time-of-use (TOCTOU) race condition. VMBus is a virtual communication channel used within the Microsoft Hyper-V virtualization environment, facilitating communication and data transfer between host and guest partitions.
Successful exploitation could potentially allow a guest virtual machine to execute code on the host system, effectively breaking out of the VM isolation. This type of vulnerability is particularly concerning in multi-tenant environments where virtual machines from different trust boundaries run on the same physical hardware.
While exploitation requires authentication, the potential impact on virtualized environments makes this a high-priority vulnerability to address, especially for cloud service providers and organizations running Hyper-V infrastructure.
Vulnerability type: Information Disclosure
Affected product: Azure
CVSS v3 base score: 8.1
Severity rating: Critical
This critical vulnerability in Microsoft's Azure feedback website could allow unauthorized disclosure of sensitive information. While Microsoft hasn't provided extensive details about the vulnerability, the high CVSS score suggests that the information potentially exposed is of high value or sensitivity.
Information disclosure vulnerabilities in cloud services can have significant impacts, potentially exposing customer data, authentication tokens, or configuration information that could be leveraged for further attacks.
Vulnerability type: Spoofing
Affected product: Azure Storage Resource Provider
CVSS v3 base score: 9.9
Severity rating: Critical
This critical vulnerability in the Azure Storage Resource Provider could allow an attacker to perform spoofing attacks. With an extremely high CVSS score of 9.9, this vulnerability represents one of the most severe issues in this month's Patch Tuesday.
The Azure Storage Resource Provider is a critical component that manages storage accounts and their keys. A spoofing vulnerability in this component could potentially allow attackers to impersonate legitimate users or services, gaining unauthorized access to storage accounts and the data they contain.
Organizations using Azure storage services should prioritize applying these patches to protect their cloud resources from potential compromise.
Vulnerability type: Elevation of Privilege
Affected product: Azure Automation
CVSS v3 base score: 9.9
Severity rating: Critical
This critical vulnerability in Azure Automation could allow an attacker to elevate their privileges. Like the Azure Storage Resource Provider vulnerability, this issue has an extremely high CVSS score of 9.9, indicating its severe potential impact.
Azure Automation is a cloud-based service that allows customers to automate frequent, time-consuming, and error-prone cloud management tasks. An elevation of privilege vulnerability in this service could potentially allow attackers to gain higher levels of access to automation accounts and the resources they manage.
Given the powerful nature of automation services, which often require extensive permissions to operate, this vulnerability could potentially be leveraged to gain broad access across an organization's Azure resources.
| CVE ID | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2025-29972 | Azure Storage Resource Provider Spoofing Vulnerability | 9.9 | Critical |
| CVE-2025-29827 | Azure Automation Elevation of Privilege Vulnerability | 9.9 | Critical |
| CVE-2025-29966 | Remote Desktop Client Remote Code Execution Vulnerability | 8.8 | Critical |
| CVE-2025-29967 | Remote Desktop Client Remote Code Execution Vulnerability | 8.8 | Critical |
| CVE-2025-30377 | Microsoft Office Remote Code Execution Vulnerability | 8.4 | Critical |
| CVE-2025-30386 | Microsoft Office Remote Code Execution Vulnerability | 8.4 | Critical |
| CVE-2025-47732 | Microsoft Dataverse Remote Code Execution Vulnerability | 8.7 | Critical |
| CVE-2025-33072 | Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability | 8.1 | Critical |
| CVE-2025-29833 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | 7.1 | Critical |
In total, 72 vulnerabilities were addressed in May's Patch Tuesday. Remote Code Execution flaws top the list with 28 patches, followed by 17 Elevation of Privilege vulnerabilities and 15 Information Disclosure issues. The rest consist of 7 Denial of Service, 3 Spoofing, and 2 Security Feature Bypass flaws.
Here is the breakdown of the categories patched this month:
1. Remote Code Execution – 28
2. Elevation of Privilege – 17
3. Information Disclosure – 15
4. Denial of Service – 7
5. Spoofing – 3
6. Security Feature Bypass – 2
The table below shows the CVE IDs mapped to these vulnerability types from Microsoft's May 2025 Patch Tuesday:
| Vulnerability Category | CVE IDs |
|---|---|
| Remote Code Execution | CVE-2025-29833, CVE-2025-29840, CVE-2025-29962, CVE-2025-29963, CVE-2025-29964, CVE-2025-29966, CVE-2025-29967, CVE-2025-29969, CVE-2025-30377, CVE-2025-30386, CVE-2025-30388, CVE-2025-30397, CVE-2025-32702, CVE-2025-32704, CVE-2025-32705, CVE-2025-47732, CVE-2025-29831, CVE-2025-29977, CVE-2025-29978, CVE-2025-29979, CVE-2025-30375, CVE-2025-30376, CVE-2025-30378, CVE-2025-30379, CVE-2025-30381, CVE-2025-30382, CVE-2025-30383, CVE-2025-30393 |
| Elevation of Privilege | CVE-2025-24063, CVE-2025-26684, CVE-2025-27468, CVE-2025-27488, CVE-2025-29813, CVE-2025-29826, CVE-2025-29827, CVE-2025-29838, CVE-2025-29841, CVE-2025-29970, CVE-2025-29976, CVE-2025-30385, CVE-2025-30387, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 |
| Information Disclosure | CVE-2025-29829, CVE-2025-29830, CVE-2025-29832, CVE-2025-29835, CVE-2025-29836, CVE-2025-29837, CVE-2025-29839, CVE-2025-29956, CVE-2025-29958, CVE-2025-29959, CVE-2025-29960, CVE-2025-29961, CVE-2025-29974, CVE-2025-32703, CVE-2025-33072, CVE-2025-47733 |
| Denial of Service | CVE-2025-26677, CVE-2025-29954, CVE-2025-29955, CVE-2025-29957, CVE-2025-29968, CVE-2025-29971, CVE-2025-30394 |
| Spoofing | CVE-2025-26646, CVE-2025-26685, CVE-2025-29825, CVE-2025-29972 |
| Security Feature Bypass | CVE-2025-21264, CVE-2025-29842 |
Remote code execution vulnerabilities continue to dominate this month's updates, representing nearly 39% of all patched flaws. These vulnerabilities pose significant risks as they can potentially allow attackers to execute arbitrary code on affected systems.
Elevation of privilege vulnerabilities account for approximately 24% of the patched flaws, highlighting the continued focus on vulnerabilities that attackers can leverage to gain higher levels of access once they've established an initial foothold.
Information disclosure vulnerabilities make up about 21% of this month's patches, addressing flaws that could allow attackers to access sensitive information that might be leveraged in further attacks.
Denial of service, spoofing, and security feature bypass vulnerabilities represent smaller portions of the update but should not be overlooked, as they can still pose significant security risks depending on the affected systems and their role in an organization's infrastructure.
Microsoft's May 2025 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:
| Product Name | No. of Vulnerabilities Patched |
|---|---|
| Windows Routing and Remote Access Service (RRAS) | 8 |
| Microsoft Office Excel | 7 |
| Windows Media | 4 |
| Windows Common Log File System Driver | 3 |
| Azure | 3 |
| Microsoft Office SharePoint | 3 |
| Remote Desktop Gateway Service | 3 |
| Microsoft Edge (Chromium-based) | 6 |
| Visual Studio | 2 |
| Windows Remote Desktop | 2 |
| Microsoft Office | 2 |
| Microsoft Dataverse | 2 |
| Microsoft Defender | 2 |
| Windows Kernel | 2 |
| Windows Hyper-V | 1 |
| Windows NTFS | 1 |
| Windows Ancillary Function Driver for WinSock | 1 |
| Windows SMB | 1 |
| Windows Deployment Services | 1 |
| Windows DWM | 1 |
| Windows Virtual Machine Bus | 1 |
| Windows Win32K - GRFX | 1 |
| Microsoft Scripting Engine | 1 |
| Microsoft Office Outlook | 1 |
| Microsoft Office PowerPoint | 1 |
| Microsoft PC Manager | 1 |
| Microsoft Power Apps | 1 |
| Windows Hardware Lab Kit | 1 |
| Windows Installer | 1 |
| Windows File Server | 1 |
| Windows Trusted Runtime Interface Driver | 1 |
| Windows LDAP | 1 |
| Active Directory Certificate Services (AD CS) | 1 |
| Microsoft Brokering File System | 1 |
| Web Threat Defense (WTD.sys) | 1 |
| Azure Storage Resource Provider | 1 |
| Azure File Sync | 1 |
| Azure DevOps | 1 |
| Azure Automation | 1 |
| .NET, Visual Studio, and Build Tools for Visual Studio | 1 |
| Universal Print Management Service | 1 |
| UrlMon | 1 |
| Visual Studio Code | 1 |
| Windows Drivers | 1 |
| Windows Fundamentals | 1 |
| Windows Secure Kernel Mode | 1 |

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft PC Manager Elevation of Privilege Vulnerability | No | No | 7.8 |

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Azure Storage Resource Provider Spoofing Vulnerability | No | No | 9.9 |
| | Azure Automation Elevation of Privilege Vulnerability | No | No | 9.9 |
| | Document Intelligence Studio On-Prem Elevation of Privilege Vulnerability | No | No | 9.8 |
| | Microsoft Power Apps Information Disclosure Vulnerability | No | No | 9.1 |
| | Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability | No | No | 8.1 |
| | Microsoft Azure File Sync Elevation of Privilege Vulnerability | No | No | 7 |

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability | No | No | 6.7 |

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 6.5 |
| | Chromium: CVE-2025-4372 Use after free in WebAudio | No | No | N/A |
| | Chromium: CVE-2025-4096 Heap buffer overflow in HTML | No | No | N/A |
| | Chromium: CVE-2025-4052 Inappropriate implementation in DevTools | No | No | N/A |
| | Chromium: CVE-2025-4051 Insufficient data validation in DevTools | No | No | N/A |
| | Chromium: CVE-2025-4050 Out of bounds memory access in DevTools | No | No | N/A |

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Azure DevOps Server Elevation of Privilege Vulnerability | No | No | 10 |
| | .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability | No | No | 8 |
| | Visual Studio Remote Code Execution Vulnerability | No | Yes | 7.8 |
| | Visual Studio Code Security Feature Bypass Vulnerability | No | No | 7.1 |
| | Visual Studio Information Disclosure Vulnerability | No | No | 5.5 |

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Windows Media Remote Code Execution Vulnerability | No | No | 8.8 |
| | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 |
| | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 |
| | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| | NTFS Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 7.5 |
| | Scripting Engine Memory Corruption Vulnerability | Yes | No | 7.5 |
| | MS-EVEN RPC Remote Code Execution Vulnerability | No | No | 7.5 |
| | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | No | No | 7.1 |
| | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | No | No | 7 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 6.5 |
| | Active Directory Certificate Services (AD CS) Denial of Service Vulnerability | No | No | 6.5 |
| | Windows Deployment Services Denial of Service Vulnerability | No | No | 6.2 |
| | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | No | No | 5.9 |
| | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | No | No | 5.9 |
| | Windows Kernel Information Disclosure Vulnerability | No | No | 5.7 |
| | Windows Installer Information Disclosure Vulnerability | No | No | 5.5 |
| | Windows SMB Information Disclosure Vulnerability | No | No | 5.4 |
| | Windows Multiple UNC Provider Driver Information Disclosure Vulnerability | No | No | 4 |

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft Dataverse Remote Code Execution Vulnerability | No | No | 8.7 |
| | Microsoft Dataverse Elevation of Privilege Vulnerability | No | No | 7.3 |

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4 |
| | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 8.4 |
| | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft SharePoint Server Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.4 |
| | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7 |

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 |

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft Defender Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Microsoft Defender for Identity Spoofing Vulnerability | No | Yes | 6.5 |

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Windows Media Remote Code Execution Vulnerability | No | No | 8.8 |
| | Windows Media Remote Code Execution Vulnerability | No | No | 8.8 |
| | Windows Media Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| | Microsoft Brokering File System Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | No | No | 7.5 |
| | Web Threat Defense (WTD.sys) Denial of Service Vulnerability | No | No | 7.5 |
| | UrlMon Security Feature Bypass Vulnerability | No | No | 7.5 |
| | Windows ExecutionContext Driver Elevation of Privilege Vulnerability | No | No | 7.4 |
| | Universal Print Management Service Elevation of Privilege Vulnerability | No | No | 7 |
| | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.2 |
| | Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability | No | No | 5.5 |

Microsoft's May 2025 Patch Tuesday release addressed 72 total vulnerabilities, headlined by fixes for five actively exploited zero-day flaws and two publicly disclosed vulnerabilities:
- CVE-2025-30400 (Microsoft DWM Core Library Elevation of Privilege)
- CVE-2025-32701 (Windows Common Log File System Driver Elevation of Privilege)
- CVE-2025-32706 (Windows Common Log File System Driver Elevation of Privilege)
- CVE-2025-32709 (Windows Ancillary Function Driver for WinSock Elevation of Privilege)
- CVE-2025-30397 (Scripting Engine Memory Corruption)
- CVE-2025-26685 (Microsoft Defender for Identity Spoofing) - publicly disclosed
- CVE-2025-32702 (Visual Studio Remote Code Execution) - publicly disclosed

Additional key vulnerabilities included:
- Critical remote code execution bugs in Remote Desktop Client (CVE-2025-29966, CVE-2025-29967)
- Critical remote code execution vulnerabilities in Microsoft Office (CVE-2025-30377, CVE-2025-30386)
- Critical vulnerabilities in Azure services, including Azure Storage Resource Provider (CVE-2025-29972) and Azure Automation (CVE-2025-29827)
- Multiple critical and important remote code execution vulnerabilities in Microsoft Excel, SharePoint, and other Office components
In total, 28 critical or high-severity remote code execution bugs were addressed this month along with 17 important elevation of privilege flaws. Information disclosure, denial of service, spoofing, and security feature bypass issues rounded out the rest.
The presence of five actively exploited zero-days highlights the ongoing challenge of securing complex systems against determined adversaries. The continuing pattern of exploitation targeting components like the Windows Common Log File System Driver and DWM Core Library should prompt security teams to closely monitor these areas in their threat models.
Organizations should prioritize patching these vulnerabilities, with particular emphasis on the actively exploited zero-days and critical remote code execution flaws. CISA has already added several of these vulnerabilities to its Known Exploited Vulnerabilities Catalog with a remediation deadline of June 3, 2025, further underscoring their severity.
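The prioritization advice above can be turned into a patch queue. The following is an added example, not code from the article or from Microsoft: it orders the CVEs from this article's summary tables and compares that order with a sort on CVSS score alone. The tier policy (exploited, then Critical, then publicly disclosed) and every function name are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date

# CISA KEV remediation date the article gives for the five exploited CVEs.
KEV_DUE = date(2025, 6, 3)

# CVE | CVSSv3 | severity | exploited? | publicly disclosed?
# Transcribed from the article's tables; nothing here is fetched live.
ARTICLE_ROWS = """
CVE-2025-30400 | 7.8 | Important | Yes | No
CVE-2025-32701 | 7.8 | Important | Yes | No
CVE-2025-32706 | 7.8 | Important | Yes | No
CVE-2025-32709 | 7.8 | Important | Yes | No
CVE-2025-30397 | 7.5 | Important | Yes | No
CVE-2025-26685 | 6.5 | Important | No | Yes
CVE-2025-32702 | 7.8 | Important | No | Yes
CVE-2025-29972 | 9.9 | Critical | No | No
CVE-2025-29827 | 9.9 | Critical | No | No
CVE-2025-29966 | 8.8 | Critical | No | No
CVE-2025-29967 | 8.8 | Critical | No | No
CVE-2025-30377 | 8.4 | Critical | No | No
CVE-2025-30386 | 8.4 | Critical | No | No
CVE-2025-47732 | 8.7 | Critical | No | No
CVE-2025-33072 | 8.1 | Critical | No | No
CVE-2025-29833 | 7.1 | Critical | No | No
"""


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float
    severity: str
    exploited: bool
    disclosed: bool


def parse_rows(text):
    """Parse pipe-separated rows, rejecting anything malformed."""
    vulns = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 5 or not cells[0].startswith("CVE-"):
            raise ValueError(f"malformed row: {line!r}")
        if cells[3] not in ("Yes", "No") or cells[4] not in ("Yes", "No"):
            raise ValueError(f"bad flag in row: {line!r}")
        vulns.append(Vuln(cells[0], float(cells[1]), cells[2],
                          cells[3] == "Yes", cells[4] == "Yes"))
    return vulns


def tier(v):
    """Assumed policy: exploited > Critical > publicly disclosed > rest."""
    if v.exploited:
        return 1
    if v.severity == "Critical":
        return 2
    if v.disclosed:
        return 3
    return 4


def triage(vulns):
    """Order by tier, then highest CVSS first, then CVE ID for stability."""
    return sorted(vulns, key=lambda v: (tier(v), -v.cvss, v.cve))


def by_cvss_only(vulns):
    """The naive ordering: highest CVSS first, ignoring exploitation."""
    return sorted(vulns, key=lambda v: (-v.cvss, v.cve))


def worst_exploited_rank(ordered):
    """1-based queue position of the last actively exploited CVE."""
    return max(i for i, v in enumerate(ordered, 1) if v.exploited)


def days_to_kev_due(today):
    """Days left before the KEV date; negative means overdue."""
    return (KEV_DUE - today).days


if __name__ == "__main__":
    vulns = parse_rows(ARTICLE_ROWS)
    for pos, v in enumerate(triage(vulns), 1):
        due = f" KEV due {KEV_DUE}" if v.exploited else ""
        print(f"{pos:2} tier{tier(v)} {v.cve} {v.cvss:>4} {v.severity}{due}")
    print("last exploited CVE, CVSS-only sort:",
          worst_exploited_rank(by_cvss_only(vulns)))
    print("last exploited CVE, tiered sort:",
          worst_exploited_rank(triage(vulns)))
```

Sorted on CVSS alone, the last exploited zero-day lands at position 14 of 16 because all five are rated Important with scores of 7.5 to 7.8; the tiered order places them in the first five slots.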
We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.