May 14, 2025

Breaking Down the Latest May 2025 Patch Tuesday Report



Microsoft has released its May 2025 Patch Tuesday security updates, addressing 72 vulnerabilities across Windows, Office, Exchange Server, Azure, Dynamics, and other products. This month's update includes fixes for five actively exploited zero-day vulnerabilities and two publicly disclosed flaws.

The five actively exploited zero-days are CVE-2025-30400 (Windows DWM Core Library), CVE-2025-32701 (Windows Common Log File System Driver), CVE-2025-32706 (Windows Common Log File System Driver), CVE-2025-32709 (Windows Ancillary Function Driver for WinSock), and CVE-2025-30397 (Scripting Engine Memory Corruption). All of these vulnerabilities could allow attackers to elevate privileges or execute malicious code, posing significant security risks to affected systems.

In total, Microsoft addressed 6 critical vulnerabilities and 66 important ones. The most common issues are remote code execution (28 bugs), elevation of privilege (17 bugs), information disclosure (15 bugs), denial of service (7 bugs), and spoofing (2 bugs).

Key products receiving security updates include Windows, Office, Exchange Server, Azure, Dynamics 365, .NET Framework, Windows Hyper-V, and Microsoft Edge. Administrators should prioritize testing and deploying patches for the actively exploited zero-days and critical remote code execution flaws.

Additional steps may be required to fully remediate some vulnerabilities, particularly for enterprise environments. The US Cybersecurity and Infrastructure Security Agency (CISA) has added several of this month's vulnerabilities to its Known Exploited Vulnerabilities Catalog, requesting federal agencies to patch them by June 3, 2025.

Update for Windows 11 users: Microsoft has published KB5058405 for Windows 11.

Key Highlights - Patch Tuesday May 2025

In May's Patch Tuesday, Microsoft addressed 72 vulnerabilities, including five actively exploited zero-day vulnerabilities and two publicly disclosed flaws that attackers could leverage to compromise systems. This update included patches across categories like elevation of privilege, remote code execution, information disclosure, denial of service, and spoofing vulnerabilities.

The key affected products in this release span Microsoft's ecosystem, including Windows, Edge, Office, Dynamics, Azure, and more. Swiftly applying these security fixes is essential for protecting systems against emerging threats.

The key highlights are:

  1. Total Flaws and Zero-Day Vulnerabilities: This update resolves 72 total bugs, with five actively exploited zero-days and two publicly disclosed vulnerabilities. Of these, 6 were rated Critical and 66 as Important.

  2. Vulnerability Types: Remote code execution vulnerabilities lead the volume with 28 occurrences, followed by 17 elevation of privilege flaws. Information disclosure (15), denial of service (7), spoofing (2), and security feature bypass (2) vulnerabilities round out the mix.

  3. Zero-Day Threats: The five actively exploited zero-days include Windows DWM Core Library (CVE-2025-30400), Windows Common Log File System Driver (CVE-2025-32701 and CVE-2025-32706), Windows Ancillary Function Driver for WinSock (CVE-2025-32709), and Scripting Engine Memory Corruption (CVE-2025-30397).

  4. Critical-Rated Bugs: Other critical-rated bugs include remote code execution vulnerabilities in Remote Desktop Client (CVE-2025-29966 and CVE-2025-29967), Microsoft Office (CVE-2025-30377 and CVE-2025-30386), and Microsoft Virtual Machine Bus (CVE-2025-29833).

  5. Publicly Disclosed Vulnerabilities: Two vulnerabilities were publicly disclosed but not yet known to be exploited: Microsoft Defender for Identity Spoofing (CVE-2025-26685) and Visual Studio Remote Code Execution (CVE-2025-32702).

  6. Non-Critical Notables: Other major issues include remote code execution flaws in Microsoft Excel and SharePoint, privilege escalations in Windows kernel components, and information disclosure bugs in Windows Routing and Remote Access Service (RRAS).

This May Patch Tuesday continues Microsoft's security maintenance lifecycle into mid-2025. Apply these updates promptly to close vulnerabilities before threats exploit them in your environment.

Zero-day Vulnerabilities Patched in May 2025

Microsoft addressed five actively exploited zero-day vulnerabilities and two publicly disclosed vulnerabilities in the May 2025 Patch Tuesday release. These vulnerabilities are particularly concerning because they were being actively exploited in the wild before patches were made available. Let's examine each of these critical vulnerabilities:

CVE-2025-30400 - Microsoft DWM Core Library Elevation of Privilege Vulnerability

Vulnerability type: Elevation of Privilege

Affected product: Windows Desktop Window Manager (DWM) Core Library

CVSS v3 base score: 7.8

Severity rating: Important

This vulnerability allows an authenticated attacker to elevate privileges by exploiting a use-after-free condition in the Windows DWM Core Library. The Desktop Window Manager is a crucial system component in Windows that manages the display of all visual elements on a computer screen.

Microsoft notes that successful exploitation would enable an attacker to gain SYSTEM privileges, effectively giving them complete control over the affected system. This is the seventh EoP vulnerability in the DWM Core Library patched this year, indicating this component remains a frequent target for attackers.

CISA has added CVE-2025-30400 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.

CVE-2025-32701 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

Vulnerability type: Elevation of Privilege

Affected product: Windows Common Log File System Driver

CVSS v3 base score: 7.8

Severity rating: Important

This vulnerability in the Windows Common Log File System (CLFS) Driver allows an authenticated attacker to gain SYSTEM privileges by exploiting a use-after-free condition. CLFS is a high-performance, general-purpose logging subsystem used by kernel and user-mode applications, frequently employed in database systems, messaging systems, and online transactional processing.

Microsoft attributes the discovery of this flaw to the Microsoft Threat Intelligence Center, indicating it was discovered during threat hunting operations. This is one of several CLFS vulnerabilities patched this year, continuing a trend from 2024 when multiple CLFS vulnerabilities were exploited in the wild.

CISA has added CVE-2025-32701 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.

CVE-2025-32706 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

Vulnerability type: Elevation of Privilege

Affected product: Windows Common Log File System Driver

CVSS v3 base score: 7.8

Severity rating: Important

This vulnerability also affects the Windows Common Log File System Driver but exploits improper input validation rather than a use-after-free condition. An authenticated attacker can leverage this vulnerability to elevate their privileges to SYSTEM level.

Microsoft attributes the discovery of this flaw to Benoit Sevens of Google Threat Intelligence Group and the CrowdStrike Advanced Research Team, suggesting multiple security research teams independently discovered exploitation of this vulnerability.

CISA has added CVE-2025-32706 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.

CVE-2025-32709 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Vulnerability type: Elevation of Privilege

Affected product: Windows Ancillary Function Driver for WinSock

CVSS v3 base score: 7.8

Severity rating: Important

This vulnerability in the Windows Ancillary Function Driver (AFD) for WinSock allows an authenticated attacker to elevate privileges by exploiting a use-after-free condition. The Ancillary Function Driver serves as the entry point for the Windows Sockets (Winsock) API, handling low-level details of network communication.

According to Microsoft's advisory, this vulnerability was disclosed by an "Anonymous" researcher. This is the second AFD vulnerability exploited in 2025, preceded by CVE-2025-21418 which was addressed in February's Patch Tuesday release.

CISA has added CVE-2025-32709 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.

CVE-2025-30397 - Scripting Engine Memory Corruption Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Microsoft Scripting Engine

CVSS v3 base score: 7.5

Severity rating: Important

This vulnerability allows for remote code execution through the Microsoft Scripting Engine. Exploitation requires an authenticated user to click on a specially crafted link while using Microsoft Edge in Internet Explorer mode. The vulnerability involves "access of resource using incompatible type ('type confusion')" according to Microsoft's advisory.

Microsoft attributes the discovery of this flaw to the Microsoft Threat Intelligence Center and notes that successful exploitation could allow an unauthenticated attacker to execute code over a network.

CISA has added CVE-2025-30397 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.

CVE-2025-26685 - Microsoft Defender for Identity Spoofing Vulnerability

Vulnerability type: Spoofing

Affected product: Microsoft Defender for Identity

CVSS v3 base score: 6.5

Severity rating: Important

This vulnerability allows an unauthenticated attacker with LAN access to perform spoofing attacks due to improper authentication in Microsoft Defender for Identity. Microsoft Defender for Identity is a cloud-based security solution that helps organizations monitor and secure their identities across hybrid environments.

Microsoft attributes the discovery of this flaw to Joshua Murrell with NetSPI. While Microsoft has no evidence that this vulnerability has been exploited in the wild, it was publicly disclosed prior to patch availability.

CVE-2025-32702 - Visual Studio Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Visual Studio

CVSS v3 base score: 7.8

Severity rating: Important

This vulnerability in Visual Studio could allow remote code execution through command injection. According to Microsoft's advisory, an "improper neutralization of special elements used in a command" allows an unauthenticated attacker to execute code locally.

Microsoft has not shared who disclosed this flaw, but notes it was publicly disclosed before patches were available. There is no evidence that this vulnerability has been exploited in the wild.

| CVE ID | Description | CVSSv3 | Severity | Exploited? | Publicly disclosed? |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | 7.8 | Important | Yes | No |
| CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 | Important | Yes | No |
| CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 | Important | Yes | No |
| CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | 7.8 | Important | Yes | No |
| CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability | 7.5 | Important | Yes | No |
| CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability | 6.5 | Important | No | Yes |
| CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability | 7.8 | Important | No | Yes |

Critical Vulnerabilities Patched in May 2025

In addition to the zero-day vulnerabilities, Microsoft addressed five vulnerabilities rated Critical in severity that deserve special attention. These vulnerabilities could allow attackers to achieve remote code execution or access sensitive information, posing significant risks to affected systems.

CVE-2025-29966 & CVE-2025-29967 - Remote Desktop Client Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Remote Desktop Client

CVSS v3 base score: 8.8

Severity rating: Critical

These two critical vulnerabilities affect the Remote Desktop client and could allow an unauthenticated attacker to execute code remotely on affected systems. Both vulnerabilities involve heap-based buffer overflow conditions that could be exploited without user interaction.

Remote Desktop Protocol (RDP) clients are software applications that allow users to connect to and control remote computers or servers using secure network connections. These vulnerabilities could potentially allow attackers to take complete control of systems when users connect to malicious RDP servers.

The high CVSS score reflects the severity of these flaws, which don't require any user interaction beyond connecting to a compromised or malicious RDP server. Organizations should prioritize patching these vulnerabilities, especially if RDP is utilized extensively in their environment.

CVE-2025-30377 & CVE-2025-30386 - Microsoft Office Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Microsoft Office

CVSS v3 base score: 8.4

Severity rating: Critical

These critical vulnerabilities in Microsoft Office involve use-after-free conditions that could allow an unauthenticated attacker to achieve remote code execution. Successful exploitation would potentially allow attackers to run malicious code with the privileges of the current user.

While Microsoft hasn't provided extensive details about the attack vector, these types of Office vulnerabilities typically involve opening specially crafted files. If the current user has administrative privileges, an attacker could take control of the affected system, install programs, view, change, or delete data, or create new accounts with full user rights.

These vulnerabilities represent a significant threat to organizations, particularly given the widespread use of Microsoft Office products. Prioritizing patches for these vulnerabilities is strongly recommended.

CVE-2025-29833 - Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Microsoft Virtual Machine Bus

CVSS v3 base score: 7.1

Severity rating: Critical

This critical vulnerability in the Microsoft Virtual Machine Bus (VMBus) could allow an authenticated attacker to achieve remote code execution by exploiting a time-of-check time-of-use (TOCTOU) race condition. VMBus is a virtual communication channel used within the Microsoft Hyper-V virtualization environment, facilitating communication and data transfer between host and guest partitions.

Successful exploitation could potentially allow a guest virtual machine to execute code on the host system, effectively breaking out of the VM isolation. This type of vulnerability is particularly concerning in multi-tenant environments where virtual machines from different trust boundaries run on the same physical hardware.

While exploitation requires authentication, the potential impact on virtualized environments makes this a high-priority vulnerability to address, especially for cloud service providers and organizations running Hyper-V infrastructure.

CVE-2025-33072 - Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability

Vulnerability type: Information Disclosure

Affected product: Azure

CVSS v3 base score: 8.1

Severity rating: Critical

This critical vulnerability in Microsoft's Azure feedback website could allow unauthorized disclosure of sensitive information. While Microsoft hasn't provided extensive details about the vulnerability, the high CVSS score suggests that the information potentially exposed is of high value or sensitivity.

Information disclosure vulnerabilities in cloud services can have significant impacts, potentially exposing customer data, authentication tokens, or configuration information that could be leveraged for further attacks.

CVE-2025-29972 - Azure Storage Resource Provider Spoofing Vulnerability

Vulnerability type: Spoofing

Affected product: Azure Storage Resource Provider

CVSS v3 base score: 9.9

Severity rating: Critical

This critical vulnerability in the Azure Storage Resource Provider could allow an attacker to perform spoofing attacks. With an extremely high CVSS score of 9.9, this vulnerability represents one of the most severe issues in this month's Patch Tuesday.

The Azure Storage Resource Provider is a critical component that manages storage accounts and their keys. A spoofing vulnerability in this component could potentially allow attackers to impersonate legitimate users or services, gaining unauthorized access to storage accounts and the data they contain.

Organizations using Azure storage services should prioritize applying these patches to protect their cloud resources from potential compromise.

CVE-2025-29827 - Azure Automation Elevation of Privilege Vulnerability

Vulnerability type: Elevation of Privilege

Affected product: Azure Automation

CVSS v3 base score: 9.9

Severity rating: Critical

This critical vulnerability in Azure Automation could allow an attacker to elevate their privileges. Like the Azure Storage Resource Provider vulnerability, this issue has an extremely high CVSS score of 9.9, indicating its severe potential impact.

Azure Automation is a cloud-based service that allows customers to automate frequent, time-consuming, and error-prone cloud management tasks. An elevation of privilege vulnerability in this service could potentially allow attackers to gain higher levels of access to automation accounts and the resources they manage.

Given the powerful nature of automation services, which often require extensive permissions to operate, this vulnerability could potentially be leveraged to gain broad access across an organization's Azure resources.

| CVE ID | Description | CVSSv3 | Severity |
| --- | --- | --- | --- |
| CVE-2025-29972 | Azure Storage Resource Provider Spoofing Vulnerability | 9.9 | Critical |
| CVE-2025-29827 | Azure Automation Elevation of Privilege Vulnerability | 9.9 | Critical |
| CVE-2025-29966 | Remote Desktop Client Remote Code Execution Vulnerability | 8.8 | Critical |
| CVE-2025-29967 | Remote Desktop Client Remote Code Execution Vulnerability | 8.8 | Critical |
| CVE-2025-30377 | Microsoft Office Remote Code Execution Vulnerability | 8.4 | Critical |
| CVE-2025-30386 | Microsoft Office Remote Code Execution Vulnerability | 8.4 | Critical |
| CVE-2025-47732 | Microsoft Dataverse Remote Code Execution Vulnerability | 8.7 | Critical |
| CVE-2025-33072 | Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability | 8.1 | Critical |
| CVE-2025-29833 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | 7.1 | Critical |

Vulnerabilities by Category

In total, 72 vulnerabilities were addressed in May's Patch Tuesday. Remote Code Execution flaws top the list with 28 patches, followed by 17 Elevation of Privilege vulnerabilities and 15 Information Disclosure issues. The rest consist of 7 Denial of Service, 3 Spoofing, and 2 Security Feature Bypass flaws.

Here is the breakdown of the categories patched this month:

1. Remote Code Execution – 28

2. Elevation of Privilege – 17

3. Information Disclosure – 15

4. Denial of Service – 7

5. Spoofing – 3

6. Security Feature Bypass – 2

The table below shows the CVE IDs mapped to these vulnerability types from Microsoft's May 2025 Patch Tuesday:

| Vulnerability Category | CVE IDs |
| --- | --- |
| Remote Code Execution | CVE-2025-29833, CVE-2025-29840, CVE-2025-29962, CVE-2025-29963, CVE-2025-29964, CVE-2025-29966, CVE-2025-29967, CVE-2025-29969, CVE-2025-30377, CVE-2025-30386, CVE-2025-30388, CVE-2025-30397, CVE-2025-32702, CVE-2025-32704, CVE-2025-32705, CVE-2025-47732, CVE-2025-29831, CVE-2025-29977, CVE-2025-29978, CVE-2025-29979, CVE-2025-30375, CVE-2025-30376, CVE-2025-30378, CVE-2025-30379, CVE-2025-30381, CVE-2025-30382, CVE-2025-30383, CVE-2025-30393 |
| Elevation of Privilege | CVE-2025-24063, CVE-2025-26684, CVE-2025-27468, CVE-2025-27488, CVE-2025-29813, CVE-2025-29826, CVE-2025-29827, CVE-2025-29838, CVE-2025-29841, CVE-2025-29970, CVE-2025-29976, CVE-2025-30385, CVE-2025-30387, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 |
| Information Disclosure | CVE-2025-29829, CVE-2025-29830, CVE-2025-29832, CVE-2025-29835, CVE-2025-29836, CVE-2025-29837, CVE-2025-29839, CVE-2025-29956, CVE-2025-29958, CVE-2025-29959, CVE-2025-29960, CVE-2025-29961, CVE-2025-29974, CVE-2025-32703, CVE-2025-33072, CVE-2025-47733 |
| Denial of Service | CVE-2025-26677, CVE-2025-29954, CVE-2025-29955, CVE-2025-29957, CVE-2025-29968, CVE-2025-29971, CVE-2025-30394 |
| Spoofing | CVE-2025-26646, CVE-2025-26685, CVE-2025-29825, CVE-2025-29972 |
| Security Feature Bypass | CVE-2025-21264, CVE-2025-29842 |

Remote code execution vulnerabilities continue to dominate this month's updates, representing nearly 39% of all patched flaws. These vulnerabilities pose significant risks as they can potentially allow attackers to execute arbitrary code on affected systems.

Elevation of privilege vulnerabilities account for approximately 24% of the patched flaws, highlighting the continued focus on vulnerabilities that attackers can leverage to gain higher levels of access once they've established an initial foothold.

Information disclosure vulnerabilities make up about 21% of this month's patches, addressing flaws that could allow attackers to access sensitive information that might be leveraged in further attacks.

Denial of service, spoofing, and security feature bypass vulnerabilities represent smaller portions of the update but should not be overlooked, as they can still pose significant security risks depending on the affected systems and their role in an organization's infrastructure.

List of Products Patched in May 2025 Patch Tuesday Report

Microsoft's May 2025 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

| Product Name | No. of Vulnerabilities Patched |
| --- | --- |
| Windows Routing and Remote Access Service (RRAS) | 8 |
| Microsoft Office Excel | 7 |
| Windows Media | 4 |
| Windows Common Log File System Driver | 3 |
| Azure | 3 |
| Microsoft Office SharePoint | 3 |
| Remote Desktop Gateway Service | 3 |
| Microsoft Edge (Chromium-based) | 6 |
| Visual Studio | 2 |
| Windows Remote Desktop | 2 |
| Microsoft Office | 2 |
| Microsoft Dataverse | 2 |
| Microsoft Defender | 2 |
| Windows Kernel | 2 |
| Windows Hyper-V | 1 |
| Windows NTFS | 1 |
| Windows Ancillary Function Driver for WinSock | 1 |
| Windows SMB | 1 |
| Windows Deployment Services | 1 |
| Windows DWM | 1 |
| Windows Virtual Machine Bus | 1 |
| Windows Win32K - GRFX | 1 |
| Microsoft Scripting Engine | 1 |
| Microsoft Office Outlook | 1 |
| Microsoft Office PowerPoint | 1 |
| Microsoft PC Manager | 1 |
| Microsoft Power Apps | 1 |
| Windows Hardware Lab Kit | 1 |
| Windows Installer | 1 |
| Windows File Server | 1 |
| Windows Trusted Runtime Interface Driver | 1 |
| Windows LDAP | 1 |
| Active Directory Certificate Services (AD CS) | 1 |
| Microsoft Brokering File System | 1 |
| Web Threat Defense (WTD.sys) | 1 |
| Azure Storage Resource Provider | 1 |
| Azure File Sync | 1 |
| Azure DevOps | 1 |
| Azure Automation | 1 |
| .NET, Visual Studio, and Build Tools for Visual Studio | 1 |
| Universal Print Management Service | 1 |
| UrlMon | 1 |
| Visual Studio Code | 1 |
| Windows Drivers | 1 |
| Windows Fundamentals | 1 |
| Windows Secure Kernel Mode | 1 |

Summary tables

Apps vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Microsoft PC Manager Elevation of Privilege Vulnerability | No | No | 7.8 |

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Azure Storage Resource Provider Spoofing Vulnerability | No | No | 9.9 |
|  | Azure Automation Elevation of Privilege Vulnerability | No | No | 9.9 |
|  | Document Intelligence Studio On-Prem Elevation of Privilege Vulnerability | No | No | 9.8 |
|  | Microsoft Power Apps Information Disclosure Vulnerability | No | No | 9.1 |
|  | Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability | No | No | 8.1 |
|  | Microsoft Azure File Sync Elevation of Privilege Vulnerability | No | No | 7 |

Azure Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability | No | No | 6.7 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 6.5 |
|  | Chromium: CVE-2025-4372 Use after free in WebAudio | No | No | N/A |
|  | Chromium: CVE-2025-4096 Heap buffer overflow in HTML | No | No | N/A |
|  | Chromium: CVE-2025-4052 Inappropriate implementation in DevTools | No | No | N/A |
|  | Chromium: CVE-2025-4051 Insufficient data validation in DevTools | No | No | N/A |
|  | Chromium: CVE-2025-4050 Out of bounds memory access in DevTools | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Azure DevOps Server Elevation of Privilege Vulnerability | No | No | 10 |
|  | .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability | No | No | 8 |
|  | Visual Studio Remote Code Execution Vulnerability | No | Yes | 7.8 |
|  | Visual Studio Code Security Feature Bypass Vulnerability | No | No | 7.1 |
|  | Visual Studio Information Disclosure Vulnerability | No | No | 5.5 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Windows Media Remote Code Execution Vulnerability | No | No | 8.8 |
|  | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 |
|  | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 |
|  | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | No | 7.8 |
|  | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | No | 7.8 |
|  | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Yes | No | 7.8 |
|  | NTFS Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 7.5 |
|  | Scripting Engine Memory Corruption Vulnerability | Yes | No | 7.5 |
|  | MS-EVEN RPC Remote Code Execution Vulnerability | No | No | 7.5 |
|  | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | No | No | 7.1 |
|  | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | No | No | 7 |
|  | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
|  | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
|  | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
|  | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
|  | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
|  | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
|  | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
|  | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 6.5 |
|  | Active Directory Certificate Services (AD CS) Denial of Service Vulnerability | No | No | 6.5 |
|  | Windows Deployment Services Denial of Service Vulnerability | No | No | 6.2 |
|  | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | No | No | 5.9 |
|  | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | No | No | 5.9 |
|  | Windows Kernel Information Disclosure Vulnerability | No | No | 5.7 |
|  | Windows Installer Information Disclosure Vulnerability | No | No | 5.5 |
|  | Windows SMB Information Disclosure Vulnerability | No | No | 5.4 |
|  | Windows Multiple UNC Provider Driver Information Disclosure Vulnerability | No | No | 4 |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Microsoft Dataverse Remote Code Execution Vulnerability | No | No | 8.7 |
|  | Microsoft Dataverse Elevation of Privilege Vulnerability | No | No | 7.3 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4 |
|  | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4 |
|  | Microsoft Excel Remote Code Execution Vulnerability | No | No | 8.4 |
|  | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Microsoft SharePoint Server Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.4 |
|  | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7 |

Microsoft Office ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 |

System Center vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Microsoft Defender Elevation of Privilege Vulnerability | No | No | 6.7 |
|  | Microsoft Defender for Identity Spoofing Vulnerability | No | Yes | 6.5 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Windows Media Remote Code Execution Vulnerability | No | No | 8.8 |
|  | Windows Media Remote Code Execution Vulnerability | No | No | 8.8 |
|  | Windows Media Remote Code Execution Vulnerability | No | No | 8.8 |
|  | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Yes | No | 7.8 |
|  | Microsoft Brokering File System Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | No | No | 7.5 |
|  | Web Threat Defense (WTD.sys) Denial of Service Vulnerability | No | No | 7.5 |
|  | UrlMon Security Feature Bypass Vulnerability | No | No | 7.5 |
|  | Windows ExecutionContext Driver Elevation of Privilege Vulnerability | No | No | 7.4 |
|  | Universal Print Management Service Elevation of Privilege Vulnerability | No | No | 7 |
|  | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.2 |
|  | Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability | No | No | 5.5 |

Bottom Line

Microsoft's May 2025 Patch Tuesday release addressed 72 total vulnerabilities, headlined by fixes for five actively exploited zero-day flaws and two publicly disclosed vulnerabilities:

  • CVE-2025-30400 (Microsoft DWM Core Library Elevation of Privilege)

  • CVE-2025-32701 (Windows Common Log File System Driver Elevation of Privilege)

  • CVE-2025-32706 (Windows Common Log File System Driver Elevation of Privilege)

  • CVE-2025-32709 (Windows Ancillary Function Driver for WinSock Elevation of Privilege)

  • CVE-2025-30397 (Scripting Engine Memory Corruption)

  • CVE-2025-26685 (Microsoft Defender for Identity Spoofing) - publicly disclosed

  • CVE-2025-32702 (Visual Studio Remote Code Execution) - publicly disclosed

Additional key vulnerabilities included:

  • Critical remote code execution bugs in Remote Desktop Client (CVE-2025-29966, CVE-2025-29967)

  • Critical remote code execution vulnerabilities in Microsoft Office (CVE-2025-30377, CVE-2025-30386)

  • Critical vulnerabilities in Azure services, including Azure Storage Resource Provider (CVE-2025-29972) and Azure Automation (CVE-2025-29827)

  • Multiple critical and important remote code execution vulnerabilities in Microsoft Excel, SharePoint, and other Office components

In total, 28 critical or high-severity remote code execution bugs were addressed this month along with 17 important elevation of privilege flaws. Information disclosure, denial of service, spoofing, and security feature bypass issues rounded out the rest.

The presence of five actively exploited zero-days highlights the ongoing challenge of securing complex systems against determined adversaries. The continuing pattern of exploitation targeting components like the Windows Common Log File System Driver and DWM Core Library should prompt security teams to closely monitor these areas in their threat models.

Organizations should prioritize patching these vulnerabilities, with particular emphasis on the actively exploited zero-days and critical remote code execution flaws. CISA has already added several of these vulnerabilities to its Known Exploited Vulnerabilities Catalog with a remediation deadline of June 3, 2025, further underscoring their severity.
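One way to turn that prioritization into a per-host patch queue, as an added example that is not part of the original article or any Microsoft tooling: it uses the host-side rows of the zero-day and critical tables above and the June 3, 2025 KEV deadline. The host names, the inventory and the ordering below tier 1 are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

KEV_DUE = date(2025, 6, 3)  # CISA deadline the article gives for the exploited zero-days


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str       # "Affected product" as named in the article
    cvss: float
    severity: str
    kind: str          # EoP, RCE or Spoofing
    exploited: bool = False
    disclosed: bool = False


DWM = "Windows Desktop Window Manager (DWM) Core Library"
CLFS = "Windows Common Log File System Driver"
AFD = "Windows Ancillary Function Driver for WinSock"
SCRIPT = "Microsoft Scripting Engine"

# Host-side rows transcribed from the article's zero-day and critical tables.
VULNS = [
    Vuln("CVE-2025-30400", DWM, 7.8, "Important", "EoP", exploited=True),
    Vuln("CVE-2025-32701", CLFS, 7.8, "Important", "EoP", exploited=True),
    Vuln("CVE-2025-32706", CLFS, 7.8, "Important", "EoP", exploited=True),
    Vuln("CVE-2025-32709", AFD, 7.8, "Important", "EoP", exploited=True),
    Vuln("CVE-2025-30397", SCRIPT, 7.5, "Important", "RCE", exploited=True),
    Vuln("CVE-2025-26685", "Microsoft Defender for Identity", 6.5, "Important", "Spoofing", disclosed=True),
    Vuln("CVE-2025-32702", "Visual Studio", 7.8, "Important", "RCE", disclosed=True),
    Vuln("CVE-2025-29966", "Remote Desktop Client", 8.8, "Critical", "RCE"),
    Vuln("CVE-2025-29967", "Remote Desktop Client", 8.8, "Critical", "RCE"),
    Vuln("CVE-2025-30377", "Microsoft Office", 8.4, "Critical", "RCE"),
    Vuln("CVE-2025-30386", "Microsoft Office", 8.4, "Critical", "RCE"),
    Vuln("CVE-2025-29833", "Microsoft Virtual Machine Bus", 7.1, "Critical", "RCE"),
]


def tier(v: Vuln) -> int:
    """0 = actively exploited, 1 = Critical RCE (both from the article's advice);
    2 = publicly disclosed, 3 = everything else (ordering assumed here)."""
    if v.exploited:
        return 0
    if v.severity == "Critical" and v.kind == "RCE":
        return 1
    return 2 if v.disclosed else 3


def patch_queue(installed: set[str]) -> list[Vuln]:
    """Vulnerabilities that apply to one host, most urgent first."""
    hits = [v for v in VULNS if v.product in installed]
    return sorted(hits, key=lambda v: (tier(v), -v.cvss, v.cve))


def kev_status(today: date) -> str:
    """Days remaining until (or elapsed since) the KEV remediation deadline."""
    days = (KEV_DUE - today).days
    return f"{days} days left" if days >= 0 else f"OVERDUE by {-days} days"


def fleet_report(inventory: dict[str, set[str]], today: date) -> dict[str, list[str]]:
    """One ordered work list per host; exploited entries carry the KEV deadline."""
    report = {}
    for host, installed in inventory.items():
        lines = []
        for v in patch_queue(installed):
            due = f" | KEV due {KEV_DUE} ({kev_status(today)})" if v.exploited else ""
            lines.append(f"T{tier(v)} {v.cve} CVSS {v.cvss} {v.kind}{due}")
        report[host] = lines
    return report


# Constructed inventory: hypothetical hosts and the affected components they run.
WINDOWS_BASE = {DWM, CLFS, AFD, SCRIPT}
INVENTORY = {
    "ws-finance-01": WINDOWS_BASE | {"Microsoft Office", "Remote Desktop Client"},
    "hv-host-02": WINDOWS_BASE | {"Microsoft Virtual Machine Bus"},
    "build-03": WINDOWS_BASE | {"Visual Studio"},
}

if __name__ == "__main__":
    for host, lines in fleet_report(INVENTORY, date(2025, 5, 14)).items():
        print(host)
        for line in lines:
            print("  " + line)
```

Replacing `INVENTORY` with an export from an asset database gives the same ordering across a real fleet.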

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
