Microsoft has released its May 2025 Patch Tuesday security updates, addressing 72 vulnerabilities across Windows, Office, Exchange Server, Azure, Dynamics, and other products. This month's update includes fixes for five actively exploited zero-day vulnerabilities and two publicly disclosed flaws.

The five actively exploited zero-days are CVE-2025-30400 (Windows DWM Core Library), CVE-2025-32701 (Windows Common Log File System Driver), CVE-2025-32706 (Windows Common Log File System Driver), CVE-2025-32709 (Windows Ancillary Function Driver for WinSock), and CVE-2025-30397 (Scripting Engine Memory Corruption). All of these vulnerabilities could allow attackers to elevate privileges or execute malicious code, posing significant security risks to affected systems.

In total, Microsoft addressed 6 critical vulnerabilities and 66 important ones. The most common issues are remote code execution (28 bugs), elevation of privilege (17 bugs), information disclosure (15 bugs), denial of service (7 bugs), and spoofing (2 bugs).

Key products receiving security updates include Windows, Office, Exchange Server, Azure, Dynamics 365, .NET Framework, Windows Hyper-V, and Microsoft Edge. Administrators should prioritize testing and deploying patches for the actively exploited zero-days and critical remote code execution flaws.

Additional steps may be required to fully remediate some vulnerabilities, particularly for enterprise environments. The US Cybersecurity and Infrastructure Security Agency (CISA) has added several of this month's vulnerabilities to its Known Exploited Vulnerabilities Catalog, requesting federal agencies to patch them by June 3, 2025.

Update for Windows 11 users: Microsoft has published KB5058405 for Windows 11. Visit this page to learn what is included in the KB5058405 update.

Key Highlights - Patch Tuesday May 2025

In May's Patch Tuesday, Microsoft addressed 72 vulnerabilities, including five actively exploited zero-day vulnerabilities and two publicly disclosed flaws that attackers could leverage to compromise systems. This update included patches across categories like elevation of privilege, remote code execution, information disclosure, denial of service, and spoofing vulnerabilities.

The key affected products in this release span Microsoft's ecosystem, including Windows, Edge, Office, Dynamics, Azure, and more. Swiftly applying these security fixes is essential for protecting systems against emerging threats.

Key Highlights are:

This May Patch Tuesday continues Microsoft's security maintenance lifecycle into mid-2025. Apply these updates promptly to close vulnerabilities before threats exploit them in your environment.

Zero-day Vulnerabilities Patched in May 2025

Microsoft addressed five actively exploited zero-day vulnerabilities and two publicly disclosed vulnerabilities in the May 2025 Patch Tuesday release. These vulnerabilities are particularly concerning because they were being actively exploited in the wild before patches were made available. Let's examine each of these critical vulnerabilities:

CVE-2025-30400 - Microsoft DWM Core Library Elevation of Privilege Vulnerability

Vulnerability type: Elevation of Privilege

Affected product: Windows Desktop Window Manager (DWM) Core Library

CVSS v3 base score: 7.8

Severity rating: Important

This vulnerability allows an authenticated attacker to elevate privileges by exploiting a use-after-free condition in the Windows DWM Core Library. The Desktop Window Manager is a crucial system component in Windows that manages the display of all visual elements on a computer screen.

Microsoft notes that successful exploitation would enable an attacker to gain SYSTEM privileges, effectively giving them complete control over the affected system. This is the seventh EoP vulnerability in the DWM Core Library patched this year, indicating this component remains a frequent target for attackers.

CISA has added CVE-2025-30400 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.

CVE-2025-32701 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

Vulnerability type: Elevation of Privilege

Affected product: Windows Common Log File System Driver

CVSS v3 base score: 7.8

Severity rating: Important

This vulnerability in the Windows Common Log File System (CLFS) Driver allows an authenticated attacker to gain SYSTEM privileges by exploiting a use-after-free condition. CLFS is a high-performance, general-purpose logging subsystem used by kernel and user-mode applications, frequently employed in database systems, messaging systems, and online transactional processing.

Microsoft attributes the discovery of this flaw to the Microsoft Threat Intelligence Center, indicating it was discovered during threat hunting operations. This is one of several CLFS vulnerabilities patched this year, continuing a trend from 2024 when multiple CLFS vulnerabilities were exploited in the wild.

CISA has added CVE-2025-32701 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.

CVE-2025-32706 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

Vulnerability type: Elevation of Privilege

Affected product: Windows Common Log File System Driver

CVSS v3 base score: 7.8

Severity rating: Important

This vulnerability also affects the Windows Common Log File System Driver but exploits improper input validation rather than a use-after-free condition. An authenticated attacker can leverage this vulnerability to elevate their privileges to SYSTEM level.

Microsoft attributes the discovery of this flaw to Benoit Sevens of Google Threat Intelligence Group and the CrowdStrike Advanced Research Team, suggesting multiple security research teams independently discovered exploitation of this vulnerability.

CISA has added CVE-2025-32706 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.

CVE-2025-32709 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Vulnerability type: Elevation of Privilege

Affected product: Windows Ancillary Function Driver for WinSock

CVSS v3 base score: 7.8

Severity rating: Important

This vulnerability in the Windows Ancillary Function Driver (AFD) for WinSock allows an authenticated attacker to elevate privileges by exploiting a use-after-free condition. The Ancillary Function Driver serves as the entry point for the Windows Sockets (Winsock) API, handling low-level details of network communication.

According to Microsoft's advisory, this vulnerability was disclosed by an "Anonymous" researcher. This is the second AFD vulnerability exploited in 2025, preceded by CVE-2025-21418 which was addressed in February's Patch Tuesday release.

CISA has added CVE-2025-32709 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.

CVE-2025-30397 - Scripting Engine Memory Corruption Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Microsoft Scripting Engine

CVSS v3 base score: 7.5

Severity rating: Important

This vulnerability allows for remote code execution through the Microsoft Scripting Engine. Exploitation requires an authenticated user to click on a specially crafted link while using Microsoft Edge in Internet Explorer mode. The vulnerability involves "access of resource using incompatible type ('type confusion')" according to Microsoft's advisory.

Microsoft attributes the discovery of this flaw to the Microsoft Threat Intelligence Center and notes that successful exploitation could allow an unauthenticated attacker to execute code over a network.

CISA has added CVE-2025-30397 to its Known Exploited Vulnerabilities Catalog and requested federal agencies to patch it before June 3, 2025.

CVE-2025-26685 - Microsoft Defender for Identity Spoofing Vulnerability

Vulnerability type: Spoofing

Affected product: Microsoft Defender for Identity

CVSS v3 base score: 6.5

Severity rating: Important

This vulnerability allows an unauthenticated attacker with LAN access to perform spoofing attacks due to improper authentication in Microsoft Defender for Identity. Microsoft Defender for Identity is a cloud-based security solution that helps organizations monitor and secure their identities across hybrid environments.

Microsoft attributes the discovery of this flaw to Joshua Murrell with NetSPI. While Microsoft has no evidence that this vulnerability has been exploited in the wild, it was publicly disclosed prior to patch availability.

CVE-2025-32702 - Visual Studio Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Visual Studio

CVSS v3 base score: 7.8

Severity rating: Important

This vulnerability in Visual Studio could allow remote code execution through command injection. According to Microsoft's advisory, an "improper neutralization of special elements used in a command" allows an unauthenticated attacker to execute code locally.

Microsoft has not shared who disclosed this flaw, but notes it was publicly disclosed before patches were available. There is no evidence that this vulnerability has been exploited in the wild.

Critical Vulnerabilities Patched in May 2025

In addition to the zero-day vulnerabilities, Microsoft addressed five vulnerabilities rated Critical in severity that deserve special attention. These vulnerabilities could allow attackers to achieve remote code execution or access sensitive information, posing significant risks to affected systems.

CVE-2025-29966 & CVE-2025-29967 - Remote Desktop Client Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Remote Desktop Client

CVSS v3 base score: 8.8

Severity rating: Critical

These two critical vulnerabilities affect the Remote Desktop client and could allow an unauthenticated attacker to execute code remotely on affected systems. Both vulnerabilities involve heap-based buffer overflow conditions that could be exploited without user interaction.

Remote Desktop Protocol (RDP) clients are software applications that allow users to connect to and control remote computers or servers using secure network connections. These vulnerabilities could potentially allow attackers to take complete control of systems when users connect to malicious RDP servers.

The high CVSS score reflects the severity of these flaws, which don't require any user interaction beyond connecting to a compromised or malicious RDP server. Organizations should prioritize patching these vulnerabilities, especially if RDP is utilized extensively in their environment.

CVE-2025-30377 & CVE-2025-30386 - Microsoft Office Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Microsoft Office

CVSS v3 base score: 8.4

Severity rating: Critical

These critical vulnerabilities in Microsoft Office involve use-after-free conditions that could allow an unauthenticated attacker to achieve remote code execution. Successful exploitation would potentially allow attackers to run malicious code with the privileges of the current user.

While Microsoft hasn't provided extensive details about the attack vector, these types of Office vulnerabilities typically involve opening specially crafted files. If the current user has administrative privileges, an attacker could take control of the affected system, install programs, view, change, or delete data, or create new accounts with full user rights.

These vulnerabilities represent a significant threat to organizations, particularly given the widespread use of Microsoft Office products. Prioritizing patches for these vulnerabilities is strongly recommended.

CVE-2025-29833 - Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Microsoft Virtual Machine Bus

CVSS v3 base score: 7.1

Severity rating: Critical

This critical vulnerability in the Microsoft Virtual Machine Bus (VMBus) could allow an authenticated attacker to achieve remote code execution by exploiting a time-of-check time-of-use (TOCTOU) race condition. VMBus is a virtual communication channel used within the Microsoft Hyper-V virtualization environment, facilitating communication and data transfer between host and guest partitions.

Successful exploitation could potentially allow a guest virtual machine to execute code on the host system, effectively breaking out of the VM isolation. This type of vulnerability is particularly concerning in multi-tenant environments where virtual machines from different trust boundaries run on the same physical hardware.

While exploitation requires authentication, the potential impact on virtualized environments makes this a high-priority vulnerability to address, especially for cloud service providers and organizations running Hyper-V infrastructure.

CVE-2025-33072 - Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability

Vulnerability type: Information Disclosure

Affected product: Azure

CVSS v3 base score: 8.1

Severity rating: Critical

This critical vulnerability in Microsoft's Azure feedback website could allow unauthorized disclosure of sensitive information. While Microsoft hasn't provided extensive details about the vulnerability, the high CVSS score suggests that the information potentially exposed is of high value or sensitivity.

Information disclosure vulnerabilities in cloud services can have significant impacts, potentially exposing customer data, authentication tokens, or configuration information that could be leveraged for further attacks.

CVE-2025-29972 - Azure Storage Resource Provider Spoofing Vulnerability

Vulnerability type: Spoofing

Affected product: Azure Storage Resource Provider

CVSS v3 base score: 9.9

Severity rating: Critical

This critical vulnerability in the Azure Storage Resource Provider could allow an attacker to perform spoofing attacks. With an extremely high CVSS score of 9.9, this vulnerability represents one of the most severe issues in this month's Patch Tuesday.

The Azure Storage Resource Provider is a critical component that manages storage accounts and their keys. A spoofing vulnerability in this component could potentially allow attackers to impersonate legitimate users or services, gaining unauthorized access to storage accounts and the data they contain.

Organizations using Azure storage services should prioritize applying these patches to protect their cloud resources from potential compromise.

CVE-2025-29827 - Azure Automation Elevation of Privilege Vulnerability

Vulnerability type: Elevation of Privilege

Affected product: Azure Automation

CVSS v3 base score: 9.9

Severity rating: Critical

This critical vulnerability in Azure Automation could allow an attacker to elevate their privileges. Like the Azure Storage Resource Provider vulnerability, this issue has an extremely high CVSS score of 9.9, indicating its severe potential impact.

Azure Automation is a cloud-based service that allows customers to automate frequent, time-consuming, and error-prone cloud management tasks. An elevation of privilege vulnerability in this service could potentially allow attackers to gain higher levels of access to automation accounts and the resources they manage.

Given the powerful nature of automation services, which often require extensive permissions to operate, this vulnerability could potentially be leveraged to gain broad access across an organization's Azure resources.

Vulnerabilities by Category

In total, 72 vulnerabilities were addressed in May's Patch Tuesday. Remote Code Execution flaws top the list with 28 patches, followed by 17 Elevation of Privilege vulnerabilities and 15 Information Disclosure issues. The rest consist of 7 Denial of Service, 3 Spoofing, and 2 Security Feature Bypass flaws.

Here is the breakdown of the categories patched this month:

1. Remote Code Execution – 28

2. Elevation of Privilege - 17

3. Information Disclosure – 15

4. Denial of Service – 7

5. Spoofing – 3

6. Security Feature Bypass – 2

The table below shows the CVE IDs mapped to these vulnerability types from Microsoft's May 2025 Patch Tuesday:

Remote code execution vulnerabilities continue to dominate this month's updates, representing nearly 39% of all patched flaws. These vulnerabilities pose significant risks as they can potentially allow attackers to execute arbitrary code on affected systems.

Elevation of privilege vulnerabilities account for approximately 24% of the patched flaws, highlighting the continued focus on vulnerabilities that attackers can leverage to gain higher levels of access once they've established an initial foothold.

Information disclosure vulnerabilities make up about 21% of this month's patches, addressing flaws that could allow attackers to access sensitive information that might be leveraged in further attacks.

Denial of service, spoofing, and security feature bypass vulnerabilities represent smaller portions of the update but should not be overlooked, as they can still pose significant security risks depending on the affected systems and their role in an organization's infrastructure.

List of Products Patched in May 2025 Patch Tuesday Report

Microsoft's May 2025 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Azure Windows vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

ESU Windows vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

Microsoft Office ESU Windows vulnerabilities

System Center vulnerabilities

Windows vulnerabilities

Bottom Line

Microsoft's May 2025 Patch Tuesday release addressed 72 total vulnerabilities, headlined by fixes for five actively exploited zero-day flaws and two publicly disclosed vulnerabilities:

Additional key vulnerabilities included:

In total, 28 critical or high-severity remote code execution bugs were addressed this month along with 17 important elevation of privilege flaws. Information disclosure, denial of service, spoofing, and security feature bypass issues rounded out the rest.

The presence of five actively exploited zero-days highlights the ongoing challenge of securing complex systems against determined adversaries. The continuing pattern of exploitation targeting components like the Windows Common Log File System Driver and DWM Core Library should prompt security teams to closely monitor these areas in their threat models.

Organizations should prioritize patching these vulnerabilities, with particular emphasis on the actively exploited zero-days and critical remote code execution flaws. CISA has already added several of these vulnerabilities to its Known Exploited Vulnerabilities Catalog with a remediation deadline of June 3, 2025, further underscoring their severity.

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

You may also like these articles: