Microsoft’s May 2025 Patch Tuesday includes security updates for 72 vulnerabilities, featuring five actively exploited zero-days and two additional publicly disclosed flaws. The update also addresses six critical vulnerabilities, five involving remote code execution (RCE) and one classified as an information disclosure issue.
Breakdown of Vulnerabilities
The vulnerabilities patched this month fall into the following categories:
- 17 Elevation of Privilege (EoP) vulnerabilities
- 28 Remote Code Execution (RCE) vulnerabilities
- 15 Information Disclosure vulnerabilities
- 7 Denial of Service (DoS) vulnerabilities
- 2 Security Feature Bypass vulnerabilities
- 2 Spoofing vulnerabilities
This count does not include vulnerabilities related to Azure, Microsoft Edge, Dataverse, or Mariner, which were addressed earlier this month. Non-security updates released include Windows 11 KB5058411 and KB5058405, and Windows 10 KB5058379.
Zero-Day Vulnerabilities
This month’s Patch Tuesday addresses five zero-day vulnerabilities confirmed to be actively exploited in the wild:
CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability
Affects: Windows DWM Core Library
A use-after-free flaw in the Desktop Window Manager (DWM) allows a local, authorized attacker to elevate privileges to SYSTEM.
CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability
Affects: Windows Common Log File System Driver
Use-after-free vulnerability enabling local privilege escalation to SYSTEM.
CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability
Affects: Same driver as CVE-2025-32701
This vulnerability stems from improper input validation, allowing local attackers to elevate to SYSTEM.
CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Affects: Ancillary Function Driver for WinSock
Another use-after-free vulnerability, permitting SYSTEM-level elevation via local exploitation.
CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability
Affects: Microsoft Scripting Engine
This remote code execution vulnerability arises from a type confusion bug. Exploitation requires tricking a user into clicking a crafted link in Microsoft Edge or Internet Explorer.
Publicly Disclosed Vulnerabilities
CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability
Affects: Microsoft Defender for Identity
Allows unauthenticated LAN-based attackers to spoof identities due to improper authentication validation.
CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability
Affects: Visual Studio
A command injection flaw enabling unauthenticated local RCE through improper handling of special elements in commands.
Other Critical Vulnerabilities
In addition to the zero-days, Microsoft patched several critical vulnerabilities this month. Five are remote code execution flaws across key components, and one involves an information disclosure flaw with a high impact rating. Detailed CVE references for these critical issues have not yet been included in Microsoft’s summary documentation, but their classification as critical indicates high potential for system compromise if left unpatched.
Adobe and Other Vendor Updates
Several major vendors issued important updates in May 2025:
- Apple: Released updates for iOS, iPadOS, and macOS
- Cisco: Patched a maximum severity bug in IOS XE Wireless LAN Controllers
- Fortinet: Addressed multiple flaws, including an actively exploited zero-day in FortiVoice
- Google: Fixed 62 Android bugs, including a zero-click RCE in FreeType 2
- Intel: Published CPU microcode updates to mitigate Branch Privilege Injection, a vulnerability capable of leaking sensitive data from privileged memory
- SAP: Released updates for multiple products, including critical RCE vulnerabilities
- SonicWall: Patched a zero-day that had been exploited in active attacks
Recommendations for Users and Administrators
Given the scope and severity of the May updates, especially the five actively exploited vulnerabilities, users and administrators should prioritize patching affected Windows systems immediately. Elevated privilege vulnerabilities—particularly those exploited in the wild—pose a significant threat to enterprise environments and should be addressed with urgency.
Pay special attention to environments running Desktop Window Manager (DWM), systems with network exposure to Edge or Internet Explorer, and any configuration leveraging Microsoft Defender for Identity or Visual Studio. Organizations should validate patch deployment success and closely monitor for any signs of post-exploitation behavior or lateral movement attempts.
Full patch details and associated guidance can be reviewed in Microsoft’s Security Update Guide.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
