Microsoft Patch Tuesday May 2025

This month’s Patch Tuesday has been released, addressing 72 vulnerabilities, including five zero-days that were actively exploited in the wild. Among these, two were publicly disclosed before patches were available. This update brings critical fixes to several severe vulnerabilities, including six marked as “Critical,” with five allowing remote code execution and one enabling information disclosure.

Breakdown of the Vulnerabilities

The vulnerabilities fixed this month span various categories, with the following breakdown:

  1. 17 Elevation of Privilege Vulnerabilities

  2. 2 Security Feature Bypass Vulnerabilities

  3. 28 Remote Code Execution Vulnerabilities

  4. 15 Information Disclosure Vulnerabilities

  5. 7 Denial of Service Vulnerabilities

  6. 2 Spoofing Vulnerabilities

Note that this count excludes flaws patched earlier in the month in Azure, Dataverse, Mariner, and Microsoft Edge.

Five Actively Exploited Zero-Days

This month’s update addresses five actively exploited zero-day vulnerabilities. Microsoft defines a zero-day as a flaw that is publicly disclosed or actively exploited before an official fix is available. The first of the actively exploited zero-days is as follows:

  1. CVE-2025-30400 - Microsoft DWM Core Library Elevation of Privilege Vulnerability

This vulnerability allows a local, authorised attacker to escalate privileges and gain SYSTEM-level access. The flaw is a use-after-free in the Windows Desktop Window Manager (DWM). Microsoft’s Threat Intelligence Center discovered it.

Other key zero-days include:

  1. CVE-2025-32701 and CVE-2025-32706 - Windows Common Log File System Driver Elevation of Privilege Vulnerabilities

These vulnerabilities also stem from use-after-free issues and improper input validation, and allow attackers to elevate privileges to SYSTEM level. They affect the Windows Common Log File System (CLFS) driver and were discovered by Microsoft’s Threat Intelligence Center, Benoit Sevens of Google’s Threat Intelligence Group, and CrowdStrike’s Advanced Research Team.

  2. CVE-2025-32709 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

This vulnerability, a use-after-free issue in the Windows Ancillary Function Driver for WinSock, enables attackers to escalate their privileges locally. It was disclosed by an anonymous researcher.

  3. CVE-2025-30397 - Scripting Engine Memory Corruption Vulnerability

This remote code execution flaw affects Microsoft Edge and Internet Explorer. A type confusion issue in the scripting engine allows an attacker to execute code over a network by tricking an authenticated user into clicking a specially crafted link. The flaw was discovered by the Microsoft Threat Intelligence Center.

Publicly Disclosed Zero-Days

In addition to the actively exploited zero-days, two publicly disclosed vulnerabilities were also fixed:

  1. CVE-2025-26685 - Microsoft Defender for Identity Spoofing Vulnerability

This vulnerability in Microsoft Defender for Identity allows an unauthenticated attacker on the local network to spoof another account due to improper authentication. The flaw was disclosed by Joshua Murrell at NetSPI.

  2. CVE-2025-32702 - Visual Studio Remote Code Execution Vulnerability

A command injection flaw in Visual Studio allows attackers to execute code remotely; it affects unprivileged users. The flaw was publicly disclosed, but Microsoft has not credited the researcher behind it.

Other Vendor Updates

May 2025 also saw several updates from other prominent technology companies, including:

  1. Apple released security updates for iOS, iPadOS, and macOS.

  2. Cisco fixed a high-severity vulnerability in IOS XE Software for Wireless LAN Controllers.

  3. Fortinet patched a zero-day flaw in FortiVoice, actively exploited in the wild.

  4. Google released security updates for Android, fixing a zero-click vulnerability in FreeType 2.

  5. Intel issued a microcode update addressing a “Branch Privilege Injection” flaw.

  6. SAP released updates to fix critical remote code execution flaws in several of its products.

  7. SonicWall fixed a zero-day vulnerability exploited in attacks.

To Sum Up

Microsoft’s May 2025 Patch Tuesday includes critical security patches for several serious vulnerabilities, including those actively exploited in the wild. It’s crucial for businesses and individuals to apply these updates as soon as possible to mitigate potential security risks.
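As an added example (not code from the original post), the Python below turns the zero-days named above into a patch order using Microsoft’s own zero-day definition: actively exploited fixes first, then publicly disclosed ones, then anything rated Critical. The `Vuln` record, the `IMPACT_RANK` tie-breaker and the patch windows in `sla_days` are assumptions for illustration, not Microsoft guidance.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str
    title: str
    impact: str             # EoP, RCE, Spoofing, Info, DoS
    exploited: bool         # actively exploited before the fix shipped
    disclosed: bool         # publicly disclosed before the fix shipped
    critical: bool = False  # Microsoft severity rating "Critical"

# Sample input constructed from the zero-days named in this post; the post does
# not say which six fixes are rated Critical, so that flag is left False here.
MAY_2025 = [
    Vuln("CVE-2025-30400", "DWM Core Library EoP", "EoP", True, False),
    Vuln("CVE-2025-32701", "CLFS Driver EoP", "EoP", True, False),
    Vuln("CVE-2025-32706", "CLFS Driver EoP", "EoP", True, False),
    Vuln("CVE-2025-32709", "AFD for WinSock EoP", "EoP", True, False),
    Vuln("CVE-2025-30397", "Scripting Engine Memory Corruption", "RCE", True, False),
    Vuln("CVE-2025-26685", "Defender for Identity Spoofing", "Spoofing", False, True),
    Vuln("CVE-2025-32702", "Visual Studio RCE", "RCE", False, True),
]
# Tie-breaker within a tier (assumed): remote code execution before local EoP.
IMPACT_RANK = {"RCE": 0, "EoP": 1, "Spoofing": 2, "Info": 3, "DoS": 4}

def is_zero_day(v: Vuln) -> bool:
    """Microsoft's definition: exploited or publicly disclosed before a fix exists."""
    return v.exploited or v.disclosed

def priority(v: Vuln) -> int:
    """1 = most urgent. Exploited > disclosed > Critical-rated > everything else."""
    if v.exploited:
        return 1
    if v.disclosed:
        return 2
    if v.critical:
        return 3
    return 4

def sla_days(v: Vuln) -> int:
    """Assumed illustrative patch windows per tier; substitute your own policy."""
    return {1: 2, 2: 7, 3: 14, 4: 30}[priority(v)]

def triage(vulns):
    """Patch order: by tier, then impact, then CVE id so the listing is stable."""
    return sorted(vulns, key=lambda v: (priority(v), IMPACT_RANK.get(v.impact, 9), v.cve))

if __name__ == "__main__":
    for v in triage(MAY_2025):
        print(f"P{priority(v)}  {sla_days(v):>2}d  {v.cve}  {v.title}")
```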

If you’d like support with vulnerability management or want to understand how these threats could affect your organisation, get in touch with our team or explore how our platform can help simplify patching and reduce cyber risk.
