Introduction
In May 2025 [8] [9], Microsoft’s Patch Tuesday updates addressed 72 vulnerabilities [2], including five actively exploited zero-day flaws [1] [8]. These vulnerabilities affect a wide range of Microsoft products, posing significant security risks [1] [7]. The updates underscore the critical importance of timely patching to protect systems from potential exploitation.
Description
Microsoft’s Patch Tuesday updates for May 2025 have addressed a total of 72 vulnerabilities, including five actively exploited zero-day flaws: CVE-2025-32701, CVE-2025-32706, CVE-2025-32709, CVE-2025-30397, and CVE-2025-30400 [3] [4] [5] [6] [7] [9]. These vulnerabilities, which score between 7.5 and 7.8 on the CVSS scale [1], affect a range of products [8], including all supported versions of Windows 10 [4], Windows 11 [4] [6] [9], Windows Server 2012 and later [6], Microsoft Office [3] [8], Azure [8], and Visual Studio [2] [5] [6] [7] [8] [9]. Notably, CVE-2025-32701 and CVE-2025-32706 are critical elevation-of-privilege vulnerabilities in the Windows Common Log File System Driver [3] [6] [9], with CVE-2025-32701 involving a memory corruption flaw and CVE-2025-32706 stemming from improper input validation [6]. Exploitation of either flaw allows an authorized attacker to elevate privileges to SYSTEM after gaining initial access.
CVE-2025-30400, a vulnerability in the Microsoft Desktop Window Manager Core Library, also targets elevation of privilege and affects Windows 10 and later, as well as Windows Server 2016 and newer [6]. Successful exploitation grants system-level privileges [6]. Additionally, CVE-2025-32709 is a use-after-free flaw in the Windows Ancillary Function Driver for WinSock that allows privilege escalation to full administrator [9], requiring local access and low privileges for exploitation. The fifth zero-day, CVE-2025-30397 [2] [4], is a memory corruption vulnerability in the Windows scripting engine that can lead to remote code execution, particularly through Microsoft Edge in Internet Explorer mode via a specially crafted link. Although exploitation requires user interaction and client-side authentication, it remains a potential target for advanced attackers [1], including nation-state actors [1]. The Cybersecurity and Infrastructure Security Agency (CISA) has added all five zero-days to its Known Exploited Vulnerabilities (KEV) list [1].
In addition to the zero-days [1], the security update includes five critical vulnerabilities and 50 high-severity defects [1]. The most critical vulnerabilities are CVE-2025-29813, CVE-2025-29827, CVE-2025-29972 [1], and CVE-2025-30387 [1] [3] [6] [7] [9]. Furthermore, eight vulnerabilities are deemed “more likely” to be exploited [1], including CVE-2025-29976 and CVE-2025-30382 [1], which could allow for privilege escalation and remote code execution in Microsoft SharePoint Server [1]. Additional vulnerabilities include CVE-2025-30386 and CVE-2025-30377, which are remote code execution vulnerabilities in Microsoft Office that can be exploited without user interaction, including through the Preview Pane in Outlook [3].
Users and administrators are urged to apply the patches immediately to mitigate risks [8], as delaying could leave systems vulnerable to ongoing attacks [8]. Experts warn that patching is critical [7], as the average time from public disclosure to exploitation is less than five days [4] [7]. Ransomware affiliates are particularly interested in exploiting elevation of privilege vulnerabilities [7], which require initial access to a compromised host [7], often gained through phishing or stolen credentials [7]. Once access is obtained [7], attackers typically seek to escalate their privileges to gain system-level access [7], potentially disabling security measures or obtaining domain administration permissions [7].
In related news [7], SAP has also released a security update for two zero-day vulnerabilities: CVE-2025-42999 [7], which involves insecure deserialization in Visual Composer [3], allowing privileged users to execute malicious code [3], and CVE-2025-31324 [1] [3] [6], which allows unauthenticated users to upload malicious executables [3], leading to potential system compromise [3]. These updates highlight the increasing sophistication of cyber threats and the importance of proactive security measures to safeguard against these vulnerabilities [8]. Additionally, two publicly disclosed flaws were patched: CVE-2025-26685 [9], a spoofing vulnerability in Microsoft Defender for Identity [9], allowing unauthenticated attackers with LAN access to spoof another account [2], and a remote code execution vulnerability in Visual Studio [2] [5] [9], which requires user interaction for exploitation [6], both of which further emphasize the critical need for timely updates.
Conclusion
The May 2025 Patch Tuesday updates from Microsoft highlight the ongoing threat posed by zero-day vulnerabilities and the necessity for immediate patch application. The rapid pace of exploitation following public disclosure necessitates swift action to protect systems. As cyber threats grow increasingly sophisticated, organizations must prioritize proactive security measures and timely updates to mitigate risks and safeguard their infrastructure.
References
[1] https://cyberscoop.com/microsoft-patch-tuesday-may-2025/
[2] https://lifehacker.com/tech/microsofts-patch-tuesday-update-fixes-seven-zero-days
[3] https://www.csoonline.com/article/3984533/patch-tuesday-for-may-five-zero-day-vulnerabilities-cisos-should-focus-on.html
[4] https://krebsonsecurity.com/2025/05/patch-tuesday-may-2025-edition/
[5] https://www.helpnetsecurity.com/2025/05/13/patch-tuesday-microsoft-fixes-5-actively-exploited-zero-days/
[6] https://www.techtarget.com/searchwindowsserver/news/366623978/Microsoft-tackles-5-Windows-zero-days-on-May-Patch-Tuesday
[7] https://www.infosecurity-magazine.com/news/microsoft-seven-zerodays-may-patch/
[8] https://cybersecuritynews.com/microsoft-patch-tuesday-may-2025/
[9] https://msftnewsnow.com/microsofts-may-2025-patch-tuesday-five-zero-days/
