In its May 2025 Patch Tuesday release, Microsoft has addressed a total of 78 security vulnerabilities, including five zero-day flaws that have been actively exploited in the wild. These vulnerabilities span across various Microsoft products and components, underscoring the ongoing challenges organizations face in maintaining secure IT environments.
This comprehensive update includes 11 Critical, 66 Important, and 1 Low severity vulnerabilities. The flaws range from remote code execution (RCE) and privilege escalation to information disclosure issues. Notably, one of the vulnerabilities carries a perfect CVSS score of 10.0, highlighting its severity.
Summary of Key Vulnerabilities
- Total vulnerabilities patched: 78
- Critical: 11
- Important: 66
- Low: 1
- Actively exploited zero-days: 5
- Highest CVSS score: 10.0
1. Actively Exploited Zero-Day Vulnerabilities
The following five vulnerabilities have been observed in active exploitation:
- CVE-2025-30397 (CVSS 7.5) – Scripting Engine Memory Corruption
- Impact: Arbitrary code execution via memory corruption.
- Exploitation vector: Malicious web page or script.
- Risk: Full system takeover if user has admin privileges.
- CVE-2025-30400 (CVSS 7.8) – Desktop Window Manager (DWM) Core Library Privilege Escalation
- Third such exploit since 2023.
- Previous similar vulnerabilities were exploited to deliver QakBot malware.
- CVE-2025-32701 (CVSS 7.8) – Common Log File System (CLFS) Driver Privilege Escalation
- CVE-2025-32706 (CVSS 7.8) – CLFS Driver Privilege Escalation
- CLFS has now seen at least eight such flaws exploited since 2022.
- Related to recent Play ransomware attacks.
- CVE-2025-32709 (CVSS 7.8) – Ancillary Function Driver for WinSock Privilege Escalation
- Third such flaw exploited in the past year.
- Past exploitations tied to North Korean Lazarus Group.
These vulnerabilities have been added to the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog, with a remediation deadline of June 3, 2025, for federal agencies.
2. Highest Severity Vulnerability – CVSS 10.0
- CVE-2025-29813 – Azure DevOps Server Privilege Escalation
- CVSS: 10.0 (Critical)
- Description: Allows unauthorized attackers to elevate privileges over a network.
- Status: Already mitigated in cloud environments.
- Customer Action: No action needed for Azure-hosted instances.
3. Noteworthy Flaws in Microsoft Defender
- CVE-2025-26684 (CVSS 6.7) – Microsoft Defender for Endpoint for Linux
- Issue: A Python helper script may run an untrusted Java binary with root privileges.
- Impact: Local privilege escalation.
- Reported by: Rich Mirch (Stratascale)
- CVE-2025-26685 (CVSS 6.5) – Microsoft Defender for Identity Spoofing
- Risk: Adversaries can spoof and obtain NTLM hashes.
- Conditions: Requires LAN access and Kerberos fallback to NTLM.
4. Insights & Industry Response
Action1 CEO Alex Vovk highlighted the risk from CVE-2025-30397, noting the ease with which threat actors can exploit web-based attack vectors to compromise systems via scripting engine flaws.
Tenable’s Satnam Narang noted the trend of DWM Core Library being a repeated target, with 26 vulnerabilities patched since 2022. The exploitation of DWM bugs continues to be a preferred vector for privilege escalation.
Symantec, a Broadcom subsidiary, tied previous CLFS exploits (like CVE-2025-29824) to ransomware actors, including the Play ransomware family.
5. Other Vendors Issuing Patches
Security updates have also been issued by:
- Adobe, AWS, AMD, Apple, Arm, ASUS, Bosch, Broadcom (VMware), Canon, Cisco, Citrix, CODESYS, Dell, Drupal, F5, Fortinet, Fortra, GitLab, Google (Android, Pixel, Chrome, Cloud, Wear OS), HP, HPE (Aruba), IBM, Intel, Ivanti, Juniper, Lenovo, MediaTek, Mitel, Mitsubishi, Moxa, Mozilla (Firefox, Thunderbird), NVIDIA, Palo Alto Networks, Qualcomm, Samsung, SAP, Schneider, Siemens, SonicWall, Splunk, TP-Link, Trend Micro, Veritas, Zoom, Zyxel and others.
These updates underscore the necessity for organizations to adopt a proactive patch management strategy that includes not just Microsoft products but the broader ecosystem.
Conclusion
The May 2025 Patch Tuesday is a stark reminder of the critical importance of timely patching, especially with multiple zero-days already being weaponized by threat actors. Organizations are urged to prioritize the application of these patches, especially for vulnerabilities under active exploitation and those with critical severity scores.
Security teams should also review telemetry for signs of exploitation, verify that automated patching is functioning as intended, and stay informed through advisories such as CISA’s KEV catalog.
Cybersecurity is a shared responsibility. Timely action can prevent significant damage from known and actively exploited vulnerabilities.
Action Steps:
Conduct internal threat hunting for indicators of compromise (IoCs) linked to these CVEs.
Apply all May 2025 Microsoft updates, with priority on zero-days and CVSS 10.0 vulnerabilities.
Monitor advisories from CISA, MSRC, and other vendors.
SoloSecurities
Add comment