Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days
Summary
Microsoft has rolled out its May 2025 Patch Tuesday updates, addressing 83 vulnerabilities across its product suite.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-05-13 |
| No. of Vulnerabilities Patched | 83 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Among them are 5 zero-day vulnerabilities have been confirmed as actively exploited in the wild. The updates span Windows components, Office, Visual Studio, and other core services.
11 vulnerabilities were rated critical, emphasizing the importance of timely remediation especially for enterprise environments.
- 78 Microsoft CVEs addressed
- 5 non-Microsoft CVEs included
Breakdown of May 2025 Vulnerabilities
- 29 Remote Code Execution (RCE)
- 20 Elevation of Privilege (EoP)
- 16 Information Disclosure
- 7 Denial of Service (DoS)
- 3 Spoofing
- 2 Security Feature Bypass
- 6 Chromium (Edge) Vulnerabilities
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Microsoft DWM Core Library EoP | CVE-2025-30400 | Windows | High | 7.8 |
| Windows CLFS Driver Use-After-Free EoP | CVE-2025-32701 | Windows | High | 7.8 |
| Windows CLFS Driver Use-After-Free EoP | CVE-2025-32706 | Windows | High | 7.8 |
| WinSock Ancillary Function Driver EoP | CVE-2025-32709 | Windows | High | 7.8 |
| Microsoft Scripting Engine RCE | CVE-2025-30397 | Windows | High | 7.5 |
Technical Summary
The May 2025 release resolves 83 vulnerabilities, including Remote Code Execution (RCE), Elevation of Privilege (EoP), and Spoofing flaws. Among them, five zero-day vulnerabilities are confirmed to be actively exploited in the wild, involving local privilege escalation and remote code execution risks.
These vulnerabilities could allow attackers to gain elevated privileges or execute malicious code via crafted inputs or files.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-30400 | Windows DWM Core Library | Elevation of Privilege in Desktop Window Manager, exploited to gain SYSTEM-level access. | Privilege Escalation |
| CVE-2025-32701 | Windows Common Log File System Driver | Use-After-Free flaw, exploited for local privilege escalation to SYSTEM. | Privilege Escalation |
| CVE-2025-32706 | Windows Common Log File System Driver | Similar Use-After-Free issue as CVE-2025-32701. Chained or used standalone for SYSTEM-level privilege escalation. | Privilege Escalation |
| CVE-2025-32709 | Ancillary Function Driver for WinSock | Allows attackers to escalate privileges to administrator. | Privilege Escalation |
| CVE-2025-30397 | Microsoft Scripting Engine | Memory corruption issue triggered via specially crafted URL in IE Mode, enabling remote code execution. | Remote Code Execution |
Source: Microsoft and NVD
In addition to the actively exploited vulnerabilities, several other Vulnerabilities were also addressed:
- CVE-2025-29976: Microsoft SharePoint, Local privilege escalation (CVSS 7.8)
- CVE-2025-30393: Microsoft Excel, RCE via malicious Excel file (CVSS 7.8)
- CVE-2025-24063: Windows Kernel, Local privilege escalation (CVSS 7.8), marked “Exploitation More Likely”
- CVE-2025-32702: Visual Studio, Command injection RCE via malicious project file (CVSS 7.8)
- CVE-2025-26685: Microsoft Defender for Identity, Spoofing via NTLM fallback, exploitable in adjacent networks (CVSS 6.5)
Remediation:
- Apply Patches Promptly: Install the May 2025 security updates immediately to mitigate risks.
General Recommendations:
- Prioritize Zero-Days: Focus on patching the five confirmed zero-day vulnerabilities, especially those allowing privilege escalation or remote code execution.
- Restrict IE Mode Usage: Limit or disable Internet Explorer Mode in Microsoft Edge to reduce exposure to scripting engine attacks.
- Update Defender for Identity Sensors: Ensure Defender for Identity is running the latest sensor version (3.x) to avoid spoofing vulnerabilities tied to legacy NTLM fallback.
- Strengthen Driver Protections: Harden system configurations to prevent exploitation of kernel and driver-level flaws, such as those affecting CLFS and DWM.
- Enable Auto Updates Where Feasible: For individual endpoints and less tightly controlled systems, enable automatic updates to maintain regular patch cadence
Conclusion:
The May 2025 patch cycle continues to highlight the active exploitation of vulnerabilities in key Windows subsystems and legacy components.
The presence of multiple privilege escalation flaws being leveraged in real-world attacks calls for immediate action from security teams. In addition to deploying patches, organizations should reassess their exposure to legacy features like Internet Explorer Mode and ensure layered defenses are in place to reduce risk from similar threats going forward.
Finally, the May update brings a total of 11 critical flaws affecting Azure Automation, Azure DevOps, Azure Storage Resource, Microsoft Dataverse, Microsoft msagsfeedback.zurewebsites.net, Microsoft Office, Microsoft Power Apps, Microsoft Virtual Machine Bus and Remote Desktop Client (RDP). In their impact, these issues run the gamut from EoP to spoofing to information disclosure, and six of them lead to RCE, said Microsoft.
References:
Hashtags