With May Patch Tuesday updates, Microsoft addressed dozens of security vulnerabilities important for customers’ systems. This update bundle also fixed 5 zero-day vulnerabilities that were under attack before a fix. Given the severity of issues, users must ensure updating their systems at the earliest.
Microsoft Fixed Five 5 Zero-Day Flaws
The scheduled monthly security fixes for May 2025 addressed five vulnerabilities under active attack, affecting different Microsoft products. Exploiting one of them could lead to remote code execution, whereas the other four could allow elevated privileges to the adversary. Below is a quick breakdown of these vulnerabilities, for which, Microsoft confirmed to have detected active exploitation attempts.
- CVE-2025-30400 (important severity; CVSS 7.8): A use-after-free vulnerability in Microsoft DWM Core Library could allow an authorized attacker to gain SYSTEM privileges.
- CVE-2025-32709 (important severity; CVSS 7.8): A use-after-free flaw affecting Windows Ancillary Function Driver for WinSock, granting administrator access to a local authorized attacker. Microsoft, for the customers of Windows Server 2008 R2, specified downloading the patch for this vulnerability with KB5061195 (Security-only update) and KB5061196 (Monthly Rollup) out-of-band (OOB) updates. Likewise, Windows Server 2008 users may receive the patch via KB5061197 (Security-only update) and KB5061198 (Monthly Rollup) cumulative OOB updates.
- CVE-2025-32701 (important severity; CVSS 7.8): This use-after-free vulnerability affected the Windows Common Log File System Driver. Exploiting the flaw would grant SYSTEM privileges to an authorized adversary.
- CVE-2025-32706 (important severity; CVSS 7.8): Another improper input validation in Windows Common Log File System driver that could let an authorized adversary gain SYSTEM privileges on the target system. Microsoft acknowledged Benoit Sevens of Google Threat Intelligence Group and the CrowdStrike Advanced Research Team for reporting this vulnerability.
- CVE-2025-30397 (important severity; CVSS 7.5): A scripting engine memory corruption vulnerability that could let an adversary execute malicious codes on the target device. Exploiting the vulnerability requires an attacker to convince the target user to click on a specially crafted URL, that too when using Microsoft Edge in Internet Explorer Mode. Once done, the unauthenticated attacker could trigger remote code execution.
Other Major Updates In Microsoft May Patch Tuesday
Alongside the five vulnerabilities discussed above, Microsoft also patched two other vulnerabilities that were publicly disclosed before receiving a fix. These include,
- CVE-2025-32702 (important severity; CVSS 7.8): An arbitrary code execution vulnerability in Visual Studio that existed due to the neutralization of special elements used in a command.
- CVE-2025-26685 (important severity; CVSS 6.5): A spoofing vulnerability in Microsoft Defender for Identity that existed due to improper authentication. An unauthenticated attacker with LAN access could exploit the flaw to perform spoofing on the target adjacent network.
Moreover, this month’s update bundle also addressed 11 critical vulnerabilities, including a maximum severity (CVSS 10.0) privilege escalation (CVE-2025-29813) in Azure DevOps Server. Microsoft confirmed full mitigation of this issue, assuring no user interaction for the patch. The firm confirmed the same for another severe privilege escalation (CVSS 9.9) in Azure Automation, and a spoofing vulnerability in Azure Storage Resource Provider (CVE-2025-29972, CVSS 9.9).
In addition, the tech giant addressed 59 other important severity vulnerabilities, releasing fixes for 77 vulnerabilities in all.
Let us know your thoughts in the comments.
