Microsoft's May 2025 Patch Tuesday: Critical Fixes for 5 Dangerous Zero-Day Vulnerabilities and 72 Other Flaws

Microsoft's May 2025 Patch Tuesday: Critical Fixes for 5 Dangerous Zero-Day Vulnerabilities and 72 Other Flaws
By: Search More Team
Posted On: 14 May

In May 2025, Microsoft’s Patch Tuesday has delivered a crucial batch of updates, fixing 72 vulnerabilities across a variety of products, including five actively exploited zero-day flaws. This update brings much-needed security patches, addressing critical issues that could leave users and organizations exposed to attacks.

Fixes for Actively Exploited Zero-Days

Zero-day vulnerabilities are flaws that are discovered by attackers before the software vendor has a chance to issue a fix. These flaws are particularly dangerous as they allow attackers to exploit them without any official security updates to counter the threats.

For May’s Patch Tuesday, Microsoft has patched five such zero-day vulnerabilities, with details provided for each one. These flaws involve dangerous exploits, such as the elevation of privileges and remote code execution, which could give attackers unauthorized access to critical systems.

CVE-2025-30400 - Elevation of Privileges in the DWM Core Library

One of the most concerning zero-day vulnerabilities fixed this month is CVE-2025-30400, which targets the Microsoft DWM Core Library. This vulnerability allows attackers to escalate their privileges to SYSTEM level, which means they can gain full access to a victim’s system. Microsoft explained that this flaw stems from a "use after free" error in the DWM, which allows authorized attackers to elevate their privileges locally.

The discovery of this flaw was credited to Microsoft's Threat Intelligence Center, and it highlights how an attacker could take advantage of the flaw to gain control of a compromised system.

CVE-2025-32701 and CVE-2025-32706 - Exploited Vulnerabilities in Windows Common Log File System Driver

Microsoft also patched two other elevation of privilege vulnerabilities in the Windows Common Log File System Driver. Both CVE-2025-32701 and CVE-2025-32706 allow attackers to escalate their privileges to SYSTEM level. Microsoft explained that one of these vulnerabilities is caused by a "use after free" issue, while the other is the result of improper input validation.

Both flaws were discovered through collaboration, with Benoit Sevens of Google Threat Intelligence and the CrowdStrike Research Team credited for their part in uncovering CVE-2025-32706. The security breach could enable attackers to gain full control of a target system, making it essential for users to patch the system immediately.

CVE-2025-32709 - WinSock Driver Elevation of Privilege Vulnerability

Another significant vulnerability that was fixed is CVE-2025-32709, which affects the Windows Ancillary Function Driver for WinSock. The flaw allows attackers to exploit a "use after free" issue to gain SYSTEM privileges. This vulnerability was publicly disclosed by an anonymous researcher, and it is particularly dangerous as it enables attackers to gain control of the targeted machine remotely.

CVE-2025-30397 - Scripting Engine Memory Corruption in Microsoft Edge

Another critical zero-day vulnerability fixed in the May 2025 updates is CVE-2025-30397, which affects the Microsoft Scripting Engine. This remote code execution vulnerability can be triggered when users click on a specially crafted link while using Microsoft Edge or Internet Explorer. Once the flaw is exploited, it allows unauthorized attackers to execute code on a victim's machine, possibly gaining access to sensitive information.

Microsoft’s Threat Intelligence Center attributes this discovery to their ongoing security research efforts.

Publicly Disclosed Zero-Day Vulnerabilities

While the active zero-day flaws pose the most immediate threat, the May update also addresses two publicly disclosed vulnerabilities that could still lead to significant risks for users.

CVE-2025-26685 - Microsoft Defender for Identity Spoofing Vulnerability

CVE-2025-26685 is a flaw in Microsoft Defender for Identity, which allows attackers to spoof another account. This spoofing vulnerability can be exploited by unauthenticated attackers within a local area network (LAN), potentially allowing malicious actors to impersonate users and gain unauthorized access to systems and data.

This vulnerability was discovered by Joshua Murrell from NetSPI, further emphasizing the role of external researchers in keeping Microsoft’s security up to date.

CVE-2025-32702 - Visual Studio Remote Code Execution Vulnerability

The second publicly disclosed zero-day is CVE-2025-32702, a remote code execution vulnerability in Visual Studio. This flaw can be exploited by attackers to execute commands locally on a target system by exploiting improper neutralization of special elements in a command (command injection).

Although the specific researcher or group behind the discovery remains unidentified, this flaw highlights the risks posed by development environments, which are often targeted by attackers looking to execute malicious code remotely.

The Scale of May 2025’s Security Fixes: 72 Flaws in Total

While the five zero-day vulnerabilities dominate the headlines, this month’s Patch Tuesday update also addresses 72 vulnerabilities in total. These include a wide range of flaws, from remote code execution to denial of service vulnerabilities, and they affect numerous Microsoft products.

Among the 72 flaws, 28 are related to remote code execution, while 17 are elevation of privilege vulnerabilities — meaning attackers could gain higher system access levels. Several information disclosure vulnerabilities (15 in total) were also patched, ensuring that sensitive data cannot be leaked from vulnerable systems.

A Breakdown of the Categories of Patches:

17 Elevation of Privilege Vulnerabilities: Attackers can gain higher access rights, enabling them to execute unauthorized actions.

28 Remote Code Execution Vulnerabilities: Attackers could run malicious code remotely, potentially compromising the entire system.

15 Information Disclosure Vulnerabilities: Flaws that could expose sensitive data to unauthorized parties.

7 Denial of Service Vulnerabilities: These flaws could cause applications or systems to become unresponsive.

2 Security Feature Bypass Vulnerabilities: Attackers may bypass important security features.

2 Spoofing Vulnerabilities: These flaws allow attackers to impersonate legitimate users or services.

Other Critical Fixes and Updates

Beyond the zero-day vulnerabilities, Microsoft has also rolled out critical patches for several other services, including:

Microsoft Dataverse: Fixed critical remote code execution vulnerabilities, ensuring the safety of users who rely on this platform for managing business data.

Remote Desktop Services: Fixed vulnerabilities that allowed remote code execution, ensuring that systems are safe from unauthorized access via RDP.

Microsoft Office: Multiple critical flaws were addressed, including remote code execution vulnerabilities in Excel, PowerPoint, Outlook, and SharePoint.

Additionally, several patches were released for Azure services, Microsoft Defender, Windows Hyper-V, and Visual Studio, all of which are critical components of the Microsoft ecosystem.

Microsoft’s Ongoing Efforts to Secure Users

Microsoft’s May 2025 Patch Tuesday highlights the company’s ongoing commitment to addressing vulnerabilities and improving security. By releasing updates to patch zero-day vulnerabilities, along with numerous other flaws, Microsoft ensures that users remain protected from both known and emerging threats.

While the zero-day flaws patched this month are certainly cause for concern, the extensive list of security fixes underscores how Microsoft is continuously evolving its security protocols to safeguard users across its diverse ecosystem.