Microsoft's May 2025 Patch Tuesday delivered a crucial batch of updates, fixing 72 vulnerabilities across a variety of products, including five actively exploited zero-day flaws. This update brings much-needed security patches, addressing critical issues that could leave users and organizations exposed to attacks.
Zero-day vulnerabilities are flaws that are discovered by attackers before the software vendor has a chance to issue a fix. These flaws are particularly dangerous as they allow attackers to exploit them without any official security updates to counter the threats.
For May's Patch Tuesday, Microsoft has patched five such zero-day vulnerabilities, with details provided for each one. These flaws enable dangerous outcomes, such as elevation of privilege and remote code execution, which could give attackers unauthorized access to critical systems.
One of the most concerning zero-day vulnerabilities fixed this month is CVE-2025-30400, which affects the Microsoft DWM Core Library. This vulnerability allows attackers to escalate their privileges to SYSTEM level, which means they can gain full access to a victim's system. Microsoft explained that this flaw stems from a "use after free" error in DWM that allows an authorized attacker to elevate privileges locally.
The discovery of this flaw was credited to Microsoft's Threat Intelligence Center, and it highlights how an attacker could take advantage of the flaw to gain control of a compromised system.
Microsoft also patched two other elevation of privilege vulnerabilities in the Windows Common Log File System Driver. Both CVE-2025-32701 and CVE-2025-32706 allow attackers to escalate their privileges to SYSTEM level. Microsoft explained that one of these vulnerabilities is caused by a "use after free" issue, while the other is the result of improper input validation.
Both flaws were discovered through collaboration, with Benoit Sevens of Google Threat Intelligence and the CrowdStrike Research Team credited for their part in uncovering CVE-2025-32706. Either flaw could enable attackers to gain full control of a target system, making it essential for users to patch immediately.
Another significant vulnerability that was fixed is CVE-2025-32709, which affects the Windows Ancillary Function Driver for WinSock. The flaw allows attackers to exploit a "use after free" issue to gain SYSTEM privileges. This vulnerability was publicly disclosed by an anonymous researcher, and it is particularly dangerous as it enables attackers to gain control of the targeted machine remotely.
Another critical zero-day vulnerability fixed in the May 2025 updates is CVE-2025-30397, which affects the Microsoft Scripting Engine. This remote code execution vulnerability can be triggered when users click on a specially crafted link while using Microsoft Edge or Internet Explorer. Once the flaw is exploited, it allows unauthorized attackers to execute code on a victim's machine, possibly gaining access to sensitive information.
Microsoft attributes this discovery to its own Threat Intelligence Center's ongoing security research.
While the active zero-day flaws pose the most immediate threat, the May update also addresses two publicly disclosed vulnerabilities that could still lead to significant risks for users.
CVE-2025-26685 is a flaw in Microsoft Defender for Identity, which allows attackers to spoof another account. This spoofing vulnerability can be exploited by unauthenticated attackers within a local area network (LAN), potentially allowing malicious actors to impersonate users and gain unauthorized access to systems and data.
This vulnerability was discovered by Joshua Murrell from NetSPI, further emphasizing the role of external researchers in keeping Microsoft’s security up to date.
The second publicly disclosed zero-day is CVE-2025-32702, a remote code execution vulnerability in Visual Studio. This flaw lets an attacker execute commands locally on a target system through improper neutralization of special elements used in a command (command injection).
Although the specific researcher or group behind the discovery remains unidentified, this flaw highlights the risks posed by development environments, which are often targeted by attackers looking to execute malicious code remotely.
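The "improper neutralization of special elements in a command" weakness class behind CVE-2025-32702 is easiest to understand from a minimal instance. The following is an added example written for this page, not code from Microsoft or from the Visual Studio component in question: it shows the anti-pattern of splicing an untrusted value into a shell command string beside the hardened argv-list form, and a small detection helper. The command it runs is a harmless Python one-liner that prints its argument, and the "file name" input is a constructed sample; the function names are the example's own.

```python
"""Added example (not from the article or Microsoft): command injection
(improper neutralization of special elements in a command) beside its fix.
The child command is a harmless Python one-liner that echoes its argument,
so the demo is self-contained and runs offline on a POSIX shell."""
import subprocess
import sys

# Constructed sample input: a "file name" carrying a shell metacharacter.
# A tool that splices this into a shell string will run the second command.
UNTRUSTED_NAME = "report.txt; echo INJECTED"

# The harmless child program: print the first argument it receives.
ECHO_ARG = "import sys; print(sys.argv[1])"


def run_vulnerable(name: str) -> str:
    """Anti-pattern: build one string and hand it to the shell.
    The shell tokenizes the string, so ';' inside `name` starts a new command."""
    cmd = f'{sys.executable} -c "{ECHO_ARG}" {name}'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def run_hardened(name: str) -> str:
    """Fix: pass an argv list and no shell. `name` reaches the child as a
    single literal argument; metacharacters are never interpreted."""
    out = subprocess.run([sys.executable, "-c", ECHO_ARG, name],
                         capture_output=True, text=True)
    return out.stdout


def was_injected(output: str) -> bool:
    """Detection helper: the injected command leaves its own 'INJECTED' line,
    whereas the literal argument keeps the text on the same line as the name."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(UNTRUSTED_NAME)))
    print("hardened:  ", repr(run_hardened(UNTRUSTED_NAME)))
```

The vulnerable path prints two lines (the file name, then INJECTED) because the shell executed two commands; the hardened path prints the entire untrusted string as one line, because the child received it as a single argument. Where a shell really is required, the equivalent fix is to quote each interpolated value (for example with shlex.quote) rather than to blacklist characters.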
While the five zero-day vulnerabilities dominate the headlines, this month’s Patch Tuesday update also addresses 72 vulnerabilities in total. These include a wide range of flaws, from remote code execution to denial of service vulnerabilities, and they affect numerous Microsoft products.
Among the 72 flaws, 28 are related to remote code execution, while 17 are elevation of privilege vulnerabilities, meaning attackers could gain higher system access levels. Several information disclosure vulnerabilities (15 in total) were also patched, closing avenues through which sensitive data could be leaked from vulnerable systems.
17 Elevation of Privilege Vulnerabilities: Attackers can gain higher access rights, enabling them to execute unauthorized actions.
28 Remote Code Execution Vulnerabilities: Attackers could run malicious code remotely, potentially compromising the entire system.
15 Information Disclosure Vulnerabilities: Flaws that could expose sensitive data to unauthorized parties.
7 Denial of Service Vulnerabilities: These flaws could cause applications or systems to become unresponsive.
2 Security Feature Bypass Vulnerabilities: Attackers may bypass important security features.
2 Spoofing Vulnerabilities: These flaws allow attackers to impersonate legitimate users or services.
Beyond the zero-day vulnerabilities, Microsoft has also rolled out critical patches for several other services, including:
Microsoft Dataverse: Fixed critical remote code execution vulnerabilities, ensuring the safety of users who rely on this platform for managing business data.
Remote Desktop Services: Fixed vulnerabilities that allowed remote code execution, ensuring that systems are safe from unauthorized access via RDP.
Microsoft Office: Multiple critical flaws were addressed, including remote code execution vulnerabilities in Excel, PowerPoint, Outlook, and SharePoint.
Additionally, several patches were released for Azure services, Microsoft Defender, Windows Hyper-V, and Visual Studio, all of which are critical components of the Microsoft ecosystem.
Microsoft’s May 2025 Patch Tuesday highlights the company’s ongoing commitment to addressing vulnerabilities and improving security. By releasing updates to patch zero-day vulnerabilities, along with numerous other flaws, Microsoft ensures that users remain protected from both known and emerging threats.
While the zero-day flaws patched this month are certainly cause for concern, the extensive list of security fixes underscores how Microsoft is continuously evolving its security protocols to safeguard users across its diverse ecosystem.