Microsoft Patch Tuesday, May 2025 Security Update Review
Table of Contents
- Microsoft Patch Tuesday for May 2025
- Zero-day Vulnerabilities Patched in May Patch Tuesday Edition
- Critical Severity Vulnerabilities Patched in May Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- EVALUATE Vendor-Suggested Mitigation with Policy Audit
- Qualys Monthly Webinar Series
Microsoft’s May 2025 Patch Tuesday rolls out critical security updates, addressing multiple vulnerabilities across Windows, Office, and other key products. Here’s a quick breakdown of what you need to know.
Microsoft Patch Tuesday for May 2025
In this month’s Patch Tuesday, May 2025 edition, Microsoft addressed 76 vulnerabilities. The updates include five critical and 66 important severity vulnerabilities. In this month’s updates, Microsoft has addressed six zero-day vulnerabilities being exploited in the wild.
Microsoft has addressed six vulnerabilities in Microsoft Edge (Chromium-based) in this month’s updates.
Microsoft Patch Tuesday, May edition includes updates for vulnerabilities in Windows Routing and Remote Access Service (RRAS), Windows Virtual Machine Bus, Windows Installer, Windows Drivers, Windows File Server, Azure, Windows Win32K – GRFX, Microsoft Scripting Engine, and more.
Microsoft has fixed several flaws in multiple software, including Spoofing, Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, and Remote Code Execution (RCE).
The May 2025 Microsoft vulnerabilities are classified as follows:
| Vulnerability Category | Quantity | Severities |
| Spoofing Vulnerability | 2 | Important: 2 |
| Denial of Service Vulnerability | 7 | Important: 7 |
| Elevation of Privilege Vulnerability | 18 | Important: 18 |
| Information Disclosure Vulnerability | 14 | Important: 14 |
| Remote Code Execution Vulnerability | 28 | Critical: 5 Important: 23 |
| Security Feature Bypass Vulnerability | 2 | Important: 2 |
Zero-day Vulnerabilities Patched in May Patch Tuesday Edition
CVE-2025-26685: Microsoft Defender for Identity Spoofing Vulnerability
Microsoft Defender for Identity is a cloud-based security solution that helps organizations monitor and secure their identities across hybrid environments. It enhances security by providing an identity-centric approach to threat detection, leveraging data from on-premises Active Directory and cloud-based identities.
The improper authentication vulnerability could allow an unauthenticated attacker with LAN access to perform spoofing over an adjacent network.
CVE-2025-30400: Microsoft DWM Core Library Elevation of Privilege Vulnerability
The Microsoft Desktop Window Manager (DWM) Core Library is a crucial system component in Windows that manages the display of all visual elements on a computer screen.
The use-after-free vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
CISA added the CVE-2025-30400 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.
CVE-2025-32701: Windows Common Log File System Driver Elevation of Privilege Vulnerability
The Windows Common Log File System (CLFS) is a high-performance, general-purpose logging subsystem used by kernel and user-mode applications. It’s designed for building transactional logs and is frequently employed in applications like database systems, messaging systems, and online transactional processing (OLTP).
The use-after-free vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
CISA added the CVE-2025-32701 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.
CVE-2025-32706: Windows Common Log File System Driver Elevation of Privilege Vulnerability
The improper input validation vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
CISA added the CVE-2025-32706 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.
CVE-2025-30397: Scripting Engine Memory Corruption Vulnerability
A scripting engine is a software component that interprets and executes instructions written in a scripting language. It’s essentially a runtime environment that processes scripts, allowing them to interact with an application or system.
An attacker must convince an authenticated user to click a link to initiate remote code execution. Successful exploitation of the vulnerability may allow an unauthenticated attacker to execute code over a network.
CISA added the CVE-2025-30397 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.
CVE-2025-32709: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
The Windows Ancillary Function Driver (AFD) is a kernel-mode driver that serves as the entry point for the Windows Sockets (Winsock) API. It handles the low-level details of network communication, acting as a bridge between applications using the Winsock API and the network stack.
The use-after-free vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
CISA added the CVE-2025-32709 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.
Critical Severity Vulnerabilities Patched in May Patch Tuesday Edition
CVE-2025-29966 & CVE-2025-29967: Remote Desktop Client Remote Code Execution Vulnerability
A Remote Desktop Protocol client is a software application that allows users to connect to and control a remote computer or server, using a secure network connection. It essentially enables users to operate a remote machine as if they were physically sitting in front of it.
The heap-based buffer overflow vulnerability may allow an unauthenticated attacker to execute code remotely.
CVE-2025-30377 & CVE-2025-30386: Microsoft Office Remote Code Execution Vulnerability
The use-after-free vulnerability could allow an unauthenticated attacker to achieve remote code execution.
CVE-2025-29833: Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
The Microsoft Virtual Machine Bus (VMBus) is a virtual communication channel used within the Microsoft Hyper-V virtualization environment. It facilitates communication and data transfer between the parent (host) and child (guest) partitions, enabling virtual machines (VMs) to access and interact with resources on the host system.
Time-of-check time-of-use (toctou) race condition in Windows Virtual Machine Bus could allow an authenticated attacker to achieve remote code execution.
Other Microsoft Vulnerability Highlights
- CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution.
- CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system.
- CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally.
- CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network.
- CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally.
- CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Visual Studio Code, Windows Kernel, .NET, Visual Studio, and Build Tools for Visual Studio, Remote Desktop Gateway Service, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Windows Secure Kernel Mode, Windows Hardware Lab Kit, Azure DevOps, Microsoft Edge (Chromium-based), Microsoft Dataverse, Azure Automation, Windows Trusted Runtime Interface Driver, Windows Media, Universal Print Management Service, UrlMon, Windows LDAP – Lightweight Directory Access Protocol, Windows Hyper-V, Windows SMB, Windows Deployment Services, Windows Remote Desktop, Active Directory Certificate Services (AD CS), Windows Fundamentals, Microsoft Brokering File System, Web Threat Defense (WTD.sys), Azure Storage Resource Provider, Azure File Sync, Microsoft PC Manager, Microsoft Office SharePoint, Microsoft Office Excel, Microsoft Office PowerPoint, Microsoft Office, Windows Common Log File System Driver, Windows DWM, Visual Studio, Microsoft Office Outlook, Windows NTFS, Windows Ancillary Function Driver for WinSock, and Microsoft Power Apps.
EVALUATE Vendor-Suggested Mitigation with Policy Audit
With Qualys Policy Audit’s Out-of-the-Box Mitigation or Compensatory Controls, reduce the risk of a vulnerability being exploited because the remediation (fix/patch) cannot be done now; these security controls are not recommended by any industry standards, such as CIS, DISA-STIG.
Qualys Policy Audit team releases these exclusive controls based on Vendor-suggested Mitigation/Workaround.
Mitigation refers to a setting, common configuration, or general best practice that exists in a default state and could reduce the severity of a vulnerability’s exploitation.
A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn’t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.
The following Qualys Policy Audit Control IDs (CIDs) and System Defined Controls (SDC) have been updated to support Microsoft recommended mitigation(s) for this Patch Tuesday:
CVE-2025-26685: Microsoft Defender for Identity Spoofing Vulnerability
This vulnerability has a CVSS: 3.1 6.5 / 5.7
Policy Audit Control IDs (CIDs):
- 10968 Network access: Restrict clients allowed to make remote calls to SAM
- 2181 Current list of Groups and User Accounts granted the ‘Access this computer from the network’ right
The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:
control.id: [10968, 2181]
The next Patch Tuesday is June 10, and we will be back with details and patch analysis then. Until then, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches’ webinar.
Qualys Monthly Webinar Series
The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.
During the webcast, we will discuss this month’s high-impact vulnerabilities, including those that are a part of this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.
Join the webinar
This Month in Vulnerabilities & Patches