Microsoft May 2025 Patch Tuesday fixes 5 exploited zero-days, 72 flaws
Today is Microsoft’s May 2025 Patch Tuesday, which includes security updates for 72 flaws, including five actively exploited and two publicly disclosed zero-day vulnerabilities.
This Patch Tuesday also fixes six “Critical” vulnerabilities, five being remote code execution vulnerabilities and another an information disclosure bug.
The number of bugs in each vulnerability category is listed below:
- 17 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 28 Remote Code Execution Vulnerabilities
- 15 Information Disclosure Vulnerabilities
- 7 Denial of Service Vulnerabilities
- 2 Spoofing Vulnerabilities
This count does not include Azure, Dataverse, Mariner, and Microsoft Edge flaws that were fixed earlier this month.
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5058411 and KB5058405 cumulative updates and the Windows 10 KB5058379 update.
Five actively exploited zero-days
This month’s Patch Tuesday fixes one actively exploited zero-day. Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.
The actively exploited zero-day vulnerability in today’s updates is:
CVE-2025-30400 – Microsoft DWM Core Library Elevation of Privilege Vulnerability
Microsoft fixed an exploited elevation of privileges vulnerability that gives attackers SYSTEM privileges.
“Use after free in Windows DWM allows an authorized attacker to elevate privileges locally,” reads the advisory.
Microsoft attributes the discovery of this flaw to the Microsoft Threat Intelligence Center.
CVE-2025-32701 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
Microsoft fixed an exploited elevation of privileges vulnerability that gives attackers SYSTEM privileges.
“Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally,” reads the advisory.
Microsoft attributes the discovery of this flaw to the Microsoft Threat Intelligence Center.
CVE-2025-32706 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
Microsoft fixed an exploited elevation of privileges vulnerability that gives attackers SYSTEM privileges.
“Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally,” explains the advisory.
Microsoft attributes the discovery of this flaw to Benoit Sevens of Google Threat Intelligence Group and the CrowdStrike Advanced Research Team.
CVE-2025-32709 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Microsoft fixed an exploited elevation of privileges vulnerability that gives attackers SYSTEM privileges.
“Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally,” explains Microsoft’s advisory.
This flaw was disclosed by an “Anonymous” researcher.
CVE-2025-30397 – Scripting Engine Memory Corruption Vulnerability
Microsoft fixed a remote code execution vulnerability that can be exploited through Microsoft Edge or Internet Explorer.
“Access of resource using incompatible type (‘type confusion’) in Microsoft Scripting Engine allows an unauthorized attacker to execute code over a network,” explains Microsoft.
Microsoft says that threat actors need to trick an authenticated user into clicking on a specially crafted link in Edge or Internet Explorer, allowing an unauthenticated attacker to gain remote code execution.
Microsoft attributes the discovery of this flaw to the Microsoft Threat Intelligence Center.
Microsoft has not shared any details on how these flaws were exploited in attacks.
The publicly disclosed zero-days are:
CVE-2025-26685 – Microsoft Defender for Identity Spoofing Vulnerability
Microsoft fixes a flaw in Microsoft Defender that allows an unauthenticated attack to spoof another account.
“Improper authentication in Microsoft Defender for Identity allows an unauthorized attacker to perform spoofing over an adjacent network,” explains Microsoft.
The flaw can be exploited by an unauthenticated attacker with LAN access.
Microsoft attributes the discovery of this flaw to Joshua Murrell with NetSPI.
CVE-2025-32702 – Visual Studio Remote Code Execution Vulnerability
Microsoft fixed a Visual Studio remote code execution flaw that can be exploited by an unauthenticated attacker.
“Improper neutralization of special elements used in a command (‘command injection’) in Visual Studio allows an unauthorized attacker to execute code locally,” explains Microsoft.
Microsoft has not shared who disclosed this flaw.
Recent updates from other companies
Other vendors who released updates or advisories in May 2025 include:
- Apple released security updates for iOS, iPadOS, and macOS.
- Cisco fixed a maximum severity vulnerability in IOS XE Software for Wireless LAN Controllers.
- Fortinet released security updates for numerous products, including an actively exploited zero day used in attacks on FortiVoice.
- Google’s May 2025 security updates for Android fixed an actively exploited zero-click FreeType 2 code execution vulnerability.
- Intel released CPU microcodes for a flaw named “Branch Privilege Injection” that leaks data from privileged memory.
- SAP releases security updates for multiple products, including a critical RCE flaw.
- SonicWall fixes a zero-day vulnerability that was exploited in attacks.
The May 2025 Patch Tuesday Security Updates
Below is the complete list of resolved vulnerabilities in the May 2025 Patch Tuesday updates.
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| .NET, Visual Studio, and Build Tools for Visual Studio | CVE-2025-26646 | .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability | Important |
| Active Directory Certificate Services (AD CS) | CVE-2025-29968 | Active Directory Certificate Services (AD CS) Denial of Service Vulnerability | Important |
| Azure | CVE-2025-33072 | Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability | Critical |
| Azure | CVE-2025-30387 | Document Intelligence Studio On-Prem Elevation of Privilege Vulnerability | Important |
| Azure Automation | CVE-2025-29827 | Azure Automation Elevation of Privilege Vulnerability | Critical |
| Azure DevOps | CVE-2025-29813 | Azure DevOps Server Elevation of Privilege Vulnerability | Critical |
| Azure File Sync | CVE-2025-29973 | Microsoft Azure File Sync Elevation of Privilege Vulnerability | Important |
| Azure Storage Resource Provider | CVE-2025-29972 | Azure Storage Resource Provider Spoofing Vulnerability | Critical |
| Microsoft Brokering File System | CVE-2025-29970 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important |
| Microsoft Dataverse | CVE-2025-47732 | Microsoft Dataverse Remote Code Execution Vulnerability | Critical |
| Microsoft Dataverse | CVE-2025-29826 | Microsoft Dataverse Elevation of Privilege Vulnerability | Important |
| Microsoft Defender for Endpoint | CVE-2025-26684 | Microsoft Defender Elevation of Privilege Vulnerability | Important |
| Microsoft Defender for Identity | CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2025-4050 | Chromium: CVE-2025-4050 Out of bounds memory access in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2025-4096 | Chromium: CVE-2025-4096 Heap buffer overflow in HTML | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2025-29825 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2025-4052 | Chromium: CVE-2025-4052 Inappropriate implementation in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2025-4051 | Chromium: CVE-2025-4051 Insufficient data validation in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2025-4372 | Chromium: CVE-2025-4372 Use after free in WebAudio | Unknown |
| Microsoft Office | CVE-2025-30377 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2025-30386 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office Excel | CVE-2025-29977 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-30383 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-29979 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-30376 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-30393 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-32704 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-30375 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-30379 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-30381 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Outlook | CVE-2025-32705 | Microsoft Outlook Remote Code Execution Vulnerability | Important |
| Microsoft Office PowerPoint | CVE-2025-29978 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2025-30378 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2025-30382 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2025-30384 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2025-29976 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important |
| Microsoft PC Manager | CVE-2025-29975 | Microsoft PC Manager Elevation of Privilege Vulnerability | Important |
| Microsoft Power Apps | CVE-2025-47733 | Microsoft Power Apps Information Disclosure Vulnerability | Critical |
| Microsoft Scripting Engine | CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability | Important |
| Remote Desktop Gateway Service | CVE-2025-26677 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | Important |
| Remote Desktop Gateway Service | CVE-2025-29967 | Remote Desktop Client Remote Code Execution Vulnerability | Critical |
| Remote Desktop Gateway Service | CVE-2025-29831 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Important |
| Remote Desktop Gateway Service | CVE-2025-30394 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | Important |
| Role: Windows Hyper-V | CVE-2025-29955 | Windows Hyper-V Denial of Service Vulnerability | Important |
| Universal Print Management Service | CVE-2025-29841 | Universal Print Management Service Elevation of Privilege Vulnerability | Important |
| UrlMon | CVE-2025-29842 | UrlMon Security Feature Bypass Vulnerability | Important |
| Visual Studio | CVE-2025-32703 | Visual Studio Information Disclosure Vulnerability | Important |
| Visual Studio | CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability | Important |
| Visual Studio Code | CVE-2025-21264 | Visual Studio Code Security Feature Bypass Vulnerability | Important |
| Web Threat Defense (WTD.sys) | CVE-2025-29971 | Web Threat Defense (WTD.sys) Denial of Service Vulnerability | Important |
| Windows Ancillary Function Driver for WinSock | CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
| Windows Common Log File System Driver | CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| Windows Common Log File System Driver | CVE-2025-30385 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| Windows Common Log File System Driver | CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| Windows Deployment Services | CVE-2025-29957 | Windows Deployment Services Denial of Service Vulnerability | Important |
| Windows Drivers | CVE-2025-29838 | Windows ExecutionContext Driver Elevation of Privilege Vulnerability | Important |
| Windows DWM | CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important |
| Windows File Server | CVE-2025-29839 | Windows Multiple UNC Provider Driver Information Disclosure Vulnerability | Important |
| Windows Fundamentals | CVE-2025-29969 | MS-EVEN RPC Remote Code Execution Vulnerability | Important |
| Windows Hardware Lab Kit | CVE-2025-27488 | Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability | Important |
| Windows Installer | CVE-2025-29837 | Windows Installer Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2025-24063 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2025-29974 | Windows Kernel Information Disclosure Vulnerability | Important |
| Windows LDAP – Lightweight Directory Access Protocol | CVE-2025-29954 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | Important |
| Windows Media | CVE-2025-29962 | Windows Media Remote Code Execution Vulnerability | Important |
| Windows Media | CVE-2025-29963 | Windows Media Remote Code Execution Vulnerability | Important |
| Windows Media | CVE-2025-29964 | Windows Media Remote Code Execution Vulnerability | Important |
| Windows Media | CVE-2025-29840 | Windows Media Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2025-32707 | NTFS Elevation of Privilege Vulnerability | Important |
| Windows Remote Desktop | CVE-2025-29966 | Remote Desktop Client Remote Code Execution Vulnerability | Critical |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-29836 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-29959 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-29835 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-29960 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-29832 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-29830 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-29961 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-29958 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
| Windows Secure Kernel Mode | CVE-2025-27468 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important |
| Windows SMB | CVE-2025-29956 | Windows SMB Information Disclosure Vulnerability | Important |
| Windows Trusted Runtime Interface Driver | CVE-2025-29829 | Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability | Important |
| Windows Virtual Machine Bus | CVE-2025-29833 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | Critical |
| Windows Win32K – GRFX | CVE-2025-30388 | Windows Graphics Component Remote Code Execution Vulnerability | Important |
