ION Advisory: Microsoft’s May 2025 Patch Tuesday
This month’s Patch Tuesday release addresses 78 vulnerabilities in Microsoft products: 11 are rated Critical, 5 were zero-days already being exploited in the wild, and 2 had been publicly disclosed before the release.
Active Exploitation
The following vulnerabilities were already being exploited as zero-days when the patches were released.
- CVE-2025-30400 – Microsoft DWM Core Library Elevation of Privilege Vulnerability – Attackers who successfully exploited this zero-day vulnerability in Desktop Window Manager (DWM) could gain SYSTEM privileges.
- CVE-2025-30397 – Scripting Engine Memory Corruption Vulnerability – Although Internet Explorer 11 and Microsoft Edge Legacy are deprecated, their underlying platform components (MSHTML, EdgeHTML and the scripting engines) are still supported and still receive fixes. Exploitation requires the target to be running Edge in Internet Explorer Mode, so environments with IE Mode enabled are the ones at risk.
- CVE-2025-32709 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability – An attacker who successfully exploited this vulnerability in the Windows Sockets API could gain administrator privileges.
- CVE-2025-32701 & CVE-2025-32706 – Windows Common Log File System Driver Elevation of Privilege Vulnerabilities – An attacker who successfully exploited the Windows Common Log File System Driver vulnerabilities could gain SYSTEM privileges.
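Because CVE-2025-30397 can only be triggered when Edge renders the attacker’s page in Internet Explorer Mode, the practical exposure question is whether IE Mode is configured at all and for which sites. The PowerShell below is an added example, not code from the original advisory or from Microsoft: it reads the two Edge policies that govern IE Mode and parses an Enterprise Mode site list for entries that open in IE11. The policy names and values (`InternetExplorerIntegrationLevel`: 0 = None, 1 = IEMode, 2 = NeedIE; `InternetExplorerIntegrationSiteList`) and the site-list XML schema are Microsoft’s documented ones; the function names and the sample site list are this example’s own.

```powershell
# Added example (not from the original advisory): enumerate this host's exposure to
# CVE-2025-30397 through Microsoft Edge's Internet Explorer Mode, which the exploit needs.
# Edge policy names/values and the Enterprise Mode site-list schema are Microsoft's;
# the sample site list further down is constructed for the example.

$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Reads an Enterprise Mode Site List (v2 schema) and flags every entry that
# opens in IE Mode (<open-in>IE11</open-in>).
function Get-IEModeSites {
    param([Parameter(Mandatory)][xml]$SiteList)
    foreach ($site in $SiteList.'site-list'.site) {
        [pscustomobject]@{
            Url    = $site.url
            OpenIn = $site.'open-in'
            IEMode = ($site.'open-in' -eq 'IE11')
        }
    }
}

# Reports the IE Mode policy state of this host: InternetExplorerIntegrationLevel
# (0 = None, 1 = IEMode, 2 = NeedIE) and the configured site list, if any.
function Get-IEModeExposure {
    $policy   = Get-ItemProperty -Path $EdgePolicyKey -ErrorAction SilentlyContinue
    $level    = $policy.InternetExplorerIntegrationLevel
    $listPath = $policy.InternetExplorerIntegrationSiteList
    $levelText = if ($null -eq $level) { 'not configured' } else { $level }

    $sites = @()
    if ($listPath -and $listPath -notmatch '^https?://' -and (Test-Path -LiteralPath $listPath)) {
        # Local or UNC path; an http(s)-hosted list would need Invoke-WebRequest instead.
        $sites = @(Get-IEModeSites -SiteList ([xml](Get-Content -LiteralPath $listPath -Raw)))
    }
    $ieModeSites = @($sites | Where-Object IEMode | Select-Object -ExpandProperty Url)

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        IntegrationLevel = $levelText
        IEModeEnabled    = ($level -eq 1)
        SiteListSource   = $listPath
        IEModeSiteCount  = $ieModeSites.Count
        IEModeSites      = $ieModeSites
    }
}

# Constructed sample site list, so the parser can be exercised offline.
$SampleSiteList = [xml]@'
<site-list version="1">
  <site url="legacy-erp.example.test">
    <compat-mode>IE8Enterprise</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="portal.example.test">
    <open-in>MSEdge</open-in>
  </site>
</site-list>
'@

Get-IEModeSites -SiteList $SampleSiteList | Format-Table -AutoSize   # one IE Mode entry (legacy-erp)
Get-IEModeExposure | Format-List                                     # live policy state of this host
```

A host where `IEModeEnabled` is false and no site list is configured cannot be driven into IE Mode by a crafted URL, which removes the precondition the advisory names; where IE Mode is on, the `IEModeSites` list is the set of applications to review. Run it across a fleet with `Invoke-Command -ComputerName <hosts> -FilePath <script>` and keep the output as the evidence for the exposure assessment.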
Critical Vulnerabilities
The following Critical-rated vulnerabilities are not yet known to be actively exploited or publicly disclosed.
- CVE-2025-30377 – Microsoft Office Remote Code Execution Vulnerability – the Preview Pane is an attack vector.
- CVE-2025-29966 & CVE-2025-29967 – Remote Desktop Client Remote Code Execution Vulnerabilities – Heap-based buffer overflows that allow an unauthorized attacker to execute code over a network; an attacker who controls a Remote Desktop server can trigger code execution on the client machine when a victim connects to it with a vulnerable Remote Desktop Client.
The following Critical-rated vulnerabilities affect Microsoft cloud services and have already been fully mitigated by Microsoft; no customer action is required.
- CVE-2025-29813 – Azure DevOps Server Elevation of Privilege Vulnerability
- CVE-2025-29827 – Azure Automation Elevation of Privilege Vulnerability
- CVE-2025-29972 – Azure Storage Resource Provider Spoofing Vulnerability
- CVE-2025-47732 – Microsoft Dataverse Remote Code Execution Vulnerability
Publicly Disclosed Vulnerabilities
- CVE-2025-26685 – Microsoft Defender for Identity Spoofing Vulnerability – Improper authentication in Microsoft Defender for Identity allows an unauthorized attacker to perform spoofing over an adjacent network. Customers who have NTLM completely disabled in their environment and want to keep the SAM-R calls used by the lateral movement path detection feature working should open a support case requesting that the feature be re-enabled; Microsoft has published the corresponding details in its SAM-R configuration guide.
- CVE-2025-32702 – Visual Studio Remote Code Execution Vulnerability – Improper neutralization of special elements used in a command (‘command injection’) in Visual Studio allows an unauthorized attacker to execute code locally.
Countermeasures and Patches
- Apply the May 2025 updates as soon as possible, after appropriate testing, prioritising hosts exposed to the five actively exploited vulnerabilities above.
- Where Edge is configured to run sites in Internet Explorer Mode, review the site list and keep it to the minimum set of legacy applications, since CVE-2025-30397 requires IE Mode to be in use.
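"Apply the patches" is only verifiable if each host can report whether the May 2025 cumulative update is actually installed and whether anything is still pending. The PowerShell below is an added example written for this advisory, not Microsoft’s or the original author’s code: it identifies the host’s release, looks up the expected cumulative update KB, checks it with `Get-HotFix`, and asks the Windows Update Agent for pending updates. The KB-per-release table is illustrative and must be verified against the Microsoft Update Catalog for the builds in your estate; the function names (`Get-OsRelease`, `Get-PendingUpdates`, `Test-May2025Patch`) are this example’s own.

```powershell
# Added example (not from the original advisory): check a Windows host for the
# May 2025 cumulative update and list what Windows Update still has pending.
# The KB-per-release table is illustrative; verify each entry against the
# Microsoft Update Catalog before relying on it for your builds.

$ExpectedKbByRelease = @{
    # "<product>|<release>" as reported by the host => May 2025 cumulative update
    'Windows 11|24H2'          = 'KB5058405'
    'Windows 11|23H2'          = 'KB5058411'
    'Windows 11|22H2'          = 'KB5058411'
    'Windows 10|22H2'          = 'KB5058379'
    'Windows Server 2025|24H2' = 'KB5058405'
    'Windows Server 2022|21H2' = 'KB5058392'
    'Windows Server 2019|1809' = 'KB5058385'
}

# Product family, feature release and full build (CurrentBuild.UBR) of this host.
function Get-OsRelease {
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    $product = switch -Regex ($caption) {
        'Windows 11'  { 'Windows 11'; break }
        'Windows 10'  { 'Windows 10'; break }
        'Server 2025' { 'Windows Server 2025'; break }
        'Server 2022' { 'Windows Server 2022'; break }
        'Server 2019' { 'Windows Server 2019'; break }
        default       { $caption }
    }
    # DisplayVersion only exists from Windows 10 20H2 onwards; older builds
    # (e.g. Server 2019 / 1809) expose the release as ReleaseId instead.
    $release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
    [pscustomobject]@{
        Product = $product
        Release = $release
        Build   = "$($cv.CurrentBuild).$($cv.UBR)"
    }
}

# Updates the Windows Update Agent considers applicable to this host but not installed.
function Get-PendingUpdates {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $found    = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $found.Updates) {
        [pscustomobject]@{
            Title = $u.Title
            KBs   = @($u.KBArticleIDs | ForEach-Object { "KB$_" })
        }
    }
}

function Test-May2025Patch {
    $os        = Get-OsRelease
    $expected  = $ExpectedKbByRelease["$($os.Product)|$($os.Release)"]
    $installed = $null
    if ($expected) {
        # Get-HotFix reads Win32_QuickFixEngineering; the cumulative update is listed by KB id.
        $installed = [bool](Get-HotFix -Id $expected -ErrorAction SilentlyContinue)
    }
    $expectedText = if ($expected) { $expected } else { 'not in table; check the Update Catalog' }
    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        Release             = "$($os.Product) $($os.Release) (build $($os.Build))"
        ExpectedKb          = $expectedText
        ExpectedKbInstalled = $installed
        PendingUpdates      = @(Get-PendingUpdates)
    }
}

Test-May2025Patch | Format-List
```

`ExpectedKbInstalled` being true with an empty `PendingUpdates` list is the state you want after the maintenance window. Because `Get-HotFix` depends on WMI quick-fix data, comparing the reported `Build` (CurrentBuild.UBR) against the build number in the update’s release notes is the more robust check when the two disagree. For a fleet, run the script through `Invoke-Command -ComputerName <hosts> -FilePath <script>` and collect the objects centrally.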
References
SANS Internet Storm Center: Microsoft Patch Tuesday: May 2025
PatchaPalooza