May 2025 Patch Tuesday: What You Need to Know
Microsoft’s May 2025 Patch Tuesday addressed 78 vulnerabilities, including five zero-day flaws already being exploited in the wild and 11 rated critical. The updates span Windows, Office, Azure, SharePoint, and other core Microsoft products.
Key Vulnerabilities Remediated
Actively Exploited Zero-Day Vulnerabilities
CVE-2025-32706 – Windows Common Log File System Driver
Elevation of Privilege via improper input validation; a local attacker gains SYSTEM. Exploited in the wild.
CVSS: 7.8

CVE-2025-32701 – Windows Common Log File System Driver
Use-after-free flaw allowing SYSTEM-level privilege escalation. Exploited in the wild.
CVSS: 7.8

CVE-2025-32709 – Windows Ancillary Function Driver for WinSock
Use-after-free flaw allowing a local attacker to gain administrator privileges. Exploited in the wild.
CVSS: 7.8

CVE-2025-30400 – Microsoft DWM Core Library
Use-after-free vulnerability enabling SYSTEM privilege escalation. Exploited in the wild.
CVSS: 7.8

CVE-2025-30397 – Microsoft Scripting Engine
Memory corruption (type confusion) in the JScript engine, triggered when a user follows a crafted link in Edge running in Internet Explorer mode. Exploited in the wild.
CVSS: 7.5
Critical Remote Code Execution (RCE) Vulnerabilities
CVE-2025-29966 & CVE-2025-29967 – Windows Remote Desktop Client
Heap-based buffer overflow. Exploitable by a malicious RDP server against a connecting client.
CVSS: 8.8

CVE-2025-30377 & CVE-2025-30386 – Microsoft Office
Use-after-free flaws; the Preview Pane is an attack vector.
CVSS: 8.4

CVE-2025-29833 – Windows Virtual Machine Bus (VMBus)
Time-of-check/time-of-use (TOCTOU) race condition enabling RCE.
CVSS: 7.1
Vulnerability Breakdown
| Category | Count | Severity |
|---|---|---|
| Remote Code Execution (RCE) | 28 | 5 Critical, 23 Important |
| Elevation of Privilege | 18 | All Important |
| Information Disclosure | 14 | All Important |
| Denial of Service (DoS) | 7 | All Important |
| Spoofing | 2 | All Important |
| Security Feature Bypass | 2 | All Important |
Risks and Known Issues
- Preview Pane Exploits: The Office vulnerabilities (e.g., CVE-2025-30386) can be triggered when a file is merely previewed, with no need to open it, making them especially dangerous where file previews are enabled in Outlook or File Explorer.
- Remote Desktop Client Vulnerabilities: The RDP client-side flaws (CVE-2025-29966/29967) could allow full compromise of the connecting workstation if a user connects to a malicious or compromised server.
- TOCTOU Race Conditions: The VMBus and Print Management race conditions are timing-dependent; validate that the patch actually landed on each host rather than relying on the deployment job's status.
Recommendations
- Patch Immediately: Prioritise the zero-day and critical RCE fixes, especially in Office, the Remote Desktop client, and Windows kernel components (CLFS, AFD, DWM).
- Disable the Preview Pane: Turn off file previewing in Outlook and File Explorer until the Office patches are confirmed, to close the preview-handler attack vector.
- Review Patch Coverage: Ensure all systems, including legacy and virtualised hosts, are included in patching schedules and verify installation on each host.
- Monitor for Exploits: Use Snort rules and endpoint detection tooling to watch for exploitation attempts (e.g., Snort rules 64848–64867).
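The following PowerShell script is an added example (not part of the original advisory) that carries out the "Review Patch Coverage" and "Disable Preview Pane" steps on a single host. It assumes Microsoft's release date of 13 May 2025 for this Patch Tuesday, that the Explorer "Turn off Preview Pane" policy maps to the NoReadingPane value under the Policies\Explorer key, and that the Office preview handlers are registered under the standard PreviewHandlers key with display names containing "Microsoft Word", "Microsoft Excel" or "Microsoft PowerPoint" (verify these against your build before relying on them). Run it elevated; without -Harden it only reports.

```powershell
# Added example: post-Patch-Tuesday checks for the May 2025 release (not from the original advisory).
# Assumptions: release date 13 May 2025; NoReadingPane is the Explorer preview-pane policy value;
# Office preview handlers register under PreviewHandlers with a "Microsoft Word/Excel/PowerPoint" display name.
[CmdletBinding(SupportsShouldProcess)]
param(
    [datetime]$PatchTuesday = [datetime]'2025-05-13',
    [switch]$Harden
)

# 1. Review patch coverage: has anything been installed since Patch Tuesday?
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    Write-Host "Updates installed on/after $($PatchTuesday.ToString('yyyy-MM-dd')):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No updates installed since $($PatchTuesday.ToString('yyyy-MM-dd')); this host is likely unpatched."
}

# Report the OS build so it can be cross-checked against the KB article for this SKU.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Write-Host ("OS build {0}.{1} ({2})" -f $ver.CurrentBuildNumber, $ver.UBR, $ver.DisplayVersion)

if (-not $Harden) { return }

# 2. Turn off the File Explorer Preview Pane via policy for the current user.
#    (Assumed mapping: the 'Turn off Preview Pane' policy writes NoReadingPane=1.)
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if ($PSCmdlet.ShouldProcess($explorerPolicy, 'Set NoReadingPane=1')) {
    New-Item -Path $explorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $explorerPolicy -Name NoReadingPane -Value 1 -Type DWord
}

# 3. Unregister the Office preview handlers so neither Explorer nor Outlook renders Office
#    files in a preview pane. Both the native and WOW6432Node keys are checked because
#    32-bit Office on 64-bit Windows registers under the latter. A .reg backup is exported first.
$handlerKeys = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers',
    'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\PreviewHandlers'
)
foreach ($rawKey in $handlerKeys) {
    $psKey = $rawKey -replace '^HKLM\\', 'HKLM:\'
    if (-not (Test-Path $psKey)) { continue }

    $backup = Join-Path $env:ProgramData ("PreviewHandlers-" + ($rawKey -replace '[\\:]', '_') + ".reg")
    if ($PSCmdlet.ShouldProcess($rawKey, "Export backup to $backup")) {
        reg.exe export $rawKey $backup /y | Out-Null
    }

    $handlers = Get-ItemProperty -Path $psKey
    foreach ($prop in $handlers.PSObject.Properties) {
        # Registered handlers are named by CLSID; skip PSPath/PSChildName and other provider properties.
        if ($prop.Name -notmatch '^\{[0-9A-Fa-f-]+\}$') { continue }
        if ($prop.Value -match 'Microsoft (Word|Excel|PowerPoint)') {
            if ($PSCmdlet.ShouldProcess("$($prop.Name) ($($prop.Value))", 'Remove preview handler registration')) {
                Remove-ItemProperty -Path $psKey -Name $prop.Name
            }
        }
    }
}
```

Run with `-Harden -WhatIf` first to see which handler registrations would be removed; the exported .reg files restore them (via `reg.exe import`) once the Office patch is confirmed installed. Removing the handler registration is preferred over toggling the pane itself because it covers Outlook and Explorer at once and survives a user re-enabling the pane.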

