May, 2025: Patch Tuesday - Seven "Important" Zero Days

Welcome to my May Patch Tuesday newsletter. Today Microsoft released 71 updates and an additional 22 in the past month for a total of 93 updates.

We have 7 zero-days to look at:

  • Currently exploited:
    • CVE-2025-30397
      • Access of resource using incompatible type ('type confusion') in Microsoft Scripting Engine allows an unauthorized attacker to execute code over a network.
    • CVE-2025-30400
      • Use after free in Windows DWM allows an authorized attacker to elevate privileges locally.
    • CVE-2025-32701
      • Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
    • CVE-2025-32706
      • Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
    • CVE-2025-32709
      • Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
  • Publicly known:
    • CVE-2025-32702
      • Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an unauthorized attacker to execute code locally.
    • CVE-2025-26685
      • Improper authentication in Microsoft Defender for Identity allows an unauthorized attacker to perform spoofing over an adjacent network.

As you can see in the chart below, the five that are currently exploited affect various OSs. The two publicly known vulnerabilities affect two other platforms: CVE-2025-32702 affects Visual Studio 2022 and 2019, and CVE-2025-26685 affects MS Defender for Identity. Although we have these seven, the good news is that MS gives all of them a severity rating of "Important". Despite this, you will want to make sure these get updated as soon as possible.

In addition to these we have 17 others that are rated critical. Of these, 5 have a CVSS of 9.0 or greater. They are:

So we do have a good bit of updating to do. Download, update and reboot those systems. See you next month!

I'd also like to give some attention to one of my webinars. Last month my software company, LOGbinder, had a major release update to our Supercharger for Windows Event Collection application. The feedback I received for this webinar was phenomenal. If you'd like to see or listen to the recording you can see it here.

Happy patching!

Patch data provided by: LOGbinder.com

| Technology | Products Affected | Severity | Reference | Workaround / Exploited / Publicly Disclosed | Vulnerability Info |
|---|---|---|---|---|---|
| Windows | Windows 10, 11 including HLK; Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, 2025 including Server Core Installations; Remote Desktop Client; Windows App Client | Critical | CVE-2025-24063, CVE-2025-26677, CVE-2025-27468, CVE-2025-27488, CVE-2025-29829, CVE-2025-29830, CVE-2025-29831, CVE-2025-29832, CVE-2025-29833, CVE-2025-29835, CVE-2025-29836, CVE-2025-29837, CVE-2025-29838, CVE-2025-29839, CVE-2025-29840, CVE-2025-29841, CVE-2025-29842, CVE-2025-29954, CVE-2025-29955, CVE-2025-29956, CVE-2025-29957, CVE-2025-29958, CVE-2025-29959, CVE-2025-29960, CVE-2025-29961, CVE-2025-29962, CVE-2025-29963, CVE-2025-29964, CVE-2025-29966, CVE-2025-29967, CVE-2025-29968, CVE-2025-29969, CVE-2025-29970, CVE-2025-29971, CVE-2025-29974, CVE-2025-30385, CVE-2025-30388, CVE-2025-30394, CVE-2025-30397*, CVE-2025-30400*, CVE-2025-32701*, CVE-2025-32706*, CVE-2025-32707, CVE-2025-32709* | Workaround: No; Exploited: Yes*; Public: No | Denial of Service; Elevation of Privilege; Information Disclosure; Remote Code Execution; Security Feature Bypass |
| Edge | Chromium-based | Important | CVE-2025-29825, CVE-2025-29834, CVE-2025-3619, CVE-2025-3620, CVE-2025-4050, CVE-2025-4051, CVE-2025-4052, CVE-2025-4096, CVE-2025-4372 | Workaround: No; Exploited: No; Public: No | Remote Code Execution; Spoofing |
| Office | 365 Apps for Enterprise; Excel 2016; Office 2016, 2019; LTSC 2021, 2024 including for Mac; Office for Android/Universal; Online Server | Critical | CVE-2025-29977, CVE-2025-29978, CVE-2025-29979, CVE-2025-30375, CVE-2025-30376, CVE-2025-30377, CVE-2025-30379, CVE-2025-30381, CVE-2025-30383, CVE-2025-30386, CVE-2025-30388, CVE-2025-30393, CVE-2025-32704, CVE-2025-32705 | Workaround: No; Exploited: No; Public: No | Remote Code Execution |
| SharePoint | Enterprise Server 2016; Server 2019; Server Subscription Edition | Important | CVE-2025-29976, CVE-2025-30378, CVE-2025-30382, CVE-2025-30384 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege; Remote Code Execution |
| Azure | AI Bot Service; AI Document Intelligence Studio; Automation; File Sync v19/20; Functions; Machine Learning; Storage Resource Provider (SRP); Virtual Desktop; msagsfeedback.azurewebsites.net; Power Apps; HLK for Server 2022 | Critical | CVE-2025-21416, CVE-2025-27488, CVE-2025-29827, CVE-2025-29972, CVE-2025-29973, CVE-2025-30387, CVE-2025-30389, CVE-2025-30390, CVE-2025-30392, CVE-2025-33072, CVE-2025-33074, CVE-2025-47733 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege; Information Disclosure; Remote Code Execution; Spoofing |
| Developer Tools | .NET 8.0 & 9.0 on Linux/MacOS/Windows; Azure DevOps; Build Tools for VS 2022; Visual Studio 2017 15.9-15.0; Visual Studio 2019 16.11-16.0; Visual Studio 2022 17.8, 17.10, 17.12, 17.13; Visual Studio Code | Critical | CVE-2025-21264, CVE-2025-26646, CVE-2025-29813, CVE-2025-32702*, CVE-2025-32703 | Workaround: No; Exploited: No; Public: Yes* | Elevation of Privilege; Information Disclosure; Remote Code Execution; Security Feature Bypass; Spoofing |
| Apps | Microsoft PC Manager | Important | CVE-2025-29975 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege |
| Dynamics | 365 Customer Service; Microsoft Dataverse; Power Automate for Desktop | Critical | CVE-2025-29817, CVE-2025-29826, CVE-2025-30391, CVE-2025-47732 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege; Information Disclosure; Remote Code Execution |
| System Center | Defender for Endpoint for Linux; Defender for Identity | Important | CVE-2025-26684, CVE-2025-26685* | Workaround: No; Exploited: No; Public: Yes | Elevation of Privilege; Spoofing |