Randy Franklin Smith's Ultimate Windows Security

Upcoming Webinars

Shining a Light on the Hidden Risks of Non-Human Identities

Webinar Library

Latest Blogs

How to Detect Pass-the-Hash Attacks Blog Series

Come meet Randy in Orlando at Microsoft Ignite at Quest's Booth #1818

Detecting Pass-the-Hash with Honeypots

Catch Malware Hiding in WMI with Sysmon

For of all sad words of tongue or pen, the saddest are these: 'We weren’t logging’

Experimenting with Windows Security: Controls for Enforcing Policies

Sysmon Event IDs 1, 6, 7 Report All the Binary Code Executing on Your Network

Yet Another Ransomware Can That Can be Immediately Detected with Process Tracking on Workstations

Cracking AD Passwords with NTDSXtract, Dsusers.py and John the Ripper

Cracking local windows passwords with Mimikatz, LSA dump and Hashcat

Top Resources

Security Log

Additional Resources

May, 2025: Patch Tuesday - Seven "Important" Zero Days

Welcome to my May Patch Tuesday newsletter. Today Microsoft released 71 updates and an additional 22 in the past month for a total of 93 updates.

We have 7 zero-days to look at:

Currently exploited:
- CVE-2025-30397
  - Access of resource using incompatible type ('type confusion') in Microsoft Scripting Engine allows an unauthorized attacker to execute code over a network.
- CVE-2025-30400
  - Use after free in Windows DWM allows an authorized attacker to elevate privileges locally.
- CVE-2025-32701
  - Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
- CVE-2025-32706
  - Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
- CVE-2025-32709
  - Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Publicly known:
- CVE-2025-32702
  - Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an unauthorized attacker to execute code locally.
- CVE-2025-26685
  - Improper authentication in Microsoft Defender for Identity allows an unauthorized attacker to perform spoofing over an adjacent network.

As you can see in the chart below, the five that are currently exploited affect various OS's. The two publicly known vulnerability updates affect two other platforms; CVE-2025-32702 affects Visual Studio 2022 and 2019 and CVE-2025-26685 affects MS Defender for Identity. Although we have these seven, the good news is MS gives all of them a severity rating of "Important". Despite this, you will want to make sure these get updated as soon as possible.

In addition to these we have 17 others that are rated critical. Of these, 5 have a CVSS of 9.0 or greater. They are:

So we do have a good bit of updating that needs to be done. So download, update and reboot those systems. See you next month!

I'd also like to give some attention to one of my webinars. Last month my software company, LOGbinder, had a major release update to our Supercharger for Windows Event Collection application. The feedback I received for this webinar was phenomenal. If you'd like to see or listen to the recording you can see it here.

Happy patching!

Patch data provided by:
Technology	Products Affected	Severity	Reference	Workaround/ Exploited / Publicly Disclosed	Vulnerability Info
Windows	Windows 10, 11 including HLK Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, 2025 including Server Core Installations Remote Desktop Client Windows App Client	Critical	CVE-2025-24063 CVE-2025-26677 CVE-2025-27468 CVE-2025-27488 CVE-2025-29829 CVE-2025-29830 CVE-2025-29831 CVE-2025-29832 CVE-2025-29833 CVE-2025-29835 CVE-2025-29836 CVE-2025-29837 CVE-2025-29838 CVE-2025-29839 CVE-2025-29840 CVE-2025-29841 CVE-2025-29842 CVE-2025-29954 CVE-2025-29955 CVE-2025-29956 CVE-2025-29957 CVE-2025-29958 CVE-2025-29959 CVE-2025-29960 CVE-2025-29961 CVE-2025-29962 CVE-2025-29963 CVE-2025-29964 CVE-2025-29966 CVE-2025-29967 CVE-2025-29968 CVE-2025-29969 CVE-2025-29970 CVE-2025-29971 CVE-2025-29974 CVE-2025-30385 CVE-2025-30388 CVE-2025-30394 CVE-2025-30397* CVE-2025-30400* CVE-2025-32701* CVE-2025-32706* CVE-2025-32707 CVE-2025-32709*	Workaround: No Exploited: Yes* Public: No	Denial of Service Elevation of Privilege Information Disclosure Remote Code Execution Security Feature Bypass
Edge	Chromium-based	Important	CVE-2025-29825 CVE-2025-29834 CVE-2025-3619 CVE-2025-3620 CVE-2025-4050 CVE-2025-4051 CVE-2025-4052 CVE-2025-4096 CVE-2025-4372	Workaround: No Exploited: No Public: No	Remote Code Execution Spoofing
Office	365 Apps for Enterprise Excel 2016 Office 2016, 2019 LTSC 2021, 2024 including for Mac Office for Android/Universal Online Server	Critical	CVE-2025-29977 CVE-2025-29978 CVE-2025-29979 CVE-2025-30375 CVE-2025-30376 CVE-2025-30377 CVE-2025-30379 CVE-2025-30381 CVE-2025-30383 CVE-2025-30386 CVE-2025-30388 CVE-2025-30393 CVE-2025-32704 CVE-2025-32705	Workaround: No Exploited: No Public: No	Remote Code Execution
SharePoint	Enterprise Server 2016 Server 2019 Server Subscription Edition	Important	CVE-2025-29976 CVE-2025-30378 CVE-2025-30382 CVE-2025-30384	Workaround: No Exploited: No Public: No	Elevation of Privilege Remote Code Execution
Azure	AI Bot Service AI Document Intelligence Studio Automation File Sync v19/20 Functions Machine Learning Storage Resource Provider (SRP) Virtual Desktop msagsfeedback.azure websites.net Power Apps HLK for Server 2022	Critical	CVE-2025-21416 CVE-2025-27488 CVE-2025-29827 CVE-2025-29972 CVE-2025-29973 CVE-2025-30387 CVE-2025-30389 CVE-2025-30390 CVE-2025-30392 CVE-2025-33072 CVE-2025-33074 CVE-2025-47733	Workaround: No Exploited: No Public: No	Elevation of Privilege Information Disclosure Remote Code Execution Spoofing
Developer Tools	.NET 8.0 & 9.0 on Linux/MacOS/Windows Azure DevOps Build Tools for VS 2022 Visual Studio 2017 15.9-15.0 Visual Studio 2019 16.11-16.0 Visual Studio 2022 17.8, 17.10, 17.12, 17.13 Visual Studio Code	Critical	CVE-2025-21264 CVE-2025-26646 CVE-2025-29813 CVE-2025-32702* CVE-2025-32703	Workaround: No Exploited: No Public: Yes*	Elevation of Privilege Information Disclosure Remote Code Execution Security Feature Bypass Spoofing
Apps	Microsoft PC Manager	Important	CVE-2025-29975	Workaround: No Exploited: No Public: No	Elevation of Privilege
Dynamics	365 Customer Service Microsoft Dataverse Power Automate for Desktop	Critical	CVE-2025-29817 CVE-2025-29826 CVE-2025-30391 CVE-2025-47732	Workaround: No Exploited: No Public: No	Elevation of Privilege Information Disclosure Remote Code Execution
System Center	Defender for Endpoint for Linux Defender for Identity	Important	CVE-2025-26684 CVE-2025-26685*	Workaround: No Exploited: No Public: Yes	Elevation of Privilege Spoofing

Send me this chart next Patch Tuesday.

User name:
Password:
	/ Forgot?
	Register

May 2025 Patch Monday	"Patch Tuesday - Seven "Important" Zero Days " - sponsored by Supercharger

Home

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2025 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.