Contact us
En
Русский English
Services Company Blog
En
Русский English
MS Patch Tuesday

Analysis of Microsoft Patch Tuesday updates - May 2025

Executive Summary

On Tuesday, May 13, 2025, Microsoft released its monthly security patch addressing 78 vulnerabilities across its products.

By severity:

  • Important - 66;
  • Critical - 11;
  • Low - 1.

Exploited (Zero-Days) and Publicly Disclosed Vulnerabilities

Special attention should be paid to the following 7 vulnerabilities. Fixing them is the highest priority:

  • CVE-2025-26685 (CVSS 6.5; Important) - Microsoft Defender for Identity Spoofing Vulnerability (Spoofing). Inadequate authentication in Microsoft Defender for Identity allows an unauthenticated attacker to impersonate another user or computer in the network.
  • CVE-2025-30397 (CVSS 7.5; Important) - Scripting Engine Memory Corruption Vulnerability (Remote Code Execution). A type confusion vulnerability in Microsoft Scripting Engine allows a remote attacker to execute arbitrary code in the system.
  • CVE-2025-30400 (CVSS 7.8; Important) - Microsoft DWM Core Library Elevation of Privilege Vulnerability (Elevation of Privilege). A Use-After-Free vulnerability in Desktop Window Manager allows a local authenticated attacker to elevate privileges.
  • CVE-2025-32701 (CVSS 7.8; Important) - Windows Common Log File System Driver Elevation of Privilege Vulnerability (Elevation of Privilege). A Use-After-Free vulnerability in Common Log File System Driver allows a local authenticated attacker to elevate privileges.
  • CVE-2025-32702 (CVSS 7.8; Important) - Visual Studio Remote Code Execution Vulnerability (Remote Code Execution). An error in Visual Studio ("Code injection") allows an unauthenticated attacker to execute code locally in the system.
  • CVE-2025-32706 (CVSS 7.8; Important) - Windows Common Log File System Driver Elevation of Privilege Vulnerability (Elevation of Privilege). Incorrect input validation in the driver allows a local authenticated attacker to elevate privileges.
  • CVE-2025-32709 (CVSS 7.8; Important) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (Elevation of Privilege). CWE-416: Use-After-Free, which allows a local authenticated attacker to elevate privileges.

Microsoft’s May 2025 Patch Tuesday was particularly substantial, addressing 78 vulnerabilities. The distribution by severity shows that the majority (66) are classified as "Important", 11 vulnerabilities are classified as "Critical", and require immediate attention. Key trends observed this month include:

  • Elevation of Privilege vulnerability mitigation: The majority of the fixes (especially among the priority ones) are aimed at mitigating Elevation of Privilege vulnerabilities. This indicates that Microsoft is continuing to strengthen the security of Windows and related components.
  • Vulnerabilities in Microsoft Office and related applications: A large number of vulnerabilities (mainly Remote Code Execution) were discovered in Microsoft Office, including Excel and PowerPoint. This underscores the importance of regularly updating these applications, as they are often targeted by attackers.
  • Vulnerabilities in cloud services: Fixes for Azure DevOps Server, Azure Automation, Azure Storage, and other cloud services indicate the growing complexity of ensuring security in cloud infrastructures.
  • Remote Code Execution vulnerabilities: The significant number of vulnerabilities allowing remote code execution require special attention, as they can be used to compromise systems without requiring physical access.
  • Vulnerabilities in Windows components: The discovery of vulnerabilities in key Windows components, such as Windows Media, Remote Desktop Services, and the Windows Kernel, underscores the need for a comprehensive approach to ensuring the security of the operating system. In general, the May 2025 Patch Tuesday demonstrates a wide range of vulnerabilities affecting various Microsoft products and services. It is recommended to prioritize the installation of updates, especially for vulnerabilities with a high severity rating and those that are actively being exploited.

Full List of Vulnerabilities

Below is a table of all vulnerabilities fixed this month.

CVETitleTypeCVSSSeverityExploitedPublicly Disclosed
CVE-2025-30400Microsoft DWM Core Library Elevation of Privilege VulnerabilityElevation of Privilege7.8ImportantYesNo
CVE-2025-32701Windows Common Log File System Driver Elevation of Privilege VulnerabilityElevation of Privilege7.8ImportantYesNo
CVE-2025-32702Visual Studio Remote Code Execution VulnerabilityRemote Code Execution7.8ImportantNoYes
CVE-2025-32706Windows Common Log File System Driver Elevation of Privilege VulnerabilityElevation of Privilege7.8ImportantYesNo
CVE-2025-32709Windows Ancillary Function Driver for WinSock Elevation of Privilege VulnerabilityElevation of Privilege7.8ImportantYesNo
CVE-2025-30397Scripting Engine Memory Corruption VulnerabilityRemote Code Execution7.5ImportantYesNo
CVE-2025-26685Microsoft Defender for Identity Spoofing VulnerabilitySpoofing6.5ImportantNoYes
CVE-2025-29813Azure DevOps Server Elevation of Privilege VulnerabilityElevation of Privilege10.0CriticalNoNo
CVE-2025-29827Azure Automation Elevation of Privilege VulnerabilityElevation of Privilege9.9CriticalNoNo
CVE-2025-29972Azure Storage Resource Provider Spoofing VulnerabilitySpoofing9.9CriticalNoNo
CVE-2025-30387Document Intelligence Studio On-Prem Elevation of Privilege VulnerabilityElevation of Privilege9.8ImportantNoNo
CVE-2025-47733Microsoft Power Apps Information Disclosure VulnerabilityInformation Disclosure9.1CriticalNoNo
CVE-2025-29840Windows Media Remote Code Execution VulnerabilityRemote Code Execution8.8ImportantNoNo
CVE-2025-29962Windows Media Remote Code Execution VulnerabilityRemote Code Execution8.8ImportantNoNo
CVE-2025-29963Windows Media Remote Code Execution VulnerabilityRemote Code Execution8.8ImportantNoNo
CVE-2025-29964Windows Media Remote Code Execution VulnerabilityRemote Code Execution8.8ImportantNoNo
CVE-2025-29966Remote Desktop Client Remote Code Execution VulnerabilityRemote Code Execution8.8CriticalNoNo
CVE-2025-29967Remote Desktop Client Remote Code Execution VulnerabilityRemote Code Execution8.8CriticalNoNo
CVE-2025-47732Microsoft Dataverse Remote Code Execution VulnerabilityRemote Code Execution8.7CriticalNoNo
CVE-2025-30377Microsoft Office Remote Code Execution VulnerabilityRemote Code Execution8.4CriticalNoNo
CVE-2025-30386Microsoft Office Remote Code Execution VulnerabilityRemote Code Execution8.4CriticalNoNo
CVE-2025-32704Microsoft Excel Remote Code Execution VulnerabilityRemote Code Execution8.4ImportantNoNo
CVE-2025-33072Microsoft msagsfeedback.azurewebsites.net Information Disclosure VulnerabilityInformation Disclosure8.1CriticalNoNo
CVE-2025-26646.NET, Visual Studio, and Build Tools for Visual Studio Spoofing VulnerabilitySpoofing8.0ImportantNoNo
CVE-2025-24063Kernel Streaming Service Driver Elevation of Privilege VulnerabilityElevation of Privilege7.8ImportantNoNo
CVE-2025-29970Microsoft Brokering File System Elevation of Privilege VulnerabilityElevation of Privilege7.8ImportantNoNo
CVE-2025-29975Microsoft PC Manager Elevation of Privilege VulnerabilityElevation of Privilege7.8ImportantNoNo
CVE-2025-29976Microsoft SharePoint Server Elevation of Privilege VulnerabilityElevation of Privilege7.8ImportantNoNo
CVE-2025-29977Microsoft Excel Remote Code Execution VulnerabilityRemote Code Execution7.8ImportantNoNo
CVE-2025-29978Microsoft PowerPoint Remote Code Execution VulnerabilityRemote Code Execution7.8ImportantNoNo
CVE-2025-29979Microsoft Excel Remote Code Execution VulnerabilityRemote Code Execution7.8ImportantNoNo
CVE-2025-30375Microsoft Excel Remote Code Execution VulnerabilityRemote Code Execution7.8ImportantNoNo
CVE-2025-30376Microsoft Excel Remote Code Execution VulnerabilityRemote Code Execution7.8ImportantNoNo
CVE-2025-30379Microsoft Excel Remote Code Execution VulnerabilityRemote Code Execution7.8ImportantNoNo
CVE-2025-30381Microsoft Excel Remote Code Execution VulnerabilityRemote Code Execution7.8ImportantNoNo
CVE-2025-30382Microsoft SharePoint Server Remote Code Execution VulnerabilityRemote Code Execution7.8ImportantNoNo
CVE-2025-30383Microsoft Excel Remote Code Execution VulnerabilityRemote Code Execution7.8ImportantNoNo
CVE-2025-30385Windows Common Log File System Driver Elevation of Privilege VulnerabilityElevation of Privilege7.8ImportantNoNo
CVE-2025-30388Windows Graphics Component Remote Code Execution VulnerabilityRemote Code Execution7.8ImportantNoNo
CVE-2025-30393Microsoft Excel Remote Code Execution VulnerabilityRemote Code Execution7.8ImportantNoNo
CVE-2025-32705Microsoft Outlook Remote Code Execution VulnerabilityRemote Code Execution7.8ImportantNoNo
CVE-2025-32707NTFS Elevation of Privilege VulnerabilityElevation of Privilege7.8ImportantNoNo
CVE-2025-26677Windows Remote Desktop Gateway (RD Gateway) Denial of Service VulnerabilityDenial of Service7.5ImportantNoNo
CVE-2025-29831Windows Remote Desktop Services Remote Code Execution VulnerabilityRemote Code Execution7.5ImportantNoNo
CVE-2025-29842UrlMon Security Feature Bypass VulnerabilitySecurity Feature Bypass7.5ImportantNoNo
CVE-2025-29969MS-EVEN RPC Remote Code Execution VulnerabilityRemote Code Execution7.5ImportantNoNo
CVE-2025-29971Web Threat Defense (WTD.sys) Denial of Service VulnerabilityDenial of Service7.5ImportantNoNo
CVE-2025-29838Windows ExecutionContext Driver Elevation of Privilege VulnerabilityElevation of Privilege7.4ImportantNoNo
CVE-2025-30384Microsoft SharePoint Server Remote Code Execution VulnerabilityRemote Code Execution7.4ImportantNoNo
CVE-2025-29826Microsoft Dataverse Elevation of Privilege VulnerabilityElevation of Privilege7.3ImportantNoNo
CVE-2025-21264Visual Studio Code Security Feature Bypass VulnerabilitySecurity Feature Bypass7.1ImportantNoNo
CVE-2025-29833Microsoft Virtual Machine Bus (VMBus) Remote Code Execution VulnerabilityRemote Code Execution7.1CriticalNoNo
CVE-2025-27468Windows Kernel-Mode Driver Elevation of Privilege VulnerabilityElevation of Privilege7.0ImportantNoNo
CVE-2025-29841Universal Print Management Service Elevation of Privilege VulnerabilityElevation of Privilege7.0ImportantNoNo
CVE-2025-29973Microsoft Azure File Sync Elevation of Privilege VulnerabilityElevation of Privilege7.0ImportantNoNo
CVE-2025-30378Microsoft SharePoint Server Remote Code Execution VulnerabilityRemote Code Execution7.0ImportantNoNo
CVE-2025-26684Microsoft Defender Elevation of Privilege VulnerabilityElevation of Privilege6.7ImportantNoNo
CVE-2025-27488Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege VulnerabilityElevation of Privilege6.7ImportantNoNo
CVE-2025-29825Microsoft Edge (Chromium-based) Spoofing VulnerabilitySpoofing6.5LowNoNo
CVE-2025-29830Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityInformation Disclosure6.5ImportantNoNo
CVE-2025-29832Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityInformation Disclosure6.5ImportantNoNo
CVE-2025-29835Windows Remote Access Connection Manager Information Disclosure VulnerabilityInformation Disclosure6.5ImportantNoNo
CVE-2025-29836Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityInformation Disclosure6.5ImportantNoNo
CVE-2025-29958Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityInformation Disclosure6.5ImportantNoNo
CVE-2025-29959Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityInformation Disclosure6.5ImportantNoNo
CVE-2025-29960Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityInformation Disclosure6.5ImportantNoNo
CVE-2025-29961Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityInformation Disclosure6.5ImportantNoNo
CVE-2025-29968Active Directory Certificate Services (AD CS) Denial of Service VulnerabilityDenial of Service6.5ImportantNoNo
CVE-2025-29955Windows Hyper-V Denial of Service VulnerabilityDenial of Service6.2ImportantNoNo
CVE-2025-29957Windows Deployment Services Denial of Service VulnerabilityDenial of Service6.2ImportantNoNo
CVE-2025-29954Windows Lightweight Directory Access Protocol (LDAP) Denial of Service VulnerabilityDenial of Service5.9ImportantNoNo
CVE-2025-30394Windows Remote Desktop Gateway (RD Gateway) Denial of Service VulnerabilityDenial of Service5.9ImportantNoNo
CVE-2025-29974Windows Kernel Information Disclosure VulnerabilityInformation Disclosure5.7ImportantNoNo
CVE-2025-29829Windows Trusted Runtime Interface Driver Information Disclosure VulnerabilityInformation Disclosure5.5ImportantNoNo
CVE-2025-29837Windows Installer Information Disclosure VulnerabilityInformation Disclosure5.5ImportantNoNo
CVE-2025-32703Visual Studio Information Disclosure VulnerabilityInformation Disclosure5.5ImportantNoNo
CVE-2025-29956Windows SMB Information Disclosure VulnerabilityInformation Disclosure5.4ImportantNoNo
CVE-2025-29839Windows Multiple UNC Provider Driver Information Disclosure VulnerabilityInformation Disclosure4.0ImportantNoNo

Conclusion

May's Patch Tuesday 2025 requires organizations to take a proactive approach to vulnerability management. The focus on fixes for Windows, cloud services, and developer products indicates an expansion of the attack surface and the need for a comprehensive security strategy. In addition to installing updates, it is recommended to analyze the impact of vulnerabilities on a specific infrastructure and consider additional security measures, such as network segmentation and enhanced monitoring. Given the wide range of affected products, automating the update process and regularly scanning for vulnerabilities will become key factors in maintaining a secure environment. It is important to note that the lack of information about active exploitation of vulnerabilities at the moment does not justify a decrease in the priority of their elimination. Information about vulnerabilities becomes publicly available, and attackers can quickly develop exploits, even if they have not yet been detected in the wild. Therefore, timely patching remains critically important for preventing potential attacks and protecting against future threats.

Paranoid Security How Attackers Abuse Signed Drivers to Take Over Infrastructure. Using BYOVD to Bypass PPL Protection Mechanisms in Windows. February 5
Vulnerability Research How Attackers Abuse Signed Drivers to Take Over Infrastructure. Using BYOVD to Bypass PPL Protection Mechanisms in Windows.
Paranoid Security Microsoft Patch Tuesday Analysis – January 2026 January 13
MS Patch Tuesday Microsoft Patch Tuesday Analysis – January 2026
Paranoid Security FortiOS 8.0 firmware analysis & rootfs decryption January 12
FortiOS 8.0 firmware analysis & rootfs decryption