Microsoft’s May 2025 Patch Tuesday: Five New Zero-Days Exploited, 72 Flaws Patched: What You Need to Know

Yesterday, Microsoft released its latest Patch Tuesday security updates, addressing a total of 72 vulnerabilities across its product portfolio-including Windows, Office, Azure, and more. This month’s update is especially urgent, as it patches five zero-day vulnerabilities already being exploited in the wild and two additional flaws that were publicly disclosed prior to the release.

May 2025 Patch Tuesday Breakdown

This month’s Patch Tuesday covers a wide range of vulnerability types:

• 17 Elevation of Privilege Vulnerabilities

• 28 Remote Code Execution (RCE) Vulnerabilities

• 15 Information Disclosure Vulnerabilities

• 7 Denial of Service (DoS) Vulnerabilities

• 2 Security Feature Bypass Vulnerabilities

• 2 Spoofing Vulnerabilities

Microsoft’s security team and external researchers have flagged several of these issues as top priorities for immediate patching, especially those already exploited by attackers.

The Five Actively Exploited Zero-Days

Security experts are urging organizations and individual users to prioritize patching the following five zero-day vulnerabilities, all of which have been observed under active attack123458:

CVE-2025-30400 (DWM Core Library):
This flaw allows attackers with basic network rights to exploit a use-after-free vulnerability in the Desktop Window Manager, granting SYSTEM-level privileges. It affects Windows 10, 11, and Windows Server 2025.

CVE-2025-32701 & CVE-2025-32706 (CLFS Driver):
Both are elevation of privilege vulnerabilities in the Common Log File System Driver, a critical Windows component. Attackers with initial access can escalate privileges to SYSTEM, potentially disabling security tools or harvesting credentials for lateral movement.

CVE-2025-32709 (WinSock):
This vulnerability in the Windows Ancillary Function Driver for WinSock allows attackers to elevate privileges to full administrator through a use-after-free attack.

CVE-2025-30397 (Scripting Engine):
A memory corruption issue in the Microsoft Scripting Engine can be exploited for remote code execution, particularly via Edge in Internet Explorer mode if a user visits a malicious website.

Two Publicly Disclosed Zero-Days

In addition to the actively exploited flaws, Microsoft patched two zero-days that were publicly disclosed before a fix was available:

CVE-2025-26685: Microsoft Defender for Identity Spoofing Vulnerability. Allows attackers with LAN access to perform spoofing and potentially obtain NTLM hashes, raising credential theft concerns.

CVE-2025-32702: Visual Studio Remote Code Execution Vulnerability. Allows local attackers to execute arbitrary code via Visual Studio.

The presence of multiple zero-days under active exploitation significantly increases the risk for unpatched systems. Attackers are leveraging these vulnerabilities to escalate privileges and execute malicious code, often as part of broader campaigns targeting both enterprises and individuals.

Recommendations

• Patch Immediately: Organizations and users should apply the May 2025 updates as soon as possible, especially on Windows 10, Windows 11, and Windows Server systems.

• Review Microsoft’s Security Update Guide: Full details and patch downloads are available on Microsoft’s official May 2025 Security Update Guide.

• Monitor for Exploitation: Security teams should monitor for unusual privilege escalation or credential harvesting activity, as attackers are actively exploiting these vulnerabilities.

With five zero-days already being exploited and two more publicly disclosed, the May 2025 Patch Tuesday is one of the most critical security updates in recent months. Organizations and users are strongly advised to patch immediately to protect against privilege escalation, remote code execution, and credential theft attacks targeting Windows, Office, Azure, and other Microsoft products.

For more Microsoft security news, updates, and how-to guides, visit msftnewsnow.com.