Full Report
Microsoft addressed over 1,100 CVEs as part of Patch Tuesday releases in 2025, including 40 zero-day vulnerabilities.Key takeaways:Microsoft's 2025 Patch Tuesday releases addressed 1,130 CVEs for a second year in a row where the CVE count was over 1,000. Elevation of Privilege vulnerabilities accounted for 38.3% of all Patch Tuesday vulnerabilities in 2025, with Remote Code Execution flaws trailing at 30.8%. In 2025, Microsoft's Patch Tuesday updates addressed 41 zero-day vulnerabilities.BackgroundMicrosoft’s Patch Tuesday, a monthly release of software patches for Microsoft products, has just celebrated its 22nd anniversary. The Tenable Research Special Operations Team (RSO) first covered the 20th anniversary in 2023, followed by our 2024 year in review publication, covering the trends and significant vulnerabilities from the 2024 Patch Tuesday releases.AnalysisIn 2025, Microsoft patched 1,130 CVEs throughout the year across a number of products. This was a 12% increase compared to 2024, when Microsoft patched 1,009 CVEs. With another year of Patch Tuesday releases behind us, Microsoft has yet to break its 2020 record with 1,245 CVE’s patched. However, this is the second year in a row that Microsoft crossed the 1,000 CVE threshold, and the third time since Patch Tuesday’s inception.In 2025, Microsoft broke its record for the most CVEs patched in a month twice. The year started off with the largest Patch Tuesday release with 157 CVEs patched. This record was broken again in October with 167 CVEs patched.Patch Tuesday 2025 by severityEach month, Microsoft categorizes vulnerabilities into four main severity levels: low, moderate, important and critical.Over the last three years, the bulk of the Patch Tuesday vulnerabilities continue to be rated as important, accounting for 91.3% of all CVEs patched, followed by critical at 8.1%. Moderate accounted for 0.4%, while there were no CVEs rated as low in 2025.Patch Tuesday 2025 by impactIn addition to severity levels, Microsoft also categorizes vulnerabilities by seven impact levels: remote code execution (RCE), elevation of privilege (EoP), denial of service (DoS), information disclosure, spoofing, security feature bypass and tampering.In 2024, RCE vulnerabilities led the impact category, however 2025 saw EoP vulnerabilities taking the lead with 38.3% of all Patch Tuesday vulnerabilities. RCE accounted for 30.8%, followed by information disclosure flaws at 14.2% and DoS vulnerabilities at 7.7%. In a strange coincidence, this year there were only 4 CVEs categorized as tampering, which was the same in 2024. In both 2024 and 2025, tampering flaws accounted for only 0.4%.Patch Tuesday 2025 zero-day vulnerabilitiesIn 2025, Microsoft patched 41 CVEs that were identified as zero-day vulnerabilities. Of the 41 CVEs, 24 were exploited in the wild. While not all zero-days were exploited, we classify zero-days as those vulnerabilities that were disclosed prior to being patched by the vendor.Looking deeper at the 24 CVEs that were exploited in the wild, 62.5% were EoP flaws. EoP vulnerabilities are often leveraged by advanced persistent threat (APT) actors and determined cybercriminals seeking to elevate privileges as part of post-compromise activity. Following EoP flaws, RCEs were the second most prominent vulnerabilities across Patch Tuesday, accounting for 20.8% of zero-day flaws.While only a small number of zero-days were addressed as part of 2025’s Patch Tuesday releases, we took a deeper dive into some of the more notable zero-days from the year. The table below includes these CVEs along with details on their exploitation activity.CVEDescriptionExploitation ActivityCVE-2025-24983Windows Win32 Kernel Subsystem Elevation of Privilege VulnerabilityUsed with the PipeMagic backdoor to spread ransomware.CVE-2025-29824Windows Common Log File System Driver Elevation of Privilege VulnerabilityExploited by Storm-2460, also known as RansomEXX. Abused by the PipeMagic backdoor in order to spread ransomware.CVE-2025-26633Microsoft Management Console Security Feature Bypass VulnerabilityExploited by Water Gamayu (aka EncryptHub, Larva-208) to deploy the MSC EvilTwin trojan loader. The attack campaigns also saw several malware variants abused, including EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, Stealc and the Rhadamanthys stealer.CVE-2025-33053Internet Shortcut Files Remote Code Execution VulnerabilityExploited by the APT known as Stealth Falcon (aka FruityArmor, G0038) to deploy Horus Agent malware.CVE-2025-49704Microsoft SharePoint Remote Code Execution VulnerabilityExploited by multiple APTs and nation-state actors including Linen Typhoon (aka Emissary Panda), Violet Typhoon, Storm-2603 and Warlock ransomware (aka GOLD SALEM). Chained with CVE-2025-49706 in an attack dubbed ToolShell.CVE-2025-49706Microsoft SharePoint Server Spoofing VulnerabilityExploited by multiple APTs and nation-state actors including Linen Typhoon (aka Emissary Panda), Violet Typhoon, Storm-2603 and Warlock ransomware (aka GOLD SALEM). Chained with CVE-2025-49704 in an attack dubbed ToolShell.ConclusionWith 2025’s Patch Tuesday releases in our rear-view mirror, it’s evident that we continue to see an upward trend in the number of vulnerabilities addressed year over year by Microsoft. With the lion's share of the market for operating systems, it’s imperative that defenders are quick to apply patches on the monthly release of Patch Tuesday updates. Attackers are often opportunistic and ready to capitalize on the latest exploitable vulnerabilities. As always, the RSO team will continue our monthly cadence of Patch Tuesday blogs, ensuring our readers have the actionable information necessary to take immediate action and improve their organization's security posture.Get more informationTenable Blog: Microsoft Patch Tuesday 2024 Year in ReviewTenable Blog: Microsoft Patch Tuesday 2023 Year in ReviewJoin Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Analysis Summary
As a vulnerability research specialist, here is the actionable summary based on the provided context regarding Microsoft's 2025 Patch Tuesday releases:
---
## 2025 Microsoft Patch Tuesday Overview Summary
In 2025, Microsoft patched **1,130 CVEs**, marking the second consecutive year exceeding 1,000 vulnerabilities addressed. Elevation of Privilege (EoP) vulnerabilities were the most common impact type, and 41 zero-day vulnerabilities were addressed, 24 of which were confirmed to be exploited in the wild.
### Key Trend Analysis:
* **Volume:** 1,130 CVEs patched (12% increase from 2024).
* **Dominant Impact:** **Elevation of Privilege (EoP)** at 38.3%, followed by Remote Code Execution (RCE) at 30.8%.
* **Severity Focus:** 91.3% of vulnerabilities were rated **Important**, and 8.1% were rated **Critical**. No low-severity vulnerabilities were present.
* **Zero-Days:** 41 zero-days addressed; 62.5% of exploited zero-days were EoP flaws, indicating a focus by threat actors on post-compromise privilege escalation.
---
## Featured Zero-Day Vulnerability Summaries (Exploited in the Wild)
The context provided specific details on several notable, actively exploited vulnerabilities from the 2025 Patch Tuesday disclosures.
### Vulnerability: Windows Win32 Kernel Subsystem EoP (PipeMagic Context)
## CVE Details
- CVE ID: CVE-2025-24983
- CVSS Score: *Not explicitly provided in text* (Severity likely High/Critical given exploitation context)
- CWE: *Not explicitly provided in text*
## Affected Systems
- Products: Windows Win32 Kernel Subsystem
- Versions: *Not specified*
- Configurations: *Not specified*
## Vulnerability Description
An Elevation of Privilege (EoP) vulnerability within the Windows Win32 Kernel Subsystem.
## Exploitation
- Status: Exploited in the wild
- Complexity: *Inferred Medium/High based on kernel context*
- Attack Vector: *Likely Local or requires initial foothold*
## Impact
- Confidentiality: *Not specified*
- Integrity: High (Enables system changes via elevated context)
- Availability: *Not specified*
## Remediation
### Patches
- **Action:** Apply the relevant Microsoft security update addressing CVE-2025-24983.
### Workarounds
- *No specific workarounds provided in the text.*
## Detection
- **Indicators of Compromise:** Association with the **PipeMagic backdoor** malware used for ransomware spreading.
- **Detection Methods and Tools:** Monitor kernel-level activity deviations.
## References
- Vendor advisories: Microsoft Patch Tuesday [Year not specified, implied 2025]
---
### Vulnerability: Windows Common Log File System Driver EoP (RansomEXX/PipeMagic Context)
## CVE Details
- CVE ID: CVE-2025-29824
- CVSS Score: *Not explicitly provided in text*
- CWE: *Not explicitly provided in text*
## Affected Systems
- Products: Windows Common Log File System Driver
- Versions: *Not specified*
- Configurations: *Not specified*
## Vulnerability Description
An Elevation of Privilege (EoP) vulnerability residing in the Windows Common Log File System Driver.
## Exploitation
- Status: Exploited in the wild
- Complexity: *Inferred Medium/High*
- Attack Vector: *Likely Local or requires initial foothold*
## Impact
- Confidentiality: *Not specified*
- Integrity: High
- Availability: *Not specified*
## Remediation
### Patches
- **Action:** Apply the relevant Microsoft security update addressing CVE-2025-29824.
### Workarounds
- *No specific workarounds provided in the text.*
## Detection
- **Indicators of Compromise:** Activity linked to threat actor **Storm-2460 (RansomEXX)** and reuse by the **PipeMagic backdoor**.
- **Detection Methods and Tools:** Monitor driver manipulation and suspected kernel interaction.
## References
- Vendor advisories: Microsoft Patch Tuesday [Year not specified, implied 2025]
---
### Vulnerability: Microsoft Management Console Security Feature Bypass (Water Gamayu Context)
## CVE Details
- CVE ID: CVE-2025-26633
- CVSS Score: *Not explicitly provided in text*
- CWE: Security Feature Bypass
## Affected Systems
- Products: Microsoft Management Console (MMC)
- Versions: *Not specified*
- Configurations: *Not specified*
## Vulnerability Description
A Security Feature Bypass vulnerability in the Microsoft Management Console.
## Exploitation
- Status: Exploited in the wild
- Complexity: *Inferred Low/Medium*
- Attack Vector: *Likely User Interaction Required*
## Impact
- Confidentiality: *Not specified*
- Integrity: *Not specified*
- Availability: *Not specified*
## Remediation
### Patches
- **Action:** Apply the relevant Microsoft security update addressing CVE-2025-26633.
### Workarounds
- *No specific workarounds provided in the text.*
## Detection
- **Indicators of Compromise:** Deployment of the **MSC EvilTwin trojan loader** by threat actor **Water Gamayu**. Associated malware included EncryptHub stealer, DarkWisp, SilentPrism, Stealc, and Rhadamanthys stealer.
- **Detection Methods and Tools:** Monitor for the execution of these specific malware families.
## References
- Vendor advisories: Microsoft Patch Tuesday [Year not specified, implied 2025]
---
### Vulnerability: Internet Shortcut Files RCE (Stealth Falcon Context)
## CVE Details
- CVE ID: CVE-2025-33053
- CVSS Score: *Not explicitly provided in text*
- CWE: Remote Code Execution (RCE)
## Affected Systems
- Products: Internet Shortcut Files component
- Versions: *Not specified*
- Configurations: *Potentially involving malicious file handling/opening*
## Vulnerability Description
A Remote Code Execution (RCE) vulnerability affecting Internet Shortcut Files.
## Exploitation
- Status: Exploited in the wild
- Complexity: *Inferred Low (often achievable via file open)*
- Attack Vector: *Likely Network/Local File Access*
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- **Action:** Apply the relevant Microsoft security update addressing CVE-2025-33053.
### Workarounds
- *No specific workarounds provided in the text.*
## Detection
- **Indicators of Compromise:** Used by APT group **Stealth Falcon** (FruityArmor, G0038) to deploy **Horus Agent malware**.
- **Detection Methods and Tools:** Deploy controls focusing on suspicious execution paths following the processing of internet shortcut files.
## References
- Vendor advisories: Microsoft Patch Tuesday [Year not specified, implied 2025]
---
### Vulnerability: Chained Microsoft SharePoint Flaws (ToolShell Attack)
The context highlights two vulnerabilities chained together in a significant attack designated **ToolShell**:
#### 1. RCE Flaw (CVE-2025-49704)
## CVE Details
- CVE ID: CVE-2025-49704
- CVSS Score: *Not explicitly provided in text*
- CWE: Remote Code Execution (RCE)
## Affected Systems
- Products: Microsoft SharePoint
- Versions: *Not specified*
- Configurations: *Not specified*
## Vulnerability Description
A Remote Code Execution (RCE) vulnerability in Microsoft SharePoint Server.
## Exploitation
- Status: Exploited in the wild
- Complexity: *Inferred Medium/High (part of a chain)*
- Attack Vector: *Likely Network*
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- **Action:** Apply the relevant Microsoft security update addressing CVE-2025-49704 **AND** chain vulnerability CVE-2025-49706.
### Workarounds
- *No specific workarounds provided in the text.*
## Detection
- **Indicators of Compromise:** Used by multiple APTs including **Linen Typhoon, Violet Typhoon, Storm-2603, and Warlock ransomware**, as part of the **ToolShell** attack chain.
- **Detection Methods and Tools:** Focus on SharePoint application and web traffic anomalies.
## References
- Vendor advisories: Microsoft Patch Tuesday [Year not specified, implied 2025]
#### 2. Spoofing Flaw (CVE-2025-49706)
## CVE Details
- CVE ID: CVE-2025-49706
- CVSS Score: *Not explicitly provided in text*
- CWE: Spoofing
## Affected Systems
- Products: Microsoft SharePoint Server
- Versions: *Not specified*
- Configurations: *Not specified*
## Vulnerability Description
A Spoofing vulnerability found in Microsoft SharePoint Server, leveraged in tandem with CVE-2025-49704.
## Exploitation
- Status: Exploited in the wild
- Complexity: *Inferred Medium/High (part of a chain)*
- Attack Vector: *Likely Network*
## Impact
- Confidentiality: *Not specified*
- Integrity: *Not specified*
- Availability: *Not specified*
## Remediation
### Patches
- **Action:** Apply the relevant Microsoft security update addressing CVE-2025-49706 **AND** chain vulnerability CVE-2025-49704.
### Workarounds
- *No specific workarounds provided in the text.*
## Detection
- **Indicators of Compromise:** Associated with the **ToolShell** attack chain involving APTs **Linen Typhoon, Violet Typhoon, Storm-2603, and Warlock ransomware**.
- **Detection Methods and Tools:** Monitor SharePoint authentication and request flows that might indicate successful session hijacking or credential misuse.
## References
- Vendor advisories: Microsoft Patch Tuesday [Year not specified, implied 2025]