Full Report
Microsoft has released its monthly security update for May of 2025 which includes 78 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “critical”. Microsoft noted five vulnerabilities that have been observed to be exploited in the wild. CVE-2025-30397 is a remote code
Analysis Summary
# Vulnerability: May 2025 Microsoft Security Updates (78 Vulnerabilities, 5 Exploited in Wild)
## CVE Details
- CVE ID: Multiple (e.g., CVE-2025-30397, CVE-2025-32709, CVE-2025-30386, etc.)
- CVSS Score: Varies by CVE; the critical entries cited in this summary carry base scores of 8.3, 8.4 and 8.8 (see each CVE's MSRC Update Guide entry for the full vector).
- CWE: Not given per CVE in the summary; the weakness classes named on this page are use-after-free (CWE-416), heap-based buffer overflow (CWE-122), and time-of-check/time-of-use race condition (CWE-367).
## Affected Systems
- Products: Microsoft Scripting Engine, Ancillary Function Driver for WinSock, DWM Core Library, Windows Common Log File System Driver, Microsoft Office, Azure ML Compute, Nuance PowerScribe 360, Remote Desktop Client, Virtual Machine Bus, Kernel Streaming Service Driver, Universal Print Management Service, Web Threat Defense (WTD.sys), Microsoft SharePoint Server, Windows Graphics Component, and others.
- Versions: Not explicitly detailed in the summary (refer to vendor advisory for specifics).
- Configurations: Varies by vulnerability. The Remote Desktop Client flaws require the vulnerable client to connect to an attacker-controlled RDP server; the Office RCE (CVE-2025-30386) is triggered when the victim views an attacker-supplied email, with the Preview Pane as an attack vector.
## Vulnerability Description
Microsoft released fixes for 78 vulnerabilities, 11 of which are rated "Critical." Five are being actively exploited in the wild: Remote Code Execution (RCE) in the Scripting Engine, and Elevation of Privilege (EoP) in the Ancillary Function Driver for WinSock, the DWM Core Library, and the Common Log File System (CLFS) driver. The remainder of the release covers RCE, EoP and information-disclosure bugs in productivity and platform components.
**Key Vulnerabilities Highlighted:**
* **CVE-2025-30386 (Office RCE - Critical):** A Use-After-Free scenario in Microsoft Office. Exploitation is rated "More likely," requiring only that a victim view an email sent by the attacker (no clicks necessary).
* **CVE-2025-30377 (Office RCE - Critical):** RCE in Microsoft Office with an assessed low attack complexity.
* **CVE-2025-29966/CVE-2025-29967 (RDP Client RCE - Critical):** Heap-based Buffer Overflows triggered when a vulnerable client connects to a malicious Remote Desktop Server.
* **CVE-2025-29833 (VMBus RCE - Critical):** A Time-of-check Time-of-use (TOCTOU) race condition.
## Exploitation
- Status: **Five vulnerabilities actively exploited in the wild** (CVE-2025-30397, CVE-2025-32709, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, per the MSRC links below). Three further critical vulnerabilities (CVE-2025-30386, CVE-2025-30390, CVE-2025-30398) are not yet exploited but are marked "Exploitation more likely."
- Complexity: Varies from **Low** (e.g., CVE-2025-30386, no user click beyond viewing the message) to **High** (e.g., CVE-2025-29833, which requires winning a race condition).
- Attack Vector: Network for the Remote Desktop Client and Scripting Engine flaws; Local for the driver EoPs. Note that Microsoft scores document- and email-borne Office RCEs such as CVE-2025-30386 as Local (AV:L) because the malicious content is processed on the endpoint, even though delivery is remote, so do not filter on AV:N alone when prioritising.
## Impact
The summary does not reproduce the per-CVE CVSS vectors; a Critical RCE such as the Office or Remote Desktop Client flaws implies High impact on Confidentiality, Integrity and Availability if exploited, and the actively exploited EoPs let an attacker who already has local code execution reach SYSTEM, which in practice is the second stage of a chain that started with a browser or document RCE.
## Remediation
### Patches
- Apply the May 2025 security updates released by Microsoft.
- Specific fixed versions are not listed in the summary; the fixes ship in the May 2025 cumulative updates (or monthly rollups for older platforms), and the KB number for each product is given in the corresponding CVE's MSRC Update Guide entry.
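Below is an added example, not code from the advisory or from Microsoft, showing how a patch-management team can triage a month's MSRC release programmatically instead of reading 78 entries by hand. It consumes the CVRF JSON document that backs the MSRC Update Guide (the `api.msrc.microsoft.com/cvrf/v3.0/cvrf/2025-May` endpoint is real; the field layout used here, `Vulnerability[].CVE`, `.Title.Value`, `.Threats[].Description.Value`, `.Remediations[].Description.Value`/`.ProductID` and `ProductTree.FullProductName`, is assumed from that format), pulls out every CVE whose exploit-status string says `Exploited:Yes` plus a watch-list of the CVEs named on this page, and maps each to the KB numbers that fix it. The embedded `SAMPLE_CVRF` is a constructed stand-in with placeholder product IDs and KB numbers so the script runs offline; `fetch_cvrf` does the live download.

```python
"""Triage one month of Microsoft's CVRF feed (the data behind the MSRC Update
Guide): list the CVEs flagged as exploited in the wild plus a fixed watch-list,
with the KB numbers that fix them.  Added example, not code from the advisory."""
import json
import re
import urllib.request

# MSRC CVRF v3 endpoint; the month slug is e.g. "2025-May".
MSRC_CVRF = "https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/{month}"

# CVEs named in this advisory; which ones to watch is this example's assumption.
WATCH_LIST = {
    "CVE-2025-30397", "CVE-2025-32709", "CVE-2025-30400", "CVE-2025-32701",
    "CVE-2025-32706", "CVE-2025-30386", "CVE-2025-30377", "CVE-2025-29966",
    "CVE-2025-29967", "CVE-2025-29833",
}


def fetch_cvrf(month: str) -> dict:
    """Download a month's CVRF document as JSON (needs network; the demo is offline)."""
    req = urllib.request.Request(MSRC_CVRF.format(month=month),
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def exploit_status(vuln: dict) -> dict:
    """Parse the 'Publicly Disclosed:No;Exploited:Yes;Latest Software Release:...'
    threat string into a dict.  Matched by content, not by the numeric Threat Type."""
    for threat in vuln.get("Threats", []):
        text = threat.get("Description", {}).get("Value", "")
        if "Exploited:" in text:
            return dict(kv.split(":", 1) for kv in text.split(";") if ":" in kv)
    return {}


def triage(cvrf: dict, watch: set = WATCH_LIST) -> list:
    """Exploited-in-the-wild CVEs first, then watch-listed ones, each with the
    KB -> affected-product mapping taken from its vendor-fix remediations."""
    products = {p["ProductID"]: p["Value"]
                for p in cvrf.get("ProductTree", {}).get("FullProductName", [])}
    rows = []
    for vuln in cvrf.get("Vulnerability", []):
        cve = vuln.get("CVE", "")
        status = exploit_status(vuln)
        exploited = status.get("Exploited", "").strip().lower() == "yes"
        if not (exploited or cve in watch):
            continue
        kbs = {}
        for rem in vuln.get("Remediations", []):
            kb = rem.get("Description", {}).get("Value", "")
            # Vendor-fix entries carry a bare KB number; "Release Notes" etc. are skipped.
            if re.fullmatch(r"\d{6,8}", kb):
                for pid in rem.get("ProductID", []):
                    kbs.setdefault("KB" + kb, set()).add(products.get(pid, pid))
        rows.append({
            "cve": cve,
            "title": vuln.get("Title", {}).get("Value", ""),
            "exploited": exploited,
            "likelihood": status.get("Latest Software Release", ""),
            "kbs": {k: sorted(v) for k, v in kbs.items()},
        })
    return sorted(rows, key=lambda r: (not r["exploited"], r["cve"]))


# Constructed sample in the CVRF JSON shape.  Product IDs and KB numbers are
# placeholders, not Microsoft's; the titles follow the advisory.
SAMPLE_CVRF = {
    "ProductTree": {"FullProductName": [
        {"ProductID": "P1", "Value": "Windows 11 Version 24H2 for x64-based Systems"},
        {"ProductID": "P2", "Value": "Windows Server 2022"},
        {"ProductID": "P3", "Value": "Remote Desktop client for Windows Desktop"},
    ]},
    "Vulnerability": [
        {"CVE": "CVE-2025-30397",
         "Title": {"Value": "Scripting Engine Memory Corruption Vulnerability"},
         "Threats": [
             {"Type": 0, "Description": {"Value": "Remote Code Execution"}},
             {"Type": 1, "Description": {"Value": "Publicly Disclosed:No;Exploited:Yes;"
                                                   "Latest Software Release:Exploitation Detected;DOS:N/A"}}],
         "Remediations": [{"Type": 2, "Description": {"Value": "5999001"}, "ProductID": ["P1", "P2"]}]},
        {"CVE": "CVE-2025-29966",
         "Title": {"Value": "Remote Desktop Client Remote Code Execution Vulnerability"},
         "Threats": [
             {"Type": 1, "Description": {"Value": "Publicly Disclosed:No;Exploited:No;"
                                                   "Latest Software Release:Exploitation Less Likely;DOS:N/A"}}],
         "Remediations": [
             {"Type": 2, "Description": {"Value": "Release Notes"}, "ProductID": ["P3"]},
             {"Type": 2, "Description": {"Value": "5999002"}, "ProductID": ["P1"]}]},
        {"CVE": "CVE-0000-00000",  # placeholder ID: neither exploited nor watched, so dropped
         "Title": {"Value": "Placeholder low-priority entry"},
         "Threats": [
             {"Type": 1, "Description": {"Value": "Publicly Disclosed:No;Exploited:No;"
                                                   "Latest Software Release:Exploitation Unlikely;DOS:N/A"}}],
         "Remediations": []},
    ],
}

if __name__ == "__main__":
    for row in triage(SAMPLE_CVRF):  # swap in fetch_cvrf("2025-May") when online
        flag = "EXPLOITED" if row["exploited"] else "watch"
        print(f"{row['cve']:15} {flag:9} {row['likelihood']:28} {row['title']}")
        for kb, prods in row["kbs"].items():
            print(f"    {kb}: {', '.join(prods)}")
```

The exploit-status string is matched on its content rather than on the numeric `Type` of the threat entry, because the type codes are not documented and the string itself is stable; if Microsoft ever changes the format the parser returns an empty dict and the CVE is simply not promoted to the top of the list, which is the safe failure direction for a triage tool (the watch-list still catches it).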
### Workarounds
- None are provided by the vendor in the summary; immediate patching is strongly recommended because of active exploitation. Until patched, the attack paths described above can be narrowed by not connecting Remote Desktop clients to untrusted or unknown servers and by not rendering untrusted mail in the Outlook Preview Pane, but these are general hardening measures, not vendor-documented mitigations for these CVEs.
## Detection
- **Indicators of Compromise (IOCs):** No file hashes, domains or other atomic IOCs are published in this summary; coverage is signature-based, through the Snort rules listed below, which target exploitation attempts against the vulnerabilities in this release.
- **Detection methods and tools:**
- Cisco Secure Firewall customers should update their SRU (Security Response Update) to receive the latest ruleset.
- Open-source Snort Subscriber Rule Set customers should download the latest rule pack from snort.org.
- **New Snort 2 rules released:** 64848-64867.
- **New Snort 3 rules released:** 64852-64853, 301192-301200, and 301203.
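Updating a rule pack and confirming that the advisory's rules are actually loaded are two different things: rules can be shipped disabled (commented out) in the community set, and a policy may not enable them. The following added example, not part of the original page or the Snort project, extracts the enabled SIDs from a rules file and reports which of the SIDs listed above are present or missing for a given engine. The `SAMPLE_RULES` text is constructed for the demonstration; the rule bodies are dummies and only their `sid:` options matter.

```python
"""Verify that a deployed Snort ruleset contains the SIDs named in this advisory.
Added example; the sample rules file is constructed, not a real Talos rule pack."""
import re

# SIDs quoted in the advisory above, by engine.
ADVISORY_SIDS = {
    "snort2": set(range(64848, 64868)),                      # 64848-64867
    "snort3": {64852, 64853, *range(301192, 301201), 301203},  # 64852-64853, 301192-301200, 301203
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def enabled_sids(rules_text: str) -> set:
    """Return the SIDs of enabled rules.  A rule that starts with '#' is present in
    the file but disabled, so it must not count as coverage."""
    sids = set()
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = SID_RE.search(stripped)
        if match:
            sids.add(int(match.group(1)))
    return sids


def coverage(rules_text: str, engine: str) -> dict:
    """Compare the enabled SIDs against the advisory's list for one engine."""
    want = ADVISORY_SIDS[engine]
    have = enabled_sids(rules_text)
    return {"present": sorted(want & have), "missing": sorted(want - have)}


# Constructed sample: two enabled advisory rules, one advisory rule shipped
# disabled, one enabled advisory rule, and one unrelated local rule.
SAMPLE_RULES = """\
# rules excerpt (constructed for this example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"SAMPLE rdp"; sid:64852; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"SAMPLE rdp 2"; sid:64853; rev:1;)
# alert http any any -> any any (msg:"SAMPLE disabled"; sid:301192; rev:1;)
alert http any any -> any any (msg:"SAMPLE"; sid:301193; rev:2;)
alert tcp any any -> any any (msg:"SAMPLE local rule"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for engine in ("snort2", "snort3"):
        result = coverage(SAMPLE_RULES, engine)
        print(f"{engine}: {len(result['present'])} present, "
              f"{len(result['missing'])} missing -> {result['missing']}")
```

Run it against the concatenation of every rules file your policy loads (for Snort 3, the files referenced from `snort.lua`), not only the downloaded pack, since a SID present on disk but excluded from the active policy is still a gap.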
## References
- Vendor Advisories: Microsoft MSRC Update Guide (May 2025)
- Relevant links:
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397
- msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32709
- msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-30400
- msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32701
- msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32706
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30386
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30390
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30398
- msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-30377
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29966
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29967
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29833
- msrc.microsoft.com/update-guide/ (For complete list)
- snort.org/