Full Report
Microsoft Patch Tuesday for May 2025 included five actively exploited zero days and another eight vulnerabilities judged to be at high risk of attack.

The release included fixes for 78 Microsoft vulnerabilities in all, six of which were reported and fixed last week, and five Chromium-based Microsoft Edge vulnerabilities. The vulnerabilities reported earlier included critical Azure vulnerabilities rated as high as 10.0 that have already been fixed by Microsoft.

## Microsoft Patch Tuesday May 2025: Zero Day Vulnerabilities

The five zero days were also added to CISA’s Known Exploited Vulnerabilities catalog. They included:

- CVE-2025-30397, a 7.5-severity Scripting Engine Memory Corruption Vulnerability that requires some effort to exploit. The Type Confusion vulnerability in Microsoft Scripting Engine could allow an unauthorized attacker to execute code over a network, but the attacker would need to prepare the target so that it uses Edge in Internet Explorer Mode. The vulnerability also requires an authenticated client to click on a specially crafted URL so an unauthenticated attacker can initiate remote code execution.
- CVE-2025-30400, a 7.8-rated Microsoft DWM Core Library Elevation of Privilege/Use After Free Vulnerability with low attack complexity that could allow an attacker to gain SYSTEM privileges.
- CVE-2025-32701, a 7.8-severity Windows Common Log File System Driver Elevation of Privilege Vulnerability. This low attack complexity Use After Free vulnerability could allow an attacker to gain SYSTEM privileges.
- CVE-2025-32706, a 7.8-rated Windows Common Log File System Driver Elevation of Privilege Vulnerability. This Improper Input Validation vulnerability requires low attack complexity and could allow an attacker to gain SYSTEM privileges.
- CVE-2025-32709, a 7.8-severity Windows Ancillary Function Driver for WinSock Elevation of Privilege/Use After Free Vulnerability with low attack complexity that could allow an attacker to gain administrative privileges.

## Critical Azure Vulnerabilities

Six vulnerabilities were reported early, on May 8, and have already been fully mitigated by Microsoft. Among the vulnerabilities were:

- CVE-2025-29813, a 10.0-rated Azure DevOps Server Elevation of Privilege Vulnerability
- CVE-2025-29827, a 9.9-rated Azure Automation Elevation of Privilege Vulnerability
- CVE-2025-29972, a 9.9-severity Azure Storage Resource Provider Spoofing Vulnerability
- CVE-2025-47733, a 9.1-severity Microsoft Power Apps Information Disclosure Vulnerability
- CVE-2025-47732, an 8.7-rated Microsoft Dataverse Remote Code Execution Vulnerability

## High-Risk Vulnerabilities

Microsoft judged the following eight vulnerabilities as “exploitation more likely.” They range in severity from 7.0 to 8.4.

- CVE-2025-30386: Microsoft Office Remote Code Execution Vulnerability (8.4 severity)
- CVE-2025-24063: Kernel Streaming Service Driver Elevation of Privilege Vulnerability (7.8 severity)
- CVE-2025-29976: Microsoft SharePoint Server Elevation of Privilege Vulnerability (7.8)
- CVE-2025-30382: Microsoft SharePoint Server Remote Code Execution Vulnerability (7.8)
- CVE-2025-30385: Windows Common Log File System Driver Elevation of Privilege Vulnerability (7.8)
- CVE-2025-30388: Windows Graphics Component Remote Code Execution Vulnerability (7.8)
- CVE-2025-29971: Web Threat Defense (WTD.sys) Denial of Service Vulnerability (7.5)
- CVE-2025-29841: Universal Print Management Service Elevation of Privilege Vulnerability (7.0)

## Other Vendors Releasing Updates

Other vendors releasing May 2025 Patch Tuesday fixes included:

- Ivanti
- SAP
- Intel
- Fortinet
- Apple

Analysis Summary
This summary focuses on the disclosed Microsoft vulnerabilities from the May 2025 Patch Tuesday mentioned in the context.
# Vulnerability: Microsoft May 2025 Patch Tuesday Summary (Including 5 Zero-Days)
## CVE Details
*Note: Specific severity scores and full details for all 5 Zero-Days are not explicitly provided, only those listed below.*
| CVE ID | Severity Score | Vulnerability Type |
| :--- | :--- | :--- |
| CVE-2025-30386 | 8.4 (High) | Remote Code Execution (RCE) |
| CVE-2025-24063 | 7.8 (High) | Elevation of Privilege (EoP) |
| CVE-2025-29976 | 7.8 (High) | Elevation of Privilege (EoP) |
| CVE-2025-30382 | 7.8 (High) | Remote Code Execution (RCE) |
| CVE-2025-30385 | 7.8 (High) | Elevation of Privilege (EoP) |
| CVE-2025-30388 | 7.8 (High) | Remote Code Execution (RCE) |
| CVE-2025-29971 | 7.5 (High) | Denial of Service (DoS) |
| CVE-2025-29841 | 7.0 (High) | Elevation of Privilege (EoP) |
- CWE: Varies (RCE, EoP, DoS).
## Affected Systems
- **Products:** Microsoft Office, Windows Kernel Streaming Service Driver, Microsoft SharePoint Server, Windows Common Log File System Driver, Windows Graphics Component, Web Threat Defense (WTD.sys), Universal Print Management Service.
- **Versions:** Not specified in detail, assumed to be prior to May 2025 security updates released by Microsoft.
- **Configurations:** Varies by CVE (e.g., specific drivers or components running).
## Vulnerability Description
The May 2025 Microsoft Patch Tuesday addresses 5 previously unknown (zero-day) vulnerabilities, alongside 8 other high-risk flaws. The reported issues span multiple product lines, including critical vulnerabilities in **Microsoft Office (RCE)**, **SharePoint Server (RCE and EoP)**, and various **Windows components** (Kernel Driver, Graphics Component) leading to EoP or RCE. A Denial of Service vulnerability was also identified in the **Web Threat Defense (WTD.sys)**.
## Exploitation
- **Status:** The context indicates **5 Zero Days** were patched, strongly suggesting these were being actively exploited or at high risk of exploitation. Status for specific CVEs is mixed, but the presence of zero-days implies real-world risk.
- **Complexity:** Cannot be determined with certainty, but RCE flaws often imply Medium to High complexity, while EoP flaws can sometimes be Low/Medium complexity if conditions are met.
- **Attack Vector:** Likely includes Network (for RCE flaws like CVE-2025-30386/30382) and Local (for EoP flaws).
## Impact
Impact levels are inferred from the vulnerability types:
- **Confidentiality:** Potentially High (due to RCE)
- **Integrity:** Potentially High (due to RCE and EoP)
- **Availability:** Medium/High (due to DoS and successful RCE/EoP leading to system compromise)
## Remediation
### Patches
- Microsoft May 2025 Security Updates must be applied to remediate these vulnerabilities. Specific patch versions are available via the Microsoft MSRC update guide corresponding to the listed CVEs.
### Workarounds
- No specific workarounds are detailed in the summary text. Attackers targeting zero-days often successfully exploit them before vendor guidance is published.
## Detection
- **Indicators of compromise:** Not specified in the source text. Look for unusual activity related to process creation originating from Office applications, SharePoint service activity, or kernel/driver manipulation.
- **Detection methods and tools:** Utilize Endpoint Detection and Response (EDR) tools configured to monitor for exploit primitives associated with RCE and EoP techniques specific to Microsoft products. Monitor event logs for signs of tampering with vulnerable drivers (e.g., `ks.sys`, WTDDriver).
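
The process-creation check suggested under Indicators of compromise, as an added example that is not part of the original report. It assumes Sysmon Event ID 1 records exported as one JSON object per line with `EventID`, `Computer`, `ParentImage`, `Image` and `CommandLine` fields; the two binary lists and the sample events are constructed for illustration.

```python
import json
from ntpath import basename  # Windows path semantics regardless of host OS

# Assumed lists, not from the page; tune both to your estate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "onenote.exe", "mspub.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def exe_name(path):
    """Lower-cased file name of a Windows image path; tolerates quotes and None."""
    return basename((path or "").strip().strip('"')).lower()


def office_child_alerts(lines):
    """Return (alerts, skipped): one alert per process-creation event whose parent
    is an Office binary and whose child is a suspect binary; skipped counts
    lines that were not valid JSON objects."""
    alerts, skipped = [], 0
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(ev, dict):
            skipped += 1
            continue
        if str(ev.get("EventID")) != "1":  # Sysmon ID 1 = process creation
            continue
        parent, child = exe_name(ev.get("ParentImage")), exe_name(ev.get("Image"))
        if parent in OFFICE_PARENTS and child in SUSPECT_CHILDREN:
            alerts.append({"host": ev.get("Computer"), "parent": parent,
                           "child": child, "cmdline": ev.get("CommandLine", "")})
    return alerts, skipped


# Constructed sample events (not from the page), one JSON object per line.
SAMPLE = [
    r'{"EventID":1,"Computer":"ws01","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir"}',
    r'{"EventID":1,"Computer":"ws02","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Image":"C:\\Windows\\splwow64.exe","CommandLine":"splwow64.exe 8192"}',
    r'{"EventID":1,"Computer":"ws03","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe"}',
    r'{"EventID":3,"Computer":"ws04","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}',
    'truncated {"EventID":1',
    r'{"EventID":"1","Computer":"ws05","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta.exe"}',
]

if __name__ == "__main__":
    found, bad = office_child_alerts(SAMPLE)
    for a in found:
        print(f'{a["host"]}: {a["parent"]} -> {a["child"]}  [{a["cmdline"]}]')
    print(f"{bad} unparseable line(s) skipped")
```

Matching on the file name alone is a triage signal, not a verdict: legitimate add-ins can launch interpreters, so review the command line and host context before escalating.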
## References
- Vendor Advisory: Microsoft MSRC (Updates released May 2025)
- Specific Links (Defanged):
  - hxxps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-30386
  - hxxps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-24063
  - hxxps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-29976
  - hxxps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-30382
  - hxxps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-30385
  - hxxps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-30388
  - hxxps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-29971
  - hxxps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-29841