Full Report
The company has addressed zero-day vulnerabilities for eight consecutive months without deeming any of them critical at the time of disclosure. Source article: "Microsoft's Patch Tuesday closes 72 vulnerabilities, including 5 zero-days" (CyberScoop).
Analysis Summary
# Vulnerability: Microsoft May 2025 Patch Tuesday Summary (Zero-Days and High Severity Flaws)
## CVE Details
- **CVE IDs (Zero-Days Actively Exploited):**
  - CVE-2025-30397
  - CVE-2025-30400
  - CVE-2025-32701
  - CVE-2025-32706
  - CVE-2025-32709
- **Severity Scores (Zero-Days):** All range between 7.5 and 7.8 (High).
- **Other Notable High/Critical CVEs Mentioned:** CVE-2025-29813, CVE-2025-29827, CVE-2025-29972, CVE-2025-30387 (Critical based on initial scores).
- **CWE:** Specific CWEs were not detailed, though the reported weakness classes include:
  - Use-After-Free (CVE-2025-30400, DWM)
  - Memory Corruption (CVE-2025-30397, Scripting Engine)
## Affected Systems
- **Products:** Windows components (including the Common Log File System (CLFS) driver, DWM, WinSock, and the Scripting Engine), Microsoft Office (18 vulnerabilities), Microsoft SharePoint Server.
- **Versions:** Specific vulnerable versions are not detailed; consult Microsoft's Security Response Center update guide for the affected builds.
- **Configurations:**
  - Exploitation of CVE-2025-30397 requires user interaction.
  - Exploitation of the CLFS defects (CVE-2025-32701, CVE-2025-32706) leads to Elevation of Privilege to SYSTEM.
## Vulnerability Description
Microsoft addressed 72 vulnerabilities, including five zero-days actively exploited in the wild. Two of the most critical zero-days are defects in the **Windows Common Log File System (CLFS) driver** (CVE-2025-32701, CVE-2025-32706), which allow **Elevation of Privilege to SYSTEM**. Another zero-day, **CVE-2025-30400**, is a Use-After-Free vulnerability in the **Windows Desktop Window Manager (DWM)**, also resulting in Elevation of Privilege (EoP). **CVE-2025-30397** is a memory corruption flaw in the **Microsoft Scripting Engine** leading to Remote Code Execution (RCE) under complex conditions. The SharePoint Server vulnerabilities (CVE-2025-29976, CVE-2025-30382) allow privilege escalation and RCE, respectively.
## Exploitation
- **Status:** **Five Zero-Days Exploited in the Wild.** CISA has added all five zero-days to its KEV catalog.
- **Complexity:**
  - CLFS EoP (CVE-2025-32701, CVE-2025-32706): Low complexity, minimal privileges needed.
  - Scripting Engine RCE (CVE-2025-30397): High complexity, requires user interaction.
- **Attack Vector:** Primarily Local (for the CLFS EoP) and potentially Network (for the Scripting Engine RCE if delivered via web content).
## Impact
- **Confidentiality:** High (due to potential for RCE and system compromise).
- **Integrity:** High (especially with EoP to SYSTEM, allowing data modification).
- **Availability:** High (exploitation can lead to malware/ransomware deployment or system disabling).
## Remediation
### Patches
- Patches are available via Microsoft's May 2025 Security Update. Affected products include Windows components and Microsoft Office.
- **Specific High-Profile Patches:**
  - Patches addressing CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709.
  - Patches for three Office vulnerabilities rated "more likely" to be exploited (CVE-2025-29792, CVE-2025-29793, CVE-2025-29794).
### Workarounds
- Workarounds were not explicitly detailed in the summary; given the active exploitation and EoP potential, immediate patching takes priority over temporary mitigations.
## Detection
- **Indicators of Compromise:** No specific indicators are given; because exploitation is confirmed, focus monitoring on post-compromise activity, particularly unexpected SYSTEM-level privilege use and ransomware or malware deployment.
- **Detection Methods and Tools:** Use Microsoft Endpoint Detection and Response (EDR) tooling and updated signature databases capable of detecting access or modification attempts targeting the **Windows Common Log File System (CLFS) driver** and **DWM**.
## References
- Vendor Advisory: msrc.microsoft.com/update-guide/releaseNote/2025-May
- CISA KEV: cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=
- Related Historical CLFS Exploit: cyberscoop.com/microsoft-patch-tuesday-april-2025/