Microsoft patched 71 CVEs in its May 2025 Patch Tuesday release, with five rated critical and 66 rated important. Remote code execution (RCE) vulnerabilities accounted for 39.4% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 25.4%.
“For May 2025, Microsoft patched seven zero-day vulnerabilities, five exploited in the wild, and two that were publicly disclosed prior to patches being available. Four of the seven zero-days were elevation of privilege flaws, while two were remote code execution bugs, and the other was a spoofing flaw.
“CVE-2025-30397, a scripting engine memory corruption bug, has a prerequisite that their potential target needs to be using Microsoft Edge in Internet Explorer mode in order for exploitation to be successful – a tall order considering Edge has 5% market share. Internet Explorer mode is used to provide legacy compatibility to organizations that require it. In addition, authentication on the client side is required and the potential target would need to click on a specially crafted link from the attacker. Despite clear exploitation in the wild, we’re not likely to see broad exploitation of this bug due to the number of prerequisites. We haven’t seen very many scripting engine flaws over the last three years. However, in August 2024, another scripting engine memory corruption zero-day, CVE-2024-38178, was reported as exploited in the wild by researchers as well as the National Cyber Security Center (NCSC), Republic of Korea. It’s unclear if this is related to follow-on attacks.
“CVE-2025-30400 is one of the four elevation of privilege bugs patched this month. It resides in the Desktop Window Manager (DWM) Core Library for Windows. Since 2022, Patch Tuesday has addressed 26 elevation of privilege vulnerabilities in DWM. In fact, the April 2025 release included fixes for five DWM Core Library elevation of privilege vulnerabilities. Prior to CVE-2025-30400, only two DWM elevation of privilege bugs were exploited as zero-days – CVE-2024-30051 in 2024 and CVE-2023-36033 in 2023.
“CVE-2025-32701 and CVE-2025-32706 are both elevation of privilege flaws in the Windows Common Log File System (CLFS) Driver for Windows.
“This is the second month in a row that a CLFS elevation of privilege flaw was exploited in the wild as a zero-day. CVE-2025-29824, which was patched in April 2025, was exploited by a threat actor known as Storm-2460 that used the PipeMagic malware to deploy ransomware in compromised environments. While we don’t know the specific in-the-wild method of exploitation for CVE-2025-32701 and CVE-2025-32706, we can be sure that they were part of post-compromise activity that was either targeted espionage or financially motivated activities, such as ransomware deployment. Since 2022, there have been 33 CLFS Driver flaws, of which 28 were elevation of privilege vulnerabilities. Six of those vulnerabilities were exploited in the wild as zero-days (CVE-2022-37969, CVE-2023-23376, CVE-2023-28252, CVE-2024-49138, CVE-2025-29824).
“CVE-2025-32709 is an elevation of privilege flaw in afd.sys, the Windows Ancillary Function Driver that interfaces with the Windows Sockets API (or WinSock) to enable Windows applications to connect to the internet. Since 2022, Patch Tuesday has addressed 10 elevation of privilege flaws in afd.sys. The last afd.sys flaw was disclosed in the February 2025 Patch Tuesday release, and it, too, was exploited as a zero-day. As with the other elevation of privilege flaws disclosed, these are typically utilized as part of post-compromise activity.” – Satnam Narang, sr. staff research engineer, Tenable