Microsoft has released its May 2025 Patch Tuesday update, fixing 78 vulnerabilities in products ranging from Windows to SharePoint and Exchange. Five of them were already being exploited in the wild when the fixes shipped. Takeaway: this month's zero-days are dominated by elevation of privilege bugs in long-lived Windows components, and they underline the need for proactive, timely patching against new and emerging threats.
According to the official advisory, the update addresses vulnerabilities rated Critical and Important. Among the exploited flaws, CVE-2025-30397, a Scripting Engine Memory Corruption Vulnerability, carries a CVSS score of 7.5. The other four exploited zero-days are elevation of privilege vulnerabilities, each scored 7.8: CVE-2025-30400, CVE-2025-32701, CVE-2025-32706 and CVE-2025-32709. Chained with a code execution bug such as CVE-2025-30397, any of them lets an attacker who already runs code as a standard user escalate to SYSTEM on an unpatched machine.
Details of the Vulnerabilities
The total CVE count was higher than in a typical month: the May release covers 11 Critical and 66 Important vulnerabilities. By impact, 28 are remote code execution flaws, 17 are elevation of privilege bugs, and 15 are information disclosure issues.
CVE-2025-30397 was found internally by Microsoft's own threat intelligence team. According to Alex Vovk, “Attackers can exploit the flaw via a malicious web page or script that causes the scripting engine to misinterpret object types, resulting in memory corruption and arbitrary code execution in the context of the current user.” Because the code runs as the current user, the impact is bounded by that user's rights; on an account with administrative privileges it can mean data exfiltration or malware installation.
CVE-2025-30400 is the third elevation of privilege vulnerability in the Desktop Window Manager (DWM) Core Library to be exploited in the wild since 2023. As Satnam Narang noted, “Since 2022, Patch Tuesday has addressed 26 elevation of privilege vulnerabilities in DWM.” The recurrence shows that privilege escalation in long-standing Windows components remains an ongoing risk within Microsoft's ecosystem.
Zero-Day Exploits and CISA Actions
The May release closes a good number of exploited vulnerabilities, and a related case from the previous month is also notable. CVE-2025-29824, a Windows Common Log File System (CLFS) elevation of privilege vulnerability patched in the April 2025 update, was exploited as a zero-day by threat actors linked to the Play ransomware family before the patch was issued. The five May zero-days have been added to the Known Exploited Vulnerabilities (KEV) catalog of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which gives federal civilian executive branch agencies until June 3, 2025 to apply the vendor fixes.
Microsoft credits CVE-2025-32706 to Benoit Sevens of the Google Threat Intelligence Group together with the CrowdStrike Advanced Research Team. CVE-2025-32709 was reported by an anonymous researcher. These contributions from outside vendors, alongside Microsoft's own threat intelligence findings, show how much timely zero-day response depends on cooperative disclosure and continued vigilance against new threats.
Ongoing Security Challenges
This month is another illustration of how hard Microsoft continues to find it to keep its platforms secure. With more vulnerabilities being discovered and weaponized, the company has never been more vocal about the need for prompt, effective updates.
Rich Mirch pointed out that executing binaries from untrusted locations can lead to significant security risks: “The problem is the Java binary could be running from an untrusted location. A malicious local unprivileged user can create a process with the name java or javaw, which will eventually be executed with root privileges to determine the version of the JRE.” The pattern is a classic local privilege escalation: a privileged component resolves a binary by name rather than by a trusted, verified path, so an unprivileged user can plant the file that ends up running as root. Cases like this reinforce the importance of keeping systems current.
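To make the failure mode Mirch describes concrete, here is an added example (my own illustration, not code from Microsoft or from Mirch's research) of the check a privileged component should perform before executing a binary it discovered at runtime. The trusted prefixes, the `demo()` directory tree and the stub `java` script are all constructed for the example and are not taken from any real product.

```python
"""Added example: validate a runtime-discovered binary before a privileged
component executes it. Illustration only; not vendor code."""
import os
import stat
import subprocess
import tempfile
from pathlib import Path

# Assumption: site policy lists where a legitimate JRE may be installed.
TRUSTED_PREFIXES = ("/usr/bin", "/usr/lib/jvm", "/opt")


def is_safe_to_run_privileged(path, trusted_prefixes=TRUSTED_PREFIXES,
                              trusted_uid=0):
    """Return (ok, reason).

    ok is True only when the resolved file sits under one of trusted_prefixes
    and every path component from the file up to that prefix is owned by
    trusted_uid and is neither group- nor world-writable. That rules out the
    attack in the text: an unprivileged user planting a file named `java`
    somewhere they control and waiting for root to execute it.
    """
    try:
        resolved = Path(path).resolve(strict=True)  # follow symlinks first
    except (OSError, RuntimeError):
        return False, f"{path} does not resolve to an existing file"

    prefixes = [Path(p).resolve() for p in trusted_prefixes]
    anchor = next((p for p in prefixes if p in resolved.parents), None)
    if anchor is None:
        return False, f"{resolved} is outside the trusted prefixes"

    # Walk upward from the file to the trusted prefix (inclusive); a writable
    # directory anywhere on that path lets an attacker swap the binary.
    for component in (resolved, *resolved.parents):
        st = os.stat(component)
        if st.st_uid != trusted_uid:
            return False, f"{component} is owned by uid {st.st_uid}, not {trusted_uid}"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False, f"{component} is group/world writable"
        if component == anchor:
            break

    if not resolved.is_file() or not os.access(resolved, os.X_OK):
        return False, f"{resolved} is not an executable regular file"
    return True, "ok"


def run_version_probe(candidate, trusted_prefixes=TRUSTED_PREFIXES):
    """Hardened form of 'run java -version'. The vulnerable form would be
    subprocess.run(["java", "-version"]) (PATH search) or executing whatever
    binary backs a running process named java. Here: absolute validated path,
    no PATH search, no shell, and refusal instead of execution on failure."""
    ok, reason = is_safe_to_run_privileged(candidate, trusted_prefixes)
    if not ok:
        raise PermissionError(f"refusing to execute {candidate}: {reason}")
    proc = subprocess.run([str(candidate), "-version"], capture_output=True,
                          text=True, timeout=10)
    return (proc.stdout + proc.stderr).strip()


def demo():
    """Exercise the check on a throwaway tree. Uses the current uid as the
    trusted owner so the demo runs without root; returns a dict of outcomes."""
    root = Path(tempfile.mkdtemp()).resolve()   # stands in for /usr/lib/jvm
    me = os.getuid()
    bindir = root / "bin"
    bindir.mkdir(mode=0o755)
    exe = bindir / "java"
    exe.write_text("#!/bin/sh\necho 'java version \"0.0\" (constructed stub)'\n")
    exe.chmod(0o755)

    results = {}
    results["trusted_path"] = is_safe_to_run_privileged(exe, (root,), me)[0]
    bindir.chmod(0o777)  # the directory becomes writable by any local user
    results["writable_parent"] = is_safe_to_run_privileged(exe, (root,), me)[0]
    bindir.chmod(0o755)
    results["outside_prefix"] = is_safe_to_run_privileged(exe, (root / "elsewhere",), me)[0]
    results["missing_file"] = is_safe_to_run_privileged(root / "none" / "java", (root,), me)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16} -> {'allowed' if ok else 'refused'}")
```

The walk stops at the configured prefix because that prefix is, by policy, the boundary you trust; a check that only inspected the final file would still be defeated by a writable parent directory, which is why the `writable_parent` case is refused.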