Report Name: Microsoft Patch Tuesday, May 2025
Generated: 2025-05-14 03:05:16

Product Name	Prevalence	U	C	H	M	L	A	Comment
Windows Kernel	0.9				1		1	Windows Kernel
Chromium	0.8			1	6		7	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
Kernel Streaming Service Driver	0.8				1		1	The Kernel Streaming Service Driver is a Windows kernel-mode component that manages low-latency, real-time streaming of multimedia data between hardware devices and applications
Microsoft DWM Core Library	0.8		1				1	Windows component
Microsoft Defender	0.8				1		1	Anti-malware component of Microsoft Windows
Microsoft Edge	0.8			1	1		2	Web browser
Microsoft Office	0.8			2			2	Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer
Microsoft Windows Hardware Lab Kit (HLK)	0.8				1		1	Windows component
Windows Ancillary Function Driver for WinSock	0.8			1			1	Windows component
Windows Common Log File System Driver	0.8		2		1		3	Common Log File System is a general-purpose logging subsystem that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs
Windows Deployment Services	0.8				1		1	Windows component
Windows ExecutionContext Driver	0.8				1		1	Windows component
Windows Graphics Component	0.8			1			1	Windows component
Windows Installer	0.8				1		1	Windows component
Windows Kernel-Mode Driver	0.8				1		1	Windows component
Windows Lightweight Directory Access Protocol (LDAP)	0.8				1		1	Windows component
Windows Media	0.8			4			4	Windows component
Windows Multiple UNC Provider Driver	0.8				1		1	Windows component
Windows NTFS	0.8				1		1	The default file system of the Windows NT family
Windows Remote Access Connection Manager	0.8				1		1	Windows component
Windows Remote Desktop Client	0.8			2			2	Remote Desktop Protocol Client
Windows Remote Desktop Gateway (RD Gateway)	0.8				2		2	Windows component
Windows Remote Desktop Services	0.8			1			1	Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection
Windows Routing and Remote Access Service (RRAS)	0.8				7		7	Windows component
Windows SMB	0.8				1		1	Windows component
Windows Trusted Runtime Interface Driver	0.8				1		1	Windows component
Microsoft Excel	0.6				9		9	MS Office product
Microsoft Outlook	0.6				1		1	Microsoft Outlook is a personal information manager software system from Microsoft, available as a part of the Microsoft 365 software suites
Microsoft PowerPoint	0.6				1		1	Microsoft PowerPoint
Windows Hyper-V	0.6				1		1	Hardware virtualization component of the client editions of Windows NT
.NET, Visual Studio, and Build Tools for Visual Studio	0.5				1		1	.NET, Visual Studio, and Build Tools for Visual Studio
Active Directory Certificate Services (AD CS)	0.5				1		1	Active Directory Certificate Services (AD CS)
Azure AI bot	0.5				1		1	Azure AI bot
Azure Automation	0.5			1			1	Azure Automation
Azure Bot Framework SDK	0.5			1			1	Azure Bot Framework SDK
Azure DevOps Server	0.5			1			1	Azure DevOps Server
Azure Functions	0.5			1			1	Azure Functions
Azure ML Compute	0.5				1		1	Azure ML Compute
Azure Storage Resource Provider	0.5				1		1	Azure Storage Resource Provider
Azure Virtual Desktop	0.5			1			1	Azure Virtual Desktop
Document Intelligence Studio On-Prem	0.5				1		1	Document Intelligence Studio On-Prem
MS-EVEN RPC	0.5				1		1	MS-EVEN RPC
Microsoft Azure File Sync	0.5				1		1	Microsoft Azure File Sync
Microsoft Brokering File System	0.5				1		1	Microsoft Brokering File System
Microsoft Defender for Identity	0.5				1		1	Microsoft Defender for Identity
Microsoft Dynamics	0.5				1		1	Microsoft Dynamics
Microsoft PC Manager	0.5				1		1	Microsoft PC Manager
Microsoft Power Apps	0.5				1		1	Microsoft Power Apps
Microsoft Power Automate Desktop	0.5				1		1	Microsoft Power Automate Desktop
Microsoft SharePoint Server	0.5				4		4	Microsoft SharePoint Server
Microsoft Virtual Machine Bus (VMBus)	0.5				1		1	Microsoft Virtual Machine Bus (VMBus)
Microsoft msagsfeedback.azurewebsites.net	0.5				1		1	Microsoft msagsfeedback.azurewebsites.net
Scripting Engine	0.5		1				1	Scripting Engine
Universal Print Management Service	0.5				1		1	Universal Print Management Service
UrlMon	0.5				1		1	UrlMon
Web Threat Defense (WTD.sys)	0.5				1		1	Web Threat Defense (WTD.sys)
Visual Studio	0.3				2		2	Integrated development environment
Visual Studio Code	0.3				1		1	Integrated development environment
Microsoft Dataverse	0.2				2		2	Microsoft Dataverse

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0			12	18		30
Authentication Bypass	0.98				1		1
Security Feature Bypass	0.9			1	2		3
Elevation of Privilege	0.85		3	5	16		24
Information Disclosure	0.83				18		18
Denial of Service	0.7				7		7
Memory Corruption	0.5		1		5		6
Spoofing	0.4				4		4

Source	U	C	H	M	L	A
MS PT Extended			7	15		22
Qualys		4	6	8		18
Tenable		4	1	3		8
Rapid7		4	1	2		7
ZDI		4	1			5

Urgent (0)

Critical (4)

1. Elevation of Privilege - Microsoft DWM Core Library (CVE-2025-30400) - Critical [716]

Description: Microsoft DWM Core Library Elevation of Privilege Vulnerability

Qualys: CVE-2025-30400: Microsoft DWM Core Library Elevation of Privilege Vulnerability The Microsoft Desktop Window Manager (DWM) Core Library is a crucial system component in Windows that manages the display of all visual elements on a computer screen. The use-after-free vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CISA added the CVE-2025-30400 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.

Tenable: Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)

Tenable: CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability

Tenable: CVE-2025-30400 is an EoP vulnerability in the Windows Desktop Windows Manager (DWM) Core library. It was assigned a CVSSv3 score of 7.8 and is rated as important. Microsoft notes that it was exploited as a zero-day. Successful exploitation would allow an attacker to elevate their privileges by exploiting a use after free flaw.

Rapid7: If proof were needed that elevation of privilege to SYSTEM will never go out of style, today sees the publication of CVE-2025-30400, which is a zero-day vulnerability in the Windows Desktop Window Manager (DWM). As it happens, tomorrow marks the one-year anniversary of CVE-2024-30051, a previous zero-day EoP vulnerability in DWM.

ZDI: CVE-2025-30400 - Microsoft DWM Core Library Elevation of Privilege Vulnerability. This is the final in-the-wild bug getting patched this month, and although we saw it patched back in January, this is the first exploit we’ve seen in this component in some time. This is another privilege escalation bug that leads to executing code as SYSTEM. All of the EoP bugs are commonly used in phishing and ransomware, so don’t let their lower severity fool you. Definitely test and deploy these patches quickly.

2. Elevation of Privilege - Windows Common Log File System Driver (CVE-2025-32701) - Critical [716]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability

Qualys: CVE-2025-32701: Windows Common Log File System Driver Elevation of Privilege Vulnerability The Windows Common Log File System (CLFS) is a high-performance, general-purpose logging subsystem used by kernel and user-mode applications. It’s designed for building transactional logs and is frequently employed in applications like database systems, messaging systems, and online transactional processing (OLTP). The use-after-free vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CISA added the CVE-2025-32701 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.

Tenable: Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)

Tenable: CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerabilities

Tenable: CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 are EoP vulnerabilities in the Windows Common Log File System (CLFS) Driver. Each was assigned a CVSSv3 score of 7.8 and are rated as important. Both CVE-2025-32701 and CVE-2025-32706 were exploited in the wild as zero-days while CVE-2025-30385 is assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

Rapid7: Neither CVE-2025-32701 nor CVE-2025-32706 are the first zero-day vulnerabilities in the Windows Common Log File Driver System; indeed, they are the latest members of an ongoing dynasty where exploitation typically leads to elevation of privilege to SYSTEM. Credit where credit is due: recent disclosures by Microsoft’s own Threat Intelligence Center (MSTIC), including this month’s CVE-2025-32701, demonstrate that Microsoft is putting serious effort into detecting and rooting out CLFS exploitation. Of course, since Microsoft is aware of exploitation in the wild, we know that someone else got there first, and there’s no reason to suspect that threat actors will stop looking for ways to abuse CLFS any time soon.

ZDI: CVE-2025-32701/CVE-2025-32706 - Windows Common Log File System Driver Elevation of Privilege Vulnerability. This Windows component has been through the ringer, as it was also exploited in the previous months by other groups. These bugs allow privilege escalation to SYSTEM and are usually paired with a code execution bug to take over a system. In the past, these types of bugs were used by ransomware gangs, so it’s likely these are as well. Test and deploy quickly.

3. Elevation of Privilege - Windows Common Log File System Driver (CVE-2025-32706) - Critical [716]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability

Qualys: CVE-2025-32706: Windows Common Log File System Driver Elevation of Privilege Vulnerability The improper input validation vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CISA added the CVE-2025-32706 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.

Tenable: Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)

Tenable: CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerabilities

Tenable: CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 are EoP vulnerabilities in the Windows Common Log File System (CLFS) Driver. Each was assigned a CVSSv3 score of 7.8 and are rated as important. Both CVE-2025-32701 and CVE-2025-32706 were exploited in the wild as zero-days while CVE-2025-30385 is assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

Rapid7: Neither CVE-2025-32701 nor CVE-2025-32706 are the first zero-day vulnerabilities in the Windows Common Log File Driver System; indeed, they are the latest members of an ongoing dynasty where exploitation typically leads to elevation of privilege to SYSTEM. Credit where credit is due: recent disclosures by Microsoft’s own Threat Intelligence Center (MSTIC), including this month’s CVE-2025-32701, demonstrate that Microsoft is putting serious effort into detecting and rooting out CLFS exploitation. Of course, since Microsoft is aware of exploitation in the wild, we know that someone else got there first, and there’s no reason to suspect that threat actors will stop looking for ways to abuse CLFS any time soon.

ZDI: CVE-2025-32701/CVE-2025-32706 - Windows Common Log File System Driver Elevation of Privilege Vulnerability. This Windows component has been through the ringer, as it was also exploited in the previous months by other groups. These bugs allow privilege escalation to SYSTEM and are usually paired with a code execution bug to take over a system. In the past, these types of bugs were used by ransomware gangs, so it’s likely these are as well. Test and deploy quickly.

4. Memory Corruption - Scripting Engine (CVE-2025-30397) - Critical [603]

Description: Scripting Engine Memory Corruption Vulnerability

Qualys: CVE-2025-30397: Scripting Engine Memory Corruption Vulnerability A scripting engine is a software component that interprets and executes instructions written in a scripting language. It’s essentially a runtime environment that processes scripts, allowing them to interact with an application or system.  An attacker must convince an authenticated user to click a link to initiate remote code execution. Successful exploitation of the vulnerability may allow an unauthenticated attacker to execute code over a network. CISA added the CVE-2025-30397 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.

Tenable: CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability

Tenable: CVE-2025-30397 is a memory corruption vulnerability in Microsoft Scripting Engine that can be exploited to achieve arbitrary code execution on a target machine. It was assigned a CVSSv3 score of 7.5 and is rated as Important. The attack complexity is rated as high, and Microsoft notes the target must first be running Microsoft Edge in Internet Explorer mode. Successful exploitation requires the user to click on a crafted URL. This vulnerability was reportedly exploited in the wild as a zero-day.

Rapid7: In the majority of cases, the CVSSv3 base score provides a solid sense of the severity of a vulnerability. Sometimes, however, even a correct CVSS assessment can disguise the potential impact of a specific vulnerability. This arguably the case with CVE-2025-30397, a zero-day RCE vulnerability in the Windows Scripting Engine with a healthy but unremarkable CVSSv3 base score of 7.5. Microsoft is aware of exploitation in the wild. It’s certainly not the worst of the worst — we save that level of alarm for pre-authentication RCE with no requirement for user interaction — and Microsoft assesses attack complexity as high, which is arguably correct. And yet…. The advisory FAQ for CVE-2025-30397 explains that successful exploitation requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode, and then causes the user to click a malicious link; there is no mention of a requirement for the user to actively reload the page in Internet Explorer Mode, so we must assume that exploitation requires only that the “Allow sites to be reloaded in Internet Explorer” option is enabled. Users who are most likely to require Internet Explorer compatibility mode in 2025 are surely users at enterprise organizations, where critical business workflows still depend on applications from the dinosaur days when Internet Explorer ruled the roost. No doubt the concept of a plan for migration of all of these applications exists, buried several layers deep in a dusty backlog, but Microsoft would hardly be offering IE compatibility mode until at least 2029 if it didn’t know that a huge swathe of its customer base demands it.

ZDI: CVE-2025-30397 - Scripting Engine Memory Corruption Vulnerability. This bug allows a remote attacker to execute their code on an affected system if they can convince a user to click a specially crafted link. Since this is in the wild, clearly someone clicked that link. This bug is interesting in that it forces Edge into Internet Explorer mode, so the ghost of IE continues to haunt us all. Microsoft provides no information on how widespread these attacks are, but I would go ahead and test and deploy this fix quickly.

High (18)

5. Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2025-32709) - High [594]

Description: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Qualys: CVE-2025-32709: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability  The Windows Ancillary Function Driver (AFD) is a kernel-mode driver that serves as the entry point for the Windows Sockets (Winsock) API. It handles the low-level details of network communication, acting as a bridge between applications using the Winsock API and the network stack. The use-after-free vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CISA added the CVE-2025-32709 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.

Tenable: CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Tenable: CVE-2025-32709 is a EoP vulnerability in the Windows Ancillary Function Driver for WinSock. It was assigned a CVSSv3 score of 7.8 and rated as Important. An authenticated attacker can leverage this vulnerability to elevate their privileges to administrator by exploiting a user after free condition. Microsoft notes that this vulnerability was exploited in the wild as a zero-day, the second to be exploited in 2025, preceded by CVE-2025-21418 which was addressed in February’s Patch Tuesday release.

Rapid7: Regular Patch Tuesday watchers will recognize the Ancillary Function Driver for Winsock, which is the site of CVE-2025-32709, an elevation of privilege vulnerability for which Microsoft is aware of exploitation. In something of a break with tradition for Patch Tuesday zero-day EoP vulnerabilities, exploitation only leads to administrator privileges rather than all the way to SYSTEM, but no attacker is going to waste too many cycles feeling sad about that.

ZDI: CVE-2025-32709 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. Speaking of reruns, we also saw this component exploited in the wild back in February of this year. When we see the same component exploited again and again, I begin to question the quality of the patches and wonder if they are being bypassed. Again, we have a privilege escalation bug here leading to SYSTEM privileges.

6. Elevation of Privilege - Azure Automation (CVE-2025-29827) - High [458]

Description: Azure Automation Elevation of Privilege Vulnerability

MS PT Extended: CVE-2025-29827 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

7. Elevation of Privilege - Azure DevOps Server (CVE-2025-29813) - High [458]

Description: Azure DevOps Server Elevation of Privilege Vulnerability

MS PT Extended: CVE-2025-29813 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

8. Elevation of Privilege - Azure Bot Framework SDK (CVE-2025-30389) - High [447]

Description: Azure Bot Framework SDK Elevation of Privilege Vulnerability

MS PT Extended: CVE-2025-30389 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

9. Remote Code Execution - Azure Functions (CVE-2025-33074) - High [438]

Description: Azure Functions Remote Code Execution Vulnerability

MS PT Extended: CVE-2025-33074 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

10. Elevation of Privilege - Azure Virtual Desktop (CVE-2025-21416) - High [435]

Description: Azure Virtual Desktop Elevation of Privilege Vulnerability

MS PT Extended: CVE-2025-21416 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

11. Remote Code Execution - Microsoft Edge (CVE-2025-29834) - High [430]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

MS PT Extended: CVE-2025-29834 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

12. Security Feature Bypass - Chromium (CVE-2025-4052) - High [425]

Description: Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)

MS PT Extended: CVE-2025-4052 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

13. Remote Code Execution - Windows Media (CVE-2025-29840) - High [419]

Description: Windows Media Remote Code Execution Vulnerability

14. Remote Code Execution - Windows Media (CVE-2025-29962) - High [419]

Description: Windows Media Remote Code Execution Vulnerability

15. Remote Code Execution - Windows Media (CVE-2025-29963) - High [419]

Description: Windows Media Remote Code Execution Vulnerability

16. Remote Code Execution - Windows Media (CVE-2025-29964) - High [419]

Description: Windows Media Remote Code Execution Vulnerability

17. Remote Code Execution - Windows Remote Desktop Client (CVE-2025-29966) - High [419]

Description: Remote Desktop Client Remote Code Execution Vulnerability

Qualys: CVE-2025-29966 & CVE-2025-29967: Remote Desktop Client Remote Code Execution Vulnerability A Remote Desktop Protocol client is a software application that allows users to connect to and control a remote computer or server, using a secure network connection. It essentially enables users to operate a remote machine as if they were physically sitting in front of it. The heap-based buffer overflow vulnerability may allow an unauthenticated attacker to execute code remotely.

18. Remote Code Execution - Windows Remote Desktop Client (CVE-2025-29967) - High [419]

Description: Remote Desktop Client Remote Code Execution Vulnerability

Qualys: CVE-2025-29966 & CVE-2025-29967: Remote Desktop Client Remote Code Execution Vulnerability A Remote Desktop Protocol client is a software application that allows users to connect to and control a remote computer or server, using a secure network connection. It essentially enables users to operate a remote machine as if they were physically sitting in front of it. The heap-based buffer overflow vulnerability may allow an unauthenticated attacker to execute code remotely.

19. Remote Code Execution - Microsoft Office (CVE-2025-30377) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability

Qualys: CVE-2025-30377 & CVE-2025-30386: Microsoft Office Remote Code Execution Vulnerability The use-after-free vulnerability could allow an unauthenticated attacker to achieve remote code execution.

20. Remote Code Execution - Microsoft Office (CVE-2025-30386) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability

Qualys: CVE-2025-30377 & CVE-2025-30386: Microsoft Office Remote Code Execution Vulnerability The use-after-free vulnerability could allow an unauthenticated attacker to achieve remote code execution.

21. Remote Code Execution - Windows Graphics Component (CVE-2025-30388) - High [407]

Description: Windows Graphics Component Remote Code Execution Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

22. Remote Code Execution - Windows Remote Desktop Services (CVE-2025-29831) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability

Medium (71)

23. Authentication Bypass - Chromium (CVE-2025-4051) - Medium [391]

Description: Insufficient data validation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2025-4051 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

24. Elevation of Privilege - Azure AI bot (CVE-2025-30392) - Medium [389]

Description: Azure AI bot Elevation of Privilege Vulnerability

MS PT Extended: CVE-2025-30392 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

25. Elevation of Privilege - Kernel Streaming Service Driver (CVE-2025-24063) - Medium [380]

Description: Kernel Streaming Service Driver Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

26. Elevation of Privilege - Windows Common Log File System Driver (CVE-2025-30385) - Medium [380]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

Tenable: CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerabilities

Tenable: CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 are EoP vulnerabilities in the Windows Common Log File System (CLFS) Driver. Each was assigned a CVSSv3 score of 7.8 and are rated as important. Both CVE-2025-32701 and CVE-2025-32706 were exploited in the wild as zero-days while CVE-2025-30385 is assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

27. Elevation of Privilege - Windows NTFS (CVE-2025-32707) - Medium [380]

Description: NTFS Elevation of Privilege Vulnerability

28. Remote Code Execution - Microsoft Dataverse (CVE-2025-47732) - Medium [378]

Description: Microsoft Dataverse Remote Code Execution Vulnerability

MS PT Extended: CVE-2025-47732 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

29. Spoofing - Azure Storage Resource Provider (CVE-2025-29972) - Medium [378]

Description: Azure Storage Resource Provider Spoofing Vulnerability

MS PT Extended: CVE-2025-29972 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

30. Elevation of Privilege - Azure ML Compute (CVE-2025-30390) - Medium [377]

Description: Azure ML Compute Elevation of Privilege Vulnerability

MS PT Extended: CVE-2025-30390 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

31. Memory Corruption - Chromium (CVE-2025-3619) - Medium [377]

Description: Chromium: CVE-2025-3619 Heap buffer overflow in Codecs

MS PT Extended: CVE-2025-3619 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

32. Remote Code Execution - Microsoft Excel (CVE-2025-29977) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

33. Remote Code Execution - Microsoft Excel (CVE-2025-29979) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

34. Remote Code Execution - Microsoft Excel (CVE-2025-30375) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

35. Remote Code Execution - Microsoft Excel (CVE-2025-30376) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

36. Remote Code Execution - Microsoft Excel (CVE-2025-30379) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

37. Remote Code Execution - Microsoft Excel (CVE-2025-30381) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

38. Remote Code Execution - Microsoft Excel (CVE-2025-30383) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

39. Remote Code Execution - Microsoft Excel (CVE-2025-30393) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

40. Remote Code Execution - Microsoft Excel (CVE-2025-32704) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

41. Remote Code Execution - Microsoft Outlook (CVE-2025-32705) - Medium [373]

Description: Microsoft Outlook Remote Code Execution Vulnerability

42. Remote Code Execution - Microsoft PowerPoint (CVE-2025-29978) - Medium [373]

Description: Microsoft PowerPoint Remote Code Execution Vulnerability

43. Information Disclosure - Windows Kernel (CVE-2025-29974) - Medium [369]

Description: Windows Kernel Information Disclosure Vulnerability

44. Elevation of Privilege - Microsoft Defender (CVE-2025-26684) - Medium [368]

Description: Microsoft Defender Elevation of Privilege Vulnerability

45. Elevation of Privilege - Microsoft Windows Hardware Lab Kit (HLK) (CVE-2025-27488) - Medium [368]

Description: Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability

46. Elevation of Privilege - Windows ExecutionContext Driver (CVE-2025-29838) - Medium [368]

Description: Windows ExecutionContext Driver Elevation of Privilege Vulnerability

47. Elevation of Privilege - Windows Kernel-Mode Driver (CVE-2025-27468) - Medium [368]

Description: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

48. Memory Corruption - Chromium (CVE-2025-3620) - Medium [365]

Description: Chromium: CVE-2025-3620 Use after free in USB

MS PT Extended: CVE-2025-3620 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

49. Information Disclosure - Windows Remote Access Connection Manager (CVE-2025-29835) - Medium [364]

Description: Windows Remote Access Connection Manager Information Disclosure Vulnerability

50. Information Disclosure - Windows Routing and Remote Access Service (RRAS) (CVE-2025-29830) - Medium [364]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability

51. Information Disclosure - Windows Routing and Remote Access Service (RRAS) (CVE-2025-29832) - Medium [364]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability

52. Information Disclosure - Windows Routing and Remote Access Service (RRAS) (CVE-2025-29836) - Medium [364]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability

53. Information Disclosure - Windows Routing and Remote Access Service (RRAS) (CVE-2025-29958) - Medium [364]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability

54. Information Disclosure - Windows Routing and Remote Access Service (RRAS) (CVE-2025-29959) - Medium [364]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability

55. Information Disclosure - Windows Routing and Remote Access Service (RRAS) (CVE-2025-29960) - Medium [364]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability

56. Information Disclosure - Windows Routing and Remote Access Service (RRAS) (CVE-2025-29961) - Medium [364]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability

57. Information Disclosure - Microsoft Dynamics (CVE-2025-30391) - Medium [362]

Description: Microsoft Dynamics Information Disclosure Vulnerability

MS PT Extended: CVE-2025-30391 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

58. Information Disclosure - Microsoft Power Apps (CVE-2025-47733) - Medium [362]

Description: Microsoft Power Apps Information Disclosure Vulnerability

MS PT Extended: CVE-2025-47733 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

59. Remote Code Execution - MS-EVEN RPC (CVE-2025-29969) - Medium [357]

Description: MS-EVEN RPC Remote Code Execution Vulnerability

60. Remote Code Execution - Microsoft SharePoint Server (CVE-2025-30382) - Medium [357]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

61. Elevation of Privilege - Document Intelligence Studio On-Prem (CVE-2025-30387) - Medium [354]

Description: Document Intelligence Studio On-Prem Elevation of Privilege Vulnerability

62. Denial of Service - Windows Remote Desktop Gateway (RD Gateway) (CVE-2025-26677) - Medium [353]

Description: Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability

63. Memory Corruption - Chromium (CVE-2025-4050) - Medium [353]

Description: Chromium: CVE-2025-4050 Out of bounds memory access in DevTools

MS PT Extended: CVE-2025-4050 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

64. Memory Corruption - Chromium (CVE-2025-4096) - Medium [353]

Description: Chromium: CVE-2025-4096 Heap buffer overflow in HTML

MS PT Extended: CVE-2025-4096 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

65. Information Disclosure - Windows Installer (CVE-2025-29837) - Medium [352]

Description: Windows Installer Information Disclosure Vulnerability

66. Information Disclosure - Windows Trusted Runtime Interface Driver (CVE-2025-29829) - Medium [352]

Description: Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability

67. Remote Code Execution - Microsoft SharePoint Server (CVE-2025-30378) - Medium [345]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability

68. Remote Code Execution - Microsoft SharePoint Server (CVE-2025-30384) - Medium [345]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability

69. Remote Code Execution - Microsoft Virtual Machine Bus (VMBus) (CVE-2025-29833) - Medium [345]

Description: Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability

Qualys: CVE-2025-29833: Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability The Microsoft Virtual Machine Bus (VMBus) is a virtual communication channel used within the Microsoft Hyper-V virtualization environment. It facilitates communication and data transfer between the parent (host) and child (guest) partitions, enabling virtual machines (VMs) to access and interact with resources on the host system. Time-of-check time-of-use (toctou) race condition in Windows Virtual Machine Bus could allow an authenticated attacker to achieve remote code execution.

70. Information Disclosure - Windows SMB (CVE-2025-29956) - Medium [341]

Description: Windows SMB Information Disclosure Vulnerability

71. Memory Corruption - Chromium (CVE-2025-4372) - Medium [341]

Description: Chromium: CVE-2025-4372 Use after free in WebAudio

MS PT Extended: CVE-2025-4372 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

72. Security Feature Bypass - UrlMon (CVE-2025-29842) - Medium [339]

Description: UrlMon Security Feature Bypass Vulnerability

73. Information Disclosure - Microsoft msagsfeedback.azurewebsites.net (CVE-2025-33072) - Medium [338]

Description: Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability

MS PT Extended: CVE-2025-33072 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

74. Elevation of Privilege - Microsoft Brokering File System (CVE-2025-29970) - Medium [330]

Description: Microsoft Brokering File System Elevation of Privilege Vulnerability

75. Elevation of Privilege - Microsoft PC Manager (CVE-2025-29975) - Medium [330]

Description: Microsoft PC Manager Elevation of Privilege Vulnerability

76. Elevation of Privilege - Microsoft SharePoint Server (CVE-2025-29976) - Medium [330]

Description: Microsoft SharePoint Server Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

77. Denial of Service - Windows Deployment Services (CVE-2025-29957) - Medium [329]

Description: Windows Deployment Services Denial of Service Vulnerability

78. Denial of Service - Windows Lightweight Directory Access Protocol (LDAP) (CVE-2025-29954) - Medium [329]

Description: Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

79. Denial of Service - Windows Remote Desktop Gateway (RD Gateway) (CVE-2025-30394) - Medium [329]

Description: Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability

80. Information Disclosure - Windows Multiple UNC Provider Driver (CVE-2025-29839) - Medium [329]

Description: Windows Multiple UNC Provider Driver Information Disclosure Vulnerability

81. Information Disclosure - Microsoft Power Automate Desktop (CVE-2025-29817) - Medium [326]

Description: Microsoft Power Automate Desktop Information Disclosure Vulnerability

MS PT Extended: CVE-2025-29817 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

82. Remote Code Execution - Visual Studio (CVE-2025-32702) - Medium [323]

Description: Visual Studio Remote Code Execution Vulnerability

Tenable: CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability

Tenable: CVE-2025-32702 is a RCE vulnerability in Visual Studio. It was assigned a CVSSv3 score of 7.8 and rated as Important. Microsoft notes that the attack vector for this vulnerability is local, and that an unauthenticated attacker could exploit this flaw in order to execute code. This is the third RCE vulnerability in Visual Studio that was patched in 2025.

Rapid7: Today, all current versions of Visual Studio 2022 and 2019 receive patches for CVE-2025-32702, a zero-day RCE where exploitation requires the user to download and open a malicious file. There is nothing obviously remarkable about this, although Microsoft is aware of public disclosure. As usual for a malicious file/link vuln, the word Remote here refers to the location of the attacker, even though exploitation is set in motion by local user action.

83. Elevation of Privilege - Microsoft Azure File Sync (CVE-2025-29973) - Medium [318]

Description: Microsoft Azure File Sync Elevation of Privilege Vulnerability

84. Elevation of Privilege - Universal Print Management Service (CVE-2025-29841) - Medium [318]

Description: Universal Print Management Service Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

85. Spoofing - Microsoft Edge (CVE-2025-29825) - Medium [311]

Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability

MS PT Extended: CVE-2025-29825 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

86. Denial of Service - Web Threat Defense (WTD.sys) (CVE-2025-29971) - Medium [303]

Description: Web Threat Defense (WTD.sys) Denial of Service Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

87. Denial of Service - Windows Hyper-V (CVE-2025-29955) - Medium [296]

Description: Windows Hyper-V Denial of Service Vulnerability

88. Security Feature Bypass - Visual Studio Code (CVE-2025-21264) - Medium [294]

Description: Visual Studio Code Security Feature Bypass Vulnerability

89. Denial of Service - Active Directory Certificate Services (AD CS) (CVE-2025-29968) - Medium [291]

Description: Active Directory Certificate Services (AD CS) Denial of Service Vulnerability

90. Information Disclosure - Visual Studio (CVE-2025-32703) - Medium [269]

Description: Visual Studio Information Disclosure Vulnerability

91. Elevation of Privilege - Microsoft Dataverse (CVE-2025-29826) - Medium [268]

Description: Microsoft Dataverse Elevation of Privilege Vulnerability

92. Spoofing - .NET, Visual Studio, and Build Tools for Visual Studio (CVE-2025-26646) - Medium [250]

Description: .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability

93. Spoofing - Microsoft Defender for Identity (CVE-2025-26685) - Medium [238]

Description: Microsoft Defender for Identity Spoofing Vulnerability

Qualys: CVE-2025-26685: Microsoft Defender for Identity Spoofing Vulnerability Microsoft Defender for Identity is a cloud-based security solution that helps organizations monitor and secure their identities across hybrid environments. It enhances security by providing an identity-centric approach to threat detection, leveraging data from on-premises Active Directory and cloud-based identities. The improper authentication vulnerability could allow an unauthenticated attacker with LAN access to perform spoofing over an adjacent network.

Qualys: CVE-2025-26685: Microsoft Defender for Identity Spoofing Vulnerability This vulnerability has a CVSS:  3.1 6.5 / 5.7 Policy Audit Control IDs (CIDs): 10968 Network access: Restrict clients allowed to make remote calls to SAM 2181  Current list of Groups and User Accounts granted the ‘Access this computer from the network’ right The following QQL will return a posture assessment for the CIDs for this Patch Tuesday: control.id: [10968, 2181] The next Patch Tuesday is June 10, and we will be back with details and patch analysis then. Until then, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches’ webinar.

Tenable: CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability

Tenable: CVE-2025-26685 is a spoofing vulnerability in Microsoft Defender for Identity. It was assigned a CVSSv3 score of 6.5 and is rated as Important. This vulnerability allows an unauthenticated attacker with Local Area Network (LAN) access to perform a spoofing attack. According to Microsoft, this vulnerability was disclosed prior to patches being made available.

Rapid7: Today sees the publication of CVE-2025-26685, a zero-day spoofing vulnerability in Microsoft Defender for Identity. The advisory provides puzzle pieces which don’t by themselves add up to anything like a full explanation of the vulnerability; no action is required for remediation, but you can render yourself vulnerable if you insist by opening a case with Microsoft Support to re-enable the legacy NTLM authentication method.

Low (0)

Exploitation in the wild detected (5)

Elevation of Privilege (4)

• Microsoft DWM Core Library (CVE-2025-30400)

Qualys: CVE-2025-30400: Microsoft DWM Core Library Elevation of Privilege Vulnerability The Microsoft Desktop Window Manager (DWM) Core Library is a crucial system component in Windows that manages the display of all visual elements on a computer screen. The use-after-free vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CISA added the CVE-2025-30400 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.

Tenable: Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)

Tenable: CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability

Tenable: CVE-2025-30400 is an EoP vulnerability in the Windows Desktop Windows Manager (DWM) Core library. It was assigned a CVSSv3 score of 7.8 and is rated as important. Microsoft notes that it was exploited as a zero-day. Successful exploitation would allow an attacker to elevate their privileges by exploiting a use after free flaw.

Rapid7: If proof were needed that elevation of privilege to SYSTEM will never go out of style, today sees the publication of CVE-2025-30400, which is a zero-day vulnerability in the Windows Desktop Window Manager (DWM). As it happens, tomorrow marks the one-year anniversary of CVE-2024-30051, a previous zero-day EoP vulnerability in DWM.

ZDI: CVE-2025-30400 - Microsoft DWM Core Library Elevation of Privilege Vulnerability. This is the final in-the-wild bug getting patched this month, and although we saw it patched back in January, this is the first exploit we’ve seen in this component in some time. This is another privilege escalation bug that leads to executing code as SYSTEM. All of the EoP bugs are commonly used in phishing and ransomware, so don’t let their lower severity fool you. Definitely test and deploy these patches quickly.

• Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706)

Qualys: CVE-2025-32701: Windows Common Log File System Driver Elevation of Privilege Vulnerability The Windows Common Log File System (CLFS) is a high-performance, general-purpose logging subsystem used by kernel and user-mode applications. It’s designed for building transactional logs and is frequently employed in applications like database systems, messaging systems, and online transactional processing (OLTP). The use-after-free vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CISA added the CVE-2025-32701 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.

Qualys: CVE-2025-32706: Windows Common Log File System Driver Elevation of Privilege Vulnerability The improper input validation vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CISA added the CVE-2025-32706 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.

Tenable: Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)

Tenable: CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerabilities

Tenable: CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 are EoP vulnerabilities in the Windows Common Log File System (CLFS) Driver. Each was assigned a CVSSv3 score of 7.8 and are rated as important. Both CVE-2025-32701 and CVE-2025-32706 were exploited in the wild as zero-days while CVE-2025-30385 is assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

Rapid7: Neither CVE-2025-32701 nor CVE-2025-32706 are the first zero-day vulnerabilities in the Windows Common Log File Driver System; indeed, they are the latest members of an ongoing dynasty where exploitation typically leads to elevation of privilege to SYSTEM. Credit where credit is due: recent disclosures by Microsoft’s own Threat Intelligence Center (MSTIC), including this month’s CVE-2025-32701, demonstrate that Microsoft is putting serious effort into detecting and rooting out CLFS exploitation. Of course, since Microsoft is aware of exploitation in the wild, we know that someone else got there first, and there’s no reason to suspect that threat actors will stop looking for ways to abuse CLFS any time soon.

ZDI: CVE-2025-32701/CVE-2025-32706 - Windows Common Log File System Driver Elevation of Privilege Vulnerability. This Windows component has been through the ringer, as it was also exploited in the previous months by other groups. These bugs allow privilege escalation to SYSTEM and are usually paired with a code execution bug to take over a system. In the past, these types of bugs were used by ransomware gangs, so it’s likely these are as well. Test and deploy quickly.

• Windows Ancillary Function Driver for WinSock (CVE-2025-32709)

Qualys: CVE-2025-32709: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability  The Windows Ancillary Function Driver (AFD) is a kernel-mode driver that serves as the entry point for the Windows Sockets (Winsock) API. It handles the low-level details of network communication, acting as a bridge between applications using the Winsock API and the network stack. The use-after-free vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CISA added the CVE-2025-32709 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.

Tenable: CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Tenable: CVE-2025-32709 is a EoP vulnerability in the Windows Ancillary Function Driver for WinSock. It was assigned a CVSSv3 score of 7.8 and rated as Important. An authenticated attacker can leverage this vulnerability to elevate their privileges to administrator by exploiting a user after free condition. Microsoft notes that this vulnerability was exploited in the wild as a zero-day, the second to be exploited in 2025, preceded by CVE-2025-21418 which was addressed in February’s Patch Tuesday release.

Rapid7: Regular Patch Tuesday watchers will recognize the Ancillary Function Driver for Winsock, which is the site of CVE-2025-32709, an elevation of privilege vulnerability for which Microsoft is aware of exploitation. In something of a break with tradition for Patch Tuesday zero-day EoP vulnerabilities, exploitation only leads to administrator privileges rather than all the way to SYSTEM, but no attacker is going to waste too many cycles feeling sad about that.

ZDI: CVE-2025-32709 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. Speaking of reruns, we also saw this component exploited in the wild back in February of this year. When we see the same component exploited again and again, I begin to question the quality of the patches and wonder if they are being bypassed. Again, we have a privilege escalation bug here leading to SYSTEM privileges.

Memory Corruption (1)

• Scripting Engine (CVE-2025-30397)

Qualys: CVE-2025-30397: Scripting Engine Memory Corruption Vulnerability A scripting engine is a software component that interprets and executes instructions written in a scripting language. It’s essentially a runtime environment that processes scripts, allowing them to interact with an application or system.  An attacker must convince an authenticated user to click a link to initiate remote code execution. Successful exploitation of the vulnerability may allow an unauthenticated attacker to execute code over a network. CISA added the CVE-2025-30397 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before June 3, 2025.

Tenable: CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability

Tenable: CVE-2025-30397 is a memory corruption vulnerability in Microsoft Scripting Engine that can be exploited to achieve arbitrary code execution on a target machine. It was assigned a CVSSv3 score of 7.5 and is rated as Important. The attack complexity is rated as high, and Microsoft notes the target must first be running Microsoft Edge in Internet Explorer mode. Successful exploitation requires the user to click on a crafted URL. This vulnerability was reportedly exploited in the wild as a zero-day.

Rapid7: In the majority of cases, the CVSSv3 base score provides a solid sense of the severity of a vulnerability. Sometimes, however, even a correct CVSS assessment can disguise the potential impact of a specific vulnerability. This arguably the case with CVE-2025-30397, a zero-day RCE vulnerability in the Windows Scripting Engine with a healthy but unremarkable CVSSv3 base score of 7.5. Microsoft is aware of exploitation in the wild. It’s certainly not the worst of the worst — we save that level of alarm for pre-authentication RCE with no requirement for user interaction — and Microsoft assesses attack complexity as high, which is arguably correct. And yet…. The advisory FAQ for CVE-2025-30397 explains that successful exploitation requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode, and then causes the user to click a malicious link; there is no mention of a requirement for the user to actively reload the page in Internet Explorer Mode, so we must assume that exploitation requires only that the “Allow sites to be reloaded in Internet Explorer” option is enabled. Users who are most likely to require Internet Explorer compatibility mode in 2025 are surely users at enterprise organizations, where critical business workflows still depend on applications from the dinosaur days when Internet Explorer ruled the roost. No doubt the concept of a plan for migration of all of these applications exists, buried several layers deep in a dusty backlog, but Microsoft would hardly be offering IE compatibility mode until at least 2029 if it didn’t know that a huge swathe of its customer base demands it.

ZDI: CVE-2025-30397 - Scripting Engine Memory Corruption Vulnerability. This bug allows a remote attacker to execute their code on an affected system if they can convince a user to click a specially crafted link. Since this is in the wild, clearly someone clicked that link. This bug is interesting in that it forces Edge into Internet Explorer mode, so the ghost of IE continues to haunt us all. Microsoft provides no information on how widespread these attacks are, but I would go ahead and test and deploy this fix quickly.

Public exploit exists, but exploitation in the wild is NOT detected (0)

Other Vulnerabilities (88)

Elevation of Privilege (20)

• Azure Automation (CVE-2025-29827)

MS PT Extended: CVE-2025-29827 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Azure DevOps Server (CVE-2025-29813)

MS PT Extended: CVE-2025-29813 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Azure Bot Framework SDK (CVE-2025-30389)

MS PT Extended: CVE-2025-30389 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Azure Virtual Desktop (CVE-2025-21416)

MS PT Extended: CVE-2025-21416 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Azure AI bot (CVE-2025-30392)

MS PT Extended: CVE-2025-30392 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Kernel Streaming Service Driver (CVE-2025-24063)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

• Windows Common Log File System Driver (CVE-2025-30385)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

Tenable: CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerabilities

Tenable: CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 are EoP vulnerabilities in the Windows Common Log File System (CLFS) Driver. Each was assigned a CVSSv3 score of 7.8 and are rated as important. Both CVE-2025-32701 and CVE-2025-32706 were exploited in the wild as zero-days while CVE-2025-30385 is assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

• Windows NTFS (CVE-2025-32707)
• Azure ML Compute (CVE-2025-30390)

MS PT Extended: CVE-2025-30390 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Microsoft Defender (CVE-2025-26684)
• Microsoft Windows Hardware Lab Kit (HLK) (CVE-2025-27488)
• Windows ExecutionContext Driver (CVE-2025-29838)
• Windows Kernel-Mode Driver (CVE-2025-27468)
• Document Intelligence Studio On-Prem (CVE-2025-30387)
• Microsoft Brokering File System (CVE-2025-29970)
• Microsoft PC Manager (CVE-2025-29975)
• Microsoft SharePoint Server (CVE-2025-29976)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

• Microsoft Azure File Sync (CVE-2025-29973)
• Universal Print Management Service (CVE-2025-29841)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

• Microsoft Dataverse (CVE-2025-29826)

Remote Code Execution (30)

• Azure Functions (CVE-2025-33074)

MS PT Extended: CVE-2025-33074 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Microsoft Edge (CVE-2025-29834)

MS PT Extended: CVE-2025-29834 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Windows Media (CVE-2025-29840, CVE-2025-29962, CVE-2025-29963, CVE-2025-29964)
• Windows Remote Desktop Client (CVE-2025-29966, CVE-2025-29967)

Qualys: CVE-2025-29966 & CVE-2025-29967: Remote Desktop Client Remote Code Execution Vulnerability A Remote Desktop Protocol client is a software application that allows users to connect to and control a remote computer or server, using a secure network connection. It essentially enables users to operate a remote machine as if they were physically sitting in front of it. The heap-based buffer overflow vulnerability may allow an unauthenticated attacker to execute code remotely.

• Microsoft Office (CVE-2025-30377, CVE-2025-30386)

Qualys: CVE-2025-30377 & CVE-2025-30386: Microsoft Office Remote Code Execution Vulnerability The use-after-free vulnerability could allow an unauthenticated attacker to achieve remote code execution.

• Windows Graphics Component (CVE-2025-30388)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

• Windows Remote Desktop Services (CVE-2025-29831)
• Microsoft Dataverse (CVE-2025-47732)

MS PT Extended: CVE-2025-47732 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Microsoft Excel (CVE-2025-29977, CVE-2025-29979, CVE-2025-30375, CVE-2025-30376, CVE-2025-30379, CVE-2025-30381, CVE-2025-30383, CVE-2025-30393, CVE-2025-32704)
• Microsoft Outlook (CVE-2025-32705)
• Microsoft PowerPoint (CVE-2025-29978)
• MS-EVEN RPC (CVE-2025-29969)
• Microsoft SharePoint Server (CVE-2025-30378, CVE-2025-30382, CVE-2025-30384)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

• Microsoft Virtual Machine Bus (VMBus) (CVE-2025-29833)

Qualys: CVE-2025-29833: Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability The Microsoft Virtual Machine Bus (VMBus) is a virtual communication channel used within the Microsoft Hyper-V virtualization environment. It facilitates communication and data transfer between the parent (host) and child (guest) partitions, enabling virtual machines (VMs) to access and interact with resources on the host system. Time-of-check time-of-use (toctou) race condition in Windows Virtual Machine Bus could allow an authenticated attacker to achieve remote code execution.

• Visual Studio (CVE-2025-32702)

Tenable: CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability

Tenable: CVE-2025-32702 is a RCE vulnerability in Visual Studio. It was assigned a CVSSv3 score of 7.8 and rated as Important. Microsoft notes that the attack vector for this vulnerability is local, and that an unauthenticated attacker could exploit this flaw in order to execute code. This is the third RCE vulnerability in Visual Studio that was patched in 2025.

Rapid7: Today, all current versions of Visual Studio 2022 and 2019 receive patches for CVE-2025-32702, a zero-day RCE where exploitation requires the user to download and open a malicious file. There is nothing obviously remarkable about this, although Microsoft is aware of public disclosure. As usual for a malicious file/link vuln, the word Remote here refers to the location of the attacker, even though exploitation is set in motion by local user action.

Security Feature Bypass (3)

• Chromium (CVE-2025-4052)

MS PT Extended: CVE-2025-4052 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• UrlMon (CVE-2025-29842)
• Visual Studio Code (CVE-2025-21264)

Authentication Bypass (1)

• Chromium (CVE-2025-4051)

MS PT Extended: CVE-2025-4051 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

Spoofing (4)

• Azure Storage Resource Provider (CVE-2025-29972)

MS PT Extended: CVE-2025-29972 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Microsoft Edge (CVE-2025-29825)

MS PT Extended: CVE-2025-29825 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• .NET, Visual Studio, and Build Tools for Visual Studio (CVE-2025-26646)
• Microsoft Defender for Identity (CVE-2025-26685)

Qualys: CVE-2025-26685: Microsoft Defender for Identity Spoofing Vulnerability Microsoft Defender for Identity is a cloud-based security solution that helps organizations monitor and secure their identities across hybrid environments. It enhances security by providing an identity-centric approach to threat detection, leveraging data from on-premises Active Directory and cloud-based identities. The improper authentication vulnerability could allow an unauthenticated attacker with LAN access to perform spoofing over an adjacent network.

Qualys: CVE-2025-26685: Microsoft Defender for Identity Spoofing Vulnerability This vulnerability has a CVSS:  3.1 6.5 / 5.7 Policy Audit Control IDs (CIDs): 10968 Network access: Restrict clients allowed to make remote calls to SAM 2181  Current list of Groups and User Accounts granted the ‘Access this computer from the network’ right The following QQL will return a posture assessment for the CIDs for this Patch Tuesday: control.id: [10968, 2181] The next Patch Tuesday is June 10, and we will be back with details and patch analysis then. Until then, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches’ webinar.

Tenable: CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability

Tenable: CVE-2025-26685 is a spoofing vulnerability in Microsoft Defender for Identity. It was assigned a CVSSv3 score of 6.5 and is rated as Important. This vulnerability allows an unauthenticated attacker with Local Area Network (LAN) access to perform a spoofing attack. According to Microsoft, this vulnerability was disclosed prior to patches being made available.

Rapid7: Today sees the publication of CVE-2025-26685, a zero-day spoofing vulnerability in Microsoft Defender for Identity. The advisory provides puzzle pieces which don’t by themselves add up to anything like a full explanation of the vulnerability; no action is required for remediation, but you can render yourself vulnerable if you insist by opening a case with Microsoft Support to re-enable the legacy NTLM authentication method.

Memory Corruption (5)

• Chromium (CVE-2025-3619, CVE-2025-3620, CVE-2025-4050, CVE-2025-4096, CVE-2025-4372)

MS PT Extended: CVE-2025-3619 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

MS PT Extended: CVE-2025-4050 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

MS PT Extended: CVE-2025-4372 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

MS PT Extended: CVE-2025-3620 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

MS PT Extended: CVE-2025-4096 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

Information Disclosure (18)

• Windows Kernel (CVE-2025-29974)
• Windows Remote Access Connection Manager (CVE-2025-29835)
• Windows Routing and Remote Access Service (RRAS) (CVE-2025-29830, CVE-2025-29832, CVE-2025-29836, CVE-2025-29958, CVE-2025-29959, CVE-2025-29960, CVE-2025-29961)
• Microsoft Dynamics (CVE-2025-30391)

MS PT Extended: CVE-2025-30391 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Microsoft Power Apps (CVE-2025-47733)

MS PT Extended: CVE-2025-47733 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Windows Installer (CVE-2025-29837)
• Windows Trusted Runtime Interface Driver (CVE-2025-29829)
• Windows SMB (CVE-2025-29956)
• Microsoft msagsfeedback.azurewebsites.net (CVE-2025-33072)

MS PT Extended: CVE-2025-33072 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Windows Multiple UNC Provider Driver (CVE-2025-29839)
• Microsoft Power Automate Desktop (CVE-2025-29817)

MS PT Extended: CVE-2025-29817 was published before May 2025 Patch Tuesday from 2025-04-09 to 2025-05-12

• Visual Studio (CVE-2025-32703)

Denial of Service (7)

• Windows Remote Desktop Gateway (RD Gateway) (CVE-2025-26677, CVE-2025-30394)
• Windows Deployment Services (CVE-2025-29957)
• Windows Lightweight Directory Access Protocol (LDAP) (CVE-2025-29954)
• Web Threat Defense (WTD.sys) (CVE-2025-29971)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24063 is an elevation privilege vulnerability in the Kernel Streaming Service Driver. The heap-based buffer overflow vulnerability could allow an authenticated attacker to gain SYSTEM privileges. CVE-2025-30388 is a remote code execution vulnerability in Windows Graphics Component. The heap-based buffer overflow vulnerability could allow an unauthenticated attacker to achieve remote code execution. CVE-2025-30385 is an elevation privilege vulnerability in the Windows Common Log File System Driver. Upon successful exploitation, an authenticated attacker could potentially gain the ability to crash the system. CVE-2025-29841 is an elevation privilege vulnerability in the Universal Print Management Service. Successful exploitation of the vulnerability requires an attacker to win a race condition. Upon successful exploitation of the vulnerability, an authenticated attacker could elevate privileges locally. CVE-2025-29971 is a denial of service vulnerability in Web Threat Defense (WTD.sys). Successful exploitation of the vulnerability could allow an unauthenticated attacker to deny service over a network. CVE-2025-29976 is an elevation of privilege vulnerability in Microsoft SharePoint Server. An improper privilege management flaw could allow an authenticated attacker to elevate privileges locally. CVE-2025-30382 is a remote code execution vulnerability in Microsoft SharePoint Server. The deserialization of untrusted data could allow an unauthenticated attacker to achieve remote code execution.

• Windows Hyper-V (CVE-2025-29955)
• Active Directory Certificate Services (AD CS) (CVE-2025-29968)