May 2025 Patch Tuesday: Zero-Days and Critical Bugs in Windows, Azure


Microsoft’s May 2025 Patch Tuesday update addresses 78 security flaws, including five zero-day vulnerabilities that are being actively exploited. A separate flaw, rated CVSS 10.0, affects Azure DevOps Server.

On May 13, 2025, Microsoft rolled out its latest security updates covering a wide range of products and services. In total, 78 vulnerabilities were patched: 11 rated Critical, 66 Important, and one Low. This update follows eight fixes released for the Chromium-based Microsoft Edge browser since last month’s Patch Tuesday.

Among the 78 flaws, 28 allow remote code execution (RCE), 21 allow privilege escalation, and 16 lead to information disclosure. The most pressing part of the release is the five zero-day vulnerabilities that attackers are already exploiting in the wild.

Five Zero-Day Vulnerabilities

These are the five zero-days confirmed to be under active attack:

  • CVE-2025-30397 (CVSS 7.5): Scripting Engine Memory Corruption Vulnerability

  • CVE-2025-30400 (CVSS 7.8): Privilege Escalation in Desktop Window Manager (DWM) Core Library

  • CVE-2025-32701 (CVSS 7.8): Privilege Escalation in Windows Common Log File System (CLFS) Driver

  • CVE-2025-32706 (CVSS 7.8): Another CLFS Driver Privilege Escalation Vulnerability

  • CVE-2025-32709 (CVSS 7.8): Privilege Escalation in Windows Ancillary Function Driver (AFD) for WinSock

Microsoft’s internal threat intelligence team discovered the first three vulnerabilities. The fourth was reported by researchers at Google Threat Intelligence and CrowdStrike. The fifth was disclosed by an anonymous security researcher.

Zero-Day in Scripting Engine Raises Major Concerns

CVE-2025-30397 affects Microsoft’s Scripting Engine, used in Internet Explorer and IE mode in Edge. According to Alex Vovk, CEO of Action1, attackers can exploit this flaw by tricking users into visiting a malicious web page or executing a harmful script. This leads to memory corruption and remote code execution.

If an attacker successfully exploits this bug on a system where the user has administrative rights, they can take full control—leading to data theft, malware deployment, and internal network compromise.

Ongoing Exploits in Desktop Window Manager

The DWM Core Library, used in rendering visual effects in Windows, is once again a target. CVE-2025-30400 is the third DWM zero-day flaw exploited in the wild since 2023. Microsoft previously fixed similar bugs—CVE-2024-30051 and CVE-2023-36033.

As Tenable’s Satnam Narang pointed out, since 2022, Microsoft has patched 26 privilege escalation bugs in DWM, showing how persistent attackers have been in targeting this component.

CLFS and WinSock Also Under Fire

CVE-2025-32701 and CVE-2025-32706 are the seventh and eighth privilege escalation flaws in the Windows Common Log File System (CLFS) driver to be exploited in the wild since 2022. CLFS bugs are attractive to attackers because the driver runs in the kernel and is reachable from any local user context, making them a reliable step from initial access to SYSTEM.

Last month, Microsoft reported that CVE-2025-29824, another CLFS zero-day, was used in targeted attacks against organizations in the U.S., Venezuela, Spain, and Saudi Arabia. Broadcom’s Symantec linked that activity to the Play ransomware group.

Meanwhile, CVE-2025-32709 is the third zero-day in the Ancillary Function Driver for WinSock exploited in the last 12 months, after CVE-2024-38193 (patched in August 2024) and CVE-2025-21418 (patched in February 2025). CVE-2024-38193 has been tied to the North Korea-based Lazarus Group, known for high-profile cyber-espionage and financially motivated attacks, including ransomware.


CISA Adds All Five Zero-Days to Its KEV Catalog

Due to the active exploitation of these flaws, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all five to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch agencies are required to apply the patches by June 3, 2025; organizations outside that mandate commonly use the same due dates as a patching SLA.
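As an added example, not part of the original article, the following Python script shows how a patching team can turn the KEV listing into a prioritized worklist: it parses a feed in the shape of CISA’s JSON catalog, looks up the CVEs named in this article, and computes how many days remain until each due date. The embedded feed is a constructed sample written for this example (field names follow the KEV schema; the records are not a copy of the live feed), and the function names are this example’s own.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names follow the feed's schema; the records are sample data for this example.
def _rec(cve, product, name, added, due, ransomware="Unknown"):
    return {"cveID": cve, "vendorProject": "Microsoft", "product": product,
            "vulnerabilityName": name, "dateAdded": added, "shortDescription": name,
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "dueDate": due, "knownRansomwareCampaignUse": ransomware, "notes": ""}

SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (sample)",
    "catalogVersion": "sample", "count": 6,
    "vulnerabilities": [
        _rec("CVE-2025-30397", "Windows", "Scripting Engine Memory Corruption", "2025-05-13", "2025-06-03"),
        _rec("CVE-2025-30400", "Windows", "DWM Core Library Privilege Escalation", "2025-05-13", "2025-06-03"),
        _rec("CVE-2025-32701", "Windows", "CLFS Driver Privilege Escalation", "2025-05-13", "2025-06-03"),
        _rec("CVE-2025-32706", "Windows", "CLFS Driver Privilege Escalation", "2025-05-13", "2025-06-03"),
        _rec("CVE-2025-32709", "Windows", "AFD for WinSock Privilege Escalation", "2025-05-13", "2025-06-03"),
        # Last month's CLFS zero-day, used by Play ransomware: flagged as ransomware-linked.
        _rec("CVE-2025-29824", "Windows", "CLFS Driver Privilege Escalation", "2025-04-08", "2025-04-29", "Known"),
    ],
})


def load_kev(feed_text):
    """Index a KEV feed document by CVE ID."""
    data = json.loads(feed_text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def triage(kev, cve_ids, today):
    """For each CVE of interest, report whether it is listed in KEV, the due date,
    days left until that date (negative means overdue) and ransomware linkage.
    Rows are ordered most urgent first; CVEs not in KEV come last."""
    rows = []
    for cve in cve_ids:
        entry = kev.get(cve)
        if entry is None:
            rows.append({"cve": cve, "in_kev": False, "due": None,
                         "days_left": None, "ransomware": None})
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({"cve": cve, "in_kev": True, "due": due.isoformat(),
                     "days_left": (due - today).days,
                     "ransomware": entry["knownRansomwareCampaignUse"]})
    rows.sort(key=lambda r: (not r["in_kev"], r["days_left"] if r["in_kev"] else 0, r["cve"]))
    return rows


def overdue(rows):
    """CVEs whose KEV due date has already passed."""
    return [r["cve"] for r in rows if r["in_kev"] and r["days_left"] < 0]


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    wanted = ["CVE-2025-30397", "CVE-2025-30400", "CVE-2025-32701", "CVE-2025-32706",
              "CVE-2025-32709", "CVE-2025-29824", "CVE-2025-29813"]
    for row in triage(kev, wanted, date(2025, 5, 20)):
        print(row)
```

In production the feed text would come from the CISA URL above rather than the embedded sample, and the CVE list from the vulnerability scanner; everything else stays the same. CVE-2025-29813 is included deliberately: a CVSS 10.0 rating does not by itself put a flaw in KEV, so the script reports it as unlisted rather than silently dropping it.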

Other Noteworthy Fixes

One notable fix is CVE-2025-29813, a privilege escalation bug in Azure DevOps Server rated CVSS 10.0, which allows unauthorized users to gain elevated privileges over a network. Microsoft says the flaw has already been fully mitigated in the cloud-hosted Azure DevOps service, and no customer action is needed there.

Another issue patched is CVE-2025-26684, a local privilege escalation bug in Microsoft Defender for Endpoint on Linux. Reported by Rich Mirch of Stratascale, the vulnerability stems from a function, grab_java_version(), in a Python script that runs with root privileges and may execute a Java binary an unprivileged local user controls, giving that user code execution as root.
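The bug class described above, a privileged script executing a binary it did not verify, is common enough to be worth showing in code. The following Python is an added illustration written for this article, not Defender’s code: the page does not show the actual grab_java_version() logic, so the vulnerable and hardened functions, the check routine, and the trusted prefix list are all assumptions for the example. The hardened version refuses to run anything that does not resolve under an administrator-chosen prefix, or that any directory along the way, or the file itself, could have been modified by someone other than the trusted owner.

```python
import os
import stat
import subprocess
from pathlib import Path

# Assumed for this example: locations an administrator trusts to hold a JVM.
TRUSTED_PREFIXES = ("/usr/lib/jvm", "/usr/bin", "/opt")


def grab_java_version_unsafe(java_path):
    """Vulnerable pattern (illustrative, not Defender's code): execute whatever
    'java' was discovered, without asking who controls that file. Run as root,
    this gives a local user root code execution if java_path lives somewhere
    they can write, such as a home directory or a world-writable directory."""
    proc = subprocess.run([java_path, "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout   # 'java -version' writes to stderr


def check_privileged_binary(path, trusted_uid=0, trusted_prefixes=TRUSTED_PREFIXES):
    """Return (ok, reason). A binary is safe for a privileged process to execute
    only if it resolves under a trusted prefix and every directory from that
    prefix down, plus the file itself, is owned by trusted_uid and is not
    group- or world-writable."""
    p = Path(path)
    if not p.is_absolute():
        return False, "path is not absolute"
    try:
        real = p.resolve(strict=True)      # follow symlinks; reject dangling ones
    except (FileNotFoundError, RuntimeError):
        return False, "path does not exist"
    prefix = None
    for t in trusted_prefixes:
        tp = Path(t).resolve()
        if real == tp or tp in real.parents:
            prefix = tp
            break
    if prefix is None:
        return False, f"{real} is outside the trusted prefixes"
    # Directories from the prefix downward, root-most first, then the file.
    chain = [d for d in list(real.parents)[::-1] if d == prefix or prefix in d.parents]
    for component in chain + [real]:
        st = component.lstat()
        if st.st_uid != trusted_uid:
            return False, f"{component} is not owned by uid {trusted_uid}"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False, f"{component} is group/world writable"
    if not real.is_file():
        return False, f"{real} is not a regular file"
    if not os.access(real, os.X_OK):
        return False, f"{real} is not executable"
    return True, "ok"


def grab_java_version_safe(java_path, trusted_uid=0, trusted_prefixes=TRUSTED_PREFIXES):
    """Hardened pattern: validate the binary before a privileged process runs it."""
    ok, reason = check_privileged_binary(java_path, trusted_uid, trusted_prefixes)
    if not ok:
        raise PermissionError(f"refusing to run {java_path}: {reason}")
    proc = subprocess.run([java_path, "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    for candidate in ("/usr/bin/java", "/tmp/java", "java"):
        print(candidate, "->", check_privileged_binary(candidate))
```

The ownership and write-bit walk matters as much as the prefix check: a root-owned java binary inside a directory the attacker can rename or replace is no safer than one in /tmp. Passing trusted_uid and trusted_prefixes as parameters is only so the check can be exercised against a scratch directory as an unprivileged user; a real root-run script would keep the defaults.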

Also addressed is CVE-2025-26685, a spoofing vulnerability in Microsoft Defender for Identity. An attacker with access to the local network could trigger NTLM fallback in the Defender for Identity sensor and capture the Net-NTLM hash of the Directory Service Account (DSA) it uses. Because that account has read access across the domain, a captured hash could be cracked or relayed and lead to further lateral movement in corporate networks.

Security Updates from Other Vendors

In addition to Microsoft, several major vendors have released critical security patches this month, including:

  • Apple, Google (Android, Chrome, Pixel, Cloud, Wear OS), Adobe, Amazon, Intel, AMD

  • VMware (Broadcom), Cisco, Palo Alto Networks, Fortinet, F5, Dell, Lenovo, HP

  • Linux vendors (Red Hat, Ubuntu, Debian, SUSE, Oracle, Rocky Linux, Amazon Linux)

  • Mozilla (Firefox, Thunderbird), Zoom, SAP, Siemens, Qualcomm, and more

With five zero-days under active exploitation and a bug scoring a perfect CVSS 10.0, this month’s Patch Tuesday is a high-priority update. Organizations should apply the patches immediately, especially those fixing privilege escalation and remote code execution.

For IT teams and security professionals, the first priority is the five exploited zero-days in the Scripting Engine, DWM, CLFS, and AFD for WinSock, followed by the Defender for Endpoint on Linux and Defender for Identity fixes. Azure DevOps Server administrators should confirm their deployments are covered for CVE-2025-29813; the cloud-hosted service needs no customer action.
