It’s the second Tuesday of the month, and the final patch Tuesday before Pwn2Own Berlin. I know several contestants are sweating it out and hoping their entries are patched out. While they quiver with anticipation, take a break from your scheduled activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for May 2025
For May, Adobe released an unlucky 13 bulletins addressing 40 CVEs in Adobe Cold Fusion, Lightroom, Dreamweaver, Connect, InDesign, Substance 3D Painter, Photoshop, Animate, Illustrator, Bridge, Dimension, Substance 3D Stager, and Substance 3D Modeler. One of these CVEs was submitted through the Trend ZDI program. If you need to prioritize, Cold Fusion is a great place to start. Not only does it address seven Critical and one Important bug, but Adobe lists it as priority 1 – even though there are no active attacks listed. Cold Fusion also received patches last month, so these CVEs could be a bypass of that patch.
The remaining updates are all listed as Priority 3. There are three Critical-rated bugs in Photoshop that could be triggered by opening a specially crafted file. The fix for Animate corrects five bugs, including some that result in code execution. There are six CVEs in the fix for Substance 3D Stager. However, there are only two CVEs in the patch for Substance 3D Modeler, and one in Substance 3D Painter. Despite being different products, it seems sensible to group those together. The patch for InDesign addresses three bugs, but only one of those is rated Critical. There are three CVEs in the fix for Bridge and all could lead to code execution. The patch for Adobe Connect fixes four cross-site scripting (XSS) bugs. The Adobe release for May wraps up with one Critical-rated code exec bug each for Lightroom, Dreamweaver, and Illustrator.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.
Microsoft Patches for May 2025
This month, Microsoft released a reasonable 75 new CVEs in Windows and Windows Components, Office and Office Components, .NET and Visual Studio, Azure, Nuance PowerScribe, Remote Desktop Gateway Service, and Microsoft Defender. Three of these bugs were reported through the Trend ZDI program. With the additional third-party CVEs being documented, it brings the combined total to 82 CVEs.
Of the patches released today, 12 are rated Critical, and the rest are rated Important in severity. This number of fixes isn’t unusual for May, but it does put Microsoft ahead of where they were at this point last year with regard to CVEs released. It’s also unusual to see so many Office-related bugs getting patched in a single month. Perhaps this is a harbinger of attacks we can expect to see later this year.
Microsoft lists five bugs as being under active attack at the time of release, with two others being publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with one of the vulnerabilities currently being exploited in the wild:
- CVE-2025-30397 - Scripting Engine Memory Corruption Vulnerability
This bug allows a remote attacker to execute their code on an affected system if they can convince a user to click a specially crafted link. Since this is in the wild, clearly someone clicked that link. This bug is interesting in that it forces Edge into Internet Explorer mode, so the ghost of IE continues to haunt us all. Microsoft provides no information on how widespread these attacks are, but I would go ahead and test and deploy this fix quickly.
- CVE-2025-32701/CVE-2025-32706 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
This Windows component has been through the wringer, as it was also exploited in previous months by other groups. These bugs allow privilege escalation to SYSTEM and are usually paired with a code execution bug to take over a system. In the past, these types of bugs were used by ransomware gangs, so it’s likely these are as well. Test and deploy quickly.
- CVE-2025-32709 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Speaking of reruns, we also saw this component exploited in the wild back in February of this year. When we see the same component exploited again and again, I begin to question the quality of the patches and wonder if they are being bypassed. Again, we have a privilege escalation bug here leading to SYSTEM privileges.
- CVE-2025-30400 - Microsoft DWM Core Library Elevation of Privilege Vulnerability
This is the final in-the-wild bug getting patched this month, and although we saw it patched back in January, this is the first exploit we’ve seen in this component in some time. This is another privilege escalation bug that leads to executing code as SYSTEM. All of the EoP bugs are commonly used in phishing and ransomware, so don’t let their lower severity fool you. Definitely test and deploy these patches quickly.
Here’s the full list of CVEs released by Microsoft for May 2025:
CVE | Title | Severity | CVSS | Public | Exploited | Type |
--- | --- | --- | --- | --- | --- | --- |
CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability | Important | 7.5 | No | Yes | RCE |
CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability | Important | 6.5 | Yes | No | Spoofing |
CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
CVE-2025-29827 | Azure Automation Elevation of Privilege Vulnerability | Critical | 9.9 | No | No | EoP |
CVE-2025-29813 | Azure DevOps Elevation of Privilege Vulnerability | Critical | 10 | No | No | EoP |
CVE-2025-29972 | Azure Storage Resource Provider Spoofing Vulnerability | Critical | 9.9 | No | No | Spoofing |
CVE-2025-47732 | Microsoft Dataverse Remote Code Execution Vulnerability | Critical | 8.7 | No | No | RCE |
CVE-2025-33072 | Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability | Critical | 8.1 | No | No | Info |
CVE-2025-30377 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
CVE-2025-30386 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
CVE-2025-47733 | Microsoft Power Apps Information Disclosure Vulnerability | Critical | 9.1 | No | No | Info |
CVE-2025-29833 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | Critical | 7.1 | No | No | RCE |
CVE-2025-29966 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
CVE-2025-29967 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
CVE-2025-26646 | .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability | Important | 8 | No | No | Spoofing |
CVE-2025-29968 | Active Directory Certificate Services (AD CS) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2025-30387 | Document Intelligence Studio On-Prem Elevation of Privilege Vulnerability | Important | 9.8 | No | No | EoP |
CVE-2025-24063 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-29973 † | Microsoft Azure File Sync Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-29970 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-29826 | Microsoft Dataverse Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
CVE-2025-26684 | Microsoft Defender Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP |
CVE-2025-29977 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-29979 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-30375 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-30376 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-30379 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-30381 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-30383 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-30393 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-32704 | Microsoft Excel Remote Code Execution Vulnerability | Important | 8.4 | No | No | RCE |
CVE-2025-32705 | Microsoft Outlook Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-29975 | Microsoft PC Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-29978 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-29976 † | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-30378 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 7 | No | No | RCE |
CVE-2025-30382 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-30384 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 7.4 | No | No | RCE |
CVE-2025-27488 | Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP |
CVE-2025-29969 | MS-EVEN RPC Remote Code Execution Vulnerability | Important | 7.5 | No | No | EoP |
CVE-2025-32707 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-29841 | Universal Print Management Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-29842 | UrlMon Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
CVE-2025-21264 | Visual Studio Code Security Feature Bypass Vulnerability | Important | 6.7 | No | No | SFB |
CVE-2025-32703 | Visual Studio Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-29971 | Web Threat Defense (WTD.sys) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-30385 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-29957 | Windows Deployment Services Denial of Service Vulnerability | Important | 6.2 | No | No | DoS |
CVE-2025-29838 | Windows ExecutionContext Driver Elevation of Privilege Vulnerability | Important | 7.4 | No | No | EoP |
CVE-2025-30388 | Windows Graphics Component Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-29955 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.2 | No | No | DoS |
CVE-2025-29837 | Windows Installer Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-29974 | Windows Kernel Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
CVE-2025-27468 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-29954 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | Important | 5.9 | No | No | DoS |
CVE-2025-29840 | Windows Media Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-29962 | Windows Media Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-29963 | Windows Media Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-29964 | Windows Media Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-29839 | Windows Multiple UNC Provider Driver Information Disclosure Vulnerability | Important | 4 | No | No | Info |
CVE-2025-29835 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-26677 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-30394 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | Important | 5.9 | No | No | DoS |
CVE-2025-29831 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
CVE-2025-29830 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-29832 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-29836 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-29958 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-29959 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-29960 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-29961 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-29956 | Windows SMB Information Disclosure Vulnerability | Important | 5.4 | No | No | Info |
CVE-2025-29829 | Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-4096 * | Chromium: CVE-2025-4096 Heap buffer overflow in HTML | High | N/A | No | No | RCE |
CVE-2025-4050 * | Chromium: CVE-2025-4050 Out of bounds memory access in DevTools | Medium | N/A | No | No | Info |
CVE-2025-4051 * | Chromium: CVE-2025-4051 Insufficient data validation in DevTools | Medium | N/A | No | No | RCE |
CVE-2025-4372 * | Chromium: CVE-2025-4372 Use after free in WebAudio | Medium | N/A | No | No | RCE |
CVE-2025-4052 * | Chromium: CVE-2025-4052 Inappropriate implementation in DevTools | Low | N/A | No | No | RCE |
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
† Indicates further administrative actions are required to fully address the vulnerability.
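As an added example (not part of the original post or any ZDI tooling), here is a small Python triage helper that parses the pipe-delimited table above and orders the CVEs the way this post prioritizes them: exploited in the wild first, then publicly known, then Critical severity, then descending CVSS, while also picking up the * and † markers. The embedded rows are a constructed subset copied from the table.

```python
"""Triage helper for a Patch Tuesday CVE table (added example, not ZDI's code).

Orders CVEs the way the post argues: in-the-wild exploitation first, then
public disclosure, then Critical severity, then descending CVSS. Third-party
(*) rows carry no CVSS and fall to the bottom of their severity band.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of rows copied from the May 2025 table above.
SAMPLE_TABLE = """\
CVE | Title | Severity | CVSS | Public | Exploited | Type |
CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability | Important | 6.5 | Yes | No | Spoofing |
CVE-2025-29813 | Azure DevOps Elevation of Privilege Vulnerability | Critical | 10 | No | No | EoP |
CVE-2025-29973 † | Microsoft Azure File Sync Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-4096 * | Chromium: CVE-2025-4096 Heap buffer overflow in HTML | High | N/A | No | No | RCE |
"""

@dataclass
class Cve:
    cve_id: str
    title: str
    severity: str
    cvss: Optional[float]     # None for third-party rows listed as N/A
    public: bool
    exploited: bool
    kind: str
    third_party: bool         # '*' marker: released by a third party
    needs_admin_action: bool  # '†' marker: further administrative actions required

def parse_table(text: str) -> List[Cve]:
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7 or cells[0] == "CVE":
            continue  # skip the header row and any malformed line
        raw_id = cells[0]
        cvss = None if cells[3].upper() == "N/A" else float(cells[3])
        rows.append(Cve(
            cve_id=raw_id.split()[0], title=cells[1], severity=cells[2], cvss=cvss,
            public=cells[4].lower() == "yes", exploited=cells[5].lower() == "yes",
            kind=cells[6], third_party="*" in raw_id, needs_admin_action="†" in raw_id,
        ))
    return rows

def triage_key(c: Cve):
    # Lower tuples sort first: exploited > public > Critical > higher CVSS.
    return (not c.exploited, not c.public, c.severity != "Critical", -(c.cvss or 0.0))

def prioritize(rows: List[Cve]) -> List[Cve]:
    return sorted(rows, key=triage_key)

def prioritized_ids(text: str) -> List[str]:
    return [c.cve_id for c in prioritize(parse_table(text))]

if __name__ == "__main__":
    for c in prioritize(parse_table(SAMPLE_TABLE)):
        flags = "".join(f for f, on in (("X", c.exploited), ("P", c.public), ("A", c.needs_admin_action)) if on)
        score = "N/A" if c.cvss is None else f"{c.cvss:.1f}"
        print(f"{c.cve_id:16} {c.severity:9} {score:>4} {flags:3} {c.title}")
```

Feed it the full table from this post (copied verbatim into SAMPLE_TABLE) to get the same exploited-first ordering the write-up walks through by hand.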
Moving on to the Critical-rated patches, the two that jump out are the bugs in Office that could lead to code execution. These types of bugs are usually open-and-own, but in this case the Preview Pane is listed as an attack vector. Unlike last month, there’s no user interaction required here, so simply receiving a specially crafted file in the Preview Pane would allow for code execution. There are some scary-looking bugs in Azure, including a CVSS 10(!), but these bugs have already been mitigated by Microsoft, so there’s no further action to take. That’s also true of the Dataverse and Power Apps bugs. There’s a Critical-rated information disclosure bug in Nuance PowerScribe, which is an app for radiology reporting, that could allow an attacker to gain PII. There are a couple of bugs in Remote Desktop Client, but they rely on a user connecting to a malicious RDP server. The bug in Virtual Machine Bus (VMBus) requires authentication.
Turning our attention to the other code execution bugs, we see a plethora of Office-related bugs, including nine for Excel alone. Fortunately, these are only the open-and-own variety, and the Preview Pane is not an attack vector. Beyond that, there’s a command injection bug in Visual Studio. Microsoft notes this bug is publicly known, but not under active attack. There’s a bug in Remote Desktop Services that at first glance sounds scary. An unauthenticated user can gain code execution by sending specially crafted packets. However, exploitation requires the admin to stop or restart the service. The final code execution bugs getting fixes this month all impact SharePoint. There are three deserialization bugs getting fixed. SharePoint is a popular target in Pwn2Own. We’ll see if these fixes knocked out any entries.
In addition to the two Critical-rated elevation of privilege (EoP) bugs already discussed, there are 16 others in this release. The majority of these lead either to SYSTEM-level code execution or to administrative privileges if an authenticated user runs specially crafted code. There are some notable exceptions. The bug in Document Intelligence Studio On-Prem clocks in at a CVSS 9.8 and allows an attacker to download the content of the parent folder of the mounted path. The bugs in Universal Print Management and Windows CLFS allow for a file deletion, which, as we’ve seen, could then be turned into a privilege escalation. Lastly, the bug in Azure File Sync will take some work to fully resolve. If you need to take extra actions, you should have been notified through Azure Service Health Alerts under TrackingID: 4K2C-9_Z. If you haven’t received this alert, you aren’t affected and don’t need to take action.
There are two security feature bypass (SFB) patches in this month’s release. The first addresses a bug in URLMon that could allow an attacker to bypass Office Protected View. This results in someone opening a file in editing mode rather than protected mode – a handy thing to have if you want to spread ransomware through phishing. The other SFB is in Visual Studio and could allow the bypass of the Trusted Domain Service.
Looking at the information disclosure bugs in the May release, there are a handful. However, all of them merely result in info leaks consisting of unspecified memory contents. This is useful info to have when exploiting components on a system, but otherwise not quite riveting.
The May release includes two fixes for spoofing bugs. The first is in Defender for Identity and could be reached by an adjacent attacker. Microsoft doesn’t specify what type of spoofing occurs, but given the name of the component, one would think an attacker could spoof someone’s identity. Microsoft also notes this bug was publicly disclosed prior to the patch release. The other spoofing bug is in .NET and Visual Studio. Authentication is required for this to be exploited, but it could allow a standard user to place a malicious file on a system and then wait for a privileged victim to run the calling command.
There are seven lucky Denial-of-Service (DoS) bugs getting patches this month. However, Microsoft provides no actionable information about these bugs. Instead, they simply state that an attacker could deny service over a network (or locally) to that component.
No new advisories are being released this month.
Looking Ahead
The next Patch Tuesday of 2025 will be on June 10. Assuming I survive the next few days, I’ll be back with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!