
Microsoft tackles 5 Windows zero-days on May Patch Tuesday
The company addresses 72 unique CVEs this month, but several AI features bundled in a larger-than-usual update could bog down some networks.
While the five Windows zero-days for May Patch Tuesday will be easily remedied with the cumulative update, some organizations will have other challenges as Microsoft rolls out a hefty update file packed with AI features for newer Windows systems.
This month, Microsoft addressed 72 unique new CVEs, including five actively exploited zero-days in Windows and two publicly disclosed vulnerabilities. Six of the new CVEs were rated critical. The company also republished two security updates for more comprehensive fixes for a Windows Remote Desktop Services remote-code execution vulnerability (CVE-2024-49128) and a Microsoft Office remote-code execution vulnerability (CVE-2025-26629).
Five actively exploited Windows zero-days top patching list
All the zero-days in the May Patch Tuesday security updates reside in the Windows OS and have a rating of just important, despite confirmed reports of active attacks in the wild.
"The good news here is update your OS this month, then you've taken care of the majority of the risk," said Chris Goettl, vice president of product management for security products at Ivanti.
The first zero-day is a Windows Ancillary Function Driver for WinSock elevation-of-privilege vulnerability (CVE-2025-32709) with a CVSS score of 7.8. The bug affects both desktop and server editions, reaching back to Windows Server 2012 on the server side.
The threat actor needs local access and low privileges to trigger the exploit, which can lead to administrator-level privileges on targeted devices.
The next two Windows zero-days are nearly identical Windows Common Log File System Driver elevation-of-privilege vulnerabilities (CVE-2025-32701 and CVE-2025-32706). Each flaw has the same 7.8 CVSS score and identical vulnerability metrics; the difference lies in the underlying weakness, a memory corruption flaw in CVE-2025-32701 and improper input validation in CVE-2025-32706.
If either CVE is exploited, an authorized attacker can elevate privileges locally to take over the device and, depending on the privileges gained, perform a range of actions, including accessing protected folders and disabling security controls.
The fourth actively exploited Windows zero-day is a Microsoft Desktop Window Manager (DWM) Core Library elevation-of-privilege vulnerability (CVE-2025-30400) with a CVSS score of 7.8. The flaw affects Windows 10 and later on desktops and Windows Server 2016 and newer for the server OS.
A successful exploit gives attackers SYSTEM privileges, the highest level in the Windows OS.
The last zero-day is a Scripting Engine memory-corruption vulnerability (CVE-2025-30397) with a CVSS score of 7.5.
After exploiting the flaw, an unauthorized attacker can execute code over a network. In practice, the attacker must lure a user into opening a specially crafted URL, and the vulnerable code path is reached through the legacy scripting engine that Internet Explorer mode in Edge still relies on.
"So, if I'm on your network and I've got access to this scripting engine, then I could exploit code remotely across different machines in your environment. It’s a bit nasty in that regard," said Goettl.
He said this vulnerability could slip by some organizations that use Internet Explorer (IE) mode in the Microsoft Edge browser in certain circumstances, such as running legacy web applications. If customers use "security only" updates, they must also install the IE cumulative update to protect vulnerable systems. Goettl said this is necessary because the scripting engine components reside in both the Windows OS and the IE engine.
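A quick way to find the hosts this caveat applies to is to check two things together: whether Edge is configured for IE mode by policy, and whether the updates the organization expects are actually installed. The following PowerShell is an added example and is not from the article or from Ivanti; it reads the real Edge policy value InternetExplorerIntegrationLevel (1 means IE mode is enabled, 2 means sites are sent to standalone IE11), and the KB IDs are placeholders to be replaced with the cumulative update and IE cumulative update IDs for the month being verified.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session on the
# Windows host being assessed. Substitute the month's real KB IDs for the placeholder.
param(
    [string[]]$RequiredKBs = @('KB0000000')   # placeholder, assumption: replace with this month's KB IDs
)

function Get-EdgeIEModeState {
    # The Edge policy can be set at machine or user scope; machine scope wins in Edge, so check it first.
    $policyPaths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
        'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
    )
    foreach ($path in $policyPaths) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.InternetExplorerIntegrationLevel) {
            $level = [int]$props.InternetExplorerIntegrationLevel
            return [pscustomobject]@{
                PolicyPath    = $path
                Level         = $level
                IEModeEnabled = ($level -eq 1)          # 0 = none, 1 = IE mode, 2 = standalone IE11
                SiteList      = $props.InternetExplorerIntegrationSiteList
            }
        }
    }
    # No policy found: IE mode is not centrally enabled (users may still toggle it if allowed).
    return [pscustomobject]@{ PolicyPath = $null; Level = $null; IEModeEnabled = $false; SiteList = $null }
}

function Test-RequiredUpdates {
    param([string[]]$KBs)
    # Get-HotFix lists installed updates, including the monthly cumulative updates, by KB ID.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

$ieMode  = Get-EdgeIEModeState
$updates = Test-RequiredUpdates -KBs $RequiredKBs
$missing = @($updates | Where-Object { -not $_.Installed })

if ($ieMode.IEModeEnabled -and $missing.Count -gt 0) {
    Write-Warning ("IE mode is enabled via {0} (site list: {1}) and these updates are missing: {2}" -f
        $ieMode.PolicyPath, $ieMode.SiteList, ($missing.KB -join ', '))
} elseif ($ieMode.IEModeEnabled) {
    Write-Output "IE mode is enabled and all required updates are installed."
} else {
    Write-Output "IE mode is not enabled by policy. Still install the cumulative update; the scripting engine ships with the OS."
}
$updates | Format-Table -AutoSize
```

The script reports rather than remediates, so it can be pushed through whatever remote execution channel the organization already uses and the results collected centrally; hosts that show IE mode enabled with a missing IE cumulative update are the ones the passage above is warning about.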
Despite the active exploitation in the wild, none of the Windows zero-days has a CVSS score above 8, nor does any of them carry a severity rating above important. Goettl said the problem with this ranking system is that it has yet to adapt to modern times.
"It's a static algorithm that doesn't take enough additional factors into account," he said. "The weighting that CVSS puts on if it's a known exploit isn't heavy enough and oftentimes misleads organizations into categorizing incorrectly."
Microsoft resolves two public disclosures
For May Patch Tuesday, Microsoft also corrected two publicly disclosed CVEs, meaning the details about each vulnerability were known to the public before the availability of a patch. Potential attackers could use this information to develop exploits before the fix gets deployed.
The first public disclosure is a Visual Studio remote-code execution vulnerability (CVE-2025-32702) with a CVSS score of 7.8, affecting Visual Studio 2019 and 2022. Microsoft said the vulnerability is limited to local code execution scenarios and requires user interaction.
The second public disclosure is a Microsoft Defender for Identity spoofing vulnerability (CVE-2025-26685) with a CVSS score of 6.5. An unauthorized attacker needs local area network (LAN) access to exploit the vulnerability in the cloud-based security product. Goettl said most organizations would not need to take any action because the service updates automatically, unless the customer runs Microsoft Defender for Identity in a disconnected environment.
Other security updates of note for May Patch Tuesday
Outside of the Windows fixes, admins will also have a sizable batch of Microsoft Office updates: 17 CVEs, nine of them in Microsoft Excel.
The two Microsoft Office remote-code execution vulnerabilities rated critical are CVE-2025-30377 and CVE-2025-30386, and the Preview Pane is an attack vector for both. The vulnerabilities are nearly identical and share an 8.4 CVSS score, but Microsoft gives CVE-2025-30386 an exploitability assessment of "more likely."
Of the four SharePoint Server vulnerabilities (CVE-2025-29976, CVE-2025-30382, CVE-2025-30384 and CVE-2025-30378), the first two are listed as "more likely" to be exploited.
CVE-2025-29976 is a Microsoft SharePoint Server elevation-of-privilege vulnerability with a CVSS score of 7.8 that affects all supported SharePoint Server versions. An attacker needs only local access and low-level privileges to exploit the flaw.
CVE-2025-30382 is a Microsoft SharePoint Server remote-code execution vulnerability, also with a CVSS score of 7.8 and also affecting all supported SharePoint Server versions. The exploit requires user interaction, such as convincing a user to download and open a malicious file, after which arbitrary code can execute on the system.
Goettl said deploying SharePoint Server updates can be challenging due to the level of customization and how it integrates with business processes.
"It's definitely a little bit more painful than just updating your OS," he said.
Huge Windows update brings AI features
Goettl said that, as part of May Patch Tuesday, Microsoft released new AI features for Windows 11 and Windows Server 2025.
The updates will come at a cost for organizations with limited bandwidth. He said the update package weighs in at about 4 GB, roughly ten times the typical monthly update of about 400 MB.
"With AI comes a lot of extra baggage," he said.
According to Goettl, the key AI features introduced include:
- Recall. A searchable timeline that tracks your activities to find and resume previous work. Microsoft claims this revamped version is more secure and respects user privacy.
- Click to Do. A feature that lets a user select images or text on screen and act on them without switching to another app, such as summarizing the highlighted text, similar to the Android "Circle to Search" feature.
- Improved Windows search. Microsoft says advanced neural processing will speed up searches by letting users who can’t remember filenames describe what they want to find, and Windows will understand what they mean.
Tom Walat is the site editor for Informa TechTarget's Search Windows Server site.