Source: Qualys Security Blog
Author: Diksha Ojha
URL: https://blog.qualys.com/vulnerabilities-threat-research/2025/05/13/microsoft-patch-tuesday-may-2025-security-update-review
Microsoft’s May 2025 Patch Tuesday Summary — Key Highlights & Recommendations:
Microsoft rolled out security updates addressing a total of 76 vulnerabilities for this month’s Patch Tuesday, including:
- 5 Critical vulnerabilities
- 66 Important vulnerabilities
- 6 actively exploited zero-day vulnerabilities
Key highlights from this month’s update include:
- Zero-day Vulnerabilities Patched:
Microsoft Defender for Identity Spoofing Vulnerability (CVE-2025-26685)
- Severity: Important (CVSS score: 6.5)
- Exploitation: An unauthenticated attacker with LAN access could spoof network identities.
Microsoft DWM Core Library Elevation of Privilege (CVE-2025-30400) – Actively exploited zero-day added to CISA KEV (Known Exploited Vulnerabilities) catalog, patch required by June 3, 2025
- Impact: Authenticated attackers may gain SYSTEM privileges via a use-after-free vulnerability.
Windows Common Log File System (CLFS) Driver Elevation of Privilege (CVE-2025-32701 & CVE-2025-32706) – Both in the KEV catalog, must patch by June 3, 2025
- Impact: Use-after-free and improper input validation vulnerabilities can grant SYSTEM privileges to attackers with local access.
Microsoft Scripting Engine Memory Corruption Vulnerability (CVE-2025-30397) – Added to KEV catalog
- Impact: An attacker can achieve remote code execution by convincing a user to interact with a malicious link.
Windows Ancillary Function Driver for WinSock Elevation of Privilege (CVE-2025-32709) – Added to KEV catalog
- Impact: Authenticated attackers with local access can escalate privileges via use-after-free vulnerability.
- Critical Remote Code Execution (RCE) Vulnerabilities:
Remote Desktop Client RCE vulnerabilities (CVE-2025-29966, CVE-2025-29967)
- Heap-based buffer overflow vulnerabilities enabling unauthenticated remote code execution attacks.
Microsoft Office RCE vulnerabilities (CVE-2025-30377, CVE-2025-30386)
- Use-after-free vulnerabilities enable remote code execution with no authentication.
Virtual Machine Bus (VMBus) RCE (CVE-2025-29833)
- Enabled by race-condition (TOCTOU), allows authenticated attackers executing remote code in virtualized environments.
- Additional Notable Vulnerabilities:
- Kernel Streaming Service Driver Elevation of Privilege (CVE-2025-24063)
- Windows Graphics Component Remote Code Execution (CVE-2025-30388)
- Universal Print Management Service Elevation of Privilege (CVE-2025-29841)
- Windows Common Log File System Disc Stability (CVE-2025-30385) causing system crashes
- Web Threat Defense Denial of Service (CVE-2025-29971)
- Microsoft SharePoint Vulnerabilities (CVE-2025-29976 & CVE-2025-30382)
Impacted Products and Components Include:
- Windows Core Components (Kernel, Drivers, DWM, NTFS, CLFS, SMB, Hyper-V, etc.)
- Microsoft Defender Solutions (Endpoint, Identity)
- Microsoft Office Suite (Office core apps, Excel, SharePoint, Outlook, PowerPoint)
- Virtualization and Enterprise Products (Azure, Remote Desktop Gateway, Hyper-V, Azure DevOps)
- Developer Tools (.NET, Visual Studio, Tools for Visual Studio)
- Web-based Solutions and Protocols (LDAP, UrlMon, Web Threat Defense, Azure Automation)
- Various Windows subsystems (Media, Installer, Routing, Virtual Machine Bus, Win32K Graphics, etc.)
Vendor-Recommended Mitigation & Policy Audit (Qualys):
Qualys has updated its Policy Audit Control IDs (CID: 10968, 2181) specifically for mitigating CVE-2025-26685 (Microsoft Defender for Identity):
- CID 10968: Network access control setting restricting remote calls to SAM
- CID 2181: Configuration identifying Groups and User Accounts with the “Access this computer from the network” right
Recommended Qualys Query Language (QQL) to perform posture assessment:
control.id: [10968, 2181]
Immediate Recommendations & Best Practices:
- Expedite patching all actively exploited zero-day vulnerabilities by June 3, 2025 per CISA recommendations.
- Prioritize Critical severity RCE vulnerabilities and widely deployed software (Office, Remote Desktop Client, Virtual Machine Bus).
- Deploy May 2025 security updates across all applicable Microsoft systems ASAP to protect against potential exploitation.
- Apply vendor-suggested mitigations where immediate patching is not feasible.
- Regularly revisit and verify compensatory controls with security audits such as Qualys Policy Audit.
Next steps and follow-up:
- Participate in vendor webinars and advisory sessions provided for Patch Tuesday by vendors such as Qualys to ensure comprehensive understanding, prioritization, and remediation guidance.
- Continuously monitor for vulnerability exploitation signs and unusual activity while deploying patches.
Next Patch Tuesday date is set for June 10, 2025. Stay proactive and secure.