Today is May 2025 Patch Tuesday, and as on every second Tuesday of the month, Microsoft has released its batch of security updates. This time it comes with a significant number of fixes: 72 vulnerabilities were addressed, including five that were already being actively exploited and two zero-day vulnerabilities that had already been publicly disclosed.
Among the fixes, six vulnerabilities stand out as classified “critical”—five of which allow remote code execution (one of the most severe types) and one related to the exposure of sensitive information. Here’s a breakdown of the patched issues by type:
- 17 elevation of privilege
- 2 security feature bypass
- 28 remote code execution
- 15 information disclosure
- 7 denial of service
- 2 spoofing
Important: This list does not include the issues in Azure, Dataverse, Mariner, or Microsoft Edge that were resolved in updates released earlier this month.
In summary, if you use Microsoft products—especially Windows—don’t skip this round of updates. It's one of the most significant of the year so far.
In the May 2025 Patch Tuesday, Microsoft addressed five security flaws that were already being exploited by attackers. These are known as zero-day vulnerabilities—bugs that were either publicly known or being actively abused before a fix was available. This is significant because it means cybercriminals were leveraging these flaws to target systems before an official patch existed.
This vulnerability affects the DWM (Desktop Window Manager) library, a core component of Windows' graphical system. It allowed an attacker with limited access to elevate privileges and gain full control of the system (SYSTEM-level access).
The flaw is tied to a classic technique: a use-after-free condition. In simple terms, Windows attempted to use a resource after it had already been freed, creating an opportunity for malicious exploitation. This vulnerability was discovered by the Microsoft Threat Intelligence Center.
Microsoft fixed a serious vulnerability that was being actively exploited, allowing attackers with limited access to achieve full SYSTEM-level control.
According to Microsoft, the issue lay in the Windows Common Log File System (CLFS) driver and involved the same class of bug, a use-after-free. Windows tried to access a memory resource that had already been released, making the system vulnerable. This vulnerability was also discovered by Microsoft’s Threat Intelligence Center.
The CLFS has been a repeated source of trouble. This time, the vulnerability stemmed from poor input validation—seemingly minor, but with severe consequences.
It allowed an authorized attacker to locally escalate privileges and compromise the entire system. The discovery is credited to Benoit Sevens from Google’s Threat Intelligence Group and the advanced research team at CrowdStrike.
This vulnerability affected the driver associated with WinSock, a network interface in Windows. Like the previous ones, it enabled local privilege escalation through a use-after-free bug.
Although the individual who reported this issue chose to remain anonymous, Microsoft confirmed and fixed the vulnerability.
This is the only vulnerability in the list that wasn’t about privilege escalation but rather remote code execution (RCE). It affects Microsoft’s Scripting Engine, used in both Edge and Internet Explorer.
The flaw results from a type confusion error, where the system accesses resources using an incorrect data type. An attacker could exploit this by tricking a user into clicking a malicious link. While user interaction is required, the threat remains serious. This issue was also identified by the Microsoft Threat Intelligence team.
In addition to the vulnerabilities that were actively exploited, Microsoft also addressed two zero-day flaws that had already been publicly disclosed. This means that anyone with the technical know-how could have potentially exploited these issues before an official patch was released.
This vulnerability affects Microsoft Defender for Identity and allows an unauthenticated attacker to impersonate another user on a local network. The flaw stems from improper authentication handling, which makes such attacks feasible when the attacker is on the same network (for example, within a corporate environment).
Microsoft explained that a malicious actor within the network could exploit this flaw to impersonate other users and gain access to restricted resources. This issue was identified by Joshua Murrell from cybersecurity firm NetSPI.
A critical vulnerability in Visual Studio, Microsoft’s development environment, was also fixed. It allowed an unauthenticated attacker to remotely execute malicious code on a victim’s machine.
The root cause was command injection due to poor validation of special elements within the commands used in Visual Studio. In simple terms, if an attacker got you to run a specific malicious file or action, they could take control of your system without needing prior permissions. Microsoft did not disclose the name of the researcher who reported this issue.
This Patch Tuesday brought fixes for dozens of vulnerabilities (many of them critical and others quite significant) affecting well-known products as well as cloud services, development tools, and office applications.
Below is a general summary of the issues addressed. There’s a bit of everything: from flaws that allowed malicious code execution or privilege escalation, to problems involving information leakage or impacting services like Azure, Defender, Visual Studio, and more.
Tag | CVE ID | CVE Title | Severity |
---|---|---|---|
.NET, Visual Studio, and Build Tools for Visual Studio | CVE-2025-26646 | .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability | Important |
Active Directory Certificate Services (AD CS) | CVE-2025-29968 | Active Directory Certificate Services (AD CS) Denial of Service Vulnerability | Important |
Azure | CVE-2025-33072 | Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability | Critical |
Azure | CVE-2025-30387 | Document Intelligence Studio On-Prem Elevation of Privilege Vulnerability | Important |
Azure Automation | CVE-2025-29827 | Azure Automation Elevation of Privilege Vulnerability | Critical |
Azure DevOps | CVE-2025-29813 | Azure DevOps Server Elevation of Privilege Vulnerability | Critical |
Azure File Sync | CVE-2025-29973 | Microsoft Azure File Sync Elevation of Privilege Vulnerability | Important |
Azure Storage Resource Provider | CVE-2025-29972 | Azure Storage Resource Provider Spoofing Vulnerability | Critical |
Microsoft Brokering File System | CVE-2025-29970 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important |
Microsoft Dataverse | CVE-2025-47732 | Microsoft Dataverse Remote Code Execution Vulnerability | Critical |
Microsoft Dataverse | CVE-2025-29826 | Microsoft Dataverse Elevation of Privilege Vulnerability | Important |
Microsoft Defender for Endpoint | CVE-2025-26684 | Microsoft Defender Elevation of Privilege Vulnerability | Important |
Microsoft Defender for Identity | CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability | Important |
Microsoft Edge (Chromium-based) | CVE-2025-4050 | Chromium: CVE-2025-4050 Out of bounds memory access in DevTools | Unknown |
Microsoft Edge (Chromium-based) | CVE-2025-4096 | Chromium: CVE-2025-4096 Heap buffer overflow in HTML | Unknown |
Microsoft Edge (Chromium-based) | CVE-2025-29825 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Low |
Microsoft Edge (Chromium-based) | CVE-2025-4052 | Chromium: CVE-2025-4052 Inappropriate implementation in DevTools | Unknown |
Microsoft Edge (Chromium-based) | CVE-2025-4051 | Chromium: CVE-2025-4051 Insufficient data validation in DevTools | Unknown |
Microsoft Edge (Chromium-based) | CVE-2025-4372 | Chromium: CVE-2025-4372 Use after free in WebAudio | Unknown |
Microsoft Office | CVE-2025-30377 | Microsoft Office Remote Code Execution Vulnerability | Critical |
Microsoft Office | CVE-2025-30386 | Microsoft Office Remote Code Execution Vulnerability | Critical |
Microsoft Office Excel | CVE-2025-29977 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office Excel | CVE-2025-30383 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office Excel | CVE-2025-29979 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office Excel | CVE-2025-30376 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office Excel | CVE-2025-30393 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office Excel | CVE-2025-32704 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office Excel | CVE-2025-30375 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office Excel | CVE-2025-30379 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office Excel | CVE-2025-30381 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office Outlook | CVE-2025-32705 | Microsoft Outlook Remote Code Execution Vulnerability | Important |
Microsoft Office PowerPoint | CVE-2025-29978 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important |
Microsoft Office SharePoint | CVE-2025-30378 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
Microsoft Office SharePoint | CVE-2025-30382 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
Microsoft Office SharePoint | CVE-2025-30384 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
Microsoft Office SharePoint | CVE-2025-29976 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important |
Microsoft PC Manager | CVE-2025-29975 | Microsoft PC Manager Elevation of Privilege Vulnerability | Important |
Microsoft Power Apps | CVE-2025-47733 | Microsoft Power Apps Information Disclosure Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability | Important |
Remote Desktop Gateway Service | CVE-2025-26677 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | Important |
Remote Desktop Gateway Service | CVE-2025-29967 | Remote Desktop Client Remote Code Execution Vulnerability | Critical |
Remote Desktop Gateway Service | CVE-2025-29831 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Important |
Remote Desktop Gateway Service | CVE-2025-30394 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | Important |
Role: Windows Hyper-V | CVE-2025-29955 | Windows Hyper-V Denial of Service Vulnerability | Important |
Universal Print Management Service | CVE-2025-29841 | Universal Print Management Service Elevation of Privilege Vulnerability | Important |
UrlMon | CVE-2025-29842 | UrlMon Security Feature Bypass Vulnerability | Important |
Visual Studio | CVE-2025-32703 | Visual Studio Information Disclosure Vulnerability | Important |
Visual Studio | CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability | Important |
Visual Studio Code | CVE-2025-21264 | Visual Studio Code Security Feature Bypass Vulnerability | Important |
Web Threat Defense (WTD.sys) | CVE-2025-29971 | Web Threat Defense (WTD.sys) Denial of Service Vulnerability | Important |
Windows Ancillary Function Driver for WinSock | CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
Windows Common Log File System Driver | CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
Windows Common Log File System Driver | CVE-2025-30385 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
Windows Common Log File System Driver | CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
Windows Deployment Services | CVE-2025-29957 | Windows Deployment Services Denial of Service Vulnerability | Important |
Windows Drivers | CVE-2025-29838 | Windows ExecutionContext Driver Elevation of Privilege Vulnerability | Important |
Windows DWM | CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important |
Windows File Server | CVE-2025-29839 | Windows Multiple UNC Provider Driver Information Disclosure Vulnerability | Important |
Windows Fundamentals | CVE-2025-29969 | MS-EVEN RPC Remote Code Execution Vulnerability | Important |
Windows Hardware Lab Kit | CVE-2025-27488 | Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability | Important |
Windows Installer | CVE-2025-29837 | Windows Installer Information Disclosure Vulnerability | Important |
Windows Kernel | CVE-2025-24063 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2025-29974 | Windows Kernel Information Disclosure Vulnerability | Important |
Windows LDAP - Lightweight Directory Access Protocol | CVE-2025-29954 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | Important |
Windows Media | CVE-2025-29962 | Windows Media Remote Code Execution Vulnerability | Important |
Windows Media | CVE-2025-29963 | Windows Media Remote Code Execution Vulnerability | Important |
Windows Media | CVE-2025-29964 | Windows Media Remote Code Execution Vulnerability | Important |
Windows Media | CVE-2025-29840 | Windows Media Remote Code Execution Vulnerability | Important |
Windows NTFS | CVE-2025-32707 | NTFS Elevation of Privilege Vulnerability | Important |
Windows Remote Desktop | CVE-2025-29966 | Remote Desktop Client Remote Code Execution Vulnerability | Critical |
Windows Routing and Remote Access Service (RRAS) | CVE-2025-29836 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
Windows Routing and Remote Access Service (RRAS) | CVE-2025-29959 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
Windows Routing and Remote Access Service (RRAS) | CVE-2025-29835 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | Important |
Windows Routing and Remote Access Service (RRAS) | CVE-2025-29960 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
Windows Routing and Remote Access Service (RRAS) | CVE-2025-29832 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
Windows Routing and Remote Access Service (RRAS) | CVE-2025-29830 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
Windows Routing and Remote Access Service (RRAS) | CVE-2025-29961 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
Windows Routing and Remote Access Service (RRAS) | CVE-2025-29958 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important |
Windows Secure Kernel Mode | CVE-2025-27468 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important |
Windows SMB | CVE-2025-29956 | Windows SMB Information Disclosure Vulnerability | Important |
Windows Trusted Runtime Interface Driver | CVE-2025-29829 | Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability | Important |
Windows Virtual Machine Bus | CVE-2025-29833 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | Critical |
Windows Win32K - GRFX | CVE-2025-30388 | Windows Graphics Component Remote Code Execution Vulnerability | Important |
Update as soon as possible. Whether you're using Windows at home, working as a developer, or managing enterprise infrastructure, these updates should be applied without delay. This is especially critical if you use tools like Visual Studio, Microsoft 365 products, Azure services, or if you have users operating within a networked environment.