Microsoft has issued fixes for a total of five new zero-day vulnerabilities out of a grand total of just over 70 addressable common vulnerabilities and exposures (CVEs) on the fifth Patch Tuesday of 2025 – over 80 when third-party issues are accounted for.
In numerical order, this month’s zero days are as follows:
- CVE-2025-30400, an elevation of privilege (EoP) vulnerability in Microsoft DWM Core Library;
- CVE-2025-30397, a memory corruption leading to remote code execution (RCE) vulnerability in Scripting Engine;
- CVE-2025-32701, an EoP vulnerability in Windows Common Log File System Driver (CLFS);
- CVE-2025-32706, a second EoP flaw in CLFS;
- CVE-2025-32709, an EoP issue in Windows Ancillary Function Driver for WinSock (AFD.sys).
All five of these CVEs are listed by Microsoft as being exploited in the wild, but have not yet been made public. They are all rated as being of Important severity, and all save the Scripting Engine flaw carry CVSS ratings of 7.8.
Mike Walters, president and co-founder of patch management specialist Action1, said that the two CLFS issues stood out as particularly dangerous given its importance in computing – the CLFS is a critical component that providers logging services to user- and kernel-mode applications, and is widely used by various system services and third-party applications.
“Attackers exploiting these vulnerabilities can escalate privileges to system level, granting them full control to run arbitrary code, install malware, modify data, or disable security protections,” said Walters.
“With low complexity and minimal privileges needed, these flaws pose a serious risk, especially given the confirmed in-the-wild exploitation [and] while no public exploit code is currently available, the presence of active attacks suggests that targeted campaigns, potentially involving advanced persistent threats (APTs), are already underway.
“Organisations should prioritise immediate assessment and remediation of these vulnerabilities to prevent potential compromise. Any organisation running Windows systems – across enterprise, government, education, or consumer sectors – could be exposed. Given Windows’ global footprint, millions of devices are likely at risk,” said Walters.
CVE-2025-30400 in DWM Core Library should also be high on security admins’ patching lists, observed Kev Breen, senior director of threat research at Immersive. He explained: “If exploited, it would allow attackers to gain system-level permission on the affected host. With this level of privilege, attackers would be able to gain full control over the host, including any security tools and user accounts, potentially allowing for domain-level access to be compromised.
“This CVE is marked as ‘Exploitation Detected’ by the Microsoft team, meaning patches should be applied immediately as threat groups, including ransomware affiliates, will be quick to leverage this once more details become public.”
Breen added that once this happens, cyber teams and threat hunters should work quickly to review their systems for indicators of compromise (IoCs) to ensure that they haven’t been hit in the window between the point at which threat actors began at-scale exploitation, and the patch was released.
Breen’s colleague, cyber threat intelligence researcher Ben Hopkins, ran the rule over the remaining exploited zero-days, CVE-20205-30397 in Scripting Engine and CVE-2025-32709 in AFD.sys
“A scripting engine memory corruption vulnerability occurs when the Microsoft scripting engine mishandles objects in memory, in this case leading to an elevation of privilege being performed by an attacker,” he explained.
“This specific vulnerability exists … involves access to a resource using (‘type confusion’) which allows attackers to execute code over a network. Type confusion in this context occurs when a program mistakenly treats a piece of data as a different type than it actually is, which leads to undefined and unpredictable behaviour, allowing the attacker to execute arbitrary code and elevate their privileges,” said Hopkins
For the layperson, this means that having attained system-level privileges, a threat actor could easily access sensitive data and look for opportunities to pivot to other, more valuable parts of the victim’s network.
Turning to the issue affecting AFD.sys, a core Windows kernel-mode driver that supports network socket operations by bridging from WinSock (Windows Sockets API) in user space, and lower-level network drivers in the kernel, Hopkins explained that an unauthorized attacker could exploit a condition in which memory that has been deallocated can still be accessed to inject controlled data into memory and influence how the program behaves, ultimately granting them the ability to elevate their privileges.
In both cases, what this means is that having attained system-level privileges, a threat actor could easily access sensitive data and look for opportunities to pivot to other, more valuable parts of the victim’s network.
Two additional zero-days have been publicly-disclosed today (13 May) but have not yet been reported as coming under attack at the time of writing. These are CVE-2025-26685, a spoofing vulnerability in Microsoft Defender for Identity, and CVE-2025-32702, an RCE vulnerability in Visual Studio. Both of these are rated of Important severity, carrying CVSS scores of 6.5 and 7.8 respectively.
Remote workers still a target
Finally, the May update brings a total of 11 critical flaws affecting Azure Automation, Azure DevOps, Azure Storage Resource, Microsoft Dataverse, Microsoft msagsfeedback.zurewebsites.net, Microsoft Office, Microsoft Power Apps, Microsoft Virtual Machine Bus and Remote Desktop Client (RDP). In their impact, these issues run the gamut from EoP to spoofing to information disclosure, and six of them lead to RCE, said Microsoft.
Of the critical issues, Walters’ co-CEO and co-founder at Action1, Alex Vovk, told Computer Weekly that the two RDP flaws stood out in particular. These are tracked as CVE-2025-29966 and CVE-2025-29967.
“Both vulnerabilities pose critical risks, including remote code execution, full system compromise, and data breaches,” remarked Vovk.
“Given the broad adoption of remote desktop services, many organizations are potentially exposed. CVE-2025-29966 and CVE-2025-29967 underscore the urgent need to secure both client and server components in remote access environments.”