
Microsoft has released its May Patch Tuesday security update, addressing 72 vulnerabilities across its product ecosystem—including five that have been actively exploited in the wild and two previously disclosed zero-day flaws. Among the resolved issues are 28 remote code execution (RCE) vulnerabilities, 17 privilege escalation bugs, 15 information disclosure flaws, seven denial-of-service (DoS) issues, two security feature bypasses, and two spoofing vulnerabilities. This tally excludes vulnerabilities previously mitigated in Azure, Microsoft Edge, and other offerings.
The most critical vulnerability, actively leveraged by attackers, is tracked as CVE-2025-30400. It affects the DWM Core library in Windows and enables a local user with sufficient privileges to escalate to SYSTEM-level access via a use-after-free flaw. The issue was identified by the Microsoft Threat Intelligence Center.
A similar flaw, CVE-2025-32701, resides in the Windows Common Log File System driver and also permits SYSTEM-level escalation. Microsoft attributes its discovery to an internal security team. Another vulnerability within the same component—CVE-2025-32706—was discovered by researchers from Google’s Threat Intelligence Group and CrowdStrike.
Microsoft also addressed CVE-2025-32709, a use-after-free vulnerability in the Ancillary Function Driver for WinSock, which can be exploited locally. The identity of the reporting researcher remains undisclosed.
The fifth actively exploited flaw, CVE-2025-30397, affects the Microsoft Scripting Engine and can be triggered through browsers such as Edge or Internet Explorer. It stems from a common resource access error, allowing a remote attacker to execute arbitrary code if a user follows a specially crafted link.
Among the zero-day vulnerabilities disclosed prior to the update, CVE-2025-26685 is particularly noteworthy. Found in Microsoft Defender for Identity, it allows an attacker with local network access to spoof user accounts. The issue was reported by a researcher from NetSPI.
The second publicly known zero-day, CVE-2025-32702, affects Visual Studio and involves a command injection flaw, enabling unauthorized local code execution by an unauthenticated attacker.
In tandem with the May rollout, Microsoft published detailed disclosures for dozens of additional vulnerabilities spanning Visual Studio, Office, Azure, SharePoint, Windows Media, Hyper-V, and numerous other components within its ecosystem. The complete list of CVEs and affected products is available at the following link.