May Patch Tuesday brings five exploited zero-days to fix
Microsoft has issued fixes for a total of five new zero-day vulnerabilities out of a grand total of just over 70 addressable common vulnerabilities and exposures (CVEs) on the fifth Patch Tuesday of 2025, and over 80 when third-party issues are accounted for.
In numerical order, this month's zero-days are as follows:
- CVE-2025-30397, a memory corruption vulnerability in Scripting Engine leading to remote code execution (RCE);
- CVE-2025-30400, an elevation of privilege (EoP) vulnerability in Microsoft DWM Core Library;
- CVE-2025-32701, an EoP vulnerability in Windows Common Log File System Driver (CLFS);
- CVE-2025-32706, a second EoP flaw in CLFS;
- CVE-2025-32709, an EoP issue in Windows Ancillary Function Driver for WinSock (AFD.sys).
All five of these CVEs are listed by Microsoft as being exploited in the wild, but have not yet been made public. They are all rated as being of Important severity, and all save the Scripting Engine flaw carry CVSS scores of 7.8.
Mike Walters, president and co-founder of patch management specialist Action1, said that the two CLFS issues stood out as particularly dangerous given the driver's significance in computing: CLFS is a critical component that provides logging services to user- and kernel-mode applications, and is widely used by various system services and third-party applications.
"Attackers exploiting these vulnerabilities can escalate privileges to system level, granting them full control to run arbitrary code, install malware, modify data, or disable security protections," said Walters.
"With low complexity and minimal privileges needed, these flaws pose a serious risk, especially given the confirmed in-the-wild exploitation, [and] while no public exploit code is currently available, the presence of active attacks suggests that targeted campaigns, possibly involving advanced persistent threats (APTs), are already underway.
"Organisations should prioritise immediate assessment and remediation of these vulnerabilities to prevent potential compromise. Any organisation running Windows systems, across enterprise, government, education or consumer sectors, could be exposed. Given Windows' global footprint, millions of devices are potentially at risk," said Walters.
CVE-2025-30400 in DWM Core Library should also be high on security admins' patching lists, observed Kev Breen, senior director of threat research at Immersive. He explained: "If exploited, it would allow attackers to gain system-level permission on the affected host. With this level of privilege, attackers would be able to gain full control over the host, including any security tools and user accounts, potentially allowing for domain-level access to be compromised.
"This CVE is marked as 'Exploitation Detected' by the Microsoft team, meaning patches should be applied immediately as threat groups, including ransomware affiliates, will likely be quick to leverage this once more details become public."
Breen added that once this happens, cyber teams and threat hunters should work quickly to review their systems for indicators of compromise (IoCs), to make sure they were not hit in the window between the point at which threat actors began at-scale exploitation and the point at which the patch was released.
Breen's colleague, cyber threat intelligence researcher Ben Hopkins, ran the rule over the remaining exploited zero-days, CVE-2025-30397 in Scripting Engine and CVE-2025-32709 in AFD.sys.
"A scripting engine memory corruption vulnerability occurs when the Microsoft scripting engine mishandles objects in memory, in this case leading to an elevation of privilege being carried out by an attacker," he explained.
"This specific vulnerability exists … involves access to a resource using ('type confusion') which allows attackers to execute code over a network. Type confusion in this context occurs when a program mistakenly treats a piece of data as a different type than it actually is, which leads to undefined and unpredictable behaviour, allowing the attacker to execute arbitrary code and elevate their privileges," said Hopkins.
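Hopkins' description of type confusion can be made concrete. The C program below is an added example written for this page, not code from Microsoft, Immersive or the article, and it models a script-engine value with a hypothetical tagged-union layout rather than the real Scripting Engine's: a script-controlled 64-bit number and a native function pointer share the same bytes, and only the tag says which one is live. The vulnerable path reinterprets whatever object it is handed as a callable without checking the tag, so the attacker's integer becomes the address the engine would transfer control to; the hardened path checks the tag first. The value 0x4141414141414141 is a constructed placeholder for attacker-supplied data, and the vulnerable function returns the would-be jump target instead of jumping there so the demo is safe to run.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical engine value: the tag says which union member is live.
 * (Constructed for this example; not the real Scripting Engine layout.) */
enum kind { KIND_NUMBER = 1, KIND_CALLABLE = 2 };

struct value {
    uint32_t kind;
    uint32_t refcount;
    union {
        uint64_t number;      /* live when kind == KIND_NUMBER: script-controlled */
        int (*fn)(void);      /* live when kind == KIND_CALLABLE: trusted native code */
    } u;
};

static int native_hello(void) { return 42; }   /* stand-in for a legitimate native callee */

/* Vulnerable: reinterprets the object as callable without checking the tag.
 * Returns the address the engine would transfer control to; the real bug
 * would jump there, returning it keeps this demo safe to run. */
uintptr_t jump_target_vulnerable(const struct value *v) {
    return (uintptr_t)v->u.fn;                 /* with a number this is .number's bytes */
}

/* Hardened: the tag is the source of truth; a non-callable is refused. */
int jump_target_hardened(const struct value *v, uintptr_t *out) {
    if (v->kind != KIND_CALLABLE) return -1;
    *out = (uintptr_t)v->u.fn;
    return 0;
}

/* Call a value only if the tag says it is callable. */
int call_hardened(const struct value *v) {
    if (v->kind != KIND_CALLABLE) return -1;
    return v->u.fn();
}

/* A number object whose payload the attacker chose from script. */
uintptr_t confused_target(uint64_t attacker_number) {
    struct value n = { KIND_NUMBER, 1, { .number = attacker_number } };
    return jump_target_vulnerable(&n);         /* == attacker_number: attacker picks PC */
}

int hardened_rejects_number(uint64_t attacker_number) {
    struct value n = { KIND_NUMBER, 1, { .number = attacker_number } };
    uintptr_t target = 0;
    return jump_target_hardened(&n, &target);  /* -1, target untouched */
}

int legitimate_call(void) {
    struct value c = { KIND_CALLABLE, 1, { .fn = native_hello } };
    return call_hardened(&c);                  /* 42 */
}

int main(void) {
    uint64_t attacker = 0x4141414141414141ULL; /* constructed attacker data */
    printf("vulnerable path would jump to 0x%llx\n",
           (unsigned long long)confused_target(attacker));
    printf("hardened path: %d (-1 = refused)\n", hardened_rejects_number(attacker));
    printf("legitimate callable returns %d\n", legitimate_call());
    return 0;
}
```

The point of the union is that no cast is visible at the bug site: the engine simply reads the wrong member, which is why tag checks have to sit on every path that reinterprets an object, not only at creation time.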
Turning to the issue affecting AFD.sys, a core Windows kernel-mode driver that supports network socket operations by bridging between WinSock (the Windows Sockets API) in user space and lower-level network drivers in the kernel, Hopkins explained that an unauthorised attacker could exploit a use-after-free, a condition in which memory that has been deallocated can still be accessed, to inject controlled data into memory and influence how the program behaves, ultimately granting them the ability to elevate their privileges.
In both cases, what this means is that having attained system-level privileges, a threat actor could easily access sensitive data and look for opportunities to pivot to other, more valuable parts of the victim's network.
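To show why a dangling reference lets an attacker "inject controlled data", here is an added example (my own code, not AFD.sys or anything from Microsoft) built around a tiny fixed-size allocator with a LIFO free list. Like real heap caches, it hands a freed slot straight back to the next allocation, so an attacker who allocates immediately after the victim's object is freed receives the same memory, and the stale pointer then reads whatever bytes the attacker wrote. The hardened variant reaches objects only through generation-tagged handles, so a stale handle is refused instead of dereferenced. The per-connection context struct, the FLAG_ADMIN bit and the payload are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 4
#define OBJ_SIZE 16

/* Toy slab allocator with a LIFO free list (constructed for this example).
 * A freed slot is the next one handed out, which is exactly the property an
 * attacker relies on to put their data where a stale pointer still looks. */
static _Alignas(8) unsigned char slab[SLOTS][OBJ_SIZE];
static int free_list[SLOTS];
static int free_top;
static uint32_t generation[SLOTS];   /* bumped on every free; used by the hardened path */

static void slab_init(void) {
    memset(slab, 0, sizeof slab);
    memset(generation, 0, sizeof generation);
    free_top = 0;
    for (int i = SLOTS - 1; i >= 0; i--) free_list[free_top++] = i;   /* slot 0 pops first */
}
static int slab_alloc(void) { return free_top > 0 ? free_list[--free_top] : -1; }
static void slab_free(int slot) { generation[slot]++; free_list[free_top++] = slot; }

/* Hypothetical per-connection context that both code paths manipulate. */
struct ctx { uint32_t uid; uint32_t flags; uint8_t reserved[8]; };
#define FLAG_ADMIN 0x1u

/* Bytes the attacker places in the replacement allocation. Built from the
 * struct so the layout matches the victim object on any endianness. */
static void make_payload(unsigned char out[OBJ_SIZE], uint32_t flags) {
    struct ctx replacement = { 0, flags, {0} };
    memcpy(out, &replacement, sizeof replacement);
}

/* Vulnerable: a raw pointer outlives the object it points to. */
int is_admin_vulnerable(const unsigned char payload[OBJ_SIZE]) {
    slab_init();
    int s = slab_alloc();
    struct ctx *c = (struct ctx *)slab[s];
    c->uid = 1000; c->flags = 0;                 /* unprivileged user */
    slab_free(s);                                /* connection closed; c now dangles */
    int t = slab_alloc();                        /* attacker's object lands in slot s */
    memcpy(slab[t], payload, OBJ_SIZE);          /* attacker fills it */
    return (c->flags & FLAG_ADMIN) != 0;         /* privilege check reads attacker data */
}

/* Hardened: objects are reached through (slot, generation) handles; a handle
 * whose generation no longer matches the slot's is stale and is refused. */
struct handle { int slot; uint32_t gen; };

static struct ctx *ctx_get(struct handle h) {
    if (h.slot < 0 || h.slot >= SLOTS || generation[h.slot] != h.gen) return NULL;
    return (struct ctx *)slab[h.slot];
}

int is_admin_hardened(const unsigned char payload[OBJ_SIZE]) {
    slab_init();
    struct handle h = { slab_alloc(), 0 };
    h.gen = generation[h.slot];
    struct ctx *c = ctx_get(h);
    c->uid = 1000; c->flags = 0;
    slab_free(h.slot);                           /* generation[slot] is now 1; h.gen is 0 */
    int t = slab_alloc();
    memcpy(slab[t], payload, OBJ_SIZE);          /* same attacker data, same slot */
    c = ctx_get(h);                              /* stale handle: NULL */
    return c ? (int)((c->flags & FLAG_ADMIN) != 0) : -1;
}

/* Drivers for the two paths; attacker_sets_admin selects the payload contents. */
int demo_vulnerable(int attacker_sets_admin) {
    unsigned char payload[OBJ_SIZE];
    make_payload(payload, attacker_sets_admin ? FLAG_ADMIN : 0);
    return is_admin_vulnerable(payload);         /* 1 when the attacker set the bit */
}
int demo_hardened(int attacker_sets_admin) {
    unsigned char payload[OBJ_SIZE];
    make_payload(payload, attacker_sets_admin ? FLAG_ADMIN : 0);
    return is_admin_hardened(payload);           /* -1: stale reference rejected */
}

int main(void) {
    printf("vulnerable path, attacker payload: admin=%d\n", demo_vulnerable(1));
    printf("vulnerable path, benign payload:   admin=%d\n", demo_vulnerable(0));
    printf("hardened path: %d (-1 = stale reference rejected)\n", demo_hardened(1));
    return 0;
}
```

Generation-tagged handles are one of several fixes; the others a reviewer would look for are clearing the pointer at the free site and taking a reference count while the object is in use, and in a kernel driver the check has to cover every path that can still hold the old pointer, including callbacks that fire after the owning connection is torn down.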
Two further zero-days were publicly disclosed today (13 May) but had not been reported as coming under attack at the time of writing. These are CVE-2025-26685, a spoofing vulnerability in Microsoft Defender for Identity, and CVE-2025-32702, an RCE vulnerability in Visual Studio. Both are rated of Important severity, carrying CVSS scores of 6.5 and 7.8 respectively.
Remote workers still a target
Finally, the May update brings a total of 11 critical flaws affecting Azure Automation, Azure DevOps, Azure Storage Resource, Microsoft Dataverse, Microsoft msagsfeedback.azurewebsites.net, Microsoft Office, Microsoft Power Apps, Microsoft Virtual Machine Bus and Remote Desktop Client (RDP). In their impact, these issues run the gamut from EoP to spoofing to information disclosure, and six of them lead to RCE, said Microsoft.
Of the critical issues, Walters' co-founder and co-CEO at Action1, Alex Vovk, told Computer Weekly that the two RDP flaws stood out in particular. These are tracked as CVE-2025-29966 and CVE-2025-29967.
"Both vulnerabilities pose significant risks, including remote code execution, full system compromise, and data breaches," remarked Vovk.
"Given the broad adoption of remote desktop services, many organizations are likely exposed. CVE-2025-29966 and CVE-2025-29967 underscore the urgent need to secure both client and server components in remote access environments."