Microsoft has issued fixes for a total of five new zero-day vulnerabilities out of a grand total of just over 70 addressable Common Vulnerabilities and Exposures (CVEs) on the fifth Patch Tuesday of 2025, rising to over 80 when third-party issues are accounted for.
In numerical order, this month's zero-days are as follows:
- CVE-2025-30400, an elevation of privilege (EoP) vulnerability in Microsoft DWM Core Library;
- CVE-2025-30397, a memory corruption leading to remote code execution (RCE) vulnerability in Scripting Engine;
- CVE-2025-32701, an EoP vulnerability in Windows Common Log File System Driver (CLFS);
- CVE-2025-32706, a second EoP flaw in CLFS;
- CVE-2025-32709, an EoP issue in Windows Ancillary Function Driver for WinSock (AFD.sys).
All five of these CVEs are listed by Microsoft as being exploited in the wild, but have not yet been made public. They are all rated as being of important severity, and all save the Scripting Engine flaw carry CVSS ratings of 7.8.
Mike Walters, president and co-founder of patch management specialist Action1, said that the two CLFS issues stood out as particularly dangerous given the driver's importance in computing. The CLFS is a critical component that provides logging services to user- and kernel-mode applications, and is widely used by various system services and third-party applications.
“Attackers exploiting these vulnerabilities can escalate privileges to system level, granting them full control to run arbitrary code, install malware, modify data, or disable security protections,” said Walters.
“With low complexity and minimal privileges needed, these flaws pose a serious risk, especially given the confirmed in-the-wild exploitation, [and] while no public exploit code is currently available, the presence of active attacks suggests that targeted campaigns, potentially involving advanced persistent threats (APTs), are underway.
“Organisations should prioritise immediate assessment and remediation of these vulnerabilities to prevent potential compromise. … or consumer sector, could be exposed.”
CVE-2025-30400 in DWM Core Library should also be high on security admins' patching lists, observed Kev Breen, senior director of threat research at Immersive. He explained: “If exploited, it would allow attackers to gain system-level permissions on the affected host. With this level of privilege, attackers would be able to gain full control, including over any security tools and user accounts, potentially allowing for domain-level access to be compromised.
“This CVE is marked as 'exploitation detected' by the Microsoft team, meaning patches should be applied immediately as threat groups, including ransomware affiliates, will be quick to leverage it once details become public.”
Breen added that once this happens, cyber teams and threat hunters should work quickly to review their systems for indicators of compromise (IoCs) to ensure that any compromise occurring between the point at which threat actors began at-scale exploitation and the point at which the patch was released has been found.
Breen's colleague, cyber threat intelligence researcher Ben Hopkins, ran the rule over the remaining exploited zero-days, CVE-2025-30397 in Scripting Engine and CVE-2025-32709 in AFD.sys.
“A scripting engine memory corruption vulnerability occurs when the Microsoft scripting engine mishandles objects in memory, in this case leading to an elevation of privilege for the attacker,” he explained.
“This specific vulnerability exists… involves access to a resource using an incompatible type ('type confusion'), which allows attackers to execute code over a network. Type confusion occurs when a program mistakenly treats a piece of data as a different type than it actually is, which leads to unpredictable behaviour and could allow an attacker to execute arbitrary code and elevate their privileges,” said Hopkins.
Turning to the issue affecting AFD.sys, a core Windows kernel-mode driver that supports network socket operations by bridging from Winsock to lower-level network drivers in the kernel, Hopkins explained that an unauthorised attacker could exploit a condition in which memory that has been deallocated can still be accessed, allowing them to write data into that memory and influence how the program behaves, ultimately granting them the ability to elevate their privileges.
In both cases, what this means is that having attained system-level privileges, a threat actor could easily access sensitive data and look for options to pivot to other, more valuable parts of the victim network.
Two additional zero-days have been publicly disclosed today (13 May) but had not yet been reported as coming under attack at the time of writing. These are CVE-2025-26685, a spoofing vulnerability in Microsoft Defender for Identity, and CVE-2025-32702, an RCE vulnerability in Visual Studio. Both of these are rated of important severity, carrying CVSS scores of 6.5 and 7.8 respectively.
Remote workers still a target
Finally, the May update brings a total of 11 critical flaws affecting Azure Automation, Azure DevOps, Azure Storage Resource, Microsoft Data, Microsoft msagsfeedback.azurewebsites.net, Microsoft Office, Microsoft Power Apps, Microsoft Virtual Machine Bus and Remote Desktop Client (RDP). In their impact, these issues run the gamut from EoP to spoofing to information disclosure, and six of them lead to RCE, said Microsoft.
Of the critical issues, Walters' co-CEO and co-founder at Action1, Alex Vovk, told Computer Weekly that the two RDP flaws stood out in particular. These are tracked as CVE-2025-29966 and CVE-2025-29967.
“Both vulnerabilities pose critical risk, including remote code execution, full system compromise, and data breaches,” remarked Vovk.
“Given the broad adoption of remote desktop services, many organizations are potentially exposed. … components in remote access environments.”