Microsoft May 2025 Patch Tuesday: Addresses 5 Actively Exploited Critical Zero-Days

This month’s Microsoft Patch Tuesday is particularly significant, addressing 83 vulnerabilities across the company’s product ecosystem – and most importantly, patching five actively exploited zero-day vulnerabilities that put businesses at immediate risk. With threat actors already leveraging these flaws in real-world attacks, organizations need to act quickly to protect their systems.

 The Severity Picture

Microsoft’s May 2025 Patch Tuesday includes fixes for 83 vulnerabilities, with a breakdown showing the severity of the situation:

• 11 Critical vulnerabilities
• 72 Important vulnerabilities
• 5 actively exploited zero-day vulnerabilities
• 2 publicly disclosed but not yet exploited vulnerabilities

This substantial security update affects numerous Microsoft products including Windows, Office, Azure, Visual Studio, and more. The most concerning issues are the five zero-days already being weaponized by attackers.

 Understanding the Zero-Day Vulnerabilities

Let’s examine each of the actively exploited vulnerabilities in detail:

1. CVE-2025-30400 – Windows DWM Core Library Elevation of Privilege

This zero-day affects the Windows Desktop Window Manager (DWM) Core Library, allowing attackers with initial access to elevate their privileges to SYSTEM level – the highest possible access on Windows systems. The vulnerability stems from a “use-after-free” memory corruption issue, which occurs when a program continues to use memory after it has been freed, potentially allowing malicious code execution.

Attackers exploiting this vulnerability can bypass standard security boundaries, potentially installing malware, modifying system settings, or accessing sensitive data without detection. Microsoft’s Threat Intelligence Center discovered this flaw being actively exploited before a patch was available.

2 & 3. CVE-2025-32701 & CVE-2025-32706 – Windows Common Log File System Driver Vulnerabilities

These two related vulnerabilities affect the Windows Common Log File System (CLFS) driver, a critical component that has become an increasingly popular target for attackers. Both allow authorized attackers to elevate their privileges to SYSTEM level.

CVE-2025-32701 is a use-after-free vulnerability, while CVE-2025-32706 stems from improper input validation in the CLFS driver. The CLFS component has been a frequent target, with 32 such vulnerabilities patched since 2022, averaging 10 per year.

These vulnerabilities are particularly concerning as they’ve been previously linked to ransomware operations. Threat actors typically gain initial access to a system, then use these CLFS vulnerabilities to elevate privileges before deploying ransomware or other malicious payloads.

4. CVE-2025-32709 – Windows Ancillary Function Driver for WinSock Elevation of Privilege

This actively exploited zero-day affects the Windows Ancillary Function Driver for WinSock (afd.sys), a critical kernel-mode driver responsible for TCP/IP network protocol implementation. The “use-after-free” vulnerability allows attackers to elevate privileges and gain administrator access to compromised systems.

The WinSock driver is essential for network connectivity – it’s located in the Windows System32/drivers directory, and its absence would prevent the DHCP Client from starting and block all network connections. This makes it a particularly valuable target for attackers.

5. CVE-2025-30397 – Scripting Engine Memory Corruption Vulnerability

This critical memory corruption vulnerability in Microsoft’s Scripting Engine allows unauthorized attackers to execute code remotely over a network. The flaw is classified under CWE-843 (Type Confusion) and arises from the Scripting Engine’s improper access of resources using incompatible types.

To exploit this vulnerability, an attacker must trick a user into clicking on a specially crafted URL while using Microsoft Edge in Internet Explorer Mode. Despite requiring these specific conditions, successful exploitation could result in complete system compromise.

 Who Is Behind These Attacks?

While Microsoft hasn’t shared comprehensive details about all threat actors exploiting these vulnerabilities, we do have some information:

• Microsoft’s Threat Intelligence Center (MSTIC) discovered several of these flaws being exploited in the wild
• Google’s Threat Intelligence Group and CrowdStrike’s Advanced Research Team collaborated to identify CVE-2025-32706
• Previous similar CLFS exploits have been linked to ransomware operations, targeting organizations in multiple sectors including IT, real estate, finance, and retail across the U.S., Venezuela, Spain, and Saudi Arabia

This suggests a mix of sophisticated threat actors, including possible nation-state actors and ransomware groups, are actively leveraging these vulnerabilities.

 Who Is At Risk?

Organizations of all sizes running Microsoft Windows systems are at risk, but particularly:

• Enterprises with delayed patch management processes
• Organizations with legacy systems or applications dependent on older Windows components
• Businesses without robust privilege management and network segmentation
• Any organization that hasn’t implemented the principle of least privilege

These vulnerabilities affect all supported Windows desktop and server systems, making the impact widespread. The elevation of privilege flaws are especially dangerous as they’re increasingly favored by ransomware operators – accounting for over half of all zero-days exploited in 2025 so far.

 Remediation Steps

To protect your organization from these critical vulnerabilities, take the following steps immediately:

1. Apply patches immediately: Prioritize the installation of Microsoft’s May 2025 security updates across all systems. Focus first on internet-facing servers and workstations used by administrators.
2. Implement privilege management: Restrict administrative privileges and ensure the principle of least privilege is enforced throughout your network.
3. Enable enhanced monitoring: Monitor for suspicious activities, particularly attempts to escalate privileges or unusual network connections.
4. Review browser configurations: Consider disabling Internet Explorer Mode in Edge where possible to reduce exposure to the Scripting Engine vulnerability.
5. Segment networks: Implement network segmentation to limit the potential spread of attacks if a system is compromised.
6. Maintain backups: Ensure your backup strategy includes offline or immutable backups to mitigate potential ransomware impacts.
7. Conduct security awareness training: Educate users about the risks of clicking on unknown links, particularly those received through email or messaging platforms.

 How CinchOps Can Help Secure Your Business

Staying on top of critical vulnerabilities like these requires constant vigilance and expertise. CinchOps provides comprehensive managed IT security services to ensure your business remains protected from evolving threats:

• Rapid Patch Management: Our team implements critical security updates quickly and efficiently, minimizing your exposure to zero-day vulnerabilities.
• Proactive Security Monitoring: We detect suspicious activities before they lead to breaches, with 24/7 monitoring of your network and systems.
• Comprehensive Vulnerability Assessments: Regular scans and assessments identify potential security gaps before attackers can exploit them.
• Security Awareness Training: We help educate your team on recognizing and avoiding potential threats like phishing attacks that could exploit these vulnerabilities.
• Business Continuity Planning: Our backup and disaster recovery solutions ensure you can recover quickly in the event of a ransomware attack.

Don’t let your business become the next victim of these actively exploited vulnerabilities. Contact CinchOps today to learn how our managed IT security services can protect your organization from these and other emerging threats.

Remember: In today’s threat environment, rapid patching and proactive security management aren’t just best practices—they’re essential business safeguards.

 Discover More 

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Microsoft AI Now Generates 20-30% of Internal Code: What This Means for Business Technology
For Additional Information on this topic: Microsoft May 2025 Patch Tuesday Fixes 83 Vulnerabilities

FREE CYBERSECURITY ASSESSMENT