May 2025 Patch Tuesday: Five Zero-Days and Five Critical Vulnerabilities Among 72 CVEs

Microsoft has addressed 72 vulnerabilities in its May 2025 security update release. This month's patches include fixes for five actively exploited zero-day vulnerabilities, including a zero-day vulnerability identified and disclosed by the CrowdStrike Counter Adversary Operations team. Microsoft patched a total of five Critical vulnerabilities and 62 additional vulnerabilities of varying severity levels.

May 2025 Risk Analysis

This month’s leading risk types by exploitation technique are remote code execution (RCE) with 29 patches (40%), elevation of privilege with 18 patches (25%), and information disclosure with 14 (19%). 

Actively Exploited Zero-Day Vulnerabilities in Windows Common Log File System

CVE-2025-32706 is an Important elevation of privilege vulnerability affecting the Windows Common Log File System and has a CVSS score of 7.8. This flaw allows a local authenticated attacker to execute code with elevated system privileges due to improper input validation. 

This zero-day vulnerability was discovered in late April 2025 by CrowdStrike Counter Adversary Operations, which responsibly disclosed the vulnerability to Microsoft through private channels. Microsoft subsequently validated the issue and released a patch to address it today (May 13, 2025).

CVE-2025-32701 is an Important elevation of privilege vulnerability affecting the Windows Common Log File System and has a CVSS score of 7.8. This is a use-after-free vulnerability which, if successfully exploited, could allow an attacker to escalate privileges on the affected system.

While this vulnerability proof-of-concept has not been disclosed, Microsoft confirmed it has been actively exploited in the wild. Windows Common Log File System vulnerabilities have been addressed many times in previous Patch Tuesday rollouts (April 2023, November 2023, December 2024, April 2025).

Actively Exploited Zero-Day Vulnerability in Windows Ancillary Function Driver for WinSock

CVE-2025-32709 is an Important elevation of privilege vulnerability affecting the Windows Ancillary Function Driver for WinSock and has a CVSS score of 7.8. An attacker could exploit this vulnerability by persuading a user to open a specifically crafted file or malicious website, potentially allowing the attacker to execute code with the user’s permissions. A public proof-of-concept has not been released, but Microsoft has verified this vulnerability is being actively exploited in the wild.

Actively Exploited Zero-Day Vulnerability in Microsoft DWM Core Library

CVE-2025-30400 is an Important elevation of privilege vulnerability affecting the Microsoft Desktop Windows Manager (DWM) Core Library and has a CVSS score of 7.8. An attacker can exploit this vulnerability by convincing a user to open a specially crafted file or website, enabling the attacker to run arbitrary code with the user’s privileges. Although a public proof-of-concept has not been released, Microsoft has confirmed this vulnerability is currently being exploited in the wild.

Actively Exploited Zero-Day Vulnerability in Microsoft Scripting Engine

CVE-2025-30397 is an Important memory corruption vulnerability affecting the Microsoft Scripting Engine and has a CVSS score of 7.5. This could allow a remote attacker to execute code if a user clicks a malicious link while using Microsoft Edge Internet Explorer mode. The attack requires user interaction and has a high attack complexity. While this vulnerability proof-of-concept has not been disclosed, Microsoft confirmed it has been actively exploited in the wild.

Critical Vulnerabilities in Windows Remote Desktop Services

CVE-2025-29966 and CVE-2025-29967 are Critical remote code execution (RCE) vulnerabilities affecting the Microsoft Windows Remote Desktop Services, and both have a CVSS score of 8.8. A heap-based buffer overflow vulnerability has been discovered in Windows Remote Desktop. It could allow remote attackers with control of a Remote Desktop Server to trigger remote code execution on a RDP Client machine that connects to the malicious server. This is a client-side vulnerability that does not require authentication or interaction, potentially leading to complete system takeover.

Critical Vulnerabilities in Microsoft Office Products

CVE-2025-30377 and CVE-2025-30386 are Critical RCE vulnerabilities affecting Microsoft Office, and both have a CVSS score of 8.4. These are use-after-free vulnerabilities that require an attacker to convince a victim to open a specially crafted file, with the Preview Pane serving as an additional attack vector. Preview Pane has been seen many times in other vulnerabilities (April 2023, July 2023, December 2023, October 2024, January 2025, February 2025, April 2025).

Critical Vulnerability in Windows Virtual Machine Bus 

CVE-2025-29833 is a Critical RCE vulnerability affecting Windows Virtual Machine Bus and has a CVSS score of 7.1. A time-of-check time-of-use (TOCTOU) race condition vulnerability exists in Windows Virtual Machine Bus that allows attackers to execute arbitrary code over a network. TOCTOU is a specific type of race condition vulnerability that occurs when there's a time gap between checking a resource's state and using that resource.

Patch Tuesday Dashboard in the Falcon Platform

For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture.

Later this year, Microsoft plans to discontinue support for Microsoft Windows 10 (October 2025). As part of a robust cybersecurity strategy, CrowdStrike encourages organizations to ensure their planning takes this upcoming date into consideration. End of support implies that in the near term, these systems will likely receive no further security updates. Organizations should be planning for and upgrading their systems to newer and supported OS versions to continue receiving critical security updates for issues like those mentioned above.

The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article. 

Additional Resources

• For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
• See how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments.
• Learn how CrowdStrike Falcon® Identity Protection products can stop workforce identity threats faster. 
• Make prioritization painless and efficient. Watch how CrowdStrike Falcon® Spotlight enables IT staff to improve visibility with custom filters and team dashboards. 
• Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.