Microsoft Releases May 2025 Security Updates
Scheduled updates for Microsoft products, including security updates for 72 vulnerabilities, of which five have been reported as being actively exploited.
Summary
Scheduled updates for Microsoft products, including security updates for 72 vulnerabilities, of which five have been reported as being actively exploited.
Affected platforms
The following platforms are known to be affected:
The following platforms are also known to be affected:
- .NET, Visual Studio, and Build Tools for Visual Studio
- Active Directory Certificate Services (AD CS)
- Azure
- Azure Automation
- Azure DevOps
- Azure File Sync
- Azure Storage Resource Provider
- Microsoft Brokering File System
- Microsoft Dataverse
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Edge (Chromium-based)
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office PowerPoint
- Microsoft Office SharePoint
- Microsoft PC Manager
- Microsoft Power Apps
- Microsoft Scripting Engine
- Remote Desktop Gateway Service
- Windows Hyper-V
- UrlMon
- Visual Studio
- Visual Studio Code
- Web Threat Defense
- Windows Ancillary Function Driver for WinSock
- Windows Common Log File System Driver
- Windows Deployment Services
- Windows Drivers
- Windows DWM
- Windows File Server
- Windows Fundamentals
- Windows Hardware Lab Kit
- Windows Installer
- Windows Kernel
- Windows LDAP
- Windows Media
- Windows NTFS
- Windows Remote Desktop
- Windows Routing and Remote Access Service (RRAS)
- Windows Secure Kernel Mode
- Windows SMB
- Windows Trusted Runtime Interface Driver
- Windows Virtual Machine Bus
- Windows Win32K - GRFX
Threat details
Windows 10 Approaching End-of-Support
Microsoft has announced plans to discontinue support for Windows 10 after 14 October 2025, after which no security updates will be received. The NHS England National CSOC strongly encourages organisations to ensure they implement a plan to upgrade to a supported platform before this date to continue receiving security updates.
Vulnerabilities Under Active Exploitation
Microsoft has reported that the following vulnerabilities are under active exploitation:
- CVE-2025-30400 - Microsoft DWM Core Library Elevation of Privilege Vulnerability
- CVE-2025-32701 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
- CVE-2025-32706 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
- CVE-2025-32709 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
- CVE-2025-30397 - Scripting Engine Memory Corruption Vulnerability
The NHS England National CSOC assesses further exploitation as likely.
Introduction
Microsoft has released security updates to address 72 vulnerabilities in Microsoft products. Nine vulnerabilities are highlighted below, of which five are known to be actively exploited.
Vulnerability details
- CVE-2025-30400 - Microsoft DWM Core Library Elevation of Privilege Vulnerability
CVE-2025-30400 is a 'Use-After-Free' vulnerability in Windows DWM with a CVSSv3 score of 7.8. Successful exploitation could allow an attacker to escalate privileges locally and gain SYSTEM privileges. Microsoft reports that this vulnerability is under exploitation.
- CVE-2025-32701 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2025-32701 is a 'Use-After-Free' vulnerability in Windows Remote Desktop Services with a CVSSv3 score of 7.8. Successful exploitation could allow an authorised attacker to elevate privileges locally. Microsoft reports that this vulnerability is under exploitation.
- CVE-2025-32706 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2025-32706 is an 'Improper Input Validation' vulnerability in Windows Remote Desktop Services with a CVSSv3 score of 7.8. Successful exploitation could allow an authorised attacker to elevate privileges locally. Microsoft reports that this vulnerability is under exploitation.
- CVE-2025-32709 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2025-32709 is an 'Use-After-Free' vulnerability in Windows Ancillary Function Driver for WinSock with a CVSSv3 score of 7.8. Successful exploitation could allow an authorised attacker to elevate privileges locally. Microsoft reports that this vulnerability is under exploitation.
- CVE-2025-30397 - Scripting Engine Memory Corruption Vulnerability
CVE-2025-30397 is an 'Access of Resource Using Incompatible Type' vulnerability in Windows LDAP with a CVSSv3 score of 8.1. Successful exploitation could allow an unauthorised attacker to execute code over a network. Microsoft reports that this vulnerability is under exploitation.
- CVE-2025-29966 - Remote Desktop Client Remote Code Execution Vulnerability
CVE-2025-29966 is a 'Heap-based Buffer Overflow' vulnerability in Windows Remote Desktop with a CVSSv3 score of 8.8. Successful exploitation could allow an unauthorised attacker to execute code over a network.
- CVE-2025-29967 - Remote Desktop Client Remote Code Execution Vulnerability
CVE-2025-29967 is a 'Heap-based Buffer Overflow' vulnerability in Remote Desktop Gateway Service with a CVSSv3 score of 8.8. Successful exploitation could allow an unauthorised attacker to execute code over a network.
- CVE-2025-30386 - Microsoft Office Remote Code Execution Vulnerability
CVE-2025-30386 is a 'Heap-based Buffer Overflow' vulnerability in Microsoft Office with a CVSSv3 score of 8.4. Successful exploitation could allow an unauthorised attacker to to execute code locally.
- CVE-2025-30377 - Microsoft Office Remote Code Execution Vulnerability
CVE-2025-30377 is a 'Use After Free' vulnerability in Microsoft Office with a CVSSv3 score of 8.4. Successful exploitation could allow an unauthorised attacker to to execute code locally.
Remediation advice
Affected organisations are encouraged to review Microsoft's May 2025 Security Updates and apply the relevant updates as soon as practicable.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 14 May 2025 3:29 pm