May 2025 Patch Tuesday forecast: Panic, change, and hope
April was an event-filled month for cybersecurity. Patch Tuesday came to us quickly on April 8, the earliest date on which the second Tuesday of a month can fall. We again saw large numbers of CVEs addressed, with 84 in Windows 11 and 87 in Windows 10 and their related server releases. There was only one known-exploited vulnerability, CVE-2025-29824, an elevation of privilege flaw in the Common Log File System driver, but it was present in all supported operating systems. Overall, a pretty typical monthly event.
A bit of chaos ensued in the following weeks with the announcement that MITRE would no longer be supporting the CVE Program because its contract was expiring and funding had been cut. The CVE Program, operated by MITRE for 25 years under US government funding from CISA, is closely associated with the National Vulnerability Database (NVD) managed by NIST. After a day or two of uncertainty, CISA extended the contract with MITRE for 11 months.
The CVE Program is an important element and data feed of the NVD, where NIST expands on each CVE with detailed information about how vulnerabilities work, which software they impact, and how to remediate them. The global importance of the CVE Program is without doubt, but who will own and operate it in the future is currently under discussion.
The Google Threat Intelligence Group (GTIG) released a report on the 75 zero-day vulnerabilities they tracked in 2024. GTIG defines a zero-day as a vulnerability exploited before a patch is available. The executive summary of the report contains some interesting findings. Targeting continues to shift away from consumer and end-user applications toward network and enterprise infrastructure, including security appliances and VPNs. As the report notes, exploitation of that infrastructure can "lead to extensive system and network compromises", which end-user technologies rarely offer.
Cyber-espionage actors, including government-backed groups, continue to account for the majority of attributed exploitation. On the positive side, vendors' security investments are having an impact, with decreases in zero-day exploitation of browsers and mobile devices.
Due to its large user base and popularity, the Windows operating system continues to be targeted, with zero-day exploitation rising from 16 vulnerabilities in 2023 to 22 in 2024. As with security infrastructure, exploitation of this widely deployed operating system also provides the opportunity for more extensive enterprise compromise.
There were several announcements of interest from Microsoft this month. Microsoft confirmed the April 2025 security updates are causing authentication issues on some Windows Server 2025 domain controllers. These issues are associated with the fix for the high-severity vulnerability CVE-2025-26647. There is no official word yet on whether a fix is coming next week. Microsoft has also announced a fix for Windows 11 feature updates that fail when delivered through WSUS. That fix is being provided through Known Issue Rollback (KIR), but be on the lookout for an announcement next week alongside the regular cumulative updates.
The hot patching preview program will be coming to an end June 30, and customers enrolled in the preview under Azure Arc will be switched to a paid subscription. If you don't want to be charged, you will need to unsubscribe before June 30. And finally, Skype officially came to an end on May 5 after 14 years under Microsoft, which acquired it in 2011. Skype users are encouraged to download any data they want to retain and can switch to Teams for free.
May 2025 Patch Tuesday forecast
- Expect the usual set of updates from Microsoft next week. I had predicted a minimal set of security fixes last month and was way off. I'll double down and predict a limited set of CVEs this month.
- Adobe has been aggressively updating vulnerabilities in their Creative Cloud suite of products. Expect that to be more limited this month, but we may see an Acrobat and Reader update.
- April 16 saw the last set of Apple security updates, including macOS Sequoia 15.4.1. I would expect another round later this month, but not next week.
- Google released Chrome for Desktop 137 to the Beta channel for Windows, Mac and Linux so expect the GA release next week.
- Mozilla Foundation released security updates on April 29 for Firefox and Thunderbird 138, Firefox ESR and Thunderbird ESR 128.10, and Firefox ESR 115.23, all rated High. There's a small possibility of a minor update for these applications, but don't plan on it.
We had a full range of emotions throughout the month: panic with the CVE Program, change with the continuing shift of zero-day exploitation toward enterprise infrastructure rather than browsers, and now hope that we have an uneventful May Patch Tuesday.