May 2025 Patch Tuesday forecast: Panic, change, and hope

April was an event-filled month for cybersecurity. Patch Tuesday came to us quickly on April 8 – the earliest first Tuesday possible in a given month. We again saw large numbers of CVEs addressed with 84 in Windows 11 and 87 in Windows 10 and all their related servers. There was only one known-exploited exploited vulnerability, CVE-2025-29824, which allowed elevation of privilege but it was present in all operating systems. Overall, a pretty typical monthly event.

May 2025 Patch Tuesday forecast

A bit of chaos ensued in the following weeks with the announcement that MITRE would no longer be supporting the CVE Program due to a contract expiration and funding cut. The CVE Program, managed by MITRE for 25 years under US government funding from CISA, is closely associated with The National Vulnerability Database (NVD) managed by NIST. After a day or two of uncertainty, the contract with MITRE was renewed for 11 months.

The CVE Program is an important element and data feed of the NVD, where NIST expands on each CVE with detailed information about how vulnerabilities work, which software they impact, and how to remediate them. The global importance of the CVE Program is without doubt, but who will own and operate it in the future is currently under discussion.

The Google Threat Intelligence Group (GTIG) released a report on 75 zero-day vulnerabilities they tracked in 2024. A GTIG zero-day vulnerability is defined as one that is exploited prior to a patch being available. The Executive Summary of this report contains some interesting findings. There is a continuing increase in targeting from consumer or user-based applications to network and enterprise infrastructure to include security appliances and VPNs. As stated in the article, this can “lead to extensive system and network compromises” over end-user technologies.

Threat actors, including government-backed organizations, conducting cyber espionage continue to lead the groups conducting the majority of exploitations. On the positive side, vendors focused on security are having an impact with decreases in zero-day exploitation of browsers and mobile devices.

Due to its large user base and popularity, the Windows operating system continues to be targeted with zero-day exploitation going from 16 vulnerabilities in 2023 to 22 in 2024. Like exploitation of the security infrastructure, the exploitation of this popular operating system also provides the opportunity for more extensive enterprise compromise.

There were several announcements of interest from Microsoft this month. Microsoft confirmed the April 2025 security updates are causing authentication issues on some Windows Server 2025 domain controllers. These issues are associated with a fix to high-severity vulnerability CVE-2025-26647. No official word if there is a fix coming next week. They’ve announced a fix for Windows 11 feature updates coming from WSUS. They are providing this fix through Known Issue Rollback (KIR) but be on the lookout for an announcement next week with the regular cumulative updates.

The hot patching preview program will be coming to an end June 30th, and customers enrolled for the preview under Azure Arc will be switched to a paid subscription. If you don’t want to be charged, you will need to unsubscribe before June 30th. And finally, Skype officially came to an end on May 5 after a 14-year run. Microsoft acquired it from eBay in 2011. Skype users are encouraged to download any data they want to retain and can switch to Teams for free.