Patch Tuesday: Microsoft fixes 5 actively exploited zero-days

For May 2025 Patch Tuesday, Microsoft released security fixes for 70+ vulnerabilities, among them five actively exploited zero-days and two publicly disclosed (but not yet exploited) vulnerabilities.


The zero-days and the publicly disclosed flaws

Among the zero-days patched is a memory corruption vulnerability in the Windows scripting engine (CVE-2025-30397) that is being exploited to remotely execute malicious code.

“The user would have to click on a specially crafted URL to be compromised by the attacker,” Microsoft explained.

“The potential target needs to be using Microsoft Edge in Internet Explorer mode in order for exploitation to be successful – a tall order considering Edge has 5% market share. In addition, authentication on the client side is required and the potential target would need to click on a specially crafted link from the attacker,” noted Satnam Narang, senior staff research engineer at Tenable.

“Despite clear exploitation in the wild, we’re not likely to see broad exploitation of this bug due to the number of pre-requisites,” he opined.

CVE-2025-32701 and CVE-2025-32706 are two vulnerabilities in the Windows Common Log File System Driver that allow an authorized attacker to elevate privileges to SYSTEM once they’ve achieved initial access by other means.

Threat analysts at Microsoft, Google and CrowdStrike have spotted both being exploited, but details about the attacks are currently unavailable.

“In the past, these types of bugs were used by ransomware gangs, so it’s likely these are as well,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, who advised admins to test the patches and deploy them quickly.

CVE-2025-32709 in Windows Ancillary Function Driver for WinSock and CVE-2025-30400 in Microsoft DWM Core Library have also been exploited by attackers to escalate their privileges on vulnerable machines and should be remediated quickly.

The two publicly disclosed vulnerabilities are a remote code execution vulnerability in Visual Studio (CVE-2025-32702) and a spoofing vulnerability in Microsoft Defender (CVE-2025-26685), which are “less likely” and “unlikely” to be exploited, according to Microsoft.

Other vulnerabilities of note

Microsoft has fixed four vulnerabilities in SharePoint, two of which are considered “more likely” to be exploited. The reasons for this assessment are unknown, but if you’re running Microsoft SharePoint Server, get the updates.

“SharePoint services, especially those used as internal document stores, can be a treasure trove for threat actors looking to steal data, especially data that may be leveraged to force ransom payments using double extortion techniques by threatening to release the stolen data if payment is not made,” said Kev Breen, Senior Director Threat Research at Immersive.

“A secondary concern is that threat actors with access to SharePoint services could deploy weaponised documents or replace legitimate documents with infected versions that would allow them to spread to other hosts or victims moving laterally across the organization.”
