Microsoft’s Patch Tuesday closes 72 vulnerabilities, including 5 zero-days

Microsoft addressed 72 vulnerabilities affecting its core products and underlying systems, including five actively exploited zero-days across various Windows components, the company said in its latest security update Tuesday.
“This is now the eighth consecutive Patch Tuesday on which Microsoft has published zero-day vulnerabilities without evaluating any of them as critical severity at time of publication,” Adam Barnett, lead software engineer at Rapid7, said in an email.
The zero-days — CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706 and CVE-2025-32709 — all score in the range of 7.5 to 7.8 on the CVSS scale. Two of the zero-days, CVE-2025-32701 and CVE-2025-32706, are defects in the Windows Common Log File Driver System (CLFS), adding to an “ongoing dynasty where exploitation typically leads to elevation of privilege to SYSTEM,” Barnett said.
The Cybersecurity and Infrastructure Security Agency (CISA) added all five to its Known Exploited Vulnerabilities (KEV) list on Tuesday.
Mike Walters, president and co-founder of Action1, said attackers can exploit a pair of the new zero-days in CLFS to gain “full control to run arbitrary code, install malware, modify data or disable security protections. With low complexity and minimal privileges needed, these flaws pose a serious risk, especially given the confirmed in-the-wild exploitation.”
Barnett credited Microsoft’s Threat Intelligence Center for putting more effort into detecting and rooting out CLFS exploitation. “Of course, since Microsoft is aware of exploitation in the wild, we know that someone else got there first, and there’s no reason to suspect that threat actors will stop looking for ways to abuse CLFS any time soon.”
Zero-day exploits of CVE-2025-32701 and CVE-2025-32706 were likely part of post-compromise activity that was either targeted espionage or financially motivated activities, such as ransomware deployment, according to Satnam Narang, senior staff research engineer at Tenable.
In April, Microsoft said a ransomware group it tracks as Storm-2460 exploited a zero-day in the CLFS, CVE-2025-29824, against organizations in the IT and real estate sectors in the United States, the financial sector in Venezuela, a Spanish software company and the retail sector in Saudi Arabia.
One of the new zero-days, a use-after-free defect affecting Windows Desktop Window Manager (DWM), CVE-2025-30400, marks a slow and steady uptick in zero-day attacks targeting elevation of privilege vulnerabilities in the DWM Core Library for Windows, according to Narang.
“Prior to CVE-2025-30400, only two DWM elevation of privilege bugs were exploited as zero days — CVE-2024-30051 in 2024 and CVE-2023-36033 in 2023,” Narang said in an email.
The remaining zero-days in this month’s security update include: an elevation of privilege flaw in the Windows Ancillary Function Driver for Windows Sockets API (WinSock), CVE-2025-32709; and a scripting memory corruption defect in Microsoft Scripting Engine, CVE-2025-30397.
Although CVE-2025-30397 is a zero-day remote code execution vulnerability, broad exploitation is unlikely because the prerequisites for exploitation are complicated, researchers said.
“While the attack requires user interaction and carries high complexity, it remains a viable avenue for advanced attackers, including nation-state actors, who are capable of developing reliable exploits,” said Alex Vovk, CEO and co-founder of Action1. “Active exploitation has already been observed in the wild, highlighting the urgency of a response.”
The batch of CVE disclosures and patches in Microsoft’s monthly security update includes five critical vulnerabilities and 50 high-severity defects. The four most critical software defects, according to initial CVSS scores, are CVE-2025-29813, CVE-2025-29827, CVE-2025-29972 and CVE-2025-30387.
Eighteen of the vulnerabilities in this month’s security update affect Microsoft Office and standalone Office products. All of the software defects affecting Microsoft Office are high-severity, and Microsoft designated three of those vulnerabilities — CVE-2025-29792, CVE-2025-29793 and CVE-2025-29794 — as “more likely” to be exploited.
Overall, Microsoft said eight of the vulnerabilities it patched this month are “more likely” to be exploited. This set of more concerning flaws includes a pair of high-severity software defects — CVE-2025-29976 and CVE-2025-30382 — that could allow for privilege escalation and remote code execution, respectively, in Microsoft SharePoint Server.
The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.