May Patch Tuesday resolves five actively exploited and two publicly disclosed vulnerabilities. Spoiler alert: all five zero-days are resolved by deploying the Windows OS update. Also, this month Windows 11 and Server 2025 updates include some new AI features, but they carry a lot of baggage. Literally – they are around 4GB! New AI features include Recall, Click to Do and Improved Windows Search.

Microsoft has resolved a total of 72 new CVEs this month, six of which are rated Critical. The five zero-day vulnerabilities are rated Important, but using a risk-adjusted scoring model they would all be rated Critical.

Microsoft exploited vulnerabilities

Microsoft resolved an Elevation of Privilege vulnerability in Windows Ancillary Function Driver for WinSock (CVE-2025-32709) that could allow an attacker to elevate privileges locally to gain administrator privileges. The vulnerability affects Windows Server 2012 and later OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.

Microsoft resolved a pair of Elevation of Privilege vulnerabilities in Windows’ Common Log File System Drive (CVE-2025-32706 and CVE-2025-32701) that could allow an attacker to elevate privileges locally to gain SYSTEM privileges. The vulnerabilities affect all Windows OS versions. The vulnerabilities are confirmed to be exploited in the wild. Microsoft’s severity rating for both CVEs is Important and CVSS 3.1 of 7.8. Risk-based prioritization warrants treating these vulnerabilities as Critical.

Microsoft resolved an Elevation of Privilege vulnerability in Microsoft DWM Core Library (CVE-2025-30400) that could allow an attacker to elevate privileges locally to gain SYSTEM privileges. The vulnerability affects Windows 10, Server 2016 and later OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft’s severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.

Microsoft resolved a Memory Corruption vulnerability in Microsoft Scripting Engine (CVE-2025-30397) that could allow an unauthorized attacker to execute code over a network. The vulnerability affects all Windows OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft’s severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.

Microsoft’s publicly disclosed vulnerabilities

Microsoft resolved a Remote Code Execution vulnerability in Visual Studio (CVE-2025-30397) that could allow an unauthorized attacker to execute code locally. The vulnerability affects Visual Studio 2019 and 2022. The vulnerability has been publicly disclosed, but the code maturity was set to Unproven and exploitability assessment is less likely.

Microsoft resolved an Identity Spoofing vulnerability in Microsoft Defender (CVE-2025-26685) that could allow an unauthorized attacker to perform spoofing over an adjacent network. The vulnerability affects Microsoft Defender for Identity. The vulnerability has been publicly disclosed, but the code maturity was set to Unproven and exploitability assessment is less likely.

Third-party vulnerabilities

  • Adobe has released 13 updates this month resolving 39 CVEs, 33 of which are Critical. For more details, see Adobe’s Latest Product Security Updates.
  • Google Chrome is expected to release a weekly update shortly, so keep an eye out.

Ivanti security advisory

Ivanti has released four updates for May Patch Tuesday resolving a total of four CVEs and one CWE. The affected products include Ivanti Neurons for ITSM (on-prem only), Ivanti ICS, Ivanti Neurons for MDM and Ivanti EPMM.

The Ivanti EPMM update resolves a medium and a high CVE that when chained together, successful exploitation could lead to unauthenticated remote code execution. Ivanti is aware of a very limited number of customers whose solution has been exploited at the time of disclosure.

For more details you can view the updates and information provided in the May Security Update on the Ivanti blog and EPMM Security Updated.

May update priorities

  • Windows OS is your top priority this month with five zero-day exploits reported (CVEs).
  • Ivanti EPMM customers should apply either of the mitigation options or update as soon as possible.