Patch Tuesday It’s that time of the month again, and Microsoft has made it extra spicy by revealing five flaws it says are under active exploitation – but rates as important rather than critical fixes.
Microsoft’s 78-fix bundle for this Patch Tuesday wasn’t unusually large, but the five problems under attack right now all have CVSS severity scores of 7.5 or 7.8 out of 10, and hit Windows 10 and 11 devices, and Windows Server releases since 2019. They look like strong candidates to be top of your patching list in your next change window.
The five exploited flaws are:
- CVE-2025-30397 allows attackers to bamboozle Microsoft’s Scripting Engine with a type confusion attack. In this case an unauthorized user on the network can get full code execution on an unpatched system.
- CVE-2025-30400 is an elevation of privilege attack that lets someone with basic network rights hit Windows Desktop Window Manager with a use after free attack. Unlike the others, Windows Server 2025 is also vulnerable to this one.
- CVE-2025-32701 is a similar elevation of privilege problem: a use after free attack against the Windows Common Log File System Driver allows miscreants to get SYSTEM privileges.
- CVE-2025-32706 also affects the Windows Common Log File System Driver, this time through improper input validation that lets someone gain the same SYSTEM capability on the network.
- CVE-2025-32709 allows attackers to elevate themselves to full admin access by attacking the Windows Ancillary Function Driver for WinSock with a use after free attack.
After you deal with the above, the next three Microsoft patches of interest are Azure problems – especially the 10/10 rated CVE-2025-29813, an authentication bypass attack on the cloud platform’s DevOps platform.
CVE-2025-29827 allows elevation of privilege attacks against Azure Automation, and CVE-2025-29972 is a spoofing attack against Azure Storage.
Crucially, Microsoft has already fixed all three in production, and says it added the CVE information to the patch bundle to “provide further transparency.”
You can see the rest of the critical fixes and patches-of-interest in May’s batch below, a summary courtesy of Trend Micro’s Zero Day Initiative.
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability | Important | 7.5 | No | Yes | RCE |
| CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability | Important | 6.5 | Yes | No | Spoofing |
| CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
| CVE-2025-29827 | Azure Automation Elevation of Privilege Vulnerability | Critical | 9.9 | No | No | EoP |
| CVE-2025-29813 | Azure DevOps Elevation of Privilege Vulnerability | Critical | 10 | No | No | EoP |
| CVE-2025-29972 | Azure Storage Resource Provider Spoofing Vulnerability | Critical | 9.9 | No | No | Spoofing |
| CVE-2025-47732 | Microsoft Dataverse Remote Code Execution Vulnerability | Critical | 8.7 | No | No | RCE |
| CVE-2025-33072 | Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability | Critical | 8.1 | No | No | Info |
| CVE-2025-30377 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2025-30386 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2025-47733 | Microsoft Power Apps Information Disclosure Vulnerability | Critical | 9.1 | No | No | Info |
| CVE-2025-29833 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | Critical | 7.1 | No | No | RCE |
| CVE-2025-29966 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2025-29967 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
“There are seven lucky Denial-of-Service (DoS) bugs getting patches this month,” commented Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. However, Microsoft provides no actionable information about these bugs. Instead, they simply state that an attacker could deny service over a network (or locally) to that component.
Adobe et al
Adobe released its patches a little late on Tuesday, leading some to speculate that its recent shift in patching information sharing had gone awry. But the San Jose stalwart didn’t let the side down.
Photoshop has three critical flaws, all allowing arbitrary code execution, and all found by bug hunter yjdfy, who has made Adobe their specialty. The same person spotted a critical flaw in Illustrator and three of the five flaws found in Adobe Animate.
ColdFusion was Adobe’s buggiest package this month, with eight flaws fixed, followed by six for Substance 3D Stager – five of them critical. Connect has four fixes, including one critical flaw.
You’ll need to cross three fixes off your list for Bridge and InDesign, and deal with a couple in Dimension.
Substance 3D Painter and Lightroom get one apiece – both critical.
Apple released a host of fixes the day before Patch Tuesday, and only one of them is being exploited in “an extremely sophisticated attack against specific targeted individuals on versions of iOS released before iOS 18.4.1.” The flaw is in the CoreAudio API in watchOS 11.5 and is one of 21 fixes for that code. That sounds like a flaw used by government-level spyware or similar.
Cupertino served up 31 fixes for iOS/iPadOS 18.5 (with some of them code removals rather than patches), another 29 for iOS/iPadOS 17.77, and eight for Safari 18.5 – all of which are WebKit woes.
On the desktop, Apple found 46 fixes for macOS Sequoia 15.5, 31 for macOS Sonoma 14.7.6, and 29 for Ventura 13.7.6.
tvOS users may get square eyes implementing 22 fixes.
Apple’s headset operating system visionOS 2.5 has 23 flaws – dare we speculate that could be one for each regular user?
Notably, independent flaw finders found many of Apple’s mistakes this month. Perhaps Apple’s enhanced bug bounty scheme is working as intended.
But wait, there’s more … from SAP and Ivanti
SAP, which has had a bad month of it on the security front, released 18 fixes. These include a rerelease of the CVSS 10 issue that struck down NetWeaver at the end of April. SAP also fixed a second critical flaw and released a medium severity patch for NetWeaver.
Ivanti, a relatively recent addition to the Patch Tuesday mob, has issued three patches. There’s a CVSS 9.8 critical fix for Ivanti Neurons for ITSM that would allow anyone to get admin rights if they have physical access to a machine running the code. Another fix addresses a 7.8 rated privilege escalation issue in its Cloud Services Application. The company also addressed a minor 5.4 issue in Neurons for MDM. ®