Microsoft’s May Patch Tuesday security update addressed 78 flaws, including five actively exploited zero-day flaws. Two additional zero-day vulnerabilities were publicly disclosed before patches became available.

Five flaws have been exploited in the wild

Microsoft has detected exploitation of five flaws:

  • CVE-2025-30397, a scripting engine memory corruption flaw affecting Microsoft Edge’s Internet Explorer mode.
  • CVE-2025-30400, an elevation of privilege bug in the Desktop Window Manager (DWM) Core Library for Windows.
  • CVE-2025-32701, an elevation of privilege flaw in the Windows Common Log File System (CLFS) driver.
  • CVE-2025-32706, a second elevation of privilege flaw in the same CLFS driver.
  • CVE-2025-32709, an elevation of privilege flaw in afd.sys.

Two of these, CVE-2025-32701 and CVE-2025-32706, stem from two bugs in the Windows Common Log File System (CLFS) driver. The driver is a component for logging services and is used in all supported versions of Windows 10 and 11, including server versions.

“These specific vulnerabilities are a Privilege Escalation vulnerability, meaning that an attacker must already have initial access to a compromised host, typically through a phishing attack or by using stolen credentials,” said Kev Breen, senior director of threat research at Immersive.

Microsoft, Google, and CrowdStrike have all warned about these two flaws while not providing indicators of compromise.

“With low complexity and minimal privileges needed, these flaws pose a serious risk, especially given the confirmed in-the-wild exploitation,” said Mike Walters, president and co-founder of Action1, in an email to TechRepublic. “While no public exploit code is currently available, the presence of active attacks suggests that targeted campaigns, potentially involving advanced persistent threats (APTs), are already underway.”

Flaws in Internet Explorer still haunt legacy compatibility

CVE-2025-30397 can enable full system control if exploited, pointed out Alex Vovk, chief executive officer and co-founder of Action1, in an email to TechRepublic. The flaw is a memory corruption bug in the Microsoft Scripting Engine used by Internet Explorer, and it can lead to arbitrary code execution.

While Microsoft Edge and its Internet Explorer mode hold only 5% browser market share, this mode remains critical for organizations reliant on legacy compatibility.

“The widespread reliance on Internet Explorer mode for legacy compatibility further increases exposure due to outdated components still in use,” Vovk said.


Satnam Narang, senior staff research engineer at Tenable, said this exploit is not likely to pose a major threat because it requires authentication on the client side and requires the user to click a link while using one of those 5% of browsers.

“Despite clear exploitation in the wild, we’re not likely to see broad exploitation of this bug due to the number of pre-requisites,” Narang said in an email. “We haven’t seen very many scripting engine flaws over the last three years.”

Another scripting engine memory corruption zero-day was exploited in the wild by researchers and the National Cyber Security Center (NCSC) of South Korea, Narang said.

However, “It’s unclear if this is related to follow-on attacks,” Narang said.

Other patches address an Office flaw where a malicious attachment could infect a device even through the Preview Pane

Two flaws patched in May, CVE-2025-30386 and CVE-2025-30377, could allow for remote code execution in Microsoft Office.

The former can be triggered by opening a malicious attachment, but even previewing the attachment might be enough for it to infect the device.

“The CVSS lists a local attack vector with no user interaction, but the real-world impact more closely resembles a remote attack,” said Walters. “This highlights the need to interpret vulnerability context beyond scoring metrics. The ability to trigger exploitation via the Preview Pane further elevates the risk, as users may not even need to open the attachment explicitly.”

SharePoint servers were targeted

Breen highlighted CVE-2025-29976 and CVE-2025-30382, patches for Microsoft SharePoint Server that should be of particular interest to network administrators running SharePoint services.

“SharePoint services, especially those used as internal document stores, can be a treasure trove for threat actors looking to steal data, especially data that may be leveraged to force ransom payments using double extortion techniques by threatening to release the stolen data if payment is not made,” noted Breen.

Patch Tuesday is a reminder to apply updates frequently

Organizations running Windows systems are urged to apply the latest security patches immediately. Some admins may choose to wait to deploy updates until they are tested and known to be benign. “A defense-in-depth approach combining timely updates with layered security controls is essential to mitigate the risk of compromise,” Vovk said.

Windows 11 and Server 2025 May updates come bundled with Recall, a controversial AI feature that captures screenshots of user activity, raising privacy concerns.
