News
7 Zero-Day Flaws Addressed in Microsoft's May Security Patch
Microsoft's May security update arrived on Tuesday, fixing seven zero-day vulnerabilities, five of them already under active exploitation, among a total patch load of 71 bulletins.
Five of the seven zero-days are already being used in attacks, so they should be patched first. Two of the most severe are in the Windows Common Log File System (CLFS) driver -- CVE-2025-32701 and CVE-2025-32706 -- which security researchers say are being exploited to elevate privileges on fully supported versions of Windows 10, Windows 11, and Windows Server. CLFS is a core Windows component that provides logging for both system processes and third-party applications, which is why it is reachable from low-privileged code.
"Attackers exploiting these vulnerabilities can escalate privileges to SYSTEM level, granting them full control to run arbitrary code, install malware, modify data or disable security protections," said Mike Walters, cofounder and president of security firm Action1. "With low complexity and minimal privileges needed, these flaws pose a serious risk, especially given the confirmed in-the-wild exploitation."
The other zero-day flaws patched were:
- CVE-2025-32709: An actively exploited elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys).
- CVE-2025-30400: An actively exploited elevation of privilege flaw in the Desktop Window Manager (DWM), echoing last year's zero-day in the same component.
- CVE-2025-30397: An actively exploited remote code execution vulnerability in the Microsoft Scripting Engine, reachable through Internet Explorer and IE mode in Microsoft Edge.
- CVE-2025-26685: A spoofing vulnerability in Microsoft Defender for Identity that was publicly disclosed before the patch, with proof-of-concept exploit code available; no active attacks have been seen.
- CVE-2025-32702: A remote code execution vulnerability in Visual Studio, also publicly disclosed with exploit code available; no active attacks have been seen.
Microsoft shared no technical details or indicators of compromise for any of the zero-days, urging organizations to apply the updates immediately.
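Because Microsoft published no indicators of compromise, the practical triage step is to confirm that each host has actually reached the May cumulative update that carries the zero-day fixes. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the host's OS build and Update Build Revision (UBR) from the registry and compares the UBR against the build the May 2025 cumulative update raises each supported Windows version to. The build numbers in the table are the author's recollection of the May 13, 2025 releases and are an assumption; confirm them against the Microsoft Update Catalog or Security Update Guide before acting on the output.

```powershell
# Added example (not from the article or Microsoft): report whether this host has the
# May 2025 cumulative update that fixes the five actively exploited zero-days.
#
# ASSUMPTION: the build/UBR values below are the May 13, 2025 LCU builds as recalled
# by the author; verify them against the Microsoft Update Catalog before relying on them.

$ActivelyExploited = @(
    'CVE-2025-32701',  # CLFS elevation of privilege
    'CVE-2025-32706',  # CLFS elevation of privilege
    'CVE-2025-32709',  # afd.sys elevation of privilege
    'CVE-2025-30400',  # DWM elevation of privilege
    'CVE-2025-30397'   # Scripting Engine RCE (IE / IE mode in Edge)
)

# Minimum UBR per OS build after the May 2025 LCU, keyed by CurrentBuild (assumed values).
$MinimumUbrByBuild = @{
    '19045' = 5854   # Windows 10 22H2               (KB5058379)
    '20348' = 3692   # Windows Server 2022           (KB5058385)
    '22621' = 5335   # Windows 11 22H2               (KB5058405)
    '22631' = 5335   # Windows 11 23H2               (KB5058405)
    '26100' = 4061   # Windows 11 24H2 / Server 2025 (KB5058411)
}

function Test-May2025PatchLevel {
    param(
        [Parameter(Mandatory)] [string]$CurrentBuild,  # e.g. '22631'
        [Parameter(Mandatory)] [int]$Ubr               # e.g. 5335
    )
    if (-not $MinimumUbrByBuild.ContainsKey($CurrentBuild)) {
        return [pscustomobject]@{ Build = "$CurrentBuild.$Ubr"; Status = 'Unknown build; check manually' }
    }
    $required = $MinimumUbrByBuild[$CurrentBuild]
    $status = if ($Ubr -ge $required) { 'Patched' } else { "MISSING May 2025 LCU (need UBR >= $required)" }
    [pscustomobject]@{ Build = "$CurrentBuild.$Ubr"; Status = $status }
}

# Read the running host's build and UBR from the registry.
$ver    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$result = Test-May2025PatchLevel -CurrentBuild $ver.CurrentBuild -Ubr ([int]$ver.UBR)

# Secondary signal: the newest installed update that Get-HotFix knows an install date for.
$lastUpdate = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

"Host     : $env:COMPUTERNAME"
"OS build : $($result.Build)"
"Status   : $($result.Status)"
if ($lastUpdate) {
    "Last fix : $($lastUpdate.HotFixID) installed $($lastUpdate.InstalledOn.ToShortDateString())"
}
if ($result.Status -ne 'Patched') {
    "Exposure : actively exploited CVEs not yet fixed on this host: $($ActivelyExploited -join ', ')"
}
```

The UBR comparison is more reliable than searching Get-HotFix for a KB number, because cumulative updates supersede one another and a later LCU may be listed instead of the May one; `Test-May2025PatchLevel` also accepts values read from an inventory export, so the same check can be run against a fleet without touching each host.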
Critical Vulnerabilities Patched
In addition to the zero-day flaws, Microsoft also addressed several critical vulnerabilities this month:
- CVE-2025-29813: A maximum severity elevation of privilege bug in Azure DevOps (CVSS 10.0).
- CVE-2025-29827: A privilege escalation flaw in Azure Automation (CVSS 9.9).
- CVE-2025-29972: A spoofing vulnerability in Azure Storage Resource Provider that could allow impersonation attacks (CVSS 9.9).
- CVE-2025-47733: A high-severity information disclosure vulnerability in Microsoft Power Apps (CVSS 9.1).
- CVE-2025-29966 and CVE-2025-29967: Two RCE bugs in the Remote Desktop Client, each rated CVSS 8.8.
- CVE-2025-47732: An RCE vulnerability in Microsoft Dataverse that could allow code execution via malicious input (CVSS 8.7).
- CVE-2025-30377 and CVE-2025-30386: RCE flaws in Microsoft Office that could be triggered via crafted documents (CVSS 8.4).
- CVE-2025-33072: An information disclosure issue in msagsfeedback.azurewebsites.net (CVSS 8.1).
- CVE-2025-29833: An RCE vulnerability in the Virtual Machine Bus (VMBus) component (CVSS 7.1).
As always, Microsoft urges administrators to back up systems and test patches before deployment in production environments. Full details and individual advisories are available through the Microsoft Security Update Guide.