Microsoft has released patches to fix a total of 78 security vulnerabilities in its software products. These include five zero-day vulnerabilities that are being actively exploited in the wild.
Out of the 78 vulnerabilities addressed, 11 are rated as Critical, 66 as Important, and one as Low severity. Among them, 28 can lead to remote code execution, 21 are privilege escalation bugs, and 16 are information disclosure flaws.
In addition to these fixes, Microsoft has also patched eight security vulnerabilities in its Chromium-based Edge browser since the last Patch Tuesday update.
The five zero-day vulnerabilities being actively exploited are:
- CVE-2025-30397 (CVSS score: 7.5) – Scripting Engine Memory Corruption Vulnerability
- CVE-2025-30400 (CVSS score: 7.8) – Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability
- CVE-2025-32701 (CVSS score: 7.8) – Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability
- CVE-2025-32706 (CVSS score: 7.8) – Windows Common Log File System Driver Elevation of Privilege Vulnerability
- CVE-2025-32709 (CVSS score: 7.8) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
The first three vulnerabilities were discovered by Microsoft’s own threat intelligence team, while the fourth was found by Benoit Sevens of Google Threat Intelligence Group and the CrowdStrike Advanced Research Team. An anonymous researcher reported the fifth vulnerability.
“A new zero-day vulnerability has been identified in the Microsoft Scripting Engine, which is used by Internet Explorer and Internet Explorer mode in Microsoft Edge,” said Alex Vovk, CEO and co-founder of Action1, commenting on CVE-2025-30397.
“Attackers can exploit this flaw through a malicious web page or script that tricks the scripting engine into misinterpreting object types, leading to memory corruption and arbitrary code execution in the current user’s context. If the user has admin rights, attackers could gain full system control, allowing for data theft, malware installation, and lateral movement within networks.”
CVE-2025-30400 is the third privilege escalation vulnerability in the DWM Core Library to be exploited in the wild since 2023. In May 2024, Microsoft patched CVE-2024-30051, which was used in attacks distributing QakBot malware.
“Since 2022, Patch Tuesday has addressed 26 elevation of privilege vulnerabilities in DWM,” said Satnam Narang, senior staff research engineer at Tenable.
“In fact, the April 2025 release included fixes for five DWM Core Library elevation of privilege vulnerabilities. Prior to CVE-2025-30400, only two DWM elevation of privilege bugs were exploited as zero days – CVE-2024-30051 in 2024 and CVE-2023-36033 in 2023.”
CVE-2025-32701 and CVE-2025-32706 are the seventh and eighth privilege escalation vulnerabilities discovered in the CLFS component and have been exploited in real-world attacks since 2022. Last month, Microsoft disclosed that CVE-2025-29824 was used in limited attacks targeting companies in the U.S., Venezuela, Spain, and Saudi Arabia.
CVE-2025-29824 was also exploited as a zero-day by threat actors associated with the Play ransomware family in an attack against an unnamed U.S. organization, as revealed by Symantec.
CVE-2025-32709 is the third privilege escalation flaw in the Ancillary Function Driver for WinSock component to be abused within a year, following CVE-2024-38193 and CVE-2025-21418. The exploitation of CVE-2024-38193 has been linked to the North Korea-based Lazarus Group.
These discoveries have led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add all five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply the patches by June 3, 2025.
Microsoft’s Patch Tuesday update also fixes a privilege escalation bug in Microsoft Defender for Endpoint for Linux (CVE-2025-26684, CVSS score: 6.7) that could allow an authorized attacker to elevate privileges locally.
Rich Mirch, a researcher at Stratascale, who reported the vulnerability, explained that the issue arises from a Python helper script containing a function (“grab_java_version()”) used to determine the Java Runtime Environment version.
“The function locates the Java binary on disk by checking the /proc/<PID>/exe symbolic link and then runs the java -version command,” Mirch clarified. “The problem is that the Java binary could be running from an untrusted location. A malicious local unprivileged user can create a process named java or javaw, which will be executed with root privileges to determine the JRE version.”
Another significant vulnerability is a spoofing flaw affecting Microsoft Defender for Identity (CVE-2025-26685, CVSS score: 6.5), allowing an attacker with LAN access to perform spoofing over an adjacent network.
“The lateral movement path detection feature can potentially be exploited by an adversary to obtain an NTLM hash,” said Adam Barnett, lead software engineer at Rapid7. “The compromised credentials in this scenario would be those of the Directory Services account, and the exploitation relies on falling back from Kerberos to NTLM.”
The most severe vulnerability is CVE-2025-29813 (CVSS score: 10.0), a privilege escalation flaw in Azure DevOps Server that allows an unauthorized attacker to escalate privileges over a network. Microsoft has already deployed a fix for this vulnerability in the cloud, requiring no action from customers.
Software Patches from Other Vendors
Aside from Microsoft, other vendors have also released security updates in recent weeks to address various vulnerabilities.
