- These are my top 15 favorite Memorial Day lawn and outdoor deals right now
- My favorite Memorial Day TV deals 2025: Save up to $5,000 on big-screen TVs
- I'm a laptop expert, and these are the Memorial Day laptop deals I'd grab this weekend
- I'm an audio expert and these are the Memorial Day headphone deals I'd recommend to my friends and family
- I prefer this budget wireless iPhone charger over Apple's MagSafe devices - here's why
May 2025 Patch Tuesday Analysis
Today’s Patch Tuesday Alert addresses Microsoft’s May 2025 Security Updates. We are actively working on coverage for these vulnerabilities and expect to ship ASPL-1156 as soon as coverage is completed.
In-The-Wild & Disclosed CVEs
A vulnerability in the Windows Common Log File System (CLFS) Driver could allow a malicious actor to elevate their privileges to SYSTEM. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in the Windows Common Log File System (CLFS) Driver could allow a malicious actor to elevate their privileges to SYSTEM. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in the Microsoft DWM Core Library could allow a malicious actor to elevate their privileges to SYSTEM. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in the Windows Ancillary Function Driver (AFD) for WinSock could allow a malicious actor to elevate their privileges to Administrator. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in the Scripting Engine could allow a malicious actor to trick a user running Edge in Internet Explorer mode into clicking a malicious link that would execute code. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in Visual Studio could allow a malicious actor to convince a user to download a malicious file, which will cause code execution on the local system due to command injection. Microsoft has reported this vulnerability as Exploitation Less Likely.
A vulnerability in Microsoft Defender for Identity Spoofing could be exploited by an attacker with access to the local network. Microsoft has stated that no action is required to remediate this vulnerability but suggests if you have disabled NTLM completely in your environment and would like to keep using this feature, you should open a support case. Microsoft has reported this vulnerability as Exploitation Unlikely.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also color coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be highlighted.
| Tag | CVE Count | CVEs |
| Microsoft Edge (Chromium-based) | 6 | CVE-2025-4050, CVE-2025-4096, CVE-2025-29825, CVE-2025-4372, CVE-2025-4051, CVE-2025-4052 |
| .NET, Visual Studio, and Build Tools for Visual Studio | 1 | CVE-2025-26646 |
| Microsoft Defender for Endpoint | 1 | CVE-2025-26684 |
| Windows Routing and Remote Access Service (RRAS) | 8 | CVE-2025-29959, CVE-2025-29960, CVE-2025-29830, CVE-2025-29832, CVE-2025-29835, CVE-2025-29836, CVE-2025-29958, CVE-2025-29961 |
| Windows Media | 4 | CVE-2025-29964, CVE-2025-29840, CVE-2025-29962, CVE-2025-29963 |
| Windows Remote Desktop | 1 | CVE-2025-29966 |
| Remote Desktop Gateway Service | 4 | CVE-2025-29967, CVE-2025-30394, CVE-2025-26677, CVE-2025-29831 |
| Active Directory Certificate Services (AD CS) | 1 | CVE-2025-29968 |
| Windows Fundamentals | 1 | CVE-2025-29969 |
| Microsoft Brokering File System | 1 | CVE-2025-29970 |
| Web Threat Defense (WTD.sys) | 1 | CVE-2025-29971 |
| Azure File Sync | 1 | CVE-2025-29973 |
| Microsoft PC Manager | 1 | CVE-2025-29975 |
| Microsoft Office SharePoint | 4 | CVE-2025-29976, CVE-2025-30378, CVE-2025-30382, CVE-2025-30384 |
| Microsoft Office Excel | 9 | CVE-2025-29977, CVE-2025-29979, CVE-2025-30375, CVE-2025-30376, CVE-2025-30379, CVE-2025-30381, CVE-2025-30383, CVE-2025-30393, CVE-2025-32704 |
| Microsoft Office PowerPoint | 1 | CVE-2025-29978 |
| Microsoft Office | 2 | CVE-2025-30377, CVE-2025-30386 |
| Azure | 2 | CVE-2025-30387, CVE-2025-33072 |
| Windows Secure Kernel Mode | 1 | CVE-2025-27468 |
| Microsoft Dataverse | 2 | CVE-2025-29826, CVE-2025-47732 |
| Windows DWM | 1 | CVE-2025-30400 |
| Windows Common Log File System Driver | 3 | CVE-2025-32701, CVE-2025-32706, CVE-2025-30385 |
| Visual Studio | 2 | CVE-2025-32703, CVE-2025-32702 |
| Visual Studio Code | 1 | CVE-2025-21264 |
| Windows Ancillary Function Driver for WinSock | 1 | CVE-2025-32709 |
| Windows Hardware Lab Kit | 1 | CVE-2025-27488 |
| Microsoft Defender for Identity | 1 | CVE-2025-26685 |
| Windows Trusted Runtime Interface Driver | 1 | CVE-2025-29829 |
| Windows Virtual Machine Bus | 1 | CVE-2025-29833 |
| Windows Installer | 1 | CVE-2025-29837 |
| Windows Drivers | 1 | CVE-2025-29838 |
| Windows File Server | 1 | CVE-2025-29839 |
| Universal Print Management Service | 1 | CVE-2025-29841 |
| UrlMon | 1 | CVE-2025-29842 |
| Windows LDAP – Lightweight Directory Access Protocol | 1 | CVE-2025-29954 |
| Role: Windows Hyper-V | 1 | CVE-2025-29955 |
| Windows SMB | 1 | CVE-2025-29956 |
| Windows Deployment Services | 1 | CVE-2025-29957 |
| Windows Kernel | 2 | CVE-2025-29974, CVE-2025-24063 |
| Windows Win32K – GRFX | 1 | CVE-2025-30388 |
| Microsoft Scripting Engine | 1 | CVE-2025-30397 |
| Microsoft Office Outlook | 1 | CVE-2025-32705 |
| Windows NTFS | 1 | CVE-2025-32707 |
| Azure Storage Resource Provider | 1 | CVE-2025-29972 |
| Azure Automation | 1 | CVE-2025-29827 |
| Azure DevOps | 1 | CVE-2025-29813 |
| Microsoft Power Apps | 1 | CVE-2025-47733 |
Other Information
At the time of publication, there were no new advisories included with the May Security Guidance.
