- I prefer this budget wireless iPhone charger over Apple's MagSafe devices - here's why
- One of my favorite Bluetooth speakers is from Sony and it's on sale for the first time ever
- Want to upgrade your home's tech? First, assess your energy maturity - here's how
- Can you build a billion-dollar business with only AI agents (yet)? This author thinks so
- I replaced my OnePlus with this $700 Motorola flip phone, and it's spoiled me big time
May 2025 Patch Tuesday Analysis
Today’s Patch Tuesday Alert addresses Microsoft’s May 2025 Security Updates. We are actively working on coverage for these vulnerabilities and expect to ship ASPL-1156 as soon as coverage is completed.
In-The-Wild & Disclosed CVEs
A vulnerability in the Windows Common Log File System (CLFS) Driver could allow a malicious actor to elevate their privileges to SYSTEM. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in the Windows Common Log File System (CLFS) Driver could allow a malicious actor to elevate their privileges to SYSTEM. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in the Microsoft DWM Core Library could allow a malicious actor to elevate their privileges to SYSTEM. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in the Windows Ancillary Function Driver (AFD) for WinSock could allow a malicious actor to elevate their privileges to Administrator. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in the Scripting Engine could allow a malicious actor to trick a user running Edge in Internet Explorer mode into clicking a malicious link that would execute code. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in Visual Studio could allow a malicious actor to convince a user to download a malicious file, which will cause code execution on the local system due to command injection. Microsoft has reported this vulnerability as Exploitation Less Likely.
A vulnerability in Microsoft Defender for Identity Spoofing could be exploited by an attacker with access to the local network. Microsoft has stated that no action is required to remediate this vulnerability but suggests if you have disabled NTLM completely in your environment and would like to keep using this feature, you should open a support case. Microsoft has reported this vulnerability as Exploitation Unlikely.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also color coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be highlighted.
| Tag | CVE Count | CVEs |
| Microsoft Edge (Chromium-based) | 6 | CVE-2025-4050, CVE-2025-4096, CVE-2025-29825, CVE-2025-4372, CVE-2025-4051, CVE-2025-4052 |
| .NET, Visual Studio, and Build Tools for Visual Studio | 1 | CVE-2025-26646 |
| Microsoft Defender for Endpoint | 1 | CVE-2025-26684 |
| Windows Routing and Remote Access Service (RRAS) | 8 | CVE-2025-29959, CVE-2025-29960, CVE-2025-29830, CVE-2025-29832, CVE-2025-29835, CVE-2025-29836, CVE-2025-29958, CVE-2025-29961 |
| Windows Media | 4 | CVE-2025-29964, CVE-2025-29840, CVE-2025-29962, CVE-2025-29963 |
| Windows Remote Desktop | 1 | CVE-2025-29966 |
| Remote Desktop Gateway Service | 4 | CVE-2025-29967, CVE-2025-30394, CVE-2025-26677, CVE-2025-29831 |
| Active Directory Certificate Services (AD CS) | 1 | CVE-2025-29968 |
| Windows Fundamentals | 1 | CVE-2025-29969 |
| Microsoft Brokering File System | 1 | CVE-2025-29970 |
| Web Threat Defense (WTD.sys) | 1 | CVE-2025-29971 |
| Azure File Sync | 1 | CVE-2025-29973 |
| Microsoft PC Manager | 1 | CVE-2025-29975 |
| Microsoft Office SharePoint | 4 | CVE-2025-29976, CVE-2025-30378, CVE-2025-30382, CVE-2025-30384 |
| Microsoft Office Excel | 9 | CVE-2025-29977, CVE-2025-29979, CVE-2025-30375, CVE-2025-30376, CVE-2025-30379, CVE-2025-30381, CVE-2025-30383, CVE-2025-30393, CVE-2025-32704 |
| Microsoft Office PowerPoint | 1 | CVE-2025-29978 |
| Microsoft Office | 2 | CVE-2025-30377, CVE-2025-30386 |
| Azure | 2 | CVE-2025-30387, CVE-2025-33072 |
| Windows Secure Kernel Mode | 1 | CVE-2025-27468 |
| Microsoft Dataverse | 2 | CVE-2025-29826, CVE-2025-47732 |
| Windows DWM | 1 | CVE-2025-30400 |
| Windows Common Log File System Driver | 3 | CVE-2025-32701, CVE-2025-32706, CVE-2025-30385 |
| Visual Studio | 2 | CVE-2025-32703, CVE-2025-32702 |
| Visual Studio Code | 1 | CVE-2025-21264 |
| Windows Ancillary Function Driver for WinSock | 1 | CVE-2025-32709 |
| Windows Hardware Lab Kit | 1 | CVE-2025-27488 |
| Microsoft Defender for Identity | 1 | CVE-2025-26685 |
| Windows Trusted Runtime Interface Driver | 1 | CVE-2025-29829 |
| Windows Virtual Machine Bus | 1 | CVE-2025-29833 |
| Windows Installer | 1 | CVE-2025-29837 |
| Windows Drivers | 1 | CVE-2025-29838 |
| Windows File Server | 1 | CVE-2025-29839 |
| Universal Print Management Service | 1 | CVE-2025-29841 |
| UrlMon | 1 | CVE-2025-29842 |
| Windows LDAP – Lightweight Directory Access Protocol | 1 | CVE-2025-29954 |
| Role: Windows Hyper-V | 1 | CVE-2025-29955 |
| Windows SMB | 1 | CVE-2025-29956 |
| Windows Deployment Services | 1 | CVE-2025-29957 |
| Windows Kernel | 2 | CVE-2025-29974, CVE-2025-24063 |
| Windows Win32K – GRFX | 1 | CVE-2025-30388 |
| Microsoft Scripting Engine | 1 | CVE-2025-30397 |
| Microsoft Office Outlook | 1 | CVE-2025-32705 |
| Windows NTFS | 1 | CVE-2025-32707 |
| Azure Storage Resource Provider | 1 | CVE-2025-29972 |
| Azure Automation | 1 | CVE-2025-29827 |
| Azure DevOps | 1 | CVE-2025-29813 |
| Microsoft Power Apps | 1 | CVE-2025-47733 |
Other Information
At the time of publication, there were no new advisories included with the May Security Guidance.
