Headline
Microsoft Patch Tuesday for May 2025 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for May of 2025 which includes 78 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “critical”.
Microsoft noted five vulnerabilities that have been observed to be exploited in the wild. CVE-2025-30397 is a remote code
Tuesday, May 13, 2025 16:38
Microsoft has released its monthly security update for May of 2025 which includes 78 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “critical”.
Microsoft noted five vulnerabilities that have been observed to be exploited in the wild. CVE-2025-30397 is a remote code execution vulnerability in the Microsoft Scripting Engine. There were also four elevation of privilege vulnerabilities being actively exploited, CVE-2025-32709, CVE-2025-30400, CVE-2025-32701 and CVE-2025-32706 affecting the Ancillary Function Driver for WinSock, the DWM Core Library and the Windows Common Log File System Driver.
The eleven "critical” entries consist of five remote code execution (RCE) vulnerabilities, four elevation of privilege vulnerabilities, one information disclosure vulnerability and one spoofing vulnerability. Three of the critical vulnerabilities have been marked as "Exploitation more likely": CVE-2025-30386 --a Microsoft Office RCE vulnerability, CVE-2025-30390 --an Azure ML Compute elevation of privilege vulnerability, and CVE-2025-30398 – a Nuance PowerScribe 360 information disclosure vulnerability.
The most notable of the “critical” vulnerabilities listed affect Microsoft Office. CVE-2025-30386 is a RCE vulnerability with base CVSS 3.1 score of 8.3. To successfully exploit CVE-2025-30386, an attacker could send a victim an email, and without the victim clicking the link, viewing or interacting with the email, trigger a use-after-free scenario, allowing arbitrary code to be executed. Microsoft has assessed that the attack complexity is “Low”, and exploitation is “More likely”. Another RCE vulnerability affecting Microsoft Office, CVE-2025-30377, has a CVSS 3.1 base score of 8.4, and has been assessed an attack complexity of “Low”, but exploitation is considered “Less Likely”.
Two RCE vulnerabilities affect the Remote Desktop Client. CVE-2025-29966 and CVE-2025-29967 are both Heap-cased Buffer Overflow vulnerabilities with CVSS 3.1 base scores of 8.8 with “Low” attack complexity and exploitation “Less Likely”. An attacker controlling a Remote Desktop Server could trigger the buffer overflow in a vulnerable when a vulnerable Remote Desktop Client connects to the server.
CVE-2025-29833 is a RCE affecting the Virtual Machine Bus. This is a Time-of-check Time-of-use (TOCTOU) Race Condition which has been assessed an attack complexity of “High” and exploitation is “Less Likely”.
Talos would also like to highlight the following “important” vulnerabilities as Microsoft has determined that exploitation is "More likely":
- CVE-2025-24063 - Kernel Streaming Service Driver Elevation of Privilege Vulnerability
- CVE-2025-29841 - Universal Print Management Service Elevation of Privilege Vulnerability
- CVE-2025-29971 - Web Threat Defense (WTD.sys) Denial of Service Vulnerability
- CVE-2025-29976 - Microsoft SharePoint Server Elevation of Privilege Vulnerability
- CVE-2025-30382 - Microsoft SharePoint Server Remote Code Execution Vulnerability
- CVE-2025-30385 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
- CVE-2025-30388 - Windows Graphics Component Remote Code Execution Vulnerability
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64848-64867. There are also these Snort 3 rules: 64852-64853, 301192-301200, and 301203
Related news
June 2025 Patch Tuesday fixes 66 bugs, including a zero-day in WebDAV. Update Windows, Office, and more now to block active threats.
About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities. When Microsoft disclosed these vulnerabilities in the May Patch Tuesday, attackers were already exploiting them in the wild. The Common Log File System (CLFS) is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode. […]
About Elevation of Privilege – Microsoft DWM Core Library (CVE-2025-30400) vulnerability. The vulnerability, patched as part of May Microsoft Patch Tuesday, affects the Desktop Window Manager component. This is a compositing window manager that has been part of Windows since Windows Vista. Successful exploitation could grant an attacker SYSTEM-level privileges. At the time the vulnerability […]
Microsoft on Tuesday released software updates to fix at least 70 vulnerabilities in Windows and related products, including five zero-day flaws that are already seeing active exploitation. Adding to the sense of urgency with this month's patch batch from Redmond are fixes for two other weaknesses that now have public proof-of-concept exploits available.
May Microsoft Patch Tuesday. A total of 93 vulnerabilities – about 1.5 times fewer than in April. Of these, 22 were added between the April and May MSPT. There are 5 vulnerabilities show signs of in-the-wild exploitation: 🔻 EoP – Microsoft DWM Core Library (CVE-2025-30400)🔻 EoP – Windows CLFS Driver (CVE-2025-32701, CVE-2025-32706)🔻 EoP – Windows […]