IT-DRAFTS
May 19, 2025

Microsoft’s May 2025 Patch Tuesday: 78 Fixes, 5 Zero-Days, and a Whole Lot of “Oh No”

Another month, another Patch Tuesday—because nothing says “fun” like spending your evening installing updates while silently questioning your life choices. This time, Microsoft dropped 78 fixes, including 5 zero-days that hackers have been actively exploiting (because why wait for a patch when you can exploit now, right?).

The Breakdown (Because Numbers Are Fun)

  • Critical: 11 (aka “Patch this yesterday”)

  • Important: 66 (aka “You should probably care”)

  • Low severity: 1 (aka “Microsoft’s way of saying ‘relax, it’s fine’”)

By type:

  • 28 RCEs (Remote Code Execution) – because who doesn’t love unauthorized remote parties?

  • 21 EoPs (Elevation of Privilege) – for when hackers want to feel important.

  • 16 Info Disclosures – because secrets are overrated.

The Zero-Day Club (AKA “We’ve Been Hacked Again”)

1. CVE-2025-30397 (CVSS: 7.5) – Scripting Engine Memory Corruption

  • What’s the deal? Hackers can trick you into visiting a malicious webpage (classic), leading to RCE (because why not?).

  • Worst-case scenario: If you’re an admin, congrats—hackers now own your PC.

  • Fun fact: This is like déjà vu from every IE/Edge vulnerability ever.

2. CVE-2025-30400 (CVSS: 7.8) – Desktop Window Manager (DWM) EoP

  • Third DWM zero-day since 2023—because Microsoft loves consistency.

  • An earlier DWM zero-day was used to spread QakBot (thanks, Kaspersky).

  • Prediction: Next year, we’ll get CVE-2026-whatever in the same component.

3. & 4. CVE-2025-32701 & CVE-2025-32706 (CVSS: 7.8) – Common Log File System (CLFS) EoP

  • The 7th and 8th CLFS zero-days since 2022—because why fix the root cause when you can patch endlessly?

  • Last month, CVE-2025-29824 was used by Play ransomware against targets in the US, Venezuela, Spain, and Saudi Arabia.

  • At this rate, CLFS should just get its own Hall of Shame.

5. CVE-2025-32709 (CVSS: 7.8) – WinSock Driver EoP

  • Third WinSock zero-day in a year—because Lazarus Group and friends just can’t resist.

  • The same driver was previously exploited via CVE-2024-38193 and CVE-2025-21418.

  • Moral of the story: If you’re a Windows driver, you’re a target.

Other “Fun” Vulnerabilities

1. CVE-2025-26684 (CVSS: 6.7) – Microsoft Defender for Linux EoP

  • Yes, even Linux isn’t safe from Microsoft’s buggy code.

  • Discovered by Stratascale, who probably sighed deeply.

2. CVE-2025-26685 (CVSS: 6.5) – Defender for Identity Spoofing

  • Allows network shenanigans—because who needs authentication anyway?

3. CVE-2025-29813 (CVSS: 10.0) – Azure DevOps Server EoP

  • Perfect 10/10 CVSS score—because when you fail, fail spectacularly.

  • Unauthenticated attacker? Check. Network-based? Check. Full system takeover? Check.

  • Good news: Microsoft auto-patched it. Bad news: It existed in the first place.

Final Thoughts (Because Someone Has to Say It)

  • Patch immediately—unless you enjoy being part of a botnet.

  • Watch out for CLFS/DWM/WinSock—they’re basically hacker VIP lounges.

  • Linux admins: Don’t relax just because you’re not on Windows. Defender has jokes too.

Bottom line: Microsoft’s code is like a leaky boat—they keep patching holes, but the ocean (aka hackers) just keeps coming.

Happy updating! 

RGDS,

Alex
