Microsoft Addresses Seven Critical Zero-Day Vulnerabilities in May Patch Release

Microsoft has issued critical security updates addressing seven zero-day vulnerabilities, five of which are currently under active exploitation.

This month, the tech giant’s Patch Tuesday brought fixes for over 70 vulnerabilities, including the five actively exploited zero-days detailed below:

– CVE-2025-32701: Elevation of privilege vulnerability in Windows Common Log File System Driver.
– CVE-2025-32709: Elevation of privilege flaw in Windows Ancillary Function Driver for WinSock.
– CVE-2025-30397: Remote code execution vulnerability in Microsoft Scripting Engine.
– CVE-2025-32706: Another elevation of privilege flaw in Windows Common Log File System Driver.
– CVE-2025-30400: Elevation of privilege vulnerability in Microsoft DWM Core Library.

There is currently no detailed information available from Microsoft regarding the specific methods of exploitation for these zero-days.

Experts emphasize the urgency of patching these vulnerabilities, given that the average time from public disclosure to widespread exploitation is less than five days. Kev Breen, Senior Director of Threat Research at Immersive, warns that ransomware affiliates are likely to target elevation of privilege vulnerabilities.

He explains, “Privilege escalation indicates that an attacker has already gained initial access to a compromised host, typically through methods like phishing or using stolen credentials. Once in, attackers will pursue higher levels of access, which can result in full system control, allowing them to disable security measures or even obtain domain administrative permissions using credential harvesting tools.”

In addition to the active exploitation cases, Microsoft also identified two vulnerabilities that have been publicly disclosed but not yet exploited:

– CVE-2025-32702: A remote code execution vulnerability in Visual Studio, deemed a significant risk for developer systems as it could potentially compromise software supply chains. Mat Lee, Senior Security Engineer at Automox, noted the potential danger of this vulnerability, especially in environments where developers often possess broader permissions than standard users. “Combined with other known vulnerabilities, this could lead to fast, privileged access with minimal interaction,” he cautioned.

– CVE-2025-26685: An identity spoofing vulnerability in Microsoft Defender which potentially allows unauthorized attackers to perform spoofing attacks over adjacent networks.

In related news, SAP has released a security update to address a zero-day vulnerability (CVE-2025-42999) that is currently being exploited in attacks against NetWeaver customers, alongside another active exploitation case represented by CVE-2025-31324.

Organizations are strongly encouraged to prioritize the application of these updates to mitigate the risk posed by these vulnerabilities swiftly.