Fyself News

Microsoft fixes 78 flaws, including five exploited zero-days; CVSS 10 bug affects Azure DevOps Server

By user, May 14, 2025

On Tuesday, Microsoft shipped fixes to address a total of 78 security flaws across its software lineup, including a set of five zero-days that have come under active exploitation in the wild.

Of the 78 flaws resolved by the tech giant, 11 are rated Critical, 66 are rated Important, and one is rated Low in severity. Twenty-eight of these vulnerabilities lead to remote code execution, 21 are privilege escalation bugs, and 16 are classified as information disclosure flaws.

The updates are in addition to eight security flaws patched by the company in its Chromium-based Edge browser since the release of last month's Patch Tuesday update.

The five vulnerabilities that have come under active exploitation in the wild are listed below:

  • CVE-2025-30397 (CVSS score: 7.5) – Scripting Engine Memory Corruption Vulnerability
  • CVE-2025-30400 (CVSS score: 7.8) – Microsoft Desktop Window Manager (DWM) Core Library Privilege Escalation Vulnerability
  • CVE-2025-32701 Vulnerability
  • CVE-2025-32706 (CVSS score: 7.8) – Windows Common Log File System Driver Vulnerability
  • CVE-2025-32709 (CVSS score: 7.8) – Windows Ancillary Function Driver for WinSock

The first three flaws are credited to Microsoft's own threat intelligence team, while Benoit Sevens of Google Threat Intelligence Group and the CrowdStrike Advanced Research Team have been acknowledged for the discovery of CVE-2025-32706. An anonymous researcher has been credited with reporting CVE-2025-32709.

“Another zero-day vulnerability has been identified in Microsoft Scripting Engine, a critical component used by Microsoft Explorer and Microsoft Edge’s Internet Explorer Mode,” says Alex Vovk, CEO and co-founder of Action1, about CVE-2025-30397.

“Attackers exploit the flaws via malicious web pages or scripts that misinterpret object types, resulting in memory corruption and arbitrary code execution in the context of the current user. If the user has administrative privileges, the attackers can gain full system control, allowing data theft, malware installation, and lateral movement across the network.”

CVE-2025-30400 is the third privilege escalation flaw in the DWM Core Library to be weaponized in the wild since 2023. In May 2024, Microsoft issued a patch for CVE-2024-30051.

“Since 2022, Patch Tuesday has addressed 26 elevation of privilege vulnerabilities in DWM,” said Satnam Narang, Senior Staff Research Engineer at Tenable, in a statement shared with The Hacker News.

“In fact, the April 2025 release included fixes for five DWM Core Library elevation of privilege vulnerabilities. Before CVE-2025-30400, only two DWM elevation of privilege bugs were exploited as zero-days: CVE-2024-30051 and, in 2023, CVE-2023-36033.”

CVE-2025-32701 and CVE-2025-32706 are the seventh and eighth privilege escalation flaws discovered in the CLFS component that have been exploited in real-world attacks since 2022. Saudi Arabia.

CVE-2025-29824 is also said to have been exploited as a zero-day by threat actors linked to the Play ransomware family as part of an attack targeting an unnamed U.S. organization.

Similarly, CVE-2025-32709 is the third privilege escalation flaw in the Ancillary Function Driver for WinSock component to have come under abuse within a span of a year, after CVE-2024-38193 and CVE-2025-21418. It is worth noting that the exploitation of CVE-2024-38193 has been attributed to the North Korea-linked Lazarus Group.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add all five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by June 3, 2025.

Microsoft's Patch Tuesday update also addresses a privilege escalation bug in Microsoft Defender for Endpoint for Linux (CVE-2025-26684, CVSS score: 6.7).

Stratascale researcher Rich Mirch, one of the two researchers acknowledged for reporting the vulnerability, said the issue is rooted in a Python helper script that includes a function (“grab_java_version()”) to determine the Java Runtime Environment (JRE) version.

“This function determines the location of the Java binaries on disk by checking the /proc//exe symbolic link and running the java -version command,” explained Mirch. “The problem is that Java binaries can run from untrusted locations. A malicious local, unprivileged user can create a process with the name java or javaw.”
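A hardening check for the pattern Mirch describes, as an added example (not Microsoft's code and not the actual fix): before a privileged helper runs a binary it located through /proc/<pid>/exe, it confirms that the file and every ancestor directory are root-owned and not group- or world-writable. The function names and the root-only trust policy are assumptions made for this illustration.

```python
import os
import stat
from pathlib import PurePosixPath

# Assumption for this example: only root-owned paths count as trusted.
TRUSTED_UIDS = frozenset({0})


def stat_problem(st, trusted_uids=TRUSTED_UIDS):
    """Return why one inode is unsafe to trust, or None if acceptable."""
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None


def untrusted_reason(resolved_path, stat_fn=os.stat, trusted_uids=TRUSTED_UIDS):
    """Vet a binary and every ancestor directory up to '/'.

    A writable ancestor lets an unprivileged user swap the binary between
    the check and the exec, so the whole chain has to pass.
    """
    path = PurePosixPath(resolved_path)
    if not path.is_absolute():
        return "path is not absolute"
    try:
        if not stat.S_ISREG(stat_fn(str(path)).st_mode):
            return f"{path}: not a regular file"
        for node in (path, *path.parents):
            problem = stat_problem(stat_fn(str(node)), trusted_uids)
            if problem:
                return f"{node}: {problem}"
    except OSError as exc:
        return f"stat failed: {exc}"
    return None


def vet_process_exe(pid):
    """Resolve /proc/<pid>/exe and return (path, reason); reason None = trusted."""
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError as exc:
        return None, f"cannot read exe link: {exc}"
    if exe.endswith(" (deleted)"):
        return exe, "binary was deleted after exec"
    return exe, untrusted_reason(os.path.realpath(exe))
```

A privileged caller would skip (and log) any process for which `vet_process_exe` returns a reason, rather than executing the binary to ask for its version.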


Another notable flaw is a spoofing vulnerability affecting Microsoft Defender for Identity (CVE-2025-26685, CVSS score: 6.5).

“The lateral movement path detection feature itself could potentially be exploited by the enemy,” Adam Barnett, lead software engineer at Rapid7, said in a statement. “The compromised credentials in this case are the credentials of the directory service account, and exploitation depends on achieving a fallback from Kerberos to NTLM.”

The vulnerability with the maximum severity is CVE-2025-29813 (CVSS score: 10.0), a privilege escalation flaw in Azure DevOps Server that allows an unauthorized attacker to elevate privileges over a network. Microsoft said the fix for this shortcoming has already been deployed in the cloud and that no action is required on the part of customers.

Software patches from other vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks, rectifying some vulnerabilities.
