1. Executive Summary
Microsoft’s May 2025 Patch Tuesday shipped fixes for ~72 vulnerabilities across Windows and multiple Microsoft product families; the exact count varies between sources depending on whether certain platforms (e.g., Edge/Azure service-side fixes) are included. According to Microsoft-focused CTI write-ups and government-sector advisories, the release included five zero-day vulnerabilities confirmed as actively exploited in the wild, alongside a set of Critical issues (notably remote code execution paths) that warrant urgent prioritisation. Organisations running Windows endpoints, especially those with legacy dependencies such as Edge Internet Explorer Mode, faced elevated risk from rapid, weaponised exploitation patterns typical of Patch Tuesday “race windows”. CrowdStrike, Rapid7, and NHS England’s cyber advisory channels all stressed expedited patching, with the exploited items treated as priority remediation targets.
2. Contextual Background
2.1 Nature of the threat
Multiple independent trackers reported Microsoft’s May 2025 security release as addressing ~71–77 CVEs, with 72 a commonly cited count for “Patch Tuesday” coverage. For example, CrowdStrike’s analysis cites 72 vulnerabilities and five actively exploited zero-days, while other vendors count additional items based on categorisation scope. (CrowdStrike’s May 2025 Patch Tuesday analysis; NHS England Cyber Alert CC-4656; Rapid7 Patch Tuesday analysis; BleepingComputer coverage)
Actively exploited zero-days (5) — as enumerated in NHS England’s alert and echoed in vendor analyses:
- CVE-2025-30400 — Microsoft DWM Core Library Elevation of Privilege (Microsoft Advisory for CVE-2025-30400; NVD)
- CVE-2025-32701 — Windows Common Log File System (CLFS) Driver Elevation of Privilege (Microsoft Advisory for CVE-2025-32701; NVD)
- CVE-2025-32706 — Windows CLFS Driver Elevation of Privilege (Microsoft Advisory for CVE-2025-32706; NVD)
- CVE-2025-32709 — Windows Ancillary Function Driver for WinSock Elevation of Privilege (Microsoft Advisory for CVE-2025-32709; NVD)
- CVE-2025-30397 — Microsoft Scripting Engine Memory Corruption (RCE scenario via IE Mode) (Microsoft Advisory for CVE-2025-30397; NVD)
Microsoft did not publicly disclose detailed exploitation tradecraft for these five issues in the Patch Tuesday materials referenced by major third-party reporting, limiting defender visibility into actor tooling and intrusion chains. (BleepingComputer coverage)
