Microsoft Security Bulletin Coverage for May 2025

by Security News

Overview

Microsoft’s May 2025 Patch Tuesday has 76 vulnerabilities, 28 of which are Remote Code Execution. The SonicWall Capture Labs' threat research team has analyzed and addressed Microsoft’s security advisories for the month of May 2025 and has produced coverage for 11 of the reported vulnerabilities.

Vulnerabilities with Detections

| CVE | CVE Title | Signature |
| --- | --- | --- |
| CVE-2025-24063 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | ASPY 7080 Exploit-exe exe.MP_445 |
| CVE-2025-29841 | Universal Print Management Service Elevation of Privilege Vulnerability | ASPY 7081 Exploit-exe exe.MP_446 |
| CVE-2025-29971 | Web Threat Defense (WTD.sys) Denial of Service Vulnerability | IPS 20999 Windows Web Threat Defense DoS (CVE-2025-29971) |
| CVE-2025-30377 | Microsoft Office Remote Code Execution Vulnerability | ASPY 7078 Malformed-xls xls.MP_19 |
| CVE-2025-30386 | Microsoft Office Remote Code Execution Vulnerability | ASPY 7079 Malformed-pptx pptx.MP_1 |
| CVE-2025-30388 | Windows Graphics Component Remote Code Execution Vulnerability | ASPY 639 Malformed-emf emf.MP_46 |
| CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability | IPS 4579 Scripting Engine Memory Corruption Vulnerability (CVE-2025-30397) |
| CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | ASPY 638 Exploit-exe exe.MP_448 |
| CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | ASPY 637 Exploit-exe exe.MP_447 |
| CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | ASPY 636 Exploit-exe exe.MP_446 |
| CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | ASPY 640 Exploit-exe exe.MP_450 |

Release Breakdown

The vulnerabilities can be classified into the following categories: 

[Chart: chart_impact_1.png]

[Chart: chart_severity_2.png]

For May, there are 11 critical and 65 important vulnerabilities. 

[Chart: chart_Vul_count_3.png]

[Chart: chart_expl_dis_4.png]

Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery and those that have been disclosed publicly before each month's Patch Tuesday release. The above chart displays these metrics as seen each month.

[Chart: chart_expl_assesment_5.png]

Release Detailed Breakdown 

Denial of Service Vulnerabilities   

| CVE | CVE Title |
| --- | --- |
| CVE-2025-26677 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability |
| CVE-2025-29954 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability |
| CVE-2025-29955 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2025-29957 | Windows Deployment Services Denial of Service Vulnerability |
| CVE-2025-29968 | Active Directory Certificate Services (AD CS) Denial of Service Vulnerability |
| CVE-2025-29971 | Web Threat Defense (WTD.sys) Denial of Service Vulnerability |
| CVE-2025-30394 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability |

Elevation of Privilege Vulnerabilities   

| CVE | CVE Title |
| --- | --- |
| CVE-2025-21264 | Visual Studio Code Security Feature Bypass Vulnerability |
| CVE-2025-24063 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2025-26684 | Microsoft Defender Elevation of Privilege Vulnerability |
| CVE-2025-27468 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability |
| CVE-2025-27488 | Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability |
| CVE-2025-29813 | Azure DevOps Elevation of Privilege Vulnerability |
| CVE-2025-29826 | Microsoft Dataverse Elevation of Privilege Vulnerability |
| CVE-2025-29827 | Azure Automation Elevation of Privilege Vulnerability |
| CVE-2025-29838 | Windows ExecutionContext Driver Elevation of Privilege Vulnerability |
| CVE-2025-29841 | Universal Print Management Service Elevation of Privilege Vulnerability |
| CVE-2025-29970 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2025-29973 | Microsoft Azure File Sync Elevation of Privilege Vulnerability |
| CVE-2025-29975 | Microsoft PC Manager Elevation of Privilege Vulnerability |
| CVE-2025-29976 | Microsoft SharePoint Server Elevation of Privilege Vulnerability |
| CVE-2025-30385 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| CVE-2025-30387 | Document Intelligence Studio On-Prem Elevation of Privilege Vulnerability |
| CVE-2025-30390 | Azure ML Compute Elevation of Privilege Vulnerability |
| CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability |
| CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| CVE-2025-32707 | NTFS Elevation of Privilege Vulnerability |
| CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |

Information Disclosure Vulnerabilities   

| CVE | CVE Title |
| --- | --- |
| CVE-2025-29829 | Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability |
| CVE-2025-29830 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability |
| CVE-2025-29832 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability |
| CVE-2025-29835 | Windows Remote Access Connection Manager Information Disclosure Vulnerability |
| CVE-2025-29836 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability |
| CVE-2025-29837 | Windows Installer Information Disclosure Vulnerability |
| CVE-2025-29839 | Windows Multiple UNC Provider Driver Information Disclosure Vulnerability |
| CVE-2025-29956 | Windows SMB Information Disclosure Vulnerability |
| CVE-2025-29958 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability |
| CVE-2025-29959 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability |
| CVE-2025-29960 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability |
| CVE-2025-29961 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability |
| CVE-2025-29974 | Windows Kernel Information Disclosure Vulnerability |
| CVE-2025-30398 | Nuance PowerScribe 360 Information Disclosure Vulnerability |
| CVE-2025-32703 | Visual Studio Information Disclosure Vulnerability |

Remote Code Execution Vulnerabilities   

| CVE | CVE Title |
| --- | --- |
| CVE-2025-29831 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
| CVE-2025-29833 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability |
| CVE-2025-29840 | Windows Media Remote Code Execution Vulnerability |
| CVE-2025-29962 | Windows Media Remote Code Execution Vulnerability |
| CVE-2025-29963 | Windows Media Remote Code Execution Vulnerability |
| CVE-2025-29964 | Windows Media Remote Code Execution Vulnerability |
| CVE-2025-29966 | Remote Desktop Client Remote Code Execution Vulnerability |
| CVE-2025-29967 | Remote Desktop Client Remote Code Execution Vulnerability |
| CVE-2025-29969 | MS-EVEN RPC Remote Code Execution Vulnerability |
| CVE-2025-29977 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-29978 | Microsoft PowerPoint Remote Code Execution Vulnerability |
| CVE-2025-29979 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-30375 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-30376 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-30377 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2025-30378 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2025-30379 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-30381 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-30382 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2025-30383 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-30384 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2025-30386 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2025-30388 | Windows Graphics Component Remote Code Execution Vulnerability |
| CVE-2025-30393 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability |
| CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability |
| CVE-2025-32704 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-32705 | Microsoft Outlook Remote Code Execution Vulnerability |

Security Feature Bypass Vulnerability   

| CVE | CVE Title |
| --- | --- |
| CVE-2025-29842 | UrlMon Security Feature Bypass Vulnerability |

Spoofing Vulnerabilities   

| CVE | CVE Title |
| --- | --- |
| CVE-2025-26646 | .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability |
| CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability |
| CVE-2025-29972 | Azure Storage Resource Provider Spoofing Vulnerability |

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
