On May 13, 2025, Microsoft released numerous security updates for Windows, Office and other products. I promptly provided a brief overview of the vulnerabilities addressed. Security provider Tenable subsequently sent me their assessment of the vulnerabilities, which I am posting here on the blog for your information.
In May 2025, Microsoft patched seven zero-day vulnerabilities, five of which were exploited in the wild and two of which were already known before the patches were released. Four of the seven zero-days were elevation-of-privilege vulnerabilities, two allowed remote code execution and one was a spoofing vulnerability.
CVE-2025-30397 in Scripting Engine
CVE-2025-30397, a memory corruption vulnerability in the scripting engine, can only be exploited if the potential victim is using Microsoft Edge in Internet Explorer mode – a high hurdle considering Edge only has a 5 percent market share. Internet Explorer mode is used to provide organizations with backward compatibility when needed.
In addition, client-side authentication is required and the potential victim would have to click on a link manipulated by the attacker. Despite confirmed exploitation of the bug in the wild, it is unlikely to happen on a wide scale due to the numerous hurdles.
There have only been a few scripting engine vulnerabilities in the last three years. However, in August 2024, another memory corruption zero-day was reported in the Scripting Engine: CVE-2024-38178. According to researchers and the National Cyber Security Center (NCSC) of the Republic of Korea, this has already been exploited in the wild. It is unclear whether this is related to follow-up attacks.
CVE-2025-30400 in DWM Core Library for Windows
CVE-2025-30400 is one of the four Elevation of Privilege vulnerabilities patched this month. It affects the Desktop Window Manager (DWM) Core Library for Windows.
Since 2022, 26 elevation-of-privilege vulnerabilities in the DWM Core Library have been addressed as part of Patch Tuesday. In fact, the April release contained fixes for five elevation-of-privilege vulnerabilities in the DWM Core Library. Prior to CVE-2025-30400, only two elevation-of-privilege vulnerabilities in the DWM Core Library were exploited as zero-days: CVE-2024-30051 in 2024 and CVE-2023-36033 in 2023.
CVE-2025-32701 and CVE-2025-32706 in CLFS driver
CVE-2025-32701 and CVE-2025-32706 are both elevation-of-privilege vulnerabilities in the Windows Common Log File System (CLFS) driver. The Common Log File System is a general-purpose logging subsystem that can be accessed by both kernel-mode and user-mode applications to create powerful transaction logs. It was introduced with Windows Server 2003 R2 and included in later Windows operating systems.
This is the second month in a row that an elevation-of-privilege vulnerability in CLFS has been exploited as a zero-day. CVE-2025-29824 was patched in April 2025 and exploited by a threat actor known as Storm-2460, which used the PipeMagic malware to spread ransomware in compromised environments.
Although the exact method of exploitation of CVE-2025-32701 and CVE-2025-32706 in the wild is not known, it can be assumed that both were part of post-compromise activities that were either targeted espionage or financially motivated activities such as ransomware distribution. Since 2022, 33 vulnerabilities have been reported in the CLFS Driver – 28 of which were elevation-of-privilege vulnerabilities. Six of these vulnerabilities were exploited in the wild as zero-days (CVE-2022-37969, CVE-2023-23376, CVE-2023-28252, CVE-2024-49138, CVE-2025-29824).
CVE-2025-32709 in afd.sys
CVE-2025-32709 is an elevation-of-privilege vulnerability in afd.sys, the Windows Ancillary Function Driver. This communicates with the Windows Sockets API (WinSock) to allow Windows applications to connect to the internet. Since 2022, ten elevation-of-privilege vulnerabilities in afd.sys have been addressed as part of Patch Tuesday.
The latest vulnerability in afd.sys was published in the February 2025 release, and this was also exploited as a zero-day. Similar to the other published elevation-of-privilege vulnerabilities, these are usually exploited as part of post-compromise activities.
My conclusion
When I look at what Tenable has written about the vulnerabilities patched in recent months, it leaves me with mixed feelings. On the one hand, Windows and Microsoft 365 come across as walking vulnerabilities (some of which affect core parts of Windows). On the other hand, Microsoft's products are overloaded with features that open up further vulnerabilities. And with the grafted-on CoPilot and AI solutions, yet another attack vector is created.
What particularly annoys me is that a number of the vulnerabilities outlined above have been exploited as 0-days. On the one hand, Microsoft is "puffing out its cheeks" when it comes to LLMs and explaining how great it all is. On the other hand, there are threat actors who find the vulnerabilities, develop exploits and use them in attacks. I would have expected a team at Microsoft to be constantly scanning its core products for vulnerabilities using AI solutions and fuzzing techniques in order to find vulnerabilities faster than malicious actors.
But that doesn't seem to be the case – at least from the outside. Instead, a layer of voodoo with snake oil (VBS, Defender, MoW etc.) is poured over the products in the hope that the marketing slides will look convincing to the users out there who see no alternative. Somehow it's all badly broken – and the image I've had of Microsoft since the 80s (buying up products from others, making big promises, and then throwing the whole thing onto the market very late and poorly implemented) hasn't changed in any way even in 2025. Or how do you see or feel about it?
Similar articles:
Microsoft Security Update Summary (May 13, 2025)
Patchday: Windows 10/11 Updates (May 13, 2025)
Patchday: Windows Server-Updates (May 13, 2025)
Patchday: Microsoft Office Updates (May 13, 2025)