Summary
On May 14, 2025 (UTC+8), Microsoft released its May 2025 Security Updates, which included patches for a total of 82 CVEs, a decrease of 42 CVEs compared to the previous month.
In terms of vulnerability severity, there were 11 vulnerabilities marked as "Critical" and 67 vulnerabilities marked as "Important/High". In terms of vulnerability types, there were primarily 32 remote code execution vulnerabilities, 21 privilege escalation vulnerabilities, and 17 information disclosure vulnerabilities.
Statistics
Vulnerability Trend
Figure 1 Vulnerabilities Patched by Microsoft in the Last 12 Months
On the whole, Microsoft released 82 patches in May 2025, including 11 critical vulnerability patches.
Based on Microsoft's historical vulnerability disclosures and the specific circumstances of this year, Sangfor FarSight Labs estimates that Microsoft will announce fewer vulnerabilities in the coming June in comparison to May. We expect a figure of approximately 70 vulnerabilities.
Comparison of Vulnerability Trends
The following figure shows the number of patches released by Microsoft in the month of May from 2022 to 2025.
Figure 2 Number of Windows Patches Released by Microsoft in May from 2022 to 2025
The following figure shows the trend and number of vulnerabilities at different severity levels addressed by Microsoft in May from 2022 to 2025.
Figure 3 Number of Vulnerabilities by Severity Level Addressed by Microsoft in May from 2022 to 2025
The following figure shows the number of vulnerabilities by type addressed by Microsoft in May from 2022 to 2025.
Figure 4 Number of Vulnerabilities by Type Addressed by Microsoft in May from 2022 to 2025
Data source: Microsoft security updates
Compared to last year, there has been an increase in terms of the number of vulnerabilities of this year. The number of vulnerabilities addressed by Microsoft in May 2025 has increased. A total of 82 vulnerability patches, including 11 critical ones, have been reported this month.
Compared to last year, the number of vulnerabilities at the Critical level addressed by Microsoft has increased, and that of vulnerabilities at the Important/High level has decreased. Specifically, 11 vulnerabilities at the Critical level have been addressed, an increase of about 1000%; and 67 vulnerabilities at the Important/High level have been addressed, a decrease of about 10%.
In terms of the vulnerability type, the number of remote code execution (RCE) vulnerabilities, denial-of-service (DoS) vulnerabilities, and elevation of privilege (EoP) vulnerabilities has all increased. We should remain highly vigilant because, when combined with social engineering techniques, attackers can exploit RCE vulnerabilities to take over the entire LAN and launch attacks.
Details of Key Vulnerabilities
Analysis
Microsoft DWM Core Library Elevation of Privilege Vulnerability (CVE-2025-30400)
Desktop Window Manager (DWM) is a composite window manager in Microsoft Windows since Windows Vista. It allows the use of hardware acceleration to render the graphical user interface of Windows. It was originally created to enable portions of the new "Windows Aero" user experience, which allowed for effects such as transparency and 3D window switching.
An elevation of privilege vulnerability exists in it, which attackers can exploit to gain higher privileges on the target system. This vulnerability has been reportedly exploited in the wild, and after assessment, it is considered critical in threat level. We recommend that users promptly update the Microsoft security patches.
Scripting Engine Memory Corruption Vulnerability (CVE-2025-30397)
Microsoft Scripting Engine is responsible for parsing scripts such as JavaScript, and is essential in MSHTML, EdgeHTML, and the scripting platform. MSHTML is applied in Microsoft Edge's Internet Explorer mode and other applications using the WebBrowser control, whereas EdgeHTML is applied in WebView and some Universal Windows Platform (UWP) applications. Both MSHTML and EdgeHTML integrate with the scripting platform.
A memory corruption vulnerability exists in it, which attackers can exploit to execute arbitrary code on the target system. This vulnerability has been reportedly exploited in the wild, and after assessment, it is considered critical in threat level. We recommend that users promptly update the Microsoft security patches.
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (CVE-2025-32709)
Winsock is a Windows application programming interface (API) that defines how applications access network services through sockets, especially the TCP/IP protocol. It offers a standard API that enables Windows network applications to transmit data and communicate with each other.
An elevation of privilege vulnerability exists in it, which attackers can exploit to gain higher privileges on the target system. This vulnerability has been reportedly exploited in the wild, and after assessment, it is considered critical in threat level. We recommend that users promptly update the Microsoft security patches.
Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2025-32701/CVE-2025-32706)
Common Log File System (CLFS) is a general-purpose log file system that can be accessed by both kernel-mode and user-mode applications for building high-performance transaction logs.
An elevation of privilege vulnerability exists in it, which attackers can exploit to gain higher privileges on the target system. This vulnerability has been reportedly exploited in the wild, and after assessment, it is considered critical in threat level. We recommend that users promptly update the Microsoft security patches.
Affected Versions
| Vulnerability Name & CVE ID | Affected Version |
|---|---|
| Microsoft DWM Core Library Elevation of Privilege Vulnerability (CVE-2025-30400) | Windows Server 2025 (Server Core installation) Windows Server 2025 Windows Server 2022, 23H2 Edition (Server Core installation) Windows Server 2022 (Server Core installation) Windows Server 2022 Windows Server 2019 (Server Core installation) Windows Server 2019 Windows 11 Version 24H2 for x64-based Systems Windows 11 Version 24H2 for ARM64-based Systems Windows 11 Version 23H2 for x64-based Systems Windows 11 Version 23H2 for ARM64-based Systems Windows 11 Version 22H2 for x64-based Systems Windows 11 Version 22H2 for ARM64-based Systems Windows 10 Version 22H2 for x64-based Systems Windows 10 Version 22H2 for ARM64-based Systems Windows 10 Version 22H2 for 32-bit Systems Windows 10 Version 21H2 for x64-based Systems Windows 10 Version 21H2 for ARM64-based Systems Windows 10 Version 21H2 for 32-bit Systems Windows 10 Version 1809 for x64-based Systems Windows 10 Version 1809 for 32-bit Systems |
Solutions
Official Solution
Microsoft has released patches for affected software. Affected users can install the corresponding security patches based on the system versions:
Download Links:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30400
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32709
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32701
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32706
References
https://msrc.microsoft.com/update-guide/releaseNote/2025-May
Timeline
On May 14, 2025, Microsoft released a security bulletin.
On May 14, 2025, Sangfor FarSight Labs released a vulnerability alert.
Learn More
Sangfor FarSight Labs researches the latest cyber threats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyber threats, providing fast and easy protection for customers.
