Virtual Administrator’s May 2025 Patch Recommendations

Patch Recommendations

All new patches will be approved in our patch policy.

May brings 77 security updates with 5 zero-day patches.

Notably this month Microsoft released patches for 77 vulnerabilities with 11 rated “Critical” in severity.

  • CVE-2025-32701 and CVE-2025-32706 are both zero-day vulnerabilities in the Windows Common Log File System Driver where an attacker could gain SYSTEM privileges.
  • CVE-2025-30400 is a zero-day vulnerability in the Windows Desktop Window Manager (DWM).
  • CVE-2025-32702 is a Visual Studio 2022 and 2019 Remote Code Execution (RCE) vulnerability; exploitation requires the user to download and open a malicious file.
  • CVE-2025-32709 is a Windows Ancillary Function Driver for WinSock Elevation of Privilege (EoP) zero-day vulnerability where exploitation can lead to administrator privileges.
  • CVE-2025-30397 is a zero-day flaw in the Microsoft Scripting Engine targeting Internet Explorer and Microsoft Edge running in Internet Explorer mode.
  • New Microsoft Security Advisory ADV241717.
  • A few new SSUs for Windows Server 2012/2016 and Windows 10 version 1507.

Heads Up!

KB5058379 is causing some Windows 10 machines to automatically boot into the WinRE BitLocker recovery screen. Windows 11 is not affected by this issue.
A variety of sources claim disabling Intel Trusted Execution Technology (TXT) in the BIOS will allow the machines to boot normally.
FYI – KB5058379/KB5058405 fixes Linux boot issues on dual-boot Windows systems.

Disclosed: CVE-2025-26685, CVE-2025-32702
Exploited: CVE-2025-30397, CVE-2025-30400, CVE-2025-32709, CVE-2025-32701, CVE-2025-32706

Security Update Guide

https://msrc.microsoft.com/update-guide/en-us

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 5/13/2025)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: The Windows 10/11 Servicing Stack Updates are included in the monthly Cumulative Updates.

ADV241717 | PowerShell Defense in Depth Updates (Published: 5/15/2025)

https://msrc.microsoft.com/update-guide/advisory/ADV241717
An issue exists in PowerShell that could lead to unauthorized command access that is being addressed by defense-in-depth measures in PowerShell 7 and Windows PowerShell.
System administrators are advised to update PowerShell 7 to an unaffected version (see affected software). Customers using PowerShell for Windows on Windows 11, version 24H2 or Windows Server 2025 are advised to install the May 2025 security updates to address this issue.

Known Issues

No new known issues reported by Microsoft.
Microsoft continues to list unresolved older problems under the Known Issues for new patches, so if you have not yet experienced one of these issues, it is unlikely to occur now.

“KB5058379 Windows 10 leads to corruption and endpoints asking for bitlocker key”

https://answers.microsoft.com/en-us/windows/forum/all/may-13-kb5058379-windows-10-leads-to-corruption/58b3b179-70a0-4bd8-abae-c9b89dd9c9b9
https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5058379-update-triggering-bitlocker-recovery-after-install/
https://www.windowslatest.com/2025/05/15/windows-10-kb5058379-locks-pcs-bitlocker-recovery-triggered-on-boot-bsods/

“August 2024 security update might impact Linux boot in dual-boot setup devices”

https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23H2#3377msgdesc

Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.
Windows release health
https://docs.microsoft.com/en-us/windows/release-health/

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022,2025 KBs

Links are https://support.microsoft.com/en-us/help/#######, where ####### is the KB number only (digits, without the “KB” prefix).

Security and Quality Rollup

  • KB5058403 – Windows Server 2012 R2 (ESU)
  • KB5058451 – Windows Server 2012 (ESU)

 

Cumulative Updates

Windows 10

  • KB5058387 – Original release version 1507 (OS Build 10240)
  • KB5058383 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5058392 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5058379 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5058379 – Version 22H2 “November 2022 Update” (OS Build 19045)

(Versions 1511, 1703, 1709, 1803, 1903, 1909, 2004, 20H2, 21H1 are no longer under support)

Windows 11

  • KB5058405 – 22H2 (OS Build 22621)
  • KB5058405 – 23H2 (OS Build 22631)
  • KB5058411 – 24H2 (OS Build 26100)

(Version 21H2 is no longer under support)

Windows Server

  • KB5058383 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5058392 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5058385 – Server 2022 (OS Build 20348)
  • KB5058384 – Server 23H2 (OS Build 25398)
  • KB5058411 – Server 2025 (OS Build 26100)

 

  • KB5055515 – Cumulative security update for Internet Explorer

 

May 2025 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/may-2025-updates-for-microsoft-office-93785c24-bb7b-49e7-9368-17718788f566

Notable CVEs

CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397
Successful exploitation of this vulnerability requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode. This attack requires an authenticated client to click a link so that an unauthenticated attacker can initiate remote code execution. The user would have to click on a specially crafted URL to be compromised by the attacker.

CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30400
Use after free in Windows DWM allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32701
Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32702
Improper neutralization of special elements used in a command (‘command injection’) in Visual Studio allows an unauthorized attacker to execute code locally. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32706
Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32709
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain administrator privileges.