Microsoft primes 71 fixes for May Patch Tuesday – Sophos News

Microsoft on Tuesday released 71 patches affecting 14 product families. Six of the addressed issues, five involving remote code execution and one permitting information disclosure (including PII, Personally Identifiable Information), are considered by Microsoft to be of Critical severity, and 12 have a CVSS base score of 8.0 or higher. Five, all Important-severity issues in Windows, are known to be under active exploit in the wild.

At patch time, nine additional CVEs are more likely to be exploited in the next 30 days by the company’s estimation. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in a table below.

In addition to these patches, eight Important-severity Adobe Reader issues affecting ColdFusion are covered in the release. Those are listed in Appendix D below. That appendix also contains information on eight Edge-related vulnerabilities and seven affecting Azure, Dataverse, or Power Apps. Though several of the non-Edge issues are exciting, with CVSS Base scores over 9.0 (a “perfect” 10, in one case), Microsoft’s released information indicates that all have been patched in recent days – in other words, the information provided is strictly FYI.

We are as always including at the end of this post appendices listing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base score, and by product family; an appendix covering the advisory-style updates; and a breakout of the patches affecting the various Windows Server platforms still in support.

By the numbers

• Total CVEs: 71
• Publicly disclosed: 2
• Exploit detected: 5
• Severity
  • Critical: 6
  • Important: 65
• Impact:
  • Remote Code Execution: 28
  • Elevation of Privilege: 17
  • Information Disclosure: 15
  • Denial of Service: 7
  • Security Feature Bypass: 2
  • Spoofing: 2
• CVSS base score 9.0 or greater: 1*
• CVSS base score 8.0 or greater: 11

* A number of advisory-only issues this month, affecting Azure, Dataverse, and Power Apps but patched by Microsoft prior to the May release, have been assigned significant CVSS scores. Please see Appendix D for details.

Figure 1: Remote code execution returns to the top of the charts for May’s Patch Tuesday. Note the unusual Critical-severity information-disclosure issue. This occurs in Nuance PowerScribe 360, a product from the medical sphere – ask your local radiologist for details. (Eight Edge updates covered this month are not released with full impact information and thus do not appear in this chart)

Products

• Windows: 43
• Office: 14
• 365: 13
• Excel: 7
• SharePoint: 4
• Visual Studio: 4
• RDP Client: 2
• .NET: 1
• Azure: 1
• Dataverse: 1
• Defender: 1
• Nuance PowerScribe 360: 1
• PC Manager: 1
• Windows HLK: 1

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. It should be noted, by the way, that CVE names in May don’t always reflect affected product families closely. In particular, some CVEs names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa.

Figure 2: Fourteen product families figure in May’s Patch Tuesday release. This month, we return to separating Edge / Chromium issues from the pack; those are covered in Appendix D, as are some advisory and information-only but interesting issues affecting Azure, Dataverse, and Power Apps

Notable May updates

In addition to the issues discussed above, a variety of specific items merit attention.

CVE-2025-30385, CVE-2025-30701, CVE-2025-32706 — Windows Common Log File System Driver Elevation of Privilege Vulnerability

CLFS problems account for two of the five vulnerabilities currently known to be under attack in the wild, and the other one (CVE-2025-30385) is expected to see action within the next 30 days. The logging system has taken a high number of patches in the past few years, including recently seen abuse by both Play and PipeMagic malware of CVE-2025-29824, which was patched last month. Microsoft’s known to be spinning up a new verification step for parsing CLFS log files, but in the meantime, the system’s giving RDP a run for its money as a source of administrator grief.

CVE-2025-30377, CVE-2025-30386 — Microsoft Office Remote Code Execution Vulnerability
Both of these vulnerabilities can be triggered via Preview Pane. If it were a competition CVE-2025-30386 would have the slight edge, as Microsoft finds that in the worst case, in their words, “an attacker could send a specially crafted email to the user without a requirement that the victim open, read, or click on the link.” Both vulnerabilities apply to 365 as well as Office.

CVE-2025-27488 — Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability

An Important-class issue, this bug affects the Windows Hardware Kit Lab, which is a framework for testing hardware devices and drivers for certain editions of Windows; multiple versions of the entire kit likewise take an update this month. That’s good, as the problem itself lies in certain third-party infrastructure within the kit using a hard-coded password (!).

CVE-2025-30384 — Microsoft SharePoint Server Remote Code Execution Vulnerability

An Important-severity issue requiring the attacker to prepare the target ahead of time, the finder credited for this item is “zcgonvh’s cat Vanilla.” We admit to some curiosity about how Vanilla caught this bug; did they use… a mouse?

Figure 3: RCE and EoP issues continue to dominate the charts in 2025

 Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of May patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Remote Code Execution (28 CVEs)

Elevation of Privilege (17 CVEs)

Information Disclosure (15 CVEs)

Denial of Service (7 CVEs)

Security Feature Bypass (2 CVEs)

Spoofing (2 CVEs)

Appendix B: Exploitability and CVSS

This is a list of the May CVEs judged by Microsoft to be either under exploitation in the wild or more likely to be exploited in the wild within the first 30 days post-release. The list is further arranged by CVE. Interestingly, 28 of this month’s vulnerabilities have been marked in Microsoft’s release materials as “exploitation unlikely” – a category far less commonly assigned by the company in the past.

This is a list of May’s CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema. For a look at the CVSS scores for certain products covered in this month’s advisories, please see Appendix D.

Appendix C: Products Affected

This is a list of May’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. Certain significant issues for which advisories have been issued are covered in Appendix D, and issues affecting Windows Server are further sorted in Appendix E. All CVE titles are accurate as made available by Microsoft; for further information on why certain products may appear in titles and not product families (or vice versa), please consult Microsoft.

Windows (43 CVEs)

Office (14 CVEs)

365 (13 CVEs)

Excel (7 CVEs)

SharePoint (4 CVEs)

Visual Studio (4 CVEs)

RDP Client (2 CVEs)

.NET (1 CVE)

Azure (1 CVE)

Dataverse (1 CVE)

Defender (1 CVE)

Nuance PowerScribe 360 (1 CVE)

PC Manager (1 CVE)

Windows HLK (1 CVE)

Appendix D: Advisories and Other Products

There are 8 Adobe advisories in this month’s release.

There are, this month, an additional load of Microsoft advisories and informational releases that deserve attention. Most of them are Edge-related, and we present those in the usual fashion. However, seven additional CVEs involve Azure, Dataverse, or Power Apps. All of them have already been addressed by Microsoft and thus should pose no action item for administrators, but are significant enough that we choose to flag them here with their severities and CVSS scores. May’s release also includes servicing stack updates.

Appendix E: Affected Windows Server versions

This is a table of the CVEs in the May release affecting nine Windows Server versions, 2008 through 2025. The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). Critical-severity issues are marked in red; an “x” indicates that the CVE does not apply to that version. Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft. Please note that CVE-2025-29971 is a client-only Windows issue and thus appears in this chart, but with no server versions marked.