Microsoft primes 71 fixes for Might Patch Tuesday – Sophos Information

Microsoft on Tuesday launched 71 patches affecting 14 product households. Six of the addressed points, 5 involving distant code execution and one allowing data disclosure (together with PII, Personally Identifiable Info), are thought-about by Microsoft to be of Important severity, and 12 have a CVSS base rating of 8.0 or larger. 5, all Necessary-severity points in Home windows, are identified to be beneath energetic exploit within the wild.

At patch time, 9 extra CVEs usually tend to be exploited within the subsequent 30 days by the corporate’s estimation. Varied of this month’s points are amenable to direct detection by Sophos protections, and we embrace data on these in a desk beneath.

Along with these patches, eight Necessary-severity Adobe Reader points affecting ColdFusion are lined within the launch. These are listed in Appendix D beneath. That appendix additionally comprises data on eight Edge-related vulnerabilities and 7 affecting Azure, Dataverse, or Energy Apps. Although a number of of the non-Edge points are thrilling, with CVSS Base scores over 9.0 (a “excellent” 10, in a single case), Microsoft’s launched data signifies that each one have been patched in latest days – in different phrases, the data supplied is strictly FYI.

We’re as at all times together with on the finish of this submit appendices itemizing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base rating, and by product household; an appendix masking the advisory-style updates; and a breakout of the patches affecting the varied Home windows Server platforms nonetheless in assist.

By the numbers

• Complete CVEs: 71
• Publicly disclosed: 2
• Exploit detected: 5
• Severity
  • Important: 6
  • Necessary: 65
• Affect:
  • Distant Code Execution: 28
  • Elevation of Privilege: 17
  • Info Disclosure: 15
  • Denial of Service: 7
  • Safety Function Bypass: 2
  • Spoofing: 2
• CVSS base rating 9.0 or higher: 1*
• CVSS base rating 8.0 or higher: 11

* Plenty of advisory-only points this month, affecting Azure, Dataverse, and Energy Apps however patched by Microsoft previous to the Might launch, have been assigned important CVSS scores. Please see Appendix D for particulars.

Determine 1: Distant code execution returns to the highest of the charts for Might’s Patch Tuesday. Notice the weird Important-severity information-disclosure situation. This happens in Nuance PowerScribe 360, a product from the medical sphere – ask your native radiologist for particulars. (Eight Edge updates lined this month aren’t launched with full influence data and thus don’t seem on this chart)

Merchandise

• Home windows: 43
• Workplace: 14
• 365: 13
• Excel: 7
• SharePoint: 4
• Visible Studio: 4
• RDP Consumer: 2
• .NET: 1
• Azure: 1
• Dataverse: 1
• Defender: 1
• Nuance PowerScribe 360: 1
• PC Supervisor: 1
• Home windows HLK: 1

As is our customized for this record, CVEs that apply to multiple product household are counted as soon as for every household they have an effect on. It must be famous, by the way in which, that CVE names in Might don’t at all times replicate affected product households carefully. Particularly, some CVEs names within the Workplace household could point out merchandise that don’t seem within the record of merchandise affected by the CVE, and vice versa.

Determine 2: Fourteen product households determine in Might’s Patch Tuesday launch. This month, we return to separating Edge / Chromium points from the pack; these are lined in Appendix D, as are some advisory and information-only however attention-grabbing points affecting Azure, Dataverse, and Energy Apps

Notable Might updates

Along with the problems mentioned above, quite a lot of particular objects benefit consideration.

CVE-2025-30385, CVE-2025-30701, CVE-2025-32706 — Home windows Frequent Log File System Driver Elevation of Privilege Vulnerability

CLFS issues account for 2 of the 5 vulnerabilities presently identified to be beneath assault within the wild, and the opposite one (CVE-2025-30385) is anticipated to see motion throughout the subsequent 30 days. The logging system has taken a excessive variety of patches previously few years, together with just lately seen abuse by each Play and PipeMagic malware of CVE-2025-29824, which was patched final month. Microsoft’s identified to be spinning up a brand new verification step for parsing CLFS log recordsdata, however within the meantime, the system’s giving RDP a run for its cash as a supply of administrator grief.

CVE-2025-30377, CVE-2025-30386 — Microsoft Workplace Distant Code Execution Vulnerability
Each of those vulnerabilities might be triggered by way of Preview Pane. If it had been a contest CVE-2025-30386 would have the slight edge, as Microsoft finds that within the worst case, of their phrases, “an attacker may ship a specifically crafted electronic mail to the consumer and not using a requirement that the sufferer open, learn, or click on on the hyperlink.” Each vulnerabilities apply to 365 in addition to Workplace.

CVE-2025-27488 — Microsoft Home windows {Hardware} Lab Package (HLK) Elevation of Privilege Vulnerability

An Necessary-class situation, this bug impacts the Home windows {Hardware} Package Lab, which is a framework for testing {hardware} gadgets and drivers for sure editions of Home windows; a number of variations of the complete package likewise take an replace this month. That’s good, as the issue itself lies in sure third-party infrastructure throughout the package utilizing a hard-coded password (!).

CVE-2025-30384 — Microsoft SharePoint Server Distant Code Execution Vulnerability

An Necessary-severity situation requiring the attacker to arrange the goal forward of time, the finder credited for this merchandise is “zcgonvh’s cat Vanilla.” We admit to some curiosity about how Vanilla caught this bug; did they use… a mouse?

Determine 3: RCE and EoP points proceed to dominate the charts in 2025

 Sophos protections

As you possibly can each month, when you don’t wish to wait to your system to drag down Microsoft’s updates itself, you possibly can obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe device to find out which construct of Home windows 10 or 11 you’re working, then obtain the Cumulative Replace package deal to your particular system’s structure and construct quantity.

Appendix A: Vulnerability Affect and Severity

This can be a record of Might patches sorted by influence, then sub-sorted by severity. Every record is additional organized by CVE.

Distant Code Execution (28 CVEs)

Elevation of Privilege (17 CVEs)

Info Disclosure (15 CVEs)

Denial of Service (7 CVEs)

Safety Function Bypass (2 CVEs)

Spoofing (2 CVEs)

Appendix B: Exploitability and CVSS

This can be a record of the Might CVEs judged by Microsoft to be both beneath exploitation within the wild or extra more likely to be exploited within the wild throughout the first 30 days post-release. The record is additional organized by CVE. Apparently, 28 of this month’s vulnerabilities have been marked in Microsoft’s launch supplies as “exploitation unlikely” – a class far much less generally assigned by the corporate previously.

This can be a record of Might’s CVEs with a Microsoft-assessed CVSS Base rating of 8.0 or larger. They’re organized by rating and additional sorted by CVE. For extra data on how CVSS works, please see our collection on patch prioritization schema. For a have a look at the CVSS scores for sure merchandise lined on this month’s advisories, please see Appendix D.

Appendix C: Merchandise Affected

This can be a record of Might’s patches sorted by product household, then sub-sorted by severity. Every record is additional organized by CVE. Patches which can be shared amongst a number of product households are listed a number of occasions, as soon as for every product household. Sure important points for which advisories have been issued are lined in Appendix D, and points affecting Home windows Server are additional sorted in Appendix E. All CVE titles are correct as made accessible by Microsoft; for additional data on why sure merchandise could seem in titles and never product households (or vice versa), please seek the advice of Microsoft.

Home windows (43 CVEs)

Workplace (14 CVEs)

365 (13 CVEs)

Excel (7 CVEs)

SharePoint (4 CVEs)

Visible Studio (4 CVEs)

RDP Consumer (2 CVEs)

.NET (1 CVE)

Azure (1 CVE)

Dataverse (1 CVE)

Defender (1 CVE)

Nuance PowerScribe 360 (1 CVE)

PC Supervisor (1 CVE)

Home windows HLK (1 CVE)

Appendix D: Advisories and Different Merchandise

There are 8 Adobe advisories on this month’s launch.

There are, this month, a further load of Microsoft advisories and informational releases that deserve consideration. Most of them are Edge-related, and we current these within the standard trend. Nonetheless, seven extra CVEs contain Azure, Dataverse, or Energy Apps. All of them have already been addressed by Microsoft and thus ought to pose no motion merchandise for directors, however are important sufficient that we select to flag them right here with their severities and CVSS scores. Might’s launch additionally contains servicing stack updates.

Appendix E: Affected Home windows Server variations

This can be a desk of the CVEs within the Might launch affecting 9 Home windows Server variations, 2008 by 2025. The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). Important-severity points are marked in purple; an “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to establish their particular publicity, as every reader’s scenario, particularly because it considerations merchandise out of mainstream assist, will range. For particular Information Base numbers, please seek the advice of Microsoft. Please notice that CVE-2025-29971 is a client-only Home windows situation and thus seems on this chart, however with no server variations marked.