Microsoft and SAP Security Updates: May 2025 Patch Tuesday Insights

In May 2025, Microsoft released its Patch Tuesday updates, addressing a staggering 78 vulnerabilities across its software ecosystem. This month’s updates are particularly critical, as they include five zero-day vulnerabilities confirmed to be exploited in the wild. Additionally, 11 vulnerabilities have been flagged as critical, impacting essential cloud services like Azure and business platforms such as Microsoft Office. This article provides a comprehensive overview of the latest updates, focusing on the most severe flaws and the vulnerabilities that pose the highest risk of exploitation.

Overview of Microsoft’s May 2025 Patch Tuesday Updates

The May 2025 Patch Tuesday updates from Microsoft are a call to action for organizations to prioritize their patch management strategies. With five zero-day vulnerabilities actively exploited and 11 critical vulnerabilities identified, the urgency for immediate remediation cannot be overstated. The Cybersecurity and Infrastructure Security Agency (CISA) has already added all five exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, setting a patch deadline of June 3, 2025.

Zero-Day Vulnerabilities Addressed

Among the vulnerabilities patched this month, five have been confirmed as actively exploited. These vulnerabilities pose significant risks and should be addressed without delay:

1. CVE-2025-30400 (CVSS 7.8): A use-after-free bug in the Windows Desktop Window Manager (DWM) Core Library that allows authenticated attackers to elevate privileges to SYSTEM level, potentially taking control of critical system resources.

2. CVE-2025-32701 (CVSS 7.8): This vulnerability affects the Common Log File System (CLFS) driver, enabling local attackers to gain elevated privileges through another use-after-free flaw.

3. CVE-2025-32706 (CVSS 7.8): Found in the CLFS driver, this flaw results from improper input validation, allowing authenticated users to achieve SYSTEM-level access.

4. CVE-2025-32709 (CVSS 7.8): Involves a use-after-free flaw in the Ancillary Function Driver for WinSock, enabling local users to escalate privileges within the operating system.

5. CVE-2025-30397 (CVSS 7.5): Targets the Windows scripting engine, allowing Remote Code Execution (RCE) if a user is tricked into clicking a malicious link, making it particularly dangerous for browser-based or email-delivered attacks.

Publicly Disclosed Zero-Day Flaws

In addition to the actively exploited vulnerabilities, two zero-day flaws were publicly disclosed before patches were made available:

1. CVE-2025-32702 (CVSS 7.8): A command injection vulnerability in Visual Studio that allows unauthenticated attackers to execute arbitrary code locally due to poor input sanitization.

2. CVE-2025-26685 (CVSS 6.5): A spoofing vulnerability in Microsoft Defender for Identity that allows unauthenticated attackers on the same local network to impersonate other accounts.

Critical Vulnerabilities in Microsoft’s Update

Microsoft flagged 11 vulnerabilities as critical in this month’s rollout, highlighting the potential for remote code execution, privilege escalation, spoofing, and data exposure. These vulnerabilities impact widely used enterprise services, including Azure, Microsoft Office, and Remote Desktop Client. Here are some of the most critical vulnerabilities:

• CVE-2025-29813 (CVSS 10.0): Elevation of Privilege in Azure DevOps Server, allowing attackers to gain elevated privileges.
• CVE-2025-29827 (CVSS 9.9): Elevation of Privilege in Azure Automation, posing serious risks to cloud automation processes.
• CVE-2025-29972 (CVSS 9.9): Spoofing in Azure Storage Resource Provider, which could lead to unauthorized access.
• CVE-2025-29967 (CVSS 8.8): Remote Code Execution in Remote Desktop Client, a high-value target in enterprise environments.

Importance of Timely Patching

Organizations must act swiftly to patch these vulnerabilities, especially those that are not currently being exploited but have characteristics that make them attractive for future exploitation. Delaying remediation could invite unnecessary risks, as threat actors often scan for newly patched bugs.

Vulnerabilities to Monitor Closely

Some vulnerabilities that require immediate attention include:

• CVE-2025-30386 (CVSS 8.4): Microsoft Office RCE.
• CVE-2025-24063 (CVSS 7.8): Windows Kernel Streaming Service Driver Elevation of Privilege.
• CVE-2025-29976 (CVSS 7.8): Microsoft Office SharePoint Server Elevation of Privilege.

Strengthening Defenses with Patch Management

Given the number of zero-days and critical vulnerabilities, organizations must prioritize patch deployment and continuously monitor for emerging threats. Utilizing tools like SOCRadar’s Cyber Threat Intelligence and Attack Surface Management modules can provide real-time context and prioritization support, helping teams defend against critical flaws.

SAP Security Patch Day Highlights

In parallel with Microsoft’s updates, SAP administrators are advised to review newly released updates that patch an exploited flaw in SAP NetWeaver. This month, SAP released 16 new security notes, including a patch for CVE-2025-42999 (CVSS 9.1), which involves insecure deserialization in the Visual Composer component. This vulnerability was discovered during an investigation into previous zero-day activity and has been linked to active exploitation.

Recommendations for SAP Administrators

SAP admins are urged to apply patches associated with Security Notes 3594142 and 3604119, both rated critical. These patches address flaws that could allow Remote Code Execution without authentication under certain role conditions in Visual Composer. Additionally, SAP recommends disabling the Visual Composer service if possible and actively monitoring systems for suspicious activity.

Conclusion

The May 2025 Patch Tuesday updates from Microsoft and SAP highlight the ongoing challenges organizations face in securing their software environments. With multiple zero-days and critical vulnerabilities identified, timely patching and proactive security measures are essential to mitigate risks. Organizations should prioritize their patch management strategies and leverage available tools to enhance their defenses against emerging threats. For detailed information on the vulnerabilities and technical specifics, refer to Microsoft’s official May 2025 Patch Tuesday notes and SAP’s May 2025 Security Notes page.