May 14, 2025

Microsoft on Tuesday released software updates to fix at least 70 vulnerabilities in Windows and related products, including five zero-day flaws that are already seeing active exploitation. Adding to the sense of urgency with this month’s patch batch from Redmond are fixes for two other weaknesses that now have public proof-of-concept exploits available.

Microsoft and several security firms have disclosed that attackers are exploiting a pair of bugs in the Windows Common Log File System (CLFS) driver that allow them to elevate their privileges on a vulnerable device. CLFS is a core Windows component that provides general-purpose logging services and is used by both Windows system services and third-party applications. Tracked as CVE-2025-32701 & CVE-2025-32706, these flaws are present in all supported versions of Windows 10 and 11, as well as their server versions.

Kev Breen, senior director of threat research at Immersive Labs, said privilege escalation bugs assume an attacker already has initial access to a compromised host, typically through a phishing attack or by using stolen credentials. But if that access already exists, Breen said, attackers can gain access to the much more powerful Windows SYSTEM account, which can be used to disable security tooling or, with credential harvesting tools, even to obtain domain administrator-level permissions.

“The patch notes don’t provide technical details on how this is being exploited, and no Indicators of Compromise (IOCs) are shared, meaning the only mitigation security teams have is to apply these patches immediately,” he said. “The average time from public disclosure to exploitation at scale is less than five days, with threat actors, ransomware groups, and affiliates quick to leverage these vulnerabilities.”

Two other zero-days patched by Microsoft today also were elevation of privilege flaws: CVE-2025-32709, which concerns afd.sys, the Windows Ancillary Function Driver that enables Windows applications to connect to the Internet; and CVE-2025-30400, a weakness in the Desktop Window Manager (DWM) library for Windows. As Adam Barnett at Rapid7 notes, tomorrow marks the one-year anniversary of CVE-2024-30051, a previous zero-day elevation of privilege vulnerability in this same DWM component.

The fifth zero-day patched today is CVE-2025-30397, a flaw in the Microsoft Scripting Engine, a key component used by Internet Explorer and Internet Explorer mode in Microsoft Edge.

Chris Goettl at Ivanti points out that the Windows 11 and Server 2025 updates carry a lot of baggage and weigh in at around 4 gigabytes. That baggage includes new artificial intelligence (AI) capabilities, among them the controversial Recall feature, which constantly takes screenshots of what users are doing on Windows Copilot-enabled computers.

Microsoft went back to the drawing board on Recall after a fountain of negative feedback from security experts, who warned it would present an attractive target and a potential gold mine for attackers. Microsoft appears to have made some efforts to prevent Recall from scooping up sensitive financial information, but privacy and security concerns still linger. Former Microsoftie Kevin Beaumont has a good teardown on Microsoft’s updates to Recall.

In any case, windowslatest.com reports that Windows 11 version 24H2 now shows up as ready to download, even if you don’t want it.

“It will now show up for ‘download and install’ automatically if you go to Settings > Windows Update and click Check for updates, but only when your device does not have a compatibility hold,” the publication reported. “Even if you don’t check for updates, Windows 11 24H2 will automatically download at some point.”

Apple users likely have their own patching to do. On May 12, Apple released security updates to fix at least 30 vulnerabilities in iOS and iPadOS (the updated version is 18.5). TechCrunch writes that iOS 18.5 also expands emergency satellite capabilities to iPhone 13 owners for the first time (previously it was only available on iPhone 14 or later).

Apple also released updates for macOS Sequoia, macOS Sonoma, macOS Ventura, WatchOS, tvOS and visionOS. Apple said there is no indication of active exploitation for any of the vulnerabilities fixed this month.

As always, please back up your device and/or important data before attempting any updates. And please feel free to sound off in the comments if you run into any problems applying any of these fixes.

25 thoughts on “Patch Tuesday, May 2025 Edition”

  1. Mahhn

    MS has made it clear, privacy is a huge no no.
    Since other than games I only use the browser on my PC, I downloaded Ubuntu last night and started the change.
    It may take getting used to, but the abusive relationship with MS is ending for me.

    1. Jaymo

      If you want a Linux that’s fast, has no bloat, and is so well written it runs in RAM, even with as little as 4 GB of RAM, try Bookworm Puppy. I have 2011 Latitudes that are faster running it than they ran Win7.

  2. Ronald Rossi

    So who asked MS for the recall program? CIA, NSA, Mossad??
    Surely not users
    I contend it is just a spy tool and serves no legitimate purpose.

    1. BigP

      The purpose of Recall is to assist the user. You’d ask “hey AI big brother, can you bring up the website I was looking at a while back that had those cute bunnies?” and it would presumably find the URL from the screenshot and send the browser there. It probably has to send data to big brother AI to be processed. (How else does it know there’s bunnies in the screenshot?) This data is anonymized, but the problem with anonymized data is it can often be un-anonymized later. (The aggregate data itself can reveal that.) Imagine it taking screenshots of the people you video chat with, for instance… they may send that data home to identify those people and make assumptions about who you are.

      I think MS believed the users would want this, but judging from the backlash they obviously do not… at least not until it proves to be a very useful feature. Currently a lot of Visual Studio users use IntelliCode/IntelliSense… and bits of that I think do send parts of your code to big brother AI. (Anonymized, but it’s still not suitable for certain environments where sensitive but unclassified things are handled.)

    2. mealy

      You can’t spell Mossad without MS. Project Purple helps Google target innocent people to kill for #reasons, MS wants in.

    3. Tony C

      I’ve long suspected it’s a cat and mouse on some vulnerabilities at least between the NSA and “hackers”, with the goal being for the NSA to continue to be able to vacuum up every single keystroke and file that we create. The problem with that model is that state actors and others discover said exploits and begin using them themselves. So, patches are rolled out.

  3. Steve Colson

    One issue with Windows 11 version 24H2 is that it deletes WordPad. However, there is a method to restore it.

  4. Bear

    The iPadOS 17.7.7 update issued for older iPads is causing a problem by not retaining the user’s configuration parameters and login credentials.
    A post on Apple Community suggests that “the value returned for any key of usrDefaults is nil. That explains why our apps forget many of their setting parameters.”
    https://discussions.apple.com/thread/256060025

  5. donny2dolls

    My take-away from this is Kev Breen’s “The average time from public disclosure to exploitation at scale is less than five days…”. I’d previously been pausing updates for a week after Patch Tuesday to let MS find and fix the usual bugs before I updated my systems. Now I think I’ll shorten that pause to 4 days.

  6. William Kemmler

    “The fifth zero-day patched today is CVE-2025-30397, a flaw in the Microsoft Scripting Engine, a key component used by Internet Explorer and Internet Explorer mode in Microsoft Edge.”

    And Microsoft wouldn’t have these kinds of problems and embarrassments if they only had the balls to tell big business they’ve had enough time to update their outdated and obsolete apps and intranets to modern standards and finally remove the last remaining parts of Internet Explorer (e.g. mshtml.dll aka Trident) completely from Windows and remove the idiotic “Explorer Mode” from MS Edge. It’s been three years since Microsoft announced the deprecation and removal of Internet Explorer. But yet they are still patching it even now. Time for them to just move on, remove any last vestiges of IE and leave any businesses that still haven’t got their stuff in order to deal with it. That is all.

    1. mealy

      You would think after they went to Chrome internals they’d stop making the mistake of supporting known-faulty legacy cruft, but that’d be too obvious.

  7. The Sultan

    Even after a fixing phase of 6 (six!) months, the 24H2 update still bricks the Wi-Fi settings on many deployments, so that the machine cannot establish a functioning Wi-Fi connection anymore after the feature update. Shame on Microsoft for such bad QA. It seems that this continues even into 25H2, which is currently in “Canary” test deployments.

  8. TheBill

    For those of us who do not have an IT worker in the house, but do have a lot of computers, every Patch Tuesday is another nightmare of dealing with machines needing reboots, all because of Microsoft’s kernel design. Meanwhile the Linux boxes hum along, never losing state because of an unplanned forced reboot. And now I have a bunch of expensive HP workstations that will not run Windows 11, while Microsoft’s position is that I should buy all new computers, and HP says the workstations are out of support.

    It must be Ubuntu time.

    1. Doug in MKE

      I have been a long-time Ubuntu user on multiple devices. Linux has been a great tool, extending the life of largely-acceptable hardware long declared obsolete by Microsoft. I have long felt that the Microsoft and Apple embrace of Planned Obsolescence, like the Automobile Tail Fin mentality of US Automakers in the 50’s, will lead to their demise.

      However, I suggest looking at openSUSE (or others). Ubuntu’s embrace of “snapd” is concerning; it may only be a matter of time until something nefarious is embedded within a snap container, with little insight to the user. Devuan is also intriguing because of its avoidance of dbus … though it might be a bit more geeky to use.

    2. mealy

      Consider that MS is a singular company whereas Linux is a vastly distributed and totally different animal. MS profit and market share interests far outweigh the (internal business logic) ‘utility’ of keeping legacy HW on platform, and the mandate of TPM 2.0 for their newer product isn’t so much unexpected or unreasonable as their policy of forcing that new version on users absolutely IS – as they completely abandon their only competing product that does the job. It’s very much in the spirit of planned obsolescence as the concept was conceived – to force consumers into a predictable pattern of consumption that they make more predictable profit from, regardless of ‘actual security’ needs or concerns. TPM 2.0 is somewhat trickier for bootjackers to get around, but they still can, will and do. It was a business decision, not a security decision. If you want a security-first OS it’s a matter of tradeoffs with feature set and interoperability with the ‘average’ user base vs the volume of users required to facilitate updates and a revenue stream to support it all. We’ve seen several Linux versions try to capitalize on the void with quite few successes, in terms of share. What ultimately is required is something at the size and scale of MS but with entirely different values and revenue streams sufficient to protect it from the business minds who ultimately are the reason we can’t have nice, secure things merely at cost instead of expensive bloated contract. Tiers can exist. MS exists to test the line of what users will endure vs the fear of learning another slightly less Cornflower blue path to their objective.

      1. Tony C

        “planned obsolescence”. First time I’ve encountered the phrase, but it’s spot on.

        “It’s the reason we can’t have nice things”, lol, so funny, but true.

        I sure hope the systems they roll out at the NSA etc are not the same ones consumers are getting.

        Problem is, China at least has reportedly compromised at least some of our most “safeguarded” systems already.

        Then, you have DOGE kiddies running around Washington compromising systems. It’s a sad state of affairs.

        These crack engineers of Elon’s are so good that there are still some bugs on Twitter / X that still exist to this day since his takeover. What the hell, let them into the most secure systems in our government to do as they please.

        1. Mahhn

          Planned obsolescence has been an MS foundation for many years. When I was a small system builder 25+ years ago, attending a meeting with others at an MS presentation hosted by one of those (mostly defunct now) distributors that sellers have to buy chips, MS licenses and such from, MS was bragging about how their new OS at the time was not going to work with older hardware so we could sell all new hardware to our customers. Which pissed us all off, as we work directly with the small businesses that can’t afford stupid fees and replacing all computers regularly like that.

    3. Dennis Stella

      I feel you. I have several HP Z series workstations that are Xeon based, currently running Windows 10 Pro, that are TPM 1.2 with the same issue, but also the processors are not supported. Running Ubuntu on all of them as virtual machines. Will be removing Windows and doing full installs of Ubuntu.

  9. mealy

    bleepingcomputer.com/news/microsoft/windows-10-kb5058379-update-triggering-bitlocker-recovery-after-install/

    But at least they’re offering you an opt-IN to the copilot snitch program, for now. Bets on how long that lasts.

  10. JayMo

    WTF Microsoft, this update reset my taskbar preferences. FCS you’d think M$ would have learned by now not to do this, after the backlash they received when they constantly reset the default programs to M$ programs every single major update … go to hell M$ … am very very close to having a Linux system with everything I use, not much more to go before you fools lose another user, no more stealing my info you skunts!

  11. Bob

    Some stealth crap included. Three popup windows appear on my desktop after waking up from sleep. Not nice! Made worse, no documentation on how to get rid of them. (They do go away when you click anywhere on the desktop. Still why should one have to do this extra step?)
