Microsoft issued the May-May update Patch Tuesday, eliminating 72 vulnerabilities in the products of the company, including five exploited in real attacks and two zero-day gaps, previously discovered publicly. Among the eliminated vulnerabilities: 28 are associated with remote code (RCE), 17 with an increase in privileges, 15 with a leakage of information, seven with refusal to maintain (DOS), two allow for protective mechanisms and two to fake data. This list does not include vulnerabilities previously eliminated in Azure, Microsoft Edge, and other products.
The most dangerous vulnerability, actively used by attackers, received the identifier cve-2025-30400. It affects the DWM Core library in Windows and allows a local user with access rights to receive system privileges due to the USE-AFTER-FREE error. It was found by Microsoft Threat Intelligence Center.
Another vulnerability, cve-2025-32701, in the Windows Common Log File System also gives attackers access to the System. Microsoft attributes its discovery to its internal team. The third similar vulnerability is cve-2025-32706, revealed by researchers from Google Threat Intelligence Group and Crowdstrike.
In addition, Microsoft eliminated the danger emanating from cve-2025-32709 in the Ancillary Function Driver for WinSock driver, where the USE-AFTER-FREE error can be used by local attackers. The researcher who reported this vulnerability remains undisclosed.
The fifth actively operated vulnerability (cve-2025-30397) belongs to the Microsoft scenarios and can be used through the edges or internet browsers or Internet Explorer. The problem is a typical error in contacting the resource, which allows the remote attacker to execute arbitrary code if the user crosses the specially prepared link.
Among the zero days opened before the update release, cve-2025-26685 is