CISOs need to pay attention to patching five zero day Windows vulnerabilities and two other holes with available proof-of-concept exploits among the 70 fixes issued today by Microsoft in its May Patch Tuesday releases.
Mike Walters, president of Action1, told CSO that leaders should focus in particular on these vulnerabilities:
A scripting engine memory corruption vulnerability (CVE-2025-30397) is a zero day being actively exploited. It enables remote code execution via type confusion in the Microsoft Scripting Engine. It affects Internet Explorer mode in Microsoft Edge, which is still widely used for legacy compatibility.
“While user interaction is required, delivery through phishing links or emails remains a key risk,” Walters said. “CISOs should reinforce user awareness around phishing and implement robust web content filtering and email security controls.”
Windows Common Log File System (CLFS) driver elevation of privilege zero day vulnerabilities (CVE-2025-32701 and CVE-2025-32706).
Both vulnerabilities are actively exploited in the wild, Walters said, enabling attackers to gain System-level privileges. “As CLFS is a core component across all supported Windows versions, the risk spans most enterprise environments,” he said. “In addition to patching, CISOs should review privilege management policies and monitor for anomalous activity that may signal exploitation attempts.”
Two Microsoft Office remote code execution vulnerabilities (CVE-2025-30386 and CVE-2025-30377).
Both vulnerabilities enable remote code execution without user interaction, including via the Preview Pane in Outlook, noted Walters. Attackers exploit memory handling flaws to execute arbitrary code, posing a significant risk given Microsoft Office’s enterprise ubiquity, he said. “Patching alone may not suffice—CISOs should disable the Preview Pane where possible and reinforce policies against opening unsolicited documents.”
Remote Desktop Client and Gateway Service remote code execution vulnerabilities (CVE-2025-29966 and CVE-2025-29967).
These vulnerabilities affect remote access services, which are vital for remote work and IT administration, allowing arbitrary code execution on both client and server systems. Exploitation can occur via phishing or by DNS spoofing that directs users to malicious RDP servers, Walters pointed out. “CISOs should go beyond patching by enforcing strict controls on RDP usage, enabling network-level authentication, and monitoring for suspicious RDP activity,” he said.
Screaming from hilltops?
“A lot of people are going to be screaming from the hilltops today about the four Critical and one Important vulnerability [in Azure] that all scored above a CVSS 9.0,” said Tyler Reguly, associate director of security R&D at Fortra. “I think that those people are drawing attention to the wrong place. The four critical vulnerabilities were all already patched by Microsoft.”
Since there is no action required from IT, he said, “there’s no reason to direct everyone’s attention to them. Instead, let’s draw people’s attention to places where they can act and make a difference in their environments’ security posture. That leaves us with the single Important vulnerability that rated a 9.8, which is released as a Docker image. Users of Azure AI services Document Intelligence Studio should take the time to update their image to the latest tag to mitigate this vulnerability.”
As for the five exploited vulnerabilities, “it’s really just more of the same stuff we see every month,” he said.
In addition to the vulnerabilities Walters recommended targeting, Reguly highlighted CVE-2025-30400, a vulnerability in Microsoft DWM that could allow elevation of privilege to SYSTEM.
“For those at the top of the food chain – CISOs and CSOs – this is a great Patch Tuesday to test your teams to see how well they know their environment,” Reguly added. “On top of a number of Azure services that were patched by Microsoft and require no end-user effort, we’re seeing some rarely patched components whose names might not be familiar to a lot of people, things like Microsoft Dataverse and Azure AI services Document Intelligence Studio. Ask your teams how they are handling these updates, which use non-standard update mechanisms, and find out if they really know their environments and their update processes.”
Publicly disclosed vulnerabilities
Two publicly disclosed flaws in Microsoft products that Reguly was not concerned about are:
CVE-2025-32702, an improper neutralization of special elements used in a command (‘command injection’) in Visual Studio that allows an unauthorized attacker to execute code locally.
CVE-2025-26685, a vulnerability that allows an unauthorized attacker to perform spoofing over an adjacent network and fool Microsoft Defender. There is no update available.
‘No emergency’
Johannes Ullrich, dean of research at the SANS Institute, doesn’t think any of the patches released qualifies as an emergency. Instead, he said, CISOs should ensure that the patches are rolled out in accordance with their vulnerability management program. In particular, testing that patches were applied correctly is important.
There is one interesting already exploited vulnerability, he said: CVE-2025-30397. This vulnerability (detailed above by Walters) is only exploitable if Microsoft Edge is operating in “Internet Explorer” mode. By default, Edge is not running in Internet Explorer mode, but there may be cases, in particular on workstations used by system administrators and developers, where it’s appropriate to enable this mode, Ullrich said. Configuration management should be used to prevent this from happening unless it is specifically required for a particular use case, he said.
“Luckily,” Ullrich added, “the vulnerability that, in my opinion, has the most ‘potential’ for attackers, CVE-2025-29831, is only exploitable while the RDP service is restarted. Unless the attacker is able to trigger a restart, this vulnerability will likely not be exploitable. But it yet again highlights the importance of RDP servers.”
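The advice above from Walters (enforce network-level authentication and tight controls on RDP) and from Ullrich (use configuration management so Edge runs in Internet Explorer mode only where a use case requires it, and verify that patches actually applied) can be turned into a host audit. The script below is an added example, not code from the article or from any of the vendors quoted; it assumes an elevated PowerShell session on the Windows host being checked, and the KB number is a placeholder to be replaced with the identifier from the relevant Microsoft advisory. The registry locations are the documented Edge policy key and the standard Terminal Server settings.

```powershell
# Added example: audit a Windows host for the three configuration points raised above.
# Run in an elevated PowerShell session. Findings are returned as objects so they can be
# exported (CSV, SIEM) rather than only read from the console.

function Get-PatchTuesdayExposureReport {
    [CmdletBinding()]
    param(
        # Placeholder: replace with the KB number for this month's cumulative update
        # for the host's OS build, taken from the Microsoft advisory.
        [string]$RequiredKb = 'KB0000000'
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($check, $status, $detail) {
        $findings.Add([pscustomobject]@{ Check = $check; Status = $status; Detail = $detail })
    }

    # 1. Edge Internet Explorer mode. CVE-2025-30397 is only reachable when Edge runs in IE
    #    mode. The Edge policy InternetExplorerIntegrationLevel is 0 = none, 1 = IE mode,
    #    2 = NeedIE. If the policy is absent, users can still enable IE mode themselves.
    $edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $ieLevel = (Get-ItemProperty -Path $edgePolicy -Name InternetExplorerIntegrationLevel `
                -ErrorAction SilentlyContinue).InternetExplorerIntegrationLevel
    switch ($ieLevel) {
        $null { Add-Finding 'Edge IE mode' 'WARN' 'No policy set; IE mode not centrally disabled' }
        0     { Add-Finding 'Edge IE mode' 'OK'   'Policy disables IE mode' }
        default {
            $siteList = (Get-ItemProperty -Path $edgePolicy -Name InternetExplorerIntegrationSiteList `
                         -ErrorAction SilentlyContinue).InternetExplorerIntegrationSiteList
            Add-Finding 'Edge IE mode' 'REVIEW' ("IE mode enabled (level $ieLevel); site list: " +
                                                 $(if ($siteList) { $siteList } else { 'none' }))
        }
    }

    # 2. Remote Desktop. Report whether RDP is enabled at all and whether Network Level
    #    Authentication is required (UserAuthentication = 1 on the RDP-Tcp listener).
    $tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp   = Join-Path $tsRoot 'WinStations\RDP-Tcp'
    $denyTs   = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($denyTs -eq 1) {
        Add-Finding 'RDP enabled' 'OK' 'Remote Desktop connections are denied on this host'
    } else {
        Add-Finding 'RDP enabled' 'REVIEW' 'Remote Desktop is enabled; confirm this host needs it'
        $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
        if ($nla -eq 1) {
            Add-Finding 'RDP NLA' 'OK' 'Network Level Authentication required'
        } else {
            Add-Finding 'RDP NLA' 'FAIL' 'NLA not required; set UserAuthentication = 1 (or the equivalent GPO)'
        }
    }

    # 3. Patch verification. Get-HotFix reads the installed updates; a missing entry for the
    #    expected KB means the rollout did not complete on this host.
    $hotfix = Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue
    if ($hotfix) {
        Add-Finding 'Cumulative update' 'OK' "$RequiredKb installed on $($hotfix.InstalledOn)"
    } else {
        Add-Finding 'Cumulative update' 'FAIL' "$RequiredKb not found in installed updates"
    }

    return $findings
}

# Usage: replace the placeholder KB and review anything not marked OK.
Get-PatchTuesdayExposureReport -RequiredKb 'KB0000000' | Format-Table -AutoSize
```

Running this across a fleet through a management tool and collecting the returned objects gives the evidence Ullrich describes: not just that the patch job ran, but that each host ended up in the intended state, and which administrator or developer workstations are legitimately running Edge in IE mode.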
SAP, Zoom patches
Separately, SAP released 18 Security Notes ranging from critical authorization issues to remote code execution, information disclosure, and cross-site scripting.
Jonathan Stross, a SAP security analyst at Pathlock, said in a blog that they include two particularly dangerous flaws in NetWeaver Visual Composer, both with CVSS scores over 9.0. There are also critical vulnerabilities present in SAP S/4HANA, Business Objects, and Live Auction Cockpit.
CVE-2025-31324, a missing authorization check in SAP NetWeaver Visual Composer.
The critical vulnerability (CVSS 10.0) in Visual Composer allows unauthenticated users to upload malicious executables to the suite’s development server. If exploited, this can lead to complete system compromise, including data theft and service disruption, Stross wrote. The fix applies to VCFRAMEWORK 7.50 and must be implemented immediately, as it was previously reported to have been exploited as a zero day. This note updates an April 2025 Patch Day release.
CVE-2025-42999, an insecure deserialization in Visual Composer, is a separate but related vulnerability (CVSS 9.1) that allows privileged users to exploit insecure deserialization and potentially execute malicious code on the host system. SAP has removed the vulnerable deserialization logic and recommends optional integration with Virus Scan Interface (VSI), wrote Stross. Organizations using NetWeaver Visual Composer should apply this patch in parallel with CVE-2025-31324, he added.
CVE-2025-30018 covers five vulnerabilities with CVSS scores of up to 8.6 in SAP SRM Live Auction Cockpit. These stem from deprecated Java applets and can be exploited without authentication, Stross noted. Organizations using SRM 7.14 should decommission the Java applet components and follow the SAP Note guidance for safe configurations, he said.
CVE-2025-43010, a code injection in SAP S/4HANA SCM Master Data Layer, has a CVSS score of 8.3. It allows low-privileged users to remotely inject ABAP code that can modify or destroy system programs. The vulnerable function module has been deprecated. Affected are both on-premises and private cloud installations across multiple S4CORE and SCM_BASIS versions.
Zoom disclosed seven vulnerabilities in its Workplace meeting apps – one ranked high severity – that pose significant risks such as privilege escalation, denial-of-service (DoS) and remote code execution.
“Cyber professionals are considering the need for deep fake detection and prevention impacting virtual meetings today,” said Jim Routh, chief trust officer at Saviynt. “It turns out that the software defects/vulnerabilities announced recently in Zoom Workplace are far more critical at this time.”
“DoS and remote code execution vulnerabilities have the potential for significant business disruption with the potential for ransomware exploits,” he added. “Software resilience for enterprise software companies is achievable with more maturity in the development process to identify and remediate race conditions.”