Every day has the potential to be a bad day for a CSO. However, the second Tuesday of each month – Patch Tuesday – is almost guaranteed to be one of those days, though with any luck it’s merely troublesome, not catastrophic.
In 2025, however, some of them gave CSOs heartburn: Microsoft issued mitigations for 1,246 CVEs, including 158 rated critical. Forty-one of them were zero days, and researchers at Tenable estimate that elevation of privilege vulnerabilities accounted for about 38.3% of all Patch Tuesday vulnerabilities in 2025, followed by remote code execution flaws at about 30%.
We asked security experts which of those bugs worried them the most. Here’s how they responded.
New tactics and AI change the game
More vulnerabilities were spotted this year than in 2024, says Gene Moody, field CTO at patching automation provider Action1, an upward trend that’s been ongoing for the past five years.
One thing, however, is different: Thanks to the use of AI by threat actors, as well as cunning new tactics, security teams have less time than ever to install patches.
“Attack groups will do things like hold their first attack until the day after Patch Tuesday, because it puts Microsoft on the spot: They would have to release a massive out-of-band update or wait until the next Patch Tuesday,” he said. “So if you are waiting for 30-day or quarterly cycles to patch, you are behind the curve. You are spending weeks to potentially months unprotected, and [with] no excuse to be so.”
“You have to patch what needs to be patched, not just what can be patched,” Moody added. “You don’t have 30 days to do testing, plan down time. You no longer have the luxury of saying, ‘We’re going to push all of this out at once.’ You need to say, ‘I’m going to knock out the ones that are going to kill me first,’ and if you automate this [initial batch], you have more man hours to analyze and scrutinize the rest.”
Take, for example, one of the nastiest holes found this year, ToolShell (CVE-2025-53770), an unauthenticated remote code execution flaw in on-premises SharePoint Server (2016, 2019 and Subscription Edition) that attackers chained with a companion spoofing bug to take over servers without credentials. It carries a 9.8 CVSS score, and exploiting it has become a favorite of initial access brokers.
Scott Caveza, senior staff research engineer at Tenable, described its possible exploitation as a “nightmare scenario … that CSOs will want to avoid at all costs.” But, Moody pointed out, most large organizations today use SharePoint Online, which was not affected. So its CVSS score matters only to those still running SharePoint servers in-house.
Watch those lower-scored vulnerabilities
Several lower-scored vulnerabilities could have caused serious damage if not quickly addressed, Moody said. These included:
CVE-2025-24993, a heap-based buffer overflow in the Windows NTFS driver, present on nearly every Windows system by default, which enabled local code execution by an unauthorized attacker;
CVE-2025-24990, a privilege escalation flaw in the third-party Agere modem driver (ltmdm64.sys) shipped natively with Windows, which let attackers elevate to SYSTEM with little effort, and without an actual Agere modem being in use, turning limited access into total control. Microsoft’s fix removed the driver outright rather than patching it, so any hardware that still depends on it stops working after the update;
CVE-2025-62221, a use-after-free bug in the Windows Cloud Files mini filter driver, which was actively exploited and provided a dependable path to SYSTEM once code execution was achieved. While it required initial access, Moody pointed out it was a very short path to total control that was easy to execute, with low skill requirements;
CVE-2025-53779, the Windows Kerberos BadSuccessor privilege escalation, which threatened domain-level compromise in Windows Server 2025 Active Directory environments: an attacker who could create or modify delegated Managed Service Account (dMSA) objects in an organizational unit could inherit the privileges of any account, including domain administrators. In a blog post, Action1 director of vulnerability research Jack Bicer called this hole “a gift to ransomware operators … providing an express elevator to domain admin.”
Caveza also drew attention to two elevation of privilege flaws, CVE-2025-24983 in the Windows Win32 kernel subsystem and CVE-2025-29824 in the Windows Common Log File System (CLFS) driver, because both were used alongside the PipeMagic backdoor to spread ransomware.
He also noted:
CVE-2025-26633, a security feature bypass vulnerability affecting the Microsoft Management Console (MMC). This was a zero-day vulnerability abused by multiple threat actors to deploy malware, including the MSC EvilTwin trojan loader, and has been used with multiple malware variants, including backdoors and infostealers;
CVE-2025-33053, a remote code execution vulnerability affecting Internet Shortcut (.url) files. Check Point Research found this zero-day flaw to have been abused by an APT known as Stealth Falcon, which used it to distribute Horus Agent malware.
Look out for Preview Pane attacks
Tyler Reguly, associate director for research and development at Fortra, said CSOs should think about defending against Preview Pane attacks in Windows and Office. Threat actors could have exploited these flaws to run malicious code when an employee previewed a specially crafted file or email.
One example was CVE-2025-30377, which researchers at ZeroPath called “one of the most dangerous vulnerabilities discovered in Microsoft Office” when it was revealed in May.
These kinds of attacks “represent some of the biggest risks to organizations,” said Reguly. “Those silent exploits that run as soon as an email is viewed are a potential risk, since most people make use of the Preview Pane. While there may be bigger vulnerabilities that were more impactful that I’m sure others will call attention to, this is the class of vulnerability that I would want to call out and ensure that others are watching for.”
CVSS score ‘only part of a puzzle’
Moody urged CSOs to stop thinking about CVSS as a score and start thinking of it as one input to developing their own score; a CVSS score is “only part of a puzzle.”
Most CSOs lack a foundational understanding of how vulnerabilities relate to their specific IT environment and concerns, he pointed out. “People tend to chase CVSS [thinking] ‘9.5, bad’. Well, 9.5 is a theoretical bad. It’s a worst-case scenario in a lab if you manage to pull it off – but that vulnerability may not even be expressed in your environment. Or it may be in your environment but in a benign way.
“By contrast, the 6.2 may be the most critical one you need to stop right now because it’s on 10,000 forward-facing web servers.”
He urged CSOs to triage vulnerabilities using the US Cybersecurity and Infrastructure Security Agency’s (CISA) Stakeholder-Specific Vulnerability Categorization (SSVC) framework, which weighs exploitation status, system exposure, automatability and mission impact rather than the CVSS base score alone.
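To make Moody’s point concrete, the following is an added example, not code from the article, from Action1 or from CISA. It applies a simplified, hand-written decision rule in the shape of CISA’s SSVC deployer tree (exploitation status, exposure, automatability, mission impact, leading to defer / scheduled / out-of-cycle / immediate) to a constructed inventory, and shows how that ordering differs from sorting by CVSS. The CVE identifiers, scores and host counts are invented sample data, and the rule is an illustration of the approach, not the official SSVC decision table.

```python
"""
Simplified SSVC-style triage over a constructed vulnerability inventory.

Added example for this article; not code from the article, from Action1 or
from CISA. It mimics the shape of CISA's SSVC deployer decision tree
(exploitation status, system exposure, automatability, mission impact ->
defer / scheduled / out-of-cycle / immediate) with a hand-written, simplified
rule, so its outcomes are illustrative and will not match the official SSVC
tables exactly. All CVE identifiers, scores and host counts below are
constructed sample data, not real telemetry.
"""
from dataclasses import dataclass
from enum import IntEnum


class Exploitation(IntEnum):
    NONE = 0     # no public exploit known
    POC = 1      # public proof of concept exists
    ACTIVE = 2   # exploitation observed in the wild


class Exposure(IntEnum):
    SMALL = 0       # isolated segment, not reachable from untrusted networks
    CONTROLLED = 1  # reachable, but behind compensating controls (VPN, EDR, ACLs)
    OPEN = 2        # directly internet-facing


class MissionImpact(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Finding:
    cve: str                      # constructed identifier, not a real CVE
    cvss: float
    exploitation: Exploitation
    automatable: bool             # can recon -> exploit -> install run with no human in the loop?
    exposure: Exposure
    mission_impact: MissionImpact
    affected_hosts: int


# Outcomes in increasing urgency; the index is used for ordering.
DECISIONS = ("defer", "scheduled", "out-of-cycle", "immediate")


def ssvc_decision(f: Finding) -> str:
    """Simplified deployer decision. Note that CVSS is deliberately not an input."""
    urgency = int(f.exploitation)           # NONE=0, POC=1, ACTIVE=2
    if f.exposure is Exposure.OPEN:
        urgency += 1
    elif f.exposure is Exposure.SMALL:
        urgency -= 1
    if f.automatable and f.mission_impact >= MissionImpact.MEDIUM:
        urgency += 1
    # Active exploitation against a mission-critical system is always immediate.
    if f.exploitation is Exploitation.ACTIVE and f.mission_impact is MissionImpact.HIGH:
        urgency = len(DECISIONS) - 1
    urgency = max(0, min(urgency, len(DECISIONS) - 1))
    return DECISIONS[urgency]


def prioritize(findings: list[Finding]) -> list[str]:
    """Order by SSVC decision, then by blast radius (hosts), then by CVSS as a tiebreaker."""
    ranked = sorted(
        findings,
        key=lambda f: (-DECISIONS.index(ssvc_decision(f)), -f.affected_hosts, -f.cvss),
    )
    return [f.cve for f in ranked]


def cvss_only(findings: list[Finding]) -> list[str]:
    """The 'chase the 9.5' ordering the article warns against, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


# Constructed inventory mirroring the article's scenario: a 9.5 on a handful of
# isolated hosts versus a 6.2 being actively exploited on 10,000 public web servers.
INVENTORY = [
    Finding("CVE-0000-0001", 9.5, Exploitation.NONE, True, Exposure.SMALL, MissionImpact.LOW, 12),
    Finding("CVE-0000-0002", 6.2, Exploitation.ACTIVE, True, Exposure.OPEN, MissionImpact.MEDIUM, 10_000),
    Finding("CVE-0000-0003", 7.8, Exploitation.ACTIVE, False, Exposure.CONTROLLED, MissionImpact.HIGH, 500),
]

if __name__ == "__main__":
    for f in INVENTORY:
        print(f"{f.cve}  cvss={f.cvss:<4} hosts={f.affected_hosts:<6} -> {ssvc_decision(f)}")
    print("SSVC order :", prioritize(INVENTORY))
    print("CVSS order :", cvss_only(INVENTORY))
```

Run as a script, the 9.5 on a dozen isolated hosts lands in “defer”, while the actively exploited 6.2 on 10,000 internet-facing servers and the ransomware-style elevation of privilege on a controlled but mission-critical segment both land in “immediate”; a CVSS-only sort would have put the 9.5 first. The real SSVC tree has more branches and published lookup tables, but the design point is the same: exploitation status and exposure in your own environment, not the base score, decide what gets automated into the first patch batch.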