{"id":3174,"date":"2025-05-14T00:18:30","date_gmt":"2025-05-14T00:18:30","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3174"},"modified":"2025-05-14T00:18:30","modified_gmt":"2025-05-14T00:18:30","slug":"patch-tuesday-for-may-five-zero-day-vulnerabilities-cisos-should-focus-on","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3174","title":{"rendered":"Patch Tuesday for May: Five zero day vulnerabilities CISOs should focus on"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISOs need to pay attention to patching five zero day Windows vulnerabilities and two other holes with available proof-of-concept exploits among the 70 fixes issued today by Microsoft in its May Patch Tuesday releases.<\/p>\n<p>Mike Walters, president of Action1, told CSO that leaders should focus in particular on these vulnerabilities:<\/p>\n<p>A scripting engine memory corruption vulnerability (CVE-2025-30397) is a <a href=\"https:\/\/www.csoonline.com\/article\/565704\/zero-days-explained-how-unknown-vulnerabilities-become-gateways-for-attackers.html\">zero day<\/a> being actively exploited. It enables remote code execution via type confusion in the Microsoft Scripting Engine. It affects Internet Explorer mode in Microsoft Edge, which is still widely used for legacy compatibility.<br \/>\u201cWhile user interaction is required, delivery through phishing links or emails remains a key risk,\u201d Walters said. 
\u201cCISOs should reinforce user awareness around phishing and implement robust web content filtering and email security controls.\u201d<\/p>\n<p>Windows Common Log File System (CLFS) driver elevation of privilege zero day vulnerabilities (CVE-2025-32701 and CVE-2025-32706).<br \/>Both vulnerabilities are actively exploited in the wild, Walters said, enabling attackers to gain System-level privileges. \u201cAs CLFS is a core component across all supported Windows versions, the risk spans most enterprise environments,\u201d he said. \u201cIn addition to patching, CISOs should review privilege management policies and monitor for anomalous activity that may signal exploitation attempts.\u201d<\/p>\n<p>Two Microsoft Office remote code execution vulnerabilities (CVE-2025-30386 and CVE-2025-30377).<br \/>Both vulnerabilities enable remote code execution without user interaction, including via the Preview Pane in Outlook, noted Walters. Attackers exploit memory handling flaws to execute arbitrary code, posing a significant risk given Microsoft Office\u2019s enterprise ubiquity, he said. \u201cPatching alone may not suffice\u2014CISOs should disable the Preview Pane where possible and reinforce policies against opening unsolicited documents.\u201d<\/p>\n<p>Remote Desktop Client and Gateway Service remote code execution vulnerabilities (CVE-2025-29966 and CVE-2025-29967).<br \/>These vulnerabilities affect remote access services, which are vital for remote work and IT administration, allowing arbitrary code execution on both client and server systems. Exploitation can occur via phishing or by DNS spoofing that directs users to malicious RDP servers, Walters pointed out. 
\u201cCISOs should go beyond patching by enforcing strict controls on RDP usage, enabling network-level authentication, and monitoring for suspicious RDP activity,\u201d he said.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Screaming from hilltops?<\/strong><\/h2>\n<p>\u201cA lot of people are going to be screaming from the hilltops today about the four Critical and one Important vulnerability [in Azure] that all scored above a CVSS 9.0,\u201d said Tyler Reguly, associate director of security R&amp;D at Fortra. \u201cI think that those people are drawing attention to the wrong place. The four critical vulnerabilities were all already patched by Microsoft.\u201d<\/p>\n<p>Since there is no action required from IT, he said, \u201cthere\u2019s no reason to direct everyone\u2019s attention to them. Instead, let\u2019s draw people\u2019s attention to places where they can act and make a difference in their environments\u2019 security posture. That leaves us with the single Important vulnerability that rated a 9.8, which is released as a Docker image. Users of Azure AI services Document Intelligence Studio should take the time to update their image to the latest tag to mitigate this vulnerability.\u201d<\/p>\n<p>As for the five exploited vulnerabilities, \u201cit\u2019s really just more of the same stuff we see every month,\u201d he said.<\/p>\n<p>In addition to the vulnerabilities Walters recommended targeting, he highlighted <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2025-30400\" target=\"_blank\" rel=\"noopener\">CVE-2025-30400<\/a>, a vulnerability in Microsoft DWM that could allow elevation of privilege to SYSTEM.<\/p>\n<p>\u201cFor those at the top of the food chain \u2013 CISOs and CSOs \u2013 this is a great Patch Tuesday to test your teams to see how well they know their environment,\u201d Reguly added. 
\u201cOn top of a number of Azure services that were patched by Microsoft and require no end-user effort, we\u2019re seeing some rarely patched components whose names might not be familiar to a lot of people, things like Microsoft Dataverse and Azure AI services Document Intelligence Studio. Ask your teams how they are handling these updates, which use non-standard update mechanisms, and find out if they really know their environments and their update processes.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><strong>Publicly disclosed vulnerabilities<\/strong><\/h2>\n<p>Two publicly disclosed flaws in Microsoft products that Reguly was not concerned about are:<\/p>\n<p><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-32702\" target=\"_blank\" rel=\"noopener\">CVE-2025-32702<\/a>, an improper neutralization of special elements used in a command (\u2018command injection\u2019) in Visual Studio that allows an unauthorized attacker to execute code locally.<\/p>\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-26685\" target=\"_blank\" rel=\"noopener\">CVE-2025-26685<\/a>, a vulnerability that allows an unauthorized attacker to perform spoofing over an adjacent network and fool Microsoft Defender. There is no update available.<\/p>\n<h2 class=\"wp-block-heading\"><strong>\u2018No emergency\u2019<\/strong><\/h2>\n<p>Johannes Ullrich, dean of research at the SANS Institute, doesn\u2019t think any of the patches released qualifies as an emergency. Instead, he said, CISOs should ensure that the patches are rolled out in accordance with their <a href=\"https:\/\/www.csoonline.com\/article\/3853759\/10-best-practices-for-vulnerability-management-according-to-cisos.html\">vulnerability management program<\/a>. In particular, testing that patches were applied correctly is important.\u00a0<\/p>\n<p>There is one interesting already exploited vulnerability, he said:\u00a0CVE-2025-30397. 
This vulnerability (detailed above by Walters) is only exploitable if Microsoft Edge is operating in \u201cInternet Explorer\u201d mode. By default, Edge is not running in Internet Explorer mode, but there may be cases, in particular on workstations used by system administrators and developers, where it\u2019s appropriate to enable this mode, Ullrich said. Configuration management should be used to prevent this from happening unless it is specifically required for a particular use case, he said.<\/p>\n<p>\u201cLuckily,\u201d Ullrich added, \u201cthe vulnerability that, in my opinion, has the most \u2018potential\u2019 for attackers,\u00a0CVE-2025-29831, is only exploitable while the RDP service is restarted. Unless the attacker is able to trigger a restart, this vulnerability will likely not be exploitable. But it yet again highlights the importance of RDP servers.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><strong>SAP, Zoom patches<\/strong><\/h2>\n<p>Separately, <strong>SAP<\/strong> released 18 Security Notes ranging from critical authorization issues to remote code execution, information disclosure, and cross-site scripting.<\/p>\n<p>Jonathan Stross, a SAP security analyst at Pathlock, <a href=\"https:\/\/pathlock.com\/learn\/sap-security-patch-day-may-2025\/\" target=\"_blank\" rel=\"noopener\">said in a blog<\/a> that they include two particularly dangerous flaws in NetWeaver Visual Composer, both with CVSS scores over 9.0. There are also\u00a0critical vulnerabilities present in SAP S\/4HANA, Business Objects, and Live Auction Cockpit.<\/p>\n<p>CVE-2025-31324, a missing authorization check in SAP NetWeaver Visual Composer.<br \/>The critical vulnerability (CVSS 10.0) in Visual Composer allows unauthenticated users to upload malicious executables to the suite\u2019s development server. If exploited, this can lead to complete system compromise, including data theft and service disruption, Stross wrote. 
The fix applies to VCFRAMEWORK 7.50 and must be implemented immediately, as it was <a href=\"https:\/\/www.csoonline.com\/article\/3971211\/sap-netweaver-customers-urged-to-deploy-patch-for-critical-zero-day-vulnerability.html\">previously reported to have been exploited as a zero day<\/a>. This note updates an April 2025 Patch Day release.<\/p>\n<p>CVE-2025-42999, an insecure deserialization in Visual Composer, is a separate but related vulnerability (CVSS 9.1) that allows privileged users to exploit insecure deserialization and potentially execute malicious code on the host system. SAP has removed the vulnerable deserialization logic and recommends optional integration with Virus Scan Interface (VSI), wrote Stross. Organizations using NetWeaver Visual Composer should apply this patch in parallel with CVE-2025-31324, he added.<\/p>\n<p>CVE-2025-30018 covers five vulnerabilities with CVSS scores of up to 8.6 in SAP SRM Live Auction Cockpit. These stem from deprecated Java applets and can be exploited without authentication, Stross notes. Organizations using SRM 7.14 should decommission the Java applet components and follow the SAP Note guidance for safe configurations, he said.<\/p>\n<p>CVE-2025-43010, a code injection in SAP S\/4HANA SCM Master Data Layer, has a CVSS score of 8.3. It allows low-privileged users to remotely inject ABAP code that can modify or destroy system programs. The vulnerable function module has been deprecated. 
Affected are both on-premises and private cloud installations across multiple S4CORE and SCM_BASIS versions.<\/p>\n<p><strong>Zoom<\/strong> <a href=\"https:\/\/www.zoom.com\/en\/trust\/security-bulletin\/?cms_guid=false&amp;lang=en-US\" target=\"_blank\" rel=\"noopener\">disclosed seven vulnerabilities<\/a> in its Workplace meeting apps \u2013 one ranked high severity \u2013 that pose significant risks such as privilege escalation, denial-of-service (DoS) and remote code execution.<\/p>\n<p>\u201cCyber professionals are considering the need for <a href=\"https:\/\/www.csoonline.com\/article\/3982379\/deepfake-attacks-are-inevitable-cisos-cant-prepare-soon-enough.html\">deep fake detection<\/a> and prevention impacting virtual meetings today,\u201d said Jim Routh, chief trust officer at Saviynt. \u201cIt turns out that the software defects\/vulnerabilities announced recently in Zoom Workplace are far more critical at this time.\u201d<\/p>\n<p>\u201cDoS and remote code execution vulnerabilities have the potential for significant business disruption with the potential for ransomware exploits,\u201d he added. \u201cSoftware resilience for enterprise software companies is achievable with more maturity in the development process to identify and remediate race conditions.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs need to pay attention to patching five zero day Windows vulnerabilities and two other holes with available proof-of-concept exploits among the 70 fixes issued today by Microsoft in its May Patch Tuesday releases. 
Mike Walters, president of Action1, told CSO that leaders should focus in particular on these vulnerabilities: A scripting engine memory corruption [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3161,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3174","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3174"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3174"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3174\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3161"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}