
Microsoft primes 71 fixes for May Patch Tuesday – Sophos News


Microsoft on Tuesday released 71 patches affecting 14 product families. Six of the addressed issues, five involving remote code execution and one allowing information disclosure (including PII, Personally Identifiable Information), are considered by Microsoft to be of Critical severity, and 12 have a CVSS base score of 8.0 or higher. Five, all Important-severity issues in Windows, are known to be under active exploit in the wild.

At patch time, 9 additional CVEs are more likely to be exploited in the next 30 days by the company’s estimation. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in a table below.

In addition to these patches, eight Important-severity Adobe Reader issues affecting ColdFusion are covered in the release. These are listed in Appendix D below. That appendix also contains information on eight Edge-related vulnerabilities and seven affecting Azure, Dataverse, or Power Apps. Though several of the non-Edge issues are exciting, with CVSS Base scores over 9.0 (a “perfect” 10, in one case), Microsoft’s released information indicates that all have been patched in recent days – in other words, the information provided is strictly FYI.

We are as always including at the end of this post appendices listing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base score, and by product family; an appendix covering the advisory-style updates; and a breakout of the patches affecting the various Windows Server platforms still in support.

By the numbers

  • Total CVEs: 71
  • Publicly disclosed: 2
  • Exploit detected: 5
  • Severity
    • Critical: 6
    • Important: 65
  • Impact:
    • Remote Code Execution: 28
    • Elevation of Privilege: 17
    • Information Disclosure: 15
    • Denial of Service: 7
    • Security Feature Bypass: 2
    • Spoofing: 2
  • CVSS base score 9.0 or greater: 1*
  • CVSS base score 8.0 or greater: 11

* A number of advisory-only issues this month, affecting Azure, Dataverse, and Power Apps but patched by Microsoft prior to the May release, have been assigned critical CVSS scores. Please see Appendix D for details.

a bar chart showing distribution of May's patches by impact, further color-coded by severity; information in text

Figure 1: Remote code execution returns to the top of the charts for May’s Patch Tuesday. Note the unusual Critical-severity information-disclosure issue. This occurs in Nuance PowerScribe 360, a product from the medical sphere – ask your local radiologist for details. (Eight Edge updates covered this month are not released with full impact information and thus do not appear in this chart)

Products

  • Windows: 43
  • Office: 14
  • 365: 13
  • Excel: 7
  • SharePoint: 4
  • Visual Studio: 4
  • RDP Client: 2
  • .NET: 1
  • Azure: 1
  • Dataverse: 1
  • Defender: 1
  • Nuance PowerScribe 360: 1
  • PC Manager: 1
  • Windows HLK: 1

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. It should be noted, by the way, that CVE names in May don’t always reflect affected product families closely. In particular, some CVE names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa.

A bar chart showing distribution of May's patches, sorted by product family; information covered in text

Figure 2: Fourteen product families figure in May’s Patch Tuesday release. This month, we return to separating Edge / Chromium issues from the pack; these are covered in Appendix D, as are some advisory and information-only but interesting issues affecting Azure, Dataverse, and Power Apps

Notable May updates

In addition to the issues discussed above, a variety of specific items merit attention.

CVE-2025-30385, CVE-2025-30701, CVE-2025-32706 — Windows Common Log File System Driver Elevation of Privilege Vulnerability

CLFS issues account for two of the five vulnerabilities currently known to be under attack in the wild, and the other one (CVE-2025-30385) is expected to see action within the next 30 days. The logging system has taken a high number of patches in the past few years, including recently seen abuse by both Play and PipeMagic malware of CVE-2025-29824, which was patched last month. Microsoft’s known to be spinning up a new verification step for parsing CLFS log files, but in the meantime, the system’s giving RDP a run for its money as a source of administrator grief.

CVE-2025-30377, CVE-2025-30386 — Microsoft Office Remote Code Execution Vulnerability

Both of these vulnerabilities can be triggered via Preview Pane. If it were a contest CVE-2025-30386 would have the slight edge, as Microsoft finds that in the worst case, in their words, “an attacker could send a specially crafted email to the user with no requirement that the victim open, read, or click on the link.” Both vulnerabilities apply to 365 as well as Office.

CVE-2025-27488 — Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability

An Important-class issue, this bug affects the Windows Hardware Lab Kit, which is a framework for testing hardware devices and drivers for certain editions of Windows; multiple versions of the entire kit likewise take an update this month. That’s good, as the problem itself lies in certain third-party infrastructure within the kit using a hard-coded password (!).

CVE-2025-30384 — Microsoft SharePoint Server Remote Code Execution Vulnerability

An Important-severity issue requiring the attacker to prepare the target ahead of time, the finder credited for this item is “zcgonvh’s cat Vanilla.” We admit to some curiosity about how Vanilla caught this bug; did they use… a mouse?

A bar chart showing the cumulative patch counts for 2025, sorted by impact and further indicating severity

Figure 3: RCE and EoP issues continue to dominate the charts in 2025

Sophos protections

| CVE | Sophos Intercept X/Endpoint IPS | Sophos XGS Firewall |
| --- | --- | --- |
| CVE-2025-24063 | Exp/2524063-A | Exp/2524063-A |
| CVE-2025-29971 | Exp/2529971-A | Exp/2529971-A |
| CVE-2025-30377 | sid:2310992 | sid:2310992 |
| CVE-2025-30386 | sid:2310976 | sid:2310976 |
| CVE-2025-30388 | sid:2310990 | sid:2310990 |
| CVE-2025-30397 | Exp/2530397-A | Exp/2530397-A |
| CVE-2025-30400 | Exp/2530400-A | Exp/2530400-A |
| CVE-2025-32701 | Exp/2532701-A | Exp/2532701-A |
| CVE-2025-32706 | Exp/2532706-A | Exp/2532706-A |
| CVE-2025-32709 | Exp/2532709-A | Exp/2532709-A |

 

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of May patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Remote Code Execution (28 CVEs)

Critical severity
CVE-2025-29833: Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
CVE-2025-29966: Remote Desktop Client Remote Code Execution Vulnerability
CVE-2025-29967: Windows Remote Desktop Services Remote Code Execution Vulnerability
CVE-2025-30377: Microsoft Office Remote Code Execution Vulnerability
CVE-2025-30386: Microsoft Office Remote Code Execution Vulnerability
Important severity
CVE-2025-29831: Windows Remote Desktop Services Remote Code Execution Vulnerability
CVE-2025-29840: Windows Media Remote Code Execution Vulnerability
CVE-2025-29962: Windows Media Remote Code Execution Vulnerability
CVE-2025-29963: Windows Media Remote Code Execution Vulnerability
CVE-2025-29964: Windows Media Remote Code Execution Vulnerability
CVE-2025-29969: MS-EVEN RPC Remote Code Execution Vulnerability
CVE-2025-29977: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-29978: Microsoft PowerPoint Remote Code Execution Vulnerability
CVE-2025-29979: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30375: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30376: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30378: Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2025-30379: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30381: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30382: Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2025-30383: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30384: Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2025-30388: Windows Graphics Component Remote Code Execution Vulnerability
CVE-2025-30393: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30397: Scripting Engine Memory Corruption Vulnerability
CVE-2025-32702: Visual Studio Remote Code Execution Vulnerability
CVE-2025-32704: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-32705: Microsoft Outlook Remote Code Execution Vulnerability

 

Elevation of Privilege (17 CVEs)

Important severity
CVE-2025-24063: Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2025-26684: Microsoft Defender Elevation of Privilege Vulnerability
CVE-2025-27468: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2025-27488: Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability
CVE-2025-29826: Microsoft Dataverse Elevation of Privilege Vulnerability
CVE-2025-29838: Windows Execution Context Driver Elevation of Privilege Vulnerability
CVE-2025-29841: Universal Print Management Service Elevation of Privilege Vulnerability
CVE-2025-29970: Microsoft Brokering File System Elevation of Privilege Vulnerability
CVE-2025-29975: Microsoft PC Manager Elevation of Privilege Vulnerability
CVE-2025-29976: Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVE-2025-30385: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2025-30387: Document Intelligence Studio On-Prem Information Disclosure Vulnerability
CVE-2025-30400: Microsoft DWM Core Library Elevation of Privilege Vulnerability
CVE-2025-32701: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2025-32706: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2025-32707: NTFS Elevation of Privilege Vulnerability
CVE-2025-32709: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

 

Information Disclosure (15 CVEs)

Critical severity
CVE-2025-30398: Nuance PowerScribe 360 Information Disclosure Vulnerability
Important severity
CVE-2025-29829: Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability
CVE-2025-29830: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29832: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29835: Windows Remote Access Connection Manager Information Disclosure Vulnerability
CVE-2025-29836: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29837: Windows Installer Information Disclosure Vulnerability
CVE-2025-29839: Windows Multiple UNC Provider Driver Information Disclosure Vulnerability
CVE-2025-29956: Windows SMB Information Disclosure Vulnerability
CVE-2025-29958: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29959: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29960: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29961: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29974: Windows Kernel Information Disclosure Vulnerability
CVE-2025-32703: Visual Studio Information Disclosure Vulnerability

 

Denial of Service (7 CVEs)

Important severity
CVE-2025-26677: Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
CVE-2025-29954: Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
CVE-2025-29955: Windows Hyper-V Denial of Service Vulnerability
CVE-2025-29957: Windows Deployment Services Denial of Service Vulnerability
CVE-2025-29968: Active Directory Certificate Services (AD CS) Denial of Service Vulnerability
CVE-2025-29971: Web Threat Defense (WTD.sys) Denial of Service Vulnerability
CVE-2025-30394: Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability

 

Security Feature Bypass (2 CVEs)

Important severity
CVE-2025-21264: Visual Studio Code Security Feature Bypass Vulnerability
CVE-2025-29842: UrlMon Security Feature Bypass Vulnerability

 

Spoofing (2 CVEs)

Important severity
CVE-2025-26646: .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability
CVE-2025-26685: Microsoft Defender for Identity Spoofing Vulnerability

 

 

Appendix B: Exploitability and CVSS

This is a list of the May CVEs judged by Microsoft to be either under exploitation in the wild or more likely to be exploited in the wild within the first 30 days post-release. The list is further arranged by CVE. Interestingly, 28 of this month’s vulnerabilities were marked in Microsoft’s release materials as “exploitation unlikely” – a category far less commonly assigned by the company in the past.

Exploitation detected
CVE-2025-30397: Scripting Engine Memory Corruption Vulnerability
CVE-2025-30400: Microsoft DWM Core Library Elevation of Privilege Vulnerability
CVE-2025-32701: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2025-32706: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2025-32709: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Exploitation more likely within the next 30 days
CVE-2025-24063: Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2025-29841: Universal Print Management Service Elevation of Privilege Vulnerability
CVE-2025-29971: Web Threat Defense (WTD.sys) Denial of Service Vulnerability
CVE-2025-29976: Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVE-2025-30382: Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2025-30385: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2025-30386: Microsoft Office Remote Code Execution Vulnerability
CVE-2025-30388: Windows Graphics Component Remote Code Execution Vulnerability
CVE-2025-30398: Nuance PowerScribe 360 Information Disclosure Vulnerability

 

This is a list of May’s CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema. For a look at the CVSS scores for certain products covered in this month’s advisories, please see Appendix D.

| CVSS Base | CVSS Temporal | CVE | Title |
| --- | --- | --- | --- |
| 9.8 | 8.5 | CVE-2025-30387 | Document Intelligence Studio On-Prem Information Disclosure Vulnerability |
| 8.8 | 7.7 | CVE-2025-29840 | Windows Media Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2025-29962 | Windows Media Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2025-29963 | Windows Media Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2025-29964 | Windows Media Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2025-29966 | Remote Desktop Client Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2025-29967 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
| 8.4 | 7.3 | CVE-2025-30377 | Microsoft Office Remote Code Execution Vulnerability |
| 8.4 | 7.3 | CVE-2025-30386 | Microsoft Office Remote Code Execution Vulnerability |
| 8.4 | 7.3 | CVE-2025-32704 | Microsoft Excel Remote Code Execution Vulnerability |
| 8.1 | 7.1 | CVE-2025-30398 | Nuance PowerScribe 360 Information Disclosure Vulnerability |
| 8.0 | 7.0 | CVE-2025-26646 | .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability |

 

Appendix C: Products Affected

This is a list of May’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. Certain important issues for which advisories have been issued are covered in Appendix D, and issues affecting Windows Server are further sorted in Appendix E. All CVE titles are accurate as made available by Microsoft; for further information on why certain products may appear in titles and not product families (or vice versa), please consult Microsoft.

Windows (43 CVEs)

Critical severity
CVE-2025-29833: Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
CVE-2025-29966: Remote Desktop Client Remote Code Execution Vulnerability
CVE-2025-29967: Windows Remote Desktop Services Remote Code Execution Vulnerability
Important severity
CVE-2025-24063: Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2025-26677: Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
CVE-2025-27468: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2025-29829: Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability
CVE-2025-29830: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29831: Windows Remote Desktop Services Remote Code Execution Vulnerability
CVE-2025-29832: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29835: Windows Remote Access Connection Manager Information Disclosure Vulnerability
CVE-2025-29836: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29837: Windows Installer Information Disclosure Vulnerability
CVE-2025-29838: Windows ExecutionContext Driver Elevation of Privilege Vulnerability
CVE-2025-29839: Windows Multiple UNC Provider Driver Information Disclosure Vulnerability
CVE-2025-29840: Windows Media Remote Code Execution Vulnerability
CVE-2025-29841: Universal Print Management Service Elevation of Privilege Vulnerability
CVE-2025-29842: UrlMon Security Feature Bypass Vulnerability
CVE-2025-29954: Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
CVE-2025-29955: Windows Hyper-V Denial of Service Vulnerability
CVE-2025-29956: Windows SMB Information Disclosure Vulnerability
CVE-2025-29957: Windows Deployment Services Denial of Service Vulnerability
CVE-2025-29958: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29959: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29960: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29961: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
CVE-2025-29962: Windows Media Remote Code Execution Vulnerability
CVE-2025-29963: Windows Media Remote Code Execution Vulnerability
CVE-2025-29964: Windows Media Remote Code Execution Vulnerability
CVE-2025-29968: Active Directory Certificate Services (AD CS) Denial of Service Vulnerability
CVE-2025-29969: MS-EVEN RPC Remote Code Execution Vulnerability
CVE-2025-29970: Microsoft Brokering File System Elevation of Privilege Vulnerability
CVE-2025-29971: Web Threat Defense (WTD.sys) Denial of Service Vulnerability
CVE-2025-29974: Windows Kernel Information Disclosure Vulnerability
CVE-2025-30385: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2025-30388: Windows Graphics Component Remote Code Execution Vulnerability
CVE-2025-30394: Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
CVE-2025-30397: Scripting Engine Memory Corruption Vulnerability
CVE-2025-30400: Microsoft DWM Core Library Elevation of Privilege Vulnerability
CVE-2025-32701: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2025-32706: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2025-32707: NTFS Elevation of Privilege Vulnerability
CVE-2025-32709: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

 

Office (14 CVEs)

Critical severity
CVE-2025-30377: Microsoft Office Remote Code Execution Vulnerability
CVE-2025-30386: Microsoft Office Remote Code Execution Vulnerability
Important severity
CVE-2025-29977: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-29978: Microsoft PowerPoint Remote Code Execution Vulnerability
CVE-2025-29979: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30375: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30376: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30379: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30381: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30383: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30388: Windows Graphics Component Remote Code Execution Vulnerability
CVE-2025-30393: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-32704: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-32705: Microsoft Outlook Remote Code Execution Vulnerability

 

365 (13 CVEs)

Critical severity
CVE-2025-30377: Microsoft Office Remote Code Execution Vulnerability
CVE-2025-30386: Microsoft Office Remote Code Execution Vulnerability
Important severity
CVE-2025-29977: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-29978: Microsoft PowerPoint Remote Code Execution Vulnerability
CVE-2025-29979: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30375: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30376: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30379: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30381: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30383: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30393: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-32704: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-32705: Microsoft Outlook Remote Code Execution Vulnerability

 

Excel (7 CVEs)

Important severity
CVE-2025-29977: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30375: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30376: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30379: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30381: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-30383: Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-32704: Microsoft Excel Remote Code Execution Vulnerability

 

SharePoint (4 CVEs)

Important severity
CVE-2025-29976: Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVE-2025-30378: Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2025-30382: Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2025-30384: Microsoft SharePoint Server Remote Code Execution Vulnerability

 

Visual Studio (4 CVEs)

Important severity
CVE-2025-21264: Visual Studio Code Security Feature Bypass Vulnerability
CVE-2025-26646: .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability
CVE-2025-32702: Visual Studio Remote Code Execution Vulnerability
CVE-2025-32703: Visual Studio Information Disclosure Vulnerability

 

RDP Client (2 CVEs)

Critical severity
CVE-2025-29966: Remote Desktop Client Remote Code Execution Vulnerability
CVE-2025-29967: Windows Remote Desktop Services Remote Code Execution Vulnerability

.NET (1 CVE)

Important severity
CVE-2025-26646: .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability

Azure (1 CVE)

Important severity
CVE-2025-30387: Document Intelligence Studio On-Prem Information Disclosure Vulnerability

Dataverse (1 CVE)

Important severity
CVE-2025-29826: Microsoft Dataverse Elevation of Privilege Vulnerability

Defender (1 CVE)

Important severity
CVE-2025-26685: Microsoft Defender for Identity Spoofing Vulnerability

Nuance PowerScribe 360 (1 CVE)

Critical severity
CVE-2025-30398: Nuance PowerScribe 360 Information Disclosure Vulnerability

PC Manager (1 CVE)

Important severity
CVE-2025-29975: Microsoft PC Manager Elevation of Privilege Vulnerability

Windows HLK (1 CVE)

Important severity
CVE-2025-27488: Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability

 

Appendix D: Advisories and Other Products

There are 8 Adobe advisories in this month’s release.

CVE-2025-43559 (APSB25-52): Improper Input Validation (CWE-20)
CVE-2025-43560 (APSB25-52): Improper Input Validation (CWE-20)
CVE-2025-43561 (APSB25-52): Improper Access Control (CWE-284)
CVE-2025-43562 (APSB25-52): Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) (CWE-78)
CVE-2025-43563 (APSB25-52): Improper Access Control (CWE-284)
CVE-2025-43564 (APSB25-52): Incorrect Authorization (CWE-863)
CVE-2025-43565 (APSB25-52): Improper Access Control (CWE-284)
CVE-2025-43566 (APSB25-52): Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22)

 

There are, this month, an additional load of Microsoft advisories and informational releases that deserve attention. Most of them are Edge-related, and we present those in the usual fashion. However, seven additional CVEs involve Azure, Dataverse, or Power Apps. All of them have already been addressed by Microsoft and thus should pose no action item for administrators, but are important enough that we choose to flag them here with their severities and CVSS scores. May’s release also includes servicing stack updates.

ADV990001: Latest Servicing Stack Updates
CVE-2025-4050: Chromium: CVE-2025-4050 Out of bounds memory access in DevTools
CVE-2025-4051: Chromium: CVE-2025-4051 Insufficient data validation in DevTools
CVE-2025-4052: Chromium: CVE-2025-4052 Inappropriate implementation in DevTools
CVE-2025-4096: Chromium: CVE-2025-4096 Heap buffer overflow in HTML
CVE-2025-4372: Chromium: CVE-2025-4372 Use after free in WebAudio
CVE-2025-21353: Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
CVE-2025-21388: Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVE-2025-29825: Microsoft Edge (Chromium-based) Spoofing Vulnerability

 

| CVE | Title | Impact | Severity | CVSS Base | CVSS Temporal |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-29813 | Azure DevOps Elevation of Privilege Vulnerability | Elevation of Privilege | Critical | 10.0 | 9.0 |
| CVE-2025-29827 | Azure Automation Elevation of Privilege Vulnerability | Elevation of Privilege | Critical | 9.9 | 8.9 |
| CVE-2025-29972 | Azure Storage Resource Provider Spoofing Vulnerability | Spoofing | Critical | 9.9 | 8.9 |
| CVE-2025-29973 | Microsoft Azure File Sync Elevation of Privilege Vulnerability | Elevation of Privilege | Important | 7.0 | 6.1 |
| CVE-2025-33072 | Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability | Information Disclosure | Critical | 8.1 | 7.1 |
| CVE-2025-47732 | Microsoft Dataverse Remote Code Execution Vulnerability | Remote Code Execution | Critical | 8.7 | 7.6 |
| CVE-2025-47733 | Microsoft Power Apps Information Disclosure Vulnerability | Information Disclosure | Critical | 9.1 | 7.9 |

 

 

Appendix E: Affected Windows Server versions

This is a table of the CVEs in the May release affecting nine Windows Server versions, 2008 through 2025. The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). Critical-severity issues are marked in red; an “x” indicates that the CVE does not apply to that version. Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft. Please note that CVE-2025-29971 is a client-only Windows issue and thus appears in this chart, but with no server versions marked.

2008 | 2008-R2 | 2012 | 2012-R2 | 2016 | 2019 | 2022 | 2022 23H2 | 2025
CVE-2025-24063
CVE-2025-26677××××
CVE-2025-27468××
CVE-2025-29829××××
CVE-2025-29830
CVE-2025-29831×
CVE-2025-29832
CVE-2025-29833××
CVE-2025-29835×
CVE-2025-29836
CVE-2025-29837
CVE-2025-29838××××××××
CVE-2025-29839
CVE-2025-29840×××××
CVE-2025-29841××××××
CVE-2025-29842××××
CVE-2025-29954×
CVE-2025-29955×××××××
CVE-2025-29956
CVE-2025-29957
CVE-2025-29958
CVE-2025-29959
CVE-2025-29960
CVE-2025-29961
CVE-2025-29962
CVE-2025-29963×××××
CVE-2025-29964×××××
CVE-2025-29966×
CVE-2025-29967×
CVE-2025-29968×
CVE-2025-29969
CVE-2025-29970×××××××
CVE-2025-29971×××××××××
CVE-2025-29974
CVE-2025-30385
CVE-2025-30388
CVE-2025-30394××
CVE-2025-30397
CVE-2025-30400×××××
CVE-2025-32701
CVE-2025-32706
CVE-2025-32707×××
CVE-2025-32709
