On May 13, 2025, Microsoft released its May 2025 security update, addressing 78 newly disclosed vulnerabilities. Arctic Wolf has highlighted six of these vulnerabilities in this security bulletin, including five that have been exploited in the wild and one that Microsoft has rated as critical.
Vulnerabilities
Vulnerability | CVSS | Description | Exploited? |
CVE-2025-30397 | 7.5 | Scripting Engine Memory Corruption Vulnerability – An unauthenticated remote threat actor can exploit this by convincing an authenticated user to click a malicious link, which initiates remote code execution (RCE) via Internet Explorer mode in Microsoft Edge. | Yes |
CVE-2025-30400 | 7.8 | Microsoft DWM Core Library Elevation of Privilege Vulnerability – A local threat actor can exploit this vulnerability to gain SYSTEM privileges. | Yes |
CVE-2025-32701 | 7.8 | Windows Common Log File System Driver Elevation of Privilege Vulnerability – A local threat actor can exploit this vulnerability to gain SYSTEM privileges. | Yes |
CVE-2025-32706 | 7.8 | Windows Common Log File System Driver Elevation of Privilege Vulnerability – A local threat actor can exploit this vulnerability to gain SYSTEM privileges. | Yes |
CVE-2025-32709 | 7.8 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability – A local threat actor can exploit this vulnerability to gain administrator privileges. | Yes |
CVE-2025-30386 | 8.4 | Microsoft Office Remote Code Execution Vulnerability – A critical use-after-free vulnerability in Microsoft Office that a threat actor can exploit by sending a specially crafted file which executes code when the victim opens it. In the worst-case scenario, the threat actor can trigger code execution when the file is simply viewed in the Preview Pane, with no user interaction required. Although the code runs locally, it is considered remote code execution since the threat actor operates remotely. | No |
Recommendation
Upgrade to Latest Fixed Versions
Arctic Wolf strongly recommends that customers upgrade to the latest fixed versions.
Product | CVE | Update Article |
Windows Server 2025 | CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058411, 5058497 |
Windows Server 2022, 23H2 Edition | CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058384 |
Windows Server 2022 | CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058385, 5058500 |
Windows Server 2019 | CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058392 |
Windows Server 2016 | CVE-2025-30397, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058383 |
Windows Server 2012 R2 | CVE-2025-30397, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058403, 5058380 |
Windows Server 2012 | CVE-2025-30397, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058451, 5058380 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | CVE-2025-30397, CVE-2025-32701, CVE-2025-32706 | 5058430, 5058454, 5058380 |
Windows Server 2008 for x64-based, and 32-bit Systems Service Pack 2 | CVE-2025-30397, CVE-2025-32701, CVE-2025-32706 | 5058449, 5058429, 5058380 |
Windows 11 Version 24H2 for x64-based, and ARM64-based Systems | CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058411, 5058497 |
Windows 11 Version 23H2 for x64-based, and ARM64-based Systems | CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058405 |
Windows 11 Version 22H2 for x64-based, and ARM64-based Systems | CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058405 |
Windows 10 Version 22H2 for 32-bit, x64-based, and ARM64-based Systems | CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058379 |
Windows 10 Version 21H2 for 32-bit, x64-based, and ARM64-based Systems | CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058379 |
Windows 10 Version 1809 for 32-bit, and x64-based Systems | CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058392 |
Windows 10 Version 1607 for 32-bit, and x64-based Systems | CVE-2025-30397, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058383 |
Windows 10 for 32-bit, and x64-based Systems | CVE-2025-30397, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 | 5058387 |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.