
Microsoft’s May 2025 Patch Tuesday delivers security updates addressing 72 vulnerabilities, including five zero-days actively exploited in the wild and two publicly disclosed flaws. The release continues a run of high-severity fixes, with NTFS, the CLFS driver, and remote code execution (RCE) flaws again prominent. The updates span Windows, Azure, and Office products and require immediate attention from security teams.
Summary for CISOs
The May 2025 Patch Tuesday includes:
– **5 zero-days** under active exploitation (details below)
– **72 total vulnerabilities**, with 17 rated critical
– Recurring issues in NTFS, CLFS driver, and Hyper-V
– One wormable TCP/IP stack flaw (CVE-2025-26686)
– Extended Protection for Authentication (EPA) now default in Windows Server 2025
Zero-Day Vulnerabilities
The five exploited zero-days include three NTFS flaws and two privilege escalation vulnerabilities. CVE-2025-24991 and CVE-2025-24993 allow memory disclosure and local code execution via malicious virtual disks, while CVE-2025-24984 leaks NTFS heap memory when a crafted USB drive is mounted. These were reported by ESET and Microsoft Threat Intelligence. The CLFS driver flaw (CVE-2024-49138), previously patched in December 2024, resurfaced with new exploitation techniques.
Critical RCE and Privilege Escalation Flaws
Remote code execution vulnerabilities dominate the critical-rated patches. CVE-2025-26686 in the Windows TCP/IP stack is wormable, requiring no user interaction. Hyper-V escapes (CVE-2025-27491) and Office document exploits (CVE-2025-27745/27748/27749) also pose significant risks. The LDAP client RCE (CVE-2024-49112) with a CVSS 9.8 score remains unpatched in some legacy systems.
| Month | Vulnerabilities | Zero-Days | Critical |
|---|---|---|---|
| Dec 2024 | 72 | 1 | 17 |
| Mar 2025 | 57 | 6 | 6 |
| Apr 2025 | 121 | 1 | 11 |
| May 2025 | 72 | 5 | 17 |
Remediation and Best Practices
Prioritize patching systems affected by the five zero-days and critical RCE flaws. Test updates for Hyper-V and TCP/IP stack changes in development environments first. Microsoft recommends enabling EPA for NTLM relay attack mitigation. Monitor CISA’s KEV catalog for mandatory patching deadlines, particularly for CVE-2025-26686 and CVE-2025-24984.
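The prioritisation and KEV-monitoring steps above can be scripted. The following is an added example, not code from the original article or from Microsoft or CISA: it takes the CVEs named in this advisory, joins them against a catalogue in the shape of CISA's KEV JSON feed, and orders them so that KEV-listed flaws with the nearest due dates come first, followed by exploited zero-days, wormable flaws, and the remaining critical-rated items. The KEV entries, due dates and the `CVE-2099-00001` filler entry are constructed sample data; in practice the catalogue text would be downloaded from CISA rather than embedded.

```python
"""Prioritise this month's CVEs against a KEV-style catalogue (added example)."""
import json
from datetime import date

# CVEs named in the advisory text, with only the attributes the text gives them.
ADVISORY_CVES = {
    "CVE-2025-24991": {"component": "NTFS", "exploited": True, "critical": False, "wormable": False},
    "CVE-2025-24993": {"component": "NTFS", "exploited": True, "critical": False, "wormable": False},
    "CVE-2025-24984": {"component": "NTFS", "exploited": True, "critical": False, "wormable": False},
    "CVE-2024-49138": {"component": "CLFS", "exploited": True, "critical": False, "wormable": False},
    "CVE-2025-26686": {"component": "TCP/IP", "exploited": False, "critical": True, "wormable": True},
    "CVE-2025-27491": {"component": "Hyper-V", "exploited": False, "critical": True, "wormable": False},
    "CVE-2025-27745": {"component": "Office", "exploited": False, "critical": True, "wormable": False},
    "CVE-2025-27748": {"component": "Office", "exploited": False, "critical": True, "wormable": False},
    "CVE-2025-27749": {"component": "Office", "exploited": False, "critical": True, "wormable": False},
    "CVE-2024-49112": {"component": "LDAP client", "exploited": False, "critical": True, "wormable": False},
}

# CONSTRUCTED sample in the shape of the KEV JSON feed. Field names follow the
# public feed's schema; dates, notes and the CVE-2099 entry are placeholders.
KEV_SAMPLE = json.dumps({
    "title": "KEV catalogue (constructed sample)",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2025-26686", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2025-05-13", "dueDate": "2025-05-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-24984", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2025-05-13", "dueDate": "2025-06-03", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-00001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "dateAdded": "2025-05-01", "dueDate": "2025-05-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(text):
    """Parse KEV-shaped JSON into a dict keyed by CVE id."""
    return {entry["cveID"]: entry for entry in json.loads(text)["vulnerabilities"]}


def prioritize(advisory, kev, today):
    """Return advisory CVEs as rows, most urgent first.

    Order: KEV-listed (soonest due date first), then exploited in the wild,
    then wormable, then critical-rated; CVE id breaks remaining ties.
    KEV entries that are not in the advisory are ignored.
    """
    rows = []
    for cve, attrs in advisory.items():
        entry = kev.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({
            "cve": cve, **attrs,
            "in_kev": entry is not None,
            "due": due,
            "days_left": (due - today).days if due else None,
        })

    def sort_key(row):
        return (
            0 if row["in_kev"] else 1,
            row["due"] or date.max,
            0 if row["exploited"] else 1,
            0 if row["wormable"] else 1,
            0 if row["critical"] else 1,
            row["cve"],
        )

    return sorted(rows, key=sort_key)


def overdue(rows, today):
    """CVE ids whose KEV due date has already passed on `today`."""
    return [row["cve"] for row in rows if row["due"] is not None and row["due"] < today]


if __name__ == "__main__":
    today = date(2025, 5, 20)  # constructed reference date
    ranked = prioritize(ADVISORY_CVES, load_kev(KEV_SAMPLE), today)
    for row in ranked:
        flags = [k for k in ("in_kev", "exploited", "wormable", "critical") if row[k]]
        due = f"due {row['due']} ({row['days_left']}d)" if row["due"] else "no KEV deadline"
        print(f"{row['cve']}  {row['component']:<12} {due:<26} {', '.join(flags)}")
    print("overdue:", overdue(ranked, today))
```

Rows without a KEV deadline still sort by the advisory's own risk signals, so a zero-day that CISA has not yet listed is not buried below routine critical fixes; re-running the script against a fresh catalogue download each day is the practical way to track the deadlines the text refers to.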
Conclusion
The May 2025 updates reflect ongoing challenges with legacy components like NTFS and CLFS. The recurrence of similar vulnerabilities suggests attackers are refining exploitation techniques. Organizations should review patch deployment timelines and consider additional controls for high-risk systems.
References
- “Microsoft: 6 Zero-Days in March 2025 Patch Tuesday,” Krebs on Security, Mar. 2025.
- “Microsoft Fixes 72 Flaws Including 1 Zero-Day,” The Hacker News, Dec. 2024.
- “Microsoft Addressed 121 Vulnerabilities in April 2025,” TechAipost, Apr. 2025.