Microsoft fixes 75 vulnerabilities, 11 critical, in May Patch Tuesday

Microsoft fixed 75 security vulnerabilities as part of the May edition of its monthly Patch Tuesday release plan, including 11 issues considered critical risks.

The software and services giant said that this month’s patch load will include patches for five vulnerabilities that are actively targeted in the wild, as well as two others with public exploit code available.

None of the previously known or exploited flaws is considered critical and only one, CVE-2025-32702, would directly allow for remote code execution. Microsoft said the vulnerability would need to be exploited via a locally installed Visual Studio file.

Among the actively exploited flaws are a memory corruption bug in the Windows Scripting Engine (CVE-2025-30397) allowing for code execution, and a pair of elevation of privilege vulnerabilities (CVE-2025-32701, CVE-2025-32706) in the Windows Common Log File System driver.

Mike Walters, president of security provider Action, said that the vulnerabilities were particularly dangerous as the elevation of privilege they afford would give a threat actor total control over a vulnerable system.

“Attackers exploiting these vulnerabilities can escalate privileges to SYSTEM level, granting them full control to run arbitrary code, install malware, modify data, or disable security protections,” Walters said.

“With low complexity and minimal privileges needed, these flaws pose a serious risk, especially given the confirmed in-the-wild exploitation.“

Normally, the "Critical" rating is reserved for security issues that will allow an attacker to remotely take over the targeted machine with little-to-no interaction needed on the user end. This month, however, only six such vulnerabilities were described as remote code execution.

Among the more serious critical vulnerabilities were found in Azure. They include a pair of elevation of privilege flaws (CVE-2025-29827, CVE-2025-29813), as well as a spoofing bug (CVE-2025-29972.)

Dustin Childs, head of research with the Trend Zero Day Initiative, noted that while the May patch Tuesday release is relatively light compared with previous months, there are a number of flags that could indicate some emerging trends, particularly around potential attacks on Office.

“This number of fixes isn’t unusual for May, but it does put Microsoft ahead of where they were at this point last year in regards to CVEs released,” Childs explained.

“It’s also unusual to see so many Office-related bugs getting patched in a single month. Perhaps this is a harbinger of attacks we can expect to see later this year.”

Childs notes that administrators would be well advised to test and deploy this month’s patches as soon as possible, due to the upcoming Pwn2Own competition in Berlin.

The hacking contest challenges researchers to find and exploit zero-day vulnerabilities in a variety of systems, and the days following the competition often bring a slew of unscheduled, high-priority patches.