May is all about clarity and fresh starts—and that includes your IT environment. As we observe Mental Health Awareness Month, there’s no better time to reduce security stress by staying ahead of threats. This month’s Patch Tuesday brings fixes for 78 vulnerabilities, including 7 zero-days and 6 critical vulnerabilities, helping you keep your systems secure and your operations worry-free.
Let's uncover what's fresh in this year's fifth Patch Tuesday. Also, register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.
Fact: This count excludes the Azure, Dataverse, Mariner, and Microsoft Edge flaws that were addressed earlier this month.
Security updates have been released for critical Microsoft products, including:
To view the complete list of affected products, features, and roles, please refer to the MSRC Release Notes.
Fun fact: This could mark the first Patch Tuesday where the Common Log File System Driver stands out as a leading candidate for the dubious distinction of being the most frequently exploited component.
Here’s how this month’s vulnerabilities are distributed:
Bottom line? Remote Code Execution (RCE) vulnerabilities lead this month too, and they remain the primary focus of the security updates.
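Counting a release by impact type is only half of the triage; the ordering that matters for rollout is "exploited in the wild first, publicly disclosed second, Critical-rated third". The script below is an added example, not part of the original post or of any vendor product: it tallies a constructed set of records modelled on this month's mix (five exploited, two publicly disclosed, RCE the largest impact class) and returns a patch order. The CVE identifiers are placeholders, not the real May identifiers.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder identifier, not a real CVE from the release
    impact: str       # MSRC impact class, e.g. "RCE", "EoP", "Spoofing"
    severity: str     # "Critical" or "Important"
    exploited: bool   # exploitation detected in the wild
    disclosed: bool   # publicly disclosed before the fix shipped


# Constructed sample shaped like this month's headline items; the IDs are placeholders.
SAMPLE = [
    Vuln("CVE-XXXX-0001", "EoP", "Important", True, False),        # DWM use-after-free
    Vuln("CVE-XXXX-0002", "EoP", "Important", True, False),        # CLFS use-after-free
    Vuln("CVE-XXXX-0003", "EoP", "Important", True, False),        # CLFS input validation
    Vuln("CVE-XXXX-0004", "EoP", "Important", True, False),        # AFD/WinSock use-after-free
    Vuln("CVE-XXXX-0005", "RCE", "Important", True, False),        # scripting engine type confusion
    Vuln("CVE-XXXX-0006", "Spoofing", "Important", False, True),   # LAN spoofing, publicly disclosed
    Vuln("CVE-XXXX-0007", "RCE", "Important", False, True),        # Visual Studio command injection
    Vuln("CVE-XXXX-0008", "RCE", "Critical", False, False),
    Vuln("CVE-XXXX-0009", "RCE", "Critical", False, False),
    Vuln("CVE-XXXX-0010", "Info Disclosure", "Important", False, False),
]


def distribution(vulns: list[Vuln]) -> Counter:
    """Count of vulnerabilities per impact class (the 'how they are distributed' chart)."""
    return Counter(v.impact for v in vulns)


def zero_days(vulns: list[Vuln]) -> list[Vuln]:
    """Zero-day in MSRC's sense: exploited before the fix, or publicly disclosed before it."""
    return [v for v in vulns if v.exploited or v.disclosed]


def priority(v: Vuln) -> int:
    """Lower is more urgent: in-the-wild exploitation beats disclosure beats Critical rating."""
    if v.exploited:
        return 0
    if v.disclosed:
        return 1
    if v.severity == "Critical":
        return 2
    return 3


def patch_order(vulns: list[Vuln]) -> list[str]:
    """CVE identifiers in the order a rollout should address them (stable within a tier)."""
    return [v.cve for v in sorted(vulns, key=priority)]


if __name__ == "__main__":
    print("by impact:", dict(distribution(SAMPLE)))
    print("zero-days:", len(zero_days(SAMPLE)), "exploited:", sum(v.exploited for v in SAMPLE))
    print("patch order:", patch_order(SAMPLE))
```

The same ranking applies unchanged to a full month's feed once the records are loaded from the MSRC data instead of the constructed list; the point is that the exploited-in-the-wild flag, not the Critical/Important label, decides what goes out first.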
This vulnerability impacts the Desktop Window Manager (DWM), a crucial Windows component responsible for rendering visual effects. Exploiting a use-after-free bug, attackers with limited access could potentially escalate to SYSTEM privileges locally. It's akin to lending someone your house keys and discovering they've taken ownership. Microsoft credits the discovery of this flaw to its Threat Intelligence Center and confirms it has already been exploited in the wild.
This vulnerability affects the Common Log File System Driver through a use-after-free flaw. An authorized attacker could leverage this to elevate their privileges, essentially granting themselves admin access on the system. It's a typical privilege escalation issue that tends to resurface with different variations every few months. Microsoft's internal threat team has identified this vulnerability as actively exploited.
This one takes a slightly different approach with improper input validation instead of memory issues. But the result is the same—SYSTEM-level access. With contributions from Google Threat Intelligence and CrowdStrike, this is clearly a high-profile discovery. It’s actively exploited in the wild, and if you're not patching now, you're volunteering for a red team exercise (except it's a real attacker this time).
Yet another use-after-free flaw, this time in the Ancillary Function Driver for Windows Sockets (WinSock). This vulnerability also enables local SYSTEM access, which is about as bad as it sounds. Reported anonymously, it’s being actively exploited and, again, affects the kind of core component you don’t want misbehaving. Patch or prepare for trouble—your network stack is at risk.
This memory corruption flaw stems from type confusion in the scripting engine, which can be triggered when a user clicks a malicious link in Edge or Internet Explorer (yes, that’s still a thing). The kicker? The attacker doesn’t even need to authenticate. All they need is your curiosity—and a click. A chilling reminder to patch AND train your users. This zero-day was caught by Microsoft’s threat intelligence team and is being exploited in the wild.
A publicly disclosed spoofing flaw that allows unauthenticated attackers on the same network to impersonate other accounts. This can be exploited over a local area network due to weak authentication mechanisms. It’s not actively exploited (yet), but now that it’s public knowledge, don’t count on that staying true for long. Discovered by Joshua Murrell at NetSPI.
This RCE vulnerability in Visual Studio stems from improper command input sanitization—basically, command injection. If an attacker tricks someone into opening a malicious project or file, they can execute arbitrary code on the developer's machine. It’s not known to be actively exploited, but with its wide reach and severity, patching should be a top priority—especially in development environments.
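The Visual Studio flaw is described only as improper sanitization of command input, so the concrete code is not on the page; what follows is an added, generic illustration of that bug class, not Visual Studio's code and not the actual vulnerable path. It contrasts the vulnerable pattern (an attacker-controlled value from a project file pasted into one shell string) with the hardened one (an argv list, no shell, plus an input check), and proves with a real child process that the argv form delivers the hostile value as a single inert argument. `MALICIOUS_PATH`, `build-tool` and all function names are constructed for the example.

```python
import re
import subprocess
import sys

# Constructed sample: a "project path" smuggled in through a malicious project file.
# The text after ';' is the injected part; echo is harmless filler standing in for anything.
MALICIOUS_PATH = "proj.vcxproj; echo INJECTED"

# Characters that let a value escape its intended argument when a shell parses the line.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def build_command_unsafe(project_path: str) -> str:
    """Vulnerable pattern: untrusted text concatenated into a single shell string.
    Run with shell=True, the ';' terminates the intended command and the rest runs too."""
    return f"build-tool --project {project_path}"


def build_command_safe(project_path: str) -> list[str]:
    """Hardened pattern: argv list and no shell, so the value is one opaque argument."""
    return ["build-tool", "--project", project_path]


def looks_injected(project_path: str) -> bool:
    """The input-validation step the fix class adds: refuse shell metacharacters outright
    rather than trying to escape them."""
    return SHELL_META.search(project_path) is not None


def echo_first_arg(project_path: str) -> str:
    """Run a child the safe way and return exactly what it received as argv[1].
    The Python interpreter stands in for the build tool so the demo runs anywhere."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", project_path]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("unsafe string :", build_command_unsafe(MALICIOUS_PATH))
    print("safe argv     :", build_command_safe(MALICIOUS_PATH))
    print("rejected?     :", looks_injected(MALICIOUS_PATH))
    print("child argv[1] :", echo_first_arg(MALICIOUS_PATH))
```

The child process prints the full hostile string, semicolon and all, as one argument; nothing after the semicolon ever executes because no shell parsed the line. The metacharacter check is a defence-in-depth layer on top of that, not a substitute for it.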
Takeaway: Even if you’re patched against Microsoft vulnerabilities, don’t forget third-party software—it’s just as critical!
78 vulnerabilities might sound like a lot, and with 7 zero-day vulnerabilities—5 of which are exploited in the wild—the situation is definitely heating up. Think of it like a pressure cooker; you don’t want to wait too long before releasing the steam. Patch your systems now before things really start to boil over! With Endpoint Central, Patch Manager Plus and Vulnerability Manager Plus, you can streamline the entire patch management process—from testing patches to deploying them—effectively mitigating vulnerabilities. You can also tailor patch tasks according to your enterprise needs.
Register now for our free Patch Tuesday webinar to gain more insights about these Patch Tuesday updates. Our experts will not only offer in-depth analysis of the updates but also provide best practices for managing patches in your network. You can also ask our experts all your patch-related questions and get live answers in the webinar.