Initiatieven voor
Als nationale autoriteit voor cyberveiligheid heeft het CCB verschillende initiatieven ontwikkeld voor specifieke doelgroepen die hier worden gepresenteerd.
Warning: Microsoft Patch Tuesday May 2025 patches 71 vulnerabilities (5 Critical, 66 Important, 0 Moderate), patch Immediately!!
Image
Gepubliceerd : 14/05/2025
* Last update: 14/05/2025
* Affected software:
→.NET, Visual Studio, and Build Tools for Visual Studio
→Windows operating system and associated components
→Microsoft Office and associated components
→Azure
→Nuance PowerScribe
→Remote Desktop Gateway Service
→Microsoft Defender
* Type: Several types, ranging from Spoofing to Remote Code Execution and Privilege Escalation.
* CVE/CVSS:
Microsoft patched 71 vulnerabilities in its May 2025 Patch Tuesday release, 5 rated as critical, 66 rated >important. Including 5 0- day vulnerabilities that are actively exploited.
Number of CVE by type:
→28 Remote Code Execution vulnerabilities
→18 Elevation of Privilege vulnerabilities
→14 Information Disclosure vulnerabilities
→2 Spoofing vulnerability
→7 Denial of Service vulnerabilities
→2 Security Feature Bypass vulnerabilities
Sources
Microsoft - https://msrc.microsoft.com/update-guide/releaseNote/2025-May
Risks
Microsoft’s May 2025 Patch Tuesday includes 71 vulnerabilities (5 critical, 66 important, 0 moderate and 0 low), for a wide range of Microsoft products, impacting Microsoft Server and Workstations. This Patch Tuesday includes 5 actively exploited zero-day vulnerabilities. Some other vulnerabilities are also more likely to be exploited soon, therefore urgent patching is advised.
Description
Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software.
The CCB would like to point your attention to following vulnerabilities:
CVE-2025-32701 and CVE-32706: Windows Common Log File System Driver (Actively exploited)
Elevation of Privilege Vulnerability, CVSS: 7.8.
CVE-2025-32701: Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-32706: Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
An attacker who successfully exploited either vulnerability could gain SYSTEM privileges.
According to Microsoft, both these vulnerabilities are actively exploited. According to the Zero Day Initiative, vulnerabilities in the Windows Common Log File System Driver have previously been exploited by different groups – including ransomware gangs – who usual pair a privilege escalation vulnerability in this Windows component with a code execution bug in order to take over a system (https://www.zerodayinitiative.com/blog/2025/5/13/the-may-2025-security-update-review).
CVE-2025-30400: Microsoft DWM (Actively exploited)
Elevation of Privilege Vulnerability, CVSS: 7.8
Use after free in Windows DWM allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited either vulnerability could gain SYSTEM privileges. According to Microsoft, this vulnerability is actively exploited. Flaws in Microsoft DWM have been exploited in the past, including in attacks back in 2024 to distribute QakBot malware (https://securelist.com/cve-2024-30051/112618/).
CVE-2025-32709: Windows Ancillary Function Driver for WinSock (Actively exploited)
Elevation of Privilege Vulnerability, CVSS: 7.8.
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited either vulnerability could gain SYSTEM privileges.
According to the Zero Day Initiative, attackers targeted the same component – Windows Ancillary Function Driver for WinSock – already in February this year (https://www.zerodayinitiative.com/blog/2025/5/13/the-may-2025-security-update-review).
CVE-2025-30397: Microsoft Scripting Engine (Actively exploited)
Remote Code Execution Vulnerability, CVSS: 7.5.
The flaw resides in the access of resource using incompatible type ('type confusion') in Microsoft Scripting Engine, which allows an unauthorized attacker to execute code over a network.
According to Microsoft, this vulnerability is actively exploited but the attack requires certain conditions to be met. To successfully exploit this vulnerability, an attacker must first prepare the target, so it uses Edge in Internet Explorer Mode. The attack also requires that the authenticated client clicks a link for the unauthenticated attacker to be able to initiate remote code execution.
This vulnerability affects all supported versions of Microsoft Windows because, even when the Internet Explorer 11 application on certain platforms and Microsoft Edge Legacy application are deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported.
Other notable vulnerabilities
Microsoft assesses that the following vulnerabilities may be actively exploited in the future. It marked as “Exploitation more likely” the following vulnerabilities:
• CVE-2025-24603 affecting Windows Kernel. CVSS: 7.8.
• CVE-2025-29841 affecting Universal Print Management Service. CVSS: 7.0
• CVE-2025-29971 affecting Web Threat Defense (WTD.sys). CVSS: 7.5
• CVE-2025-29976 and CVE-2025-30382 affecting Microsoft Office Sharepoint. CVSS: 7.8
• CVE-2025-30385 affecting Windows Common Log File System Driver. CVSS: 7.8.
• CVE-2025-30386 affecting Microsoft Office. CVSS: 8.4.
• CVE-2025-30388 affecting Windows Graphics Component. CVSS: 7.8.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
Microsoft Patch Tuesday May 2025 - https://msrc.microsoft.com/update-guide/releaseNote/2025-May
Zero Day Initiative - https://www.zerodayinitiative.com/blog/2025/5/13/the-may-2025-security-update-review
The Hacker News - https://thehackernews.com/2025/05/microsoft-fixes-78-flaws-5-zero-days.html
CyberScoop - https://cyberscoop.com/microsoft-patch-tuesday-may-2025/
Tenable - https://www.tenable.com/blog/microsofts-may-2025-patch-tuesday-addresses-71-cves-cve-2025-32701-cve-2025-32706