Microsoft
In its May Patch Tuesday release, Microsoft addressed 78 vulnerabilities. Five of these were already being actively exploited in the wild, and a further two were publicly disclosed zero-days.
The patches cover a broad array of applications and services, including: Windows, Visual Studio, Microsoft Office, Microsoft SharePoint, Microsoft Defender for Identity, Web Threat Defence, Universal Print Management Service, and more.
This month's vulnerabilities chiefly revolve around Remote Code Execution (RCE), Elevation of Privilege (EoP), and Information Disclosure. Outlined below are the actively exploited and publicly disclosed zero-days detailed in this month's Patch Tuesday:
Actively Exploited Zero-Days
· CVE-2025-30400 – This is an Elevation of Privilege vulnerability in Windows DWM Core Library that can allow an attacker to elevate their privileges to SYSTEM level. It is rated as Important, with a CVSS score of 7.8.
· CVE-2025-32701 and CVE-2025-32706 – These are both Elevation of Privilege vulnerabilities in the Windows Common Log File System (CLFS) Driver that can allow a local attacker to elevate their privileges to SYSTEM level. Both are rated as Important, with a CVSS score of 7.8. The difference is the underlying weakness: CVE-2025-32701 is a use-after-free, whereas CVE-2025-32706 stems from improper input validation.
· CVE-2025-32709 – This is an Elevation of Privilege vulnerability in the Windows Ancillary Function Driver for WinSock that can allow an attacker to elevate their privileges to SYSTEM level. It is rated as Important, with a CVSS score of 7.8.
· CVE-2025-30397 – This is a Remote Code Execution vulnerability in the Microsoft Scripting Engine (a memory corruption flaw) that can allow an attacker to execute arbitrary code on a victim's machine over a network. It is rated as Important, with a CVSS score of 7.5. The attacker would need to lure the victim into clicking a specially crafted URL, which could then allow them to execute code on the target system. Although this is known to have been exploited, it only affects users browsing with Microsoft Edge in Internet Explorer mode; organisations that do not need IE mode can reduce their exposure by disabling it through Edge policy.
Since these are known to have been exploited in the wild, users should look to patch these vulnerabilities as soon as possible to prevent potential exploitation.
Publicly Disclosed Zero-Days
· CVE-2025-26685 – This is a Spoofing vulnerability in Microsoft Defender for Identity that can allow an unauthenticated attacker on an adjacent network to spoof an identity. It is rated as Important, with a CVSS score of 6.5. Although the details have been publicly disclosed, it is not noted to have been exploited in the wild, and Microsoft rates exploitation as less likely. The attacker would need LAN access, but no credentials, to exploit this vulnerability and bypass authentication.
· CVE-2025-32702 – This is a Remote Code Execution vulnerability in Visual Studio caused by improper neutralisation of special elements used in a command (command injection). It can allow an attacker to execute arbitrary code locally. It is rated as Important, with a CVSS score of 7.8. Microsoft rates exploitation as less likely, but the issue has been publicly disclosed, so details are available to attackers. The attacker would need to convince a user to open a specially crafted file, leading to code execution on the victim's system.
Adobe
Adobe has released 13 updates this month, addressing a significant number of vulnerabilities. The applications in question are:
Cisco
Cisco has so far released 30 advisories covering 36 vulnerabilities in May, with impact ratings ranging from Medium to Critical. The Critical vulnerabilities affect Cisco IOS XE Wireless Controller Software and, in a separate advisory, multiple Cisco products.
Citrix
Citrix has released one security bulletin this month, which addresses XenServer and Citrix Hypervisor. CVE-2024-28956 is a hardware issue in Intel CPUs that may allow privileged code in one guest VM to infer memory contents of another VM running on the same CPU core. The flaw is not in XenServer or Citrix Hypervisor themselves, but Intel microcode and Citrix product updates have been released to mitigate it. It has been rated with Medium severity.
It is recommended that customers using Citrix Hypervisor 8.2 CU1 upgrade to XenServer 8.4 before the product reaches End of Life (EoL) on 25th June 2025.
Fortinet
Fortinet has published or updated 15 advisories in May: 1 Critical, 6 High, 5 Medium, and 3 Low severity. The Critical vulnerability affects FortiOS, FortiProxy, and FortiSwitchManager.
CVE-2025-22252 is an authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager, affecting devices configured to use a remote TACACS+ server with ASCII authentication. It can allow an attacker who knows the name of an existing admin account to log in as that admin without valid credentials. It is rated as Critical, with a CVSS score of 9.0. Because it grants full administrative access to the device, users should upgrade to the fixed versions immediately. The vulnerability is only triggered when ASCII authentication is enabled, so until the upgrade is applied the recommended workaround is to switch the TACACS+ configuration to an alternative authentication method such as PAP, MSCHAP, or CHAP.
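Fleets with many FortiGate, FortiProxy or FortiSwitchManager devices can check their configuration backups for the vulnerable TACACS+ setting rather than inspecting each device by hand. The script below is an added example, not Fortinet's code or the original post's: it walks the config/edit/set/next/end structure of a FortiOS config export, lists every server under `config user tacacs+` with its authentication type, and emits a copy of the config with the workaround applied. The sample configuration is constructed for illustration, and the keyword `set authen-type` with values `ascii`, `pap`, `chap`, `mschap` and `auto` is assumed from the FortiOS CLI reference.

```python
"""Audit FortiOS configuration text for TACACS+ servers using ASCII
authentication (the condition for CVE-2025-22252) and emit a copy of the
config with the workaround applied.  Added example, not Fortinet code."""
from typing import Dict, List, Optional

# Assumption: the FortiOS CLI keyword is `set authen-type` with values
# ascii | pap | chap | mschap | auto, as in the FortiOS CLI reference.
WEAK_AUTH_TYPE = "ascii"
WORKAROUND_AUTH_TYPES = ("pap", "mschap", "chap")
TACACS_BLOCK = "user tacacs+"

# Constructed sample of a FortiOS config backup (not from a real device).
SAMPLE_CONFIG = """\
config user tacacs+
    edit "tacacs-primary"
        set server "10.0.0.5"
        set key ENC redacted
        set authen-type ascii
    next
    edit "tacacs-backup"
        set server "10.0.0.6"
        set key ENC redacted
        set authen-type mschap
    next
end
config system admin
    edit "netops"
        set remote-auth enable
        set remote-group "tacacs-admins"
    next
end
"""


def parse_tacacs_servers(config_text: str) -> List[Dict[str, Optional[str]]]:
    """Walk the config/edit/set/next/end structure and collect every entry
    under `config user tacacs+` with its server address and authen-type."""
    servers: List[Dict[str, Optional[str]]] = []
    stack: List[str] = []          # names of the enclosing `config ...` blocks
    entry: Optional[Dict[str, Optional[str]]] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack:
                stack.pop()
        elif line.startswith("edit ") and stack and stack[-1] == TACACS_BLOCK:
            entry = {"name": line[len("edit "):].strip('"'),
                     "server": None, "authen-type": None}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            if key in ("server", "authen-type"):
                entry[key] = value.strip().strip('"')
        elif line == "next" and entry is not None:
            servers.append(entry)
            entry = None
    return servers


def find_ascii_servers(config_text: str) -> List[str]:
    """Names of TACACS+ server entries explicitly configured for ASCII auth."""
    return [s["name"] for s in parse_tacacs_servers(config_text)
            if s["authen-type"] == WEAK_AUTH_TYPE]


def apply_workaround(config_text: str, new_type: str = "pap") -> str:
    """Return the config with `set authen-type ascii` replaced by `new_type`,
    but only inside `config user tacacs+`; every other line is left as-is."""
    if new_type not in WORKAROUND_AUTH_TYPES:
        raise ValueError(f"{new_type!r} is not one of {WORKAROUND_AUTH_TYPES}")
    out: List[str] = []
    stack: List[str] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack:
                stack.pop()
        if stack and stack[-1] == TACACS_BLOCK and line == f"set authen-type {WEAK_AUTH_TYPE}":
            raw = raw.replace(WEAK_AUTH_TYPE, new_type)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name in find_ascii_servers(SAMPLE_CONFIG):
        print(f"TACACS+ server {name!r} uses ASCII authentication: vulnerable configuration")
    print(apply_workaround(SAMPLE_CONFIG, "pap"))
```

The rewritten text is a starting point for review, not something to push blindly: the TACACS+ server must also accept the new method, and the workaround does not replace upgrading to the fixed versions.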
Ivanti
Ivanti has addressed three products in its May security update:
· Ivanti Neurons for ITSM (on-premises only) (CVSS 9.8)
· Ivanti Cloud Services Application (CSA) (CVSS 7.8)
· Ivanti Neurons for MDM (CVSS 5.4)
Although the Ivanti Neurons for ITSM vulnerability is rated as Critical, Ivanti has noted that “Customers who have followed Ivanti’s guidance on securing the IIS website and restricted access to a limited number of IP addresses and domain names have a reduced risk to their environment. Customers who have users log into the solution from outside their company network also have a reduced risk to their environment if they ensure that the solution is configured with a DMZ.”
SAP
SAP has released 16 new security notes and 2 updates to previous security notes. Two of the CVEs are rated Critical and five rated High. The affected products are:
· SAP NetWeaver
· SAP Supplier Relationship Management
· SAP S/4HANA Cloud Private Edition or on-premise
· SAP BusinessObjects Business Intelligence Platform
· SAP Landscape Transformation
· SAP PDCE
Industrial Control Systems
Any customers utilising industrial control systems (ICS) should be aware of the following security advisories from CISA:
· ICSA-25-128-01 Horner Automation Cscape
· ICSA-25-128-02 Hitachi Energy RTU500 series
· ICSA-25-128-03 Mitsubishi Electric CC-Link IE TSN
· ICSA-25-093-01 Hitachi Energy RTU500 Series (Update A)
· ICSMA-25-128-01 Pixmeo OsiriX MD
· ICSA-25-126-01 Optigo Networks ONS NC600
· ICSA-25-126-02 Milesight UG65-868M-EA
· ICSA-25-126-03 BrightSign Players
Scattered Spider
Key advice to mitigate Scattered Spider-style attacks is as follows:
· Ensure 2-step verification (multi-factor authentication) is deployed comprehensively.
· Enhance monitoring for unauthorised account misuse; for example, look for risky sign-ins within Microsoft Entra ID Protection, where sign-in attempts have been flagged as potentially compromised due to suspicious activity or unusual behaviour, especially where the detection type is 'Microsoft Entra Threat intelligence'.
· Pay specific attention to Domain Admin, Enterprise Admin, Cloud Admin accounts, and check if access is legitimate.
· Review helpdesk password reset processes, including how the helpdesk verifies a staff member's identity before resetting a password, especially for accounts with elevated privileges.
· Ensure your security operations centre can identify logins from atypical sources, such as VPN services operating from residential IP ranges, through source enrichment and similar techniques.
· Ensure that you can rapidly consume tactics, techniques and procedures (TTPs) sourced from threat intelligence and respond accordingly.
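Three of the points above (watch privileged accounts, enrich sign-in sources, act on 'Microsoft Entra Threat intelligence' risk detections) can be combined into one triage pass over sign-in records. The script below is an added example written for this post, not code from Microsoft, the NCSC or the original author: it enriches each source IP against a small CIDR table standing in for a residential VPN/proxy feed, checks whether the account holds a privileged role, and raises an alert when any indicator fires, rating privileged accounts high. Every record, role set and CIDR is constructed for illustration; in practice the records would come from the Entra sign-in log and the enrichment table from a threat-intelligence or ASN source.

```python
"""Triage Entra ID style sign-in records for Scattered Spider-style account
misuse.  Added example, not the post's or Microsoft's code; every record and
CIDR below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

PRIVILEGED_ROLES = frozenset({
    "Global Administrator", "Privileged Role Administrator",
    "Domain Admins", "Enterprise Admins",
})
ENTRA_TI_DETECTION = "Microsoft Entra Threat intelligence"

# Constructed enrichment table.  In production this comes from a threat-intel
# feed or ASN lookup; here two documentation ranges stand in for residential
# VPN/proxy egress and one for known corporate egress.
RESIDENTIAL_PROXY_RANGES = [
    (ipaddress.ip_network("203.0.113.0/24"), "resi-vpn-example"),
    (ipaddress.ip_network("198.51.100.64/26"), "resi-proxy-example"),
]
CORPORATE_EGRESS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class SignIn:
    user: str
    source_ip: str
    roles: FrozenSet[str]
    mfa_satisfied: bool
    risk_detection: Optional[str] = None   # Entra ID Protection detection type, if any


def enrich_source(ip_text: str) -> str:
    """Label a source address as corporate, residential-proxy:<tag> or unknown."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in CORPORATE_EGRESS):
        return "corporate"
    for net, tag in RESIDENTIAL_PROXY_RANGES:
        if ip in net:
            return f"residential-proxy:{tag}"
    return "unknown"


def triage(signins: List[SignIn]) -> List[Dict[str, object]]:
    """Return one alert per sign-in that matches at least one indicator from
    the advice above; alerts on privileged accounts are rated high."""
    alerts: List[Dict[str, object]] = []
    for s in signins:
        source = enrich_source(s.source_ip)
        privileged = bool(s.roles & PRIVILEGED_ROLES)
        reasons = []
        if source.startswith("residential-proxy"):
            reasons.append(f"sign-in from {source}")
        if s.risk_detection == ENTRA_TI_DETECTION:
            reasons.append(f"risk detection type '{ENTRA_TI_DETECTION}'")
        if privileged and not s.mfa_satisfied:
            reasons.append("privileged account signed in without MFA")
        if reasons:
            alerts.append({
                "user": s.user,
                "severity": "high" if privileged else "medium",
                "source": source,
                "reasons": reasons,
            })
    return alerts


# Constructed sample records (not real sign-in data).
SAMPLE_SIGNINS = [
    SignIn("alice@example.com", "192.0.2.10", frozenset({"Global Administrator"}), True),
    SignIn("bob@example.com", "203.0.113.45", frozenset(), True),
    SignIn("carol@example.com", "198.51.100.77", frozenset({"Domain Admins"}), False, ENTRA_TI_DETECTION),
    SignIn("dave@example.com", "198.51.100.200", frozenset(), True),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_SIGNINS):
        print(f"[{alert['severity']}] {alert['user']} from {alert['source']}: "
              + "; ".join(alert["reasons"]))
```

On the sample data only bob (residential VPN source) and carol (residential proxy, Entra threat-intelligence detection, and a Domain Admin sign-in without MFA) produce alerts; alice signs in from corporate egress with MFA and dave from an unclassified address, so neither is raised. The point of the enrichment step is that the residential-range hit alone is enough to surface bob, who would otherwise look like an ordinary successful MFA sign-in.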
For more information on the recent Scattered Spider attacks – our Cyber Services team recently released a blog on this, which can be found here.
Additional information can also be found on the NCSC website here.
New European Vulnerability Database Launches
The European Union Agency for Cybersecurity (ENISA) has officially launched the European Vulnerability Database (EUVD), aimed at providing a centralised source of vulnerability information, exploitation status, and mitigation suggestions. This initiative comes in response to concerns over the future of the US National Vulnerability Database (NVD) and recent turmoil surrounding the CVE program, including the last-minute extension of MITRE's contract to run it.
The EUVD, mandated by the NIS2 directive, will operate similarly to the NVD, aggregating data from sources such as CSIRTs, vendors, and other databases such as CISA's Known Exploited Vulnerabilities catalogue and MITRE's CVE program. Information will be transferred into the EUVD automatically for easier access.
For a more detailed overview please see Infosecurity Magazine’s write up.
As always, users are recommended to apply the latest security updates as soon as possible to protect their systems from potential threats.
