Microsoft security alert.
May 13, 2025
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 67 vulnerabilities that were fixed in 13 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 13 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Cumulative Security Update for Internet Explorer (KB5058380)
- Severity
- Serious 3
- Qualys ID
- 100424
- Vendor Reference
- KB5058380
- CVE Reference
- N/A
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Microsoft has released a security update for Internet Explorer.
This security update resolves vulnerabilities in Internet Explorer 11.
Affected Software
Internet Explorer 11 for Windows Server 2012 R2
Internet Explorer 11 for Windows Server 2012
Internet Explorer 11 for Windows Server 2008 R2
QID Detection Logic:
This authenticated QID detects vulnerable mshtml.dll file versions on affected endpoints.
- Consequence
-
The vendor has stated that they are currently not aware of any security issues in this update.
- Solution
-
Customers are advised to refer to the official advisory. Patch download link can also be found here
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5058380
-
Microsoft SharePoint Server Security Update for May 2025
- Severity
- Critical 4
- Qualys ID
- 110493
- Vendor Reference
- KB5002706, KB5002708, KB5002709, KB5002712, KB5002722
- CVE Reference
- CVE-2025-29976, CVE-2025-30378, CVE-2025-30382, CVE-2025-30384
- CVSS Scores
- Base 7.2 / Temporal 5.3
- Description
-
Microsoft has released the May 2025 security update to fix Remote Code Execution and Elevation of Privilege vulnerabilities in SharePoint Server versions 2016 and 2019 and SharePoint Subscription Edition.
This security update contains the following KBs:
KB5002706
KB5002708
KB5002709
KB5002712
KB5002722
QID Detection Logic (Authenticated):
Operating System: Windows
The detection extracts the Install Path for Microsoft SharePoint via the Windows Registry and flags the QID based on Vulnerable File Version.
- Consequence
-
Vulnerable SharePoint may be prone to Remote Code Execution and Elevation of Privilege Vulnerabilities.
- Solution
-
Customers are advised to refer to the following articles:
CVE-2025-29976,
CVE-2025-30378,
CVE-2025-30382, and
CVE-2025-30384 for more information regarding the vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2025-29976
CVE-2025-30378
CVE-2025-30382
CVE-2025-30384
-
Microsoft Office Security Update for May 2025
- Severity
- Critical 4
- Qualys ID
- 110494
- Vendor Reference
- KB5002695, KB5002707, KB5002711, KB5002716, Office Click-2-Run and Office 365 Release Notes, Office Release Notes for Mac
- CVE Reference
- CVE-2025-26629, CVE-2025-29977, CVE-2025-29978, CVE-2025-29979, CVE-2025-30375, CVE-2025-30376, CVE-2025-30377, CVE-2025-30379, CVE-2025-30381, CVE-2025-30383, CVE-2025-30386, CVE-2025-30388, CVE-2025-30393, CVE-2025-32704, CVE-2025-32705
- CVSS Scores
- Base 7.2 / Temporal 5.3
- Description
-
Microsoft has released Office Security Updates for May 2025 to fix Remote Code Execution vulnerabilities.
This security update contains the following:
KB5002717
KB5002695
KB5002711
KB5002707
KB5002716
Office Release Notes for Mac and
Office Click-2-Run and Office 365 Release Notes
QID Detection Logic (Authenticated):
Operating System: Windows
The detection extracts the Install Path for Microsoft Office via the Windows Registry. The QID checks the file version of "graph.exe" to identify vulnerable versions of Microsoft Office.
Operating System: MacOS
This QID checks for the vulnerable versions of affected Office Applications.
- Consequence
-
Vulnerable products may be prone to Remote Code Execution vulnerabilities.
- Solution
-
Customers are advised to refer to these Article(s):
CVE-2025-30393,
CVE-2025-30377,
CVE-2025-30376,
CVE-2025-32705,
CVE-2025-32704,
CVE-2025-30388,
CVE-2025-30386,
CVE-2025-30383,
CVE-2025-30381,
CVE-2025-30379,
CVE-2025-30375,
CVE-2025-29979,
CVE-2025-26629,
CVE-2025-29978, and
CVE-2025-29977 for more information regarding these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2025-26629
CVE-2025-29977
CVE-2025-29978
CVE-2025-29979
CVE-2025-30375
CVE-2025-30376
CVE-2025-30377
CVE-2025-30379
CVE-2025-30381
CVE-2025-30383
CVE-2025-30386
CVE-2025-30388
CVE-2025-30393
CVE-2025-32704
CVE-2025-32705
-
Microsoft PC Manager Elevation of Privilege Vulnerability for May 2025
- Severity
- Critical 4
- Qualys ID
- 92255
- Vendor Reference
- CVE-2025-29975
- CVE Reference
- CVE-2025-29975
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Microsoft PC Manager is a utility app for your PC. It offers features such as one-click boost, storage clean-up, file management, and protection of your default settings from unauthorized changes.
Affected Version:
Microsoft PC Manager versions prior to 3.16.1.0.
QID Detection Logic:
This authenticated QID runs a WMI query to fetch the Microsoft PC Manager app version.
- Consequence
-
An attacker who successfully exploits this vulnerability could gain SYSTEM privileges.
- Solution
-
Customers are advised to refer to CVE-2025-29975 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2025-29975
-
Microsoft Remote Desktop Client Remote Code Execution (RCE) Vulnerability for May 2025
- Severity
- Urgent 5
- Qualys ID
- 92256
- Vendor Reference
- CVE-2025-29966, CVE-2025-29967
- CVE Reference
- CVE-2025-29966, CVE-2025-29967
- CVSS Scores
- Base 10 / Temporal 7.4
- Description
-
The Remote Desktop client for Windows Desktop is used to access Windows apps and desktops remotely from a different Windows device.
Affected Versions:
Remote Desktop client prior to 1.2.6228.0
QID Detection Logic (Authenticated):
This QID checks for a vulnerable Remote Desktop client.
- Consequence
-
An attacker with control of a Remote Desktop Server could trigger remote code execution (RCE) on the RDP client machine when a victim connects to the attacker's server with the vulnerable Remote Desktop Client.
- Solution
-
Customers are advised to refer to Microsoft Advisories for this Vulnerability CVE-2025-29967 and CVE-2025-29966
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2025-29966
CVE-2025-29967
-
Microsoft .NET Security Update for May 2025
- Severity
- Critical 4
- Qualys ID
- 92258
- Vendor Reference
- CVE-2025-26646
- CVE Reference
- CVE-2025-26646
- CVSS Scores
- Base 5.4 / Temporal 4
- Description
-
Microsoft .NET Security Update for May 2025
Affected Versions:
.NET 9.0 prior to 9.0.5
.NET 8.0 prior to 8.0.16
QID Detection Logic (Authenticated):
On Windows, this QID detects vulnerable versions of Microsoft .NET by checking the file version.
On Linux, this QID detects vulnerable versions of Microsoft .NET by checking the .NET version present in '/usr/share/dotnet/shared/Microsoft.NETCore.App/' and '/root/shared/Microsoft.NETCore.App' folders.
On Mac, this QID detects vulnerable versions of Microsoft .NET by checking the .NET version present in '/usr/share/dotnet/shared/Microsoft.NETCore.App/' folder.
- Consequence
- Successful exploitation of this vulnerability could lead to a security breach or may affect integrity, availability, and confidentiality.
- Solution
-
Customers are advised to refer to the following articles for more information on the vulnerabilities and patches.
CVE-2025-26646
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2025-26646
-
Microsoft Windows Security Update for May 2025
- Severity
- Critical 4
- Qualys ID
- 92259
- Vendor Reference
- KB5058379, KB5058383, KB5058387, KB5058392, KB5058405, KB5058411, KB5058497
- CVE Reference
- CVE-2025-24063, CVE-2025-27468, CVE-2025-29829, CVE-2025-29830, CVE-2025-29832, CVE-2025-29833, CVE-2025-29835, CVE-2025-29836, CVE-2025-29837, CVE-2025-29838, CVE-2025-29839, CVE-2025-29840, CVE-2025-29841, CVE-2025-29842, CVE-2025-29954, CVE-2025-29955, CVE-2025-29956, CVE-2025-29957, CVE-2025-29958, CVE-2025-29959, CVE-2025-29960, CVE-2025-29961, CVE-2025-29962, CVE-2025-29963, CVE-2025-29964, CVE-2025-29966, CVE-2025-29967, CVE-2025-29969, CVE-2025-29970, CVE-2025-29971, CVE-2025-29974, CVE-2025-30385, CVE-2025-30388, CVE-2025-30397, CVE-2025-32701, CVE-2025-32706, CVE-2025-32707
- CVSS Scores
- Base 5.4 / Temporal 4.5
- Description
-
Microsoft Windows Security Update for May 2025
KB5058379
KB5058392
KB5058497
KB5058405
KB5058387
KB5058411
KB5058383
QID Detection Logic (Authenticated):
This QID checks for the file version of 'ntoskrnl.exe'.
- Consequence
- Successful exploitation of this vulnerability could lead to a security breach or may affect integrity, availability, and confidentiality.
- Solution
-
Customers are advised to refer to the following articles for more information on the vulnerabilities and patches.
KB5058379
KB5058392
KB5058497
KB5058405
KB5058387
KB5058411
KB5058383
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5058379
KB5058383
KB5058387
KB5058392
KB5058405
KB5058411
KB5058497
-
Microsoft Windows Server Security Update for May 2025
- Severity
- Critical 4
- Qualys ID
- 92260
- Vendor Reference
- KB5058380, KB5058383, KB5058384, KB5058385, KB5058392, KB5058403, KB5058411, KB5058429, KB5058430, KB5058449, KB5058451, KB5058454, KB5058497, KB5058500
- CVE Reference
- CVE-2025-24063, CVE-2025-26677, CVE-2025-27468, CVE-2025-29829, CVE-2025-29830, CVE-2025-29831, CVE-2025-29832, CVE-2025-29833, CVE-2025-29835, CVE-2025-29836, CVE-2025-29837, CVE-2025-29838, CVE-2025-29839, CVE-2025-29840, CVE-2025-29841, CVE-2025-29842, CVE-2025-29954, CVE-2025-29955, CVE-2025-29956, CVE-2025-29957, CVE-2025-29958, CVE-2025-29959, CVE-2025-29960, CVE-2025-29961, CVE-2025-29962, CVE-2025-29963, CVE-2025-29964, CVE-2025-29966, CVE-2025-29967, CVE-2025-29968, CVE-2025-29969, CVE-2025-29970, CVE-2025-29974, CVE-2025-30385, CVE-2025-30388, CVE-2025-30394, CVE-2025-30397, CVE-2025-32701, CVE-2025-32706, CVE-2025-32707
- CVSS Scores
- Base 5.4 / Temporal 4.5
- Description
-
Microsoft Windows Server Security Update for May 2025
KB5058429
KB5058430
KB5058403
KB5058449
KB5058392
KB5058385
KB5058497
KB5058451
KB5058454
KB5058384
KB5058500
KB5058411
KB5058383
QID Detection Logic (Authenticated):
This QID checks for the file version of 'ntoskrnl.exe'.
- Consequence
- Successful exploitation of this vulnerability could lead to a security breach or may affect integrity, availability, and confidentiality.
- Solution
-
Customers are advised to refer to the following articles for more information on the vulnerabilities and patches.
KB5058429
KB5058430
KB5058403
KB5058449
KB5058392
KB5058385
KB5058497
KB5058451
KB5058454
KB5058384
KB5058500
KB5058411
KB5058383
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5058383
KB5058384
KB5058385
KB5058392
KB5058403
KB5058411
KB5058429
KB5058430
KB5058449
KB5058451
KB5058454
KB5058497
KB5058500
-
Microsoft Visual Studio Code Security Update for May 2025
- Severity
- Critical 4
- Qualys ID
- 92261
- Vendor Reference
- CVE-2025-21264
- CVE Reference
- CVE-2025-21264
- CVSS Scores
- Base 5.4 / Temporal 4
- Description
-
Microsoft Visual Studio Code Security Update for May 2025
Affected Versions:
Visual Studio Code prior to 1.100.1
QID Detection Logic (Authenticated):
This QID checks for the vulnerable versions of Visual Studio Code across Windows (code.exe), macOS (Visual Studio Code application), and Linux (code package).
- Consequence
- Successful exploitation of this vulnerability could lead to a security breach or may affect integrity, availability, and confidentiality.
- Solution
-
Customers are advised to refer to the following articles for more information on the vulnerabilities and patches.
CVE-2025-21264
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2025-21264
-
Microsoft Visual Studio Security Update for May 2025
- Severity
- Serious 3
- Qualys ID
- 92262
- Vendor Reference
- CVE-2025-26646, CVE-2025-32702, CVE-2025-32703
- CVE Reference
- CVE-2025-26646, CVE-2025-32702, CVE-2025-32703
- CVSS Scores
- Base 5.4 / Temporal 4
- Description
-
Microsoft Visual Studio Security Update for May 2025
Affected Versions:
Microsoft Visual Studio 2022 Version 17.10 prior to 17.10.14
Microsoft Visual Studio 2022 Version 17.8 prior to 17.8.21
Microsoft Visual Studio 2022 Version 17.14 prior to 17.14.0
Microsoft Visual Studio 2022 Version 17.13 prior to 17.13.7
Microsoft Visual Studio 2022 Version 17.12 prior to 17.12.8
Microsoft Visual Studio 2019 Version 16.11 (Includes 16.0 - 16.10) prior to 16.11.47
Microsoft Visual Studio 2017 Version 15.9 (Includes 15.0 - 15.8) prior to 15.9.73
QID Detection Logic (Authenticated):
This QID detects vulnerable versions of Microsoft Visual Studio by checking the registry key 'HKLM\SOFTWARE\Microsoft' and the file version of 'devenv.exe' to determine the installed Visual Studio version.
- Consequence
- Successful exploitation of this vulnerability could lead to a security breach or may affect integrity, availability, and confidentiality.
- Solution
-
Customers are advised to refer to the following articles for more information on the vulnerabilities and patches.
CVE-2025-32702
CVE-2025-26646
CVE-2025-32703
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2025-26646
CVE-2025-32702
CVE-2025-32703
-
Microsoft Defender For Linux Privilege Elevation Vulnerability for May 2025
- Severity
- Serious 3
- Qualys ID
- 92263
- Vendor Reference
- Releases for Defender for Endpoint on Linux
- CVE Reference
- CVE-2025-26684
- CVSS Scores
- Base 6 / Temporal 4.4
- Description
-
Microsoft Defender for Endpoint on Linux provides anti-malware and endpoint detection and response (EDR) capabilities.
External control of file name or path in Microsoft Defender for Endpoint allows an authenticated attacker to elevate privileges locally, and execute arbitrary code.
Affected Versions:
Microsoft Defender for Endpoint for Linux versions prior to 101.25032.0008
QID Detection Logic:
This authenticated QID detects vulnerable software versions by running the "mdatp version" command to detect vulnerable endpoints.
- Consequence
-
Successful exploitation allows an authenticated, local attacker to elevate privileges and execute arbitrary code on the targeted system.
- Solution
-
Customers are advised to upgrade to the latest Microsoft Defender For Linux version to remediate this vulnerability. Please refer to this link for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Defender for Endpoint for Linux
-
Microsoft Windows DWM Core Library Elevation of Privilege Vulnerability for May 2025
- Severity
- Critical 4
- Qualys ID
- 92264
- Vendor Reference
- CVE-2025-30400
- CVE Reference
- CVE-2025-30400
- CVSS Scores
- Base 4.3 / Temporal 3.6
- Description
-
Microsoft Windows DWM Core Library Elevation of Privilege Vulnerability CVE-2025-30400.
Affected Operating System: Windows 11 Version 22H2, Windows Server 2022 Core, Windows 10 Version 21H2, Windows 10 Version 1809, Windows 11 Version 24H2, Windows Server 2019 Core, Windows Server 23H2, Windows 10 Version 22H2, Windows Server 2022, Azure Stack HCI Version 22H2, Windows Server 2025, Windows 11 Version 23H2, Windows Server 2025 Core, Windows Server 2019
The KB Articles associated with the update:
Patch version is 10.0.26100.4061 for KB5058411.
Patch version is 10.0.25398.1611 for KB5058384.
Patch version is 10.0.22621.5331 for KB5058405.
Patch version is 10.0.19041.5848 for KB5058379.
Patch version is 10.0.20348.3692 for KB5058385.
Patch version is 10.0.17763.7309 for KB5058392.
Security Hotpatch update for Windows Server 2025 and Windows 11 Version 24H2 is KB5058497.
Security Hotpatch update for Windows Server 2022 is KB5058500.
QID Detection Logic (Authenticated):
This QID checks for the file version of 'ntoskrnl.exe'.
- Consequence
- Successful exploitation of this vulnerability may allow an authorized attacker to elevate privileges locally.
- Solution
-
The vendor has released a patch. Please refer to the Microsoft Security Advisory (CVE-2025-30400) for further information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2025-30400 Windows
-
Microsoft Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability for May 2025
- Severity
- Critical 4
- Qualys ID
- 92265
- Vendor Reference
- CVE-2025-32709
- CVE Reference
- CVE-2025-32709
- CVSS Scores
- Base 4.3 / Temporal 3.6
- Description
-
Microsoft Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability CVE-2025-32709.
Affected Operating System: Windows 11 Version 22H2, Windows Server 2022 Core, Windows Server 2016 Core, Windows 10 Version 21H2, Windows 10 Version 1507, Windows 10 Version 1809, Windows Server 2022, Azure Stack HCI Version 22H2, Windows Server 2016, Windows Server 2012 R2 Core, Windows Server 2025 Core, Windows Server 2012 Core, Windows Server 2019 Core, Windows 11 Version 23H2, Windows Server 2012 R2, Windows 11 Version 24H2, Windows 10 Version 1607, Windows Server 2019, Windows 10 Version 22H2, Windows Server 23H2, Windows Server 2025, Windows Server 2012
The KB Articles associated with the update:
KB5058383
KB5058451
KB5058379
KB5058403
KB5058384
KB5058405
KB5058392
KB5058387
KB5058385
KB5058411
QID Detection Logic (Authenticated):
This QID checks for the file version of 'ntoskrnl.exe'.
- Consequence
- Successful exploitation of this vulnerability may allow an authorized attacker to elevate privileges locally.
- Solution
-
The vendor has released a patch. Please refer to the Microsoft Security Advisory (CVE-2025-32709) for further information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2025-32709
These new vulnerability checks are included in Qualys vulnerability signature 2.6.322-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 100424
- 110493
- 110494
- 92255
- 92256
- 92258
- 92259
- 92260
- 92261
- 92262
- 92263
- 92264
- 92265
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.