May 2025 continued the trend of increasingly sophisticated and targeted attacks, with several critical vulnerabilities discovered across core Microsoft Windows components, Fortinet appliances, and essential enterprise software like SAP NetWeaver. Notably, multiple zero-days were actively exploited in the wild before patches became available, underscoring the urgent need for continuous vulnerability management and rapid response. In this article, we break down the most impactful CVEs disclosed in May, explain the risks, and offer practical mitigation guidance.
What We'll Cover
CVE-2025-32706: Heap-Based Buffer Overflow in Windows CLFS
Severity: Important
CVSS Score: 7.8
Vulnerability Type: Local Privilege Escalation
Impact: SYSTEM-Level Access
Affected Systems: Windows 10/11, Server 2019/2022
This zero-day vulnerability resides in the Common Log File System (CLFS) driver and has already been exploited in targeted attacks. The flaw allows local attackers to escalate privileges to SYSTEM, which can lead to full compromise of the host.
Mitigation Strategies:
Install Microsoft’s May 2025 security updates immediately. Use endpoint detection and response (EDR) tools to flag anomalous CLFS interactions.
CVE-2025-32709: Privilege Escalation in Windows WinSock AFD Driver
Severity: Important
CVSS Score: 7.8
Vulnerability Type: Local Privilege Escalation
Impact: SYSTEM-Level Control
Affected Systems: Windows 10 and above
This vulnerability exploits a flaw in the AFD.sys driver, commonly used by networking services, to escalate privileges. Like CVE-2025-32706, it has been exploited in real-world attacks.
Mitigation Strategies:
Apply May 2025 security updates from Microsoft. Limit local account access where possible and monitor process privilege changes.
CVE-2025-32756: RCE in Fortinet Security Appliances
Severity: Critical
CVSS Score: 9.6
Vulnerability Type: Stack-Based Buffer Overflow
Impact: Remote Code Execution
Affected Systems: FortiVoice, FortiMail, FortiRecorder, FortiNDR
A critical overflow vulnerability in Fortinet appliances allows remote attackers to execute arbitrary code. Exploits have been observed in the wild, targeting internet-facing systems.
Mitigation Strategies:
Update affected Fortinet products to the latest firmware immediately. Restrict administrative access via VPNs and monitor logs for unusual activity.
CVE-2025-30400: Use-After-Free in Windows Desktop Window Manager
Severity: Important
CVSS Score: 7.8
Vulnerability Type: Memory Corruption
Impact: Privilege Escalation
Affected Systems: Windows Desktop Environments
This vulnerability in Desktop Window Manager (DWM) is being exploited as a local privilege escalation method. The attack relies on manipulating window object memory states.
Mitigation Strategies:
Install Microsoft’s May patches and deploy user behavior analytics to detect privilege escalation techniques.
CVE-2025-29966 & CVE-2025-29967: RDP Stack Overflows in Windows
Severity: Critical
CVSS Score: 8.8
Vulnerability Type: Remote Code Execution
Impact: Full System Compromise
Affected Systems: Windows Servers with Remote Desktop Services
Two RDP-related buffer overflow vulnerabilities allow unauthenticated remote code execution. These are especially dangerous if the RDP service is exposed to the internet.
Mitigation Strategies:
Apply Microsoft’s updates urgently. Disable RDP from the public internet and enforce network-level authentication (NLA) with MFA.
CVE-2025-30377 & CVE-2025-30386: RCE via Microsoft Office Files
Severity: Critical
CVSS Score: 8.4
Vulnerability Type: Use-After-Free
Impact: Remote Code Execution
Affected Systems: Microsoft Office 2016–2021, Microsoft 365
These vulnerabilities are triggered by opening specially crafted documents, even through the Preview Pane. They are prime candidates for phishing-based delivery.
Mitigation Strategies:
Apply Office patches. Disable Preview Pane in Outlook and Windows Explorer. Educate users about document-based threats.
CVE-2025-31324: A Critical Flaw in SAP NetWeaver
Severity: Critical
CVSS Score: 10.0
Vulnerability Type: Missing Authorization Check
Impact: Remote Code Execution
Affected Systems: SAP NetWeaver 7.xx (All SPS)
Still relevant in May, this CVE allows unauthenticated code upload to the Visual Composer “developmentserver.” It remains under active attack across enterprise networks.
Mitigation Strategies:
If not already done, apply SAP’s patch. Remove or disable the affected component if it is unused.
CVE-2025-27363: Heap Buffer Overflow in FreeType
Severity: High
CVSS Score: 8.6
Vulnerability Type: Heap Overflow
Impact: Remote Code Execution
Affected Systems: Applications relying on FreeType for font rendering
While CVE-2025-27363 was first disclosed in March 2025, it resurfaced as a top-priority threat in May when it was added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue. The vulnerability lies in the FreeType font rendering library used in many Android systems. A crafted font file can trigger a heap overflow, allowing remote attackers to execute code without user interaction. This is commonly referred to as a zero-click exploit.
This vulnerability became particularly dangerous in May as threat actors began actively targeting unpatched Android devices in the wild. Google’s May Android Security Bulletin included an urgent patch, and CISA’s warning highlighted its use in targeted attacks.
Mitigation Strategies:
- If you manage Android devices within your organisation, ensure they are updated with Google’s May 2025 security patch.
- Disable or restrict font rendering from untrusted sources wherever possible.
- Monitor mobile endpoints for unusual behaviour, particularly from messaging apps or apps that display external content using embedded fonts.
Several critical vulnerabilities were exploited as zero-days, with attackers aiming for privilege escalation and remote code execution in high-value targets. Delaying action could leave core infrastructure wide open to ransomware, espionage, or service disruption. Patching, hardening, and visibility remain your strongest defences.
Cybersecurity isn’t static. Your defences shouldn’t be either. Let us help you stay resilient and proactive in the face of evolving threats.
