The May 2025 Patch Tuesday crash lands with a large 4GB Cumulative Update for Windows 11 and Server 2025 that includes new features like Recall, Click to Do, and other AI improvements for Copilot+ PCs. If your download cache for patches in N‑central and N‑sight are full this month the large size of the CU might be to blame, so your spring-cleaning duties might not be over just yet. The push of Recall also requires attention from MSP and IT Professionals that have previously gone through measures to disable (or otherwise exert control over) Recall to verify expected behavior in their environments, or make adjustments if your old methods no longer work.   

Microsoft Vulnerabilities

Microsoft released fixes for 72 vulnerabilities, including seven zero-day vulnerabilities and six marked Critical. Of those seven zero-days five of them are Under Active Exploitation and should be on the top of prioritization lists. The two previously disclosed zero-days are marked as Exploitation Less Likely and Exploitation Unlikely and will affect a smaller install base than the other zero-days so being a few steps down on the prioritization list could be warranted in most environments. The larger concern for the month likely lies with the two CVEs affecting RDP.

CVE‑2025‑29966 and CVE‑2025‑29967 – Remote Desktop Client Remote Code Execution vulnerabilities, CVSS 8.8, are buffer overflow vulnerabilities. These twin flaws reside in the RDP client’s bitmap‑compression routine. A malicious RDP server (or MITM gateway) can send an over‑sized bitmap update that overflows an internal heap buffer, letting the attacker run arbitrary code. Successful exploitation can give an threat actor a beach‑head inside a network. There were no additional mitigation instructions from Microsoft concerning these vulnerabilities but now would probably be a good time to review if port 3389 is being blocked on the perimeter of networks as a small, but important mitigation. Monitoring for unusual RDP client crashes or RDP session logons from external IP may also provide early indicators of exploitation activity.

CVE-2025-29833 is a Hyper-V VMBus Remote Code execution vulnerability marked Exploitation Less Likely but is carrying a 7.7 CVSS. Exploitation of this vulnerability would allow an attacker to escape the VM boundary of a Linux or Windows guest OS and run arbitrary code on Hyper-V host. Exploitation of this vulnerability requires winning a race condition likely influencing its designation as Exploitation Less Likely but the consequences of abuse of this vulnerability are severe enough that it should receive prioritization. Big thanks to the Microsoft acknowledgments on this vulnerability for introducing more people to Chief Banana. Who says security researchers don’t have a sense of humor.

CVE-2025-30386 is a Microsoft Office Remote Code Execution vulnerability that triggers when Outlook or Windows Explorer’s Preview Pane parses a specially crafted .rtf, .doc and .docm files. Microsoft guidance is to ensure Office 2021, Office 2019, Office 2016 and M365 Apps build 17531.3051 or later are updated. As additional mitigation against this type of attack you can consider disabling the Preview Pane in Outlook and block .rtf, .doc, and .docm files as attachments in your email security platform.

Planning for Windows 10 EoS in October

With Windows 10 hurtling toward end of support on 10 October 2025, MSPs face the prospect of a three‑year limbo where security is available only through Microsoft’s Extended Security Updates (ESU) program or convincing clients to make the switch from Windows 10 to Windows 11. While Redmond has thrown a lifeline by pledging to patch Microsoft 365 Apps on Windows 10 for that same period, those fixes don’t cover the OS—meaning every legacy machine now carries an extra licensing fee, added patch‑catalog complexity, and bespoke GPO/Intune rings to keep ESU channels separate. Factor in the operational drag of dual baselines and the heightened cyber‑risk of an aging platform, and the logical conclusion is clear: ESU endpoints should command a premium support rate that reflects higher license costs, extra vulnerability management overhead, and the reputational risk your MSP assumes by letting clients cling to decade‑old silicon.

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available

Summary

Ensure that you maintain consistent patching procedures for assessment, testing, and deployment into your production environments. If your approach has typically centered around patching based on severity alone, it’s crucial to expand your patch management strategies. Integrate priority handling for patches related to Zero-Days, vulnerabilities with detected exploitations, and those with a higher likelihood of exploitation into your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out the Patch Management section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd