May 14, 2025

What the new zero-days mean for Windows, Azure, and identity security

Microsoft Patch Tuesday May 2025

Microsoft’s May 2025 security updates, commonly known as Microsoft Patch Tuesday, roll out a hefty 72 security fixes, headlined by seven zero-day flaws: five already weaponised in the wild and two publicly disclosed before a patch was ready.

Alongside these, Microsoft labels six issues as “Critical”: five enabling remote-code execution (RCE) and one leaking sensitive information.

The remaining vulnerabilities span every major attack class: 17 elevation-of-privilege bugs, 28 additional RCEs, 15 information-disclosure issues, seven denial-of-service holes, two spoofing weaknesses, and two security-feature bypasses.

Why should identity-first defenders care? Because each category feeds directly into the modern kill-chain: an RCE or spoofing flaw gets attackers inside, an elevation-of-privilege bug turns that toe-hold into SYSTEM control, and the result is unfettered access to the very tokens, keys and service principals that underpin your Microsoft Entra ID and Azure workloads. 

The breakdown that follows shows exactly where those risks lie, and how disciplined patching, combined with Identity Fabric visibility, ITDR, ISPM and just-in-time PAM, closes the door before attackers can weaponise your identities.

The seven zero-day CVEs you must patch first

  1. CVE-2025-30400 – Windows DWM Core Library (EoP)
    A use-after-free flaw in Desktop Window Manager lets a local user jump straight to SYSTEM. Once elevated, an attacker can dump hashes and impersonate accounts, making it a powerful launch-pad for credential theft. 
  2. CVE-2025-32701 – Windows CLFS Driver (EoP)
    Another use-after-free, this time in the Common Log File System. Exploitation delivers SYSTEM privileges, enabling lateral movement across any Windows estate, including Azure VMs. 
  3. CVE-2025-32706 – Windows CLFS Driver (EoP)
    An input-validation bug in the same driver family; different code path, same outcome: instant SYSTEM access for a local attacker. 
  4. CVE-2025-32709 – Winsock AFD Driver (EoP)
    Kernel-level use-after-free in the Ancillary Function Driver for Winsock. Successful exploit means full control of network-heavy workloads and the secrets they handle. 
  5. CVE-2025-30397 – Microsoft Scripting Engine (RCE)
    A type-confusion bug that fires via a crafted web page or email. Code executes in the user’s context, letting attackers hijack browser tokens or Azure AD refresh tokens in one click. 
  6. CVE-2025-26685 – Microsoft Defender for Identity (Spoofing)
    An unauthenticated attacker on the local network can spoof any account to the Defender for Identity sensor, blinding Entra ID analytics and masking real compromises. 
  7. CVE-2025-32702 – Visual Studio (RCE)
    Malicious solution files or extensions can inject commands that run during a build, leaking developer PATs or CI/CD secrets. This is perfect for supply-chain attacks on Azure DevOps pipelines. 

Azure and Entra on the firing line

Here are the vulnerabilities that directly hit Microsoft cloud services and identity security:

  • CVE-2025-33072 – Azure Feedback Site (Info Disclosure). Attackers could siphon diagnostic data from msagsfeedback.azurewebsites.net. Marked Critical.
  • CVE-2025-30387 – Document Intelligence Studio (EoP). Path-traversal gives admin control of on-prem instances that sync to Azure AI. 
  • CVE-2025-29827 – Azure Automation (EoP). Weak auth checks let a user escalate runbook permissions and hijack cloud workflows. Marked Critical.
  • CVE-2025-29813 – Azure DevOps Server (EoP). Local users can become project-collection admins, exposing source code and pipelines linked to Azure. Marked Critical. 
  • CVE-2025-29973 – Azure File Sync Agent (EoP). SYSTEM takeover on file-sync servers means attackers can read or overwrite anything mirrored to Azure Files. 
  • CVE-2025-29972 – Azure Storage Resource Provider (Spoofing). Lets attackers impersonate the storage provider, potentially rerouting or poisoning storage operations. Marked Critical.
  • CVE-2025-26685 – Defender for Identity (Spoofing). Directly undercuts Entra’s identity-threat signals; also a zero-day (see above).


Privilege-escalation risks to IAM workloads

These are some of the indirect threats that, nevertheless, matter when it comes to identity security.

Kernel EoP bugs such as CVE-2025-30400, CVE-2025-32701, CVE-2025-32706 and CVE-2025-32709 are OS-level flaws. They don’t weaken authentication themselves. However, if an attacker has local access -- an Azure VM, a Windows 365 Cloud PC, or an Entra-hybrid DC -- these exploits provide SYSTEM privileges, making credential theft and lateral movement far easier.

Why call them “indirect”? Because once a foothold exists -- say on an Azure VM, Windows 365 Cloud PC, or an Entra-hybrid domain controller -- these flaws let attackers pivot to SYSTEM, dump tokens, or poison build pipelines. In a cloud-first world, “local” quickly becomes “global”.

Why patch management is an identity-security superpower

Staying current with Patch Tuesday is the fastest way to erase known exploit paths. But modern attackers don’t stop at unpatched code; they chase unprotected identities.

  • Patch → Prevent Exploit: closing zero-days like CVE-2025-30397 cuts off token theft before phishing campaigns even start.
  • Patch → Preserve Telemetry: applying the fix for CVE-2025-26685 ensures Defender for Identity sees real user behaviour, not spoofed noise.
  • Patch → Block Privilege Chains: kernel EoP fixes stop an intruder from leaping from “standard user” to “domain admin” in a single exploit.


Five identity-first steps to take today

  1. Lay down an Identity Fabric. Discover every human, service, and workload identity, and every permission, across on-prem and Azure.
  2. Automate your Identity Threat Detection & Response (ITDR). Hunt token misuse, impossible travel, and shadow admins in real time.
  3. Understand and enhance your Identity Security Posture Management (ISPM). Continuously track and weed out stale keys, over-broad roles, and mis-scoped app registrations.
  4. Enforce Just-in-Time Privileged Access (PAM). Grant high-risk rights only when needed and auto-revoke them when the task finishes.
  5. Automate patch-to-identity loops. Feed patch compliance into your Identity Fabric so risky, unpatched hosts lose access until they’re safe.
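As an added example of the patch-to-identity loop in step 5 (not code from the post or from Unosecur’s platform): the seven zero-days above are mapped to the host roles the post describes, each host’s missing fixes from a constructed patch-compliance feed are scored by identity impact, and exposed privileged hosts lose standing access until they are patched. The role weights, the `block_at` threshold and the host names are assumptions.

```python
from dataclasses import dataclass
# The seven zero-days from the post: impact class and the host roles the post puts in scope.
ZERO_DAYS = {  # "any" = every Windows host
    "CVE-2025-30400": ("EoP", {"any"}),                               # DWM Core Library
    "CVE-2025-32701": ("EoP", {"any"}),                               # CLFS driver
    "CVE-2025-32706": ("EoP", {"any"}),                               # CLFS driver
    "CVE-2025-32709": ("EoP", {"any"}),                               # Winsock AFD
    "CVE-2025-30397": ("RCE", {"user-endpoint", "dev-workstation"}),  # Scripting Engine
    "CVE-2025-26685": ("Spoofing", {"mdi-sensor"}),                   # Defender for Identity
    "CVE-2025-32702": ("RCE", {"dev-workstation", "build-agent"}),    # Visual Studio
}
# Assumed weights: a SYSTEM foothold on a DC reaches far more identities than one laptop.
ROLE_WEIGHT = {"domain-controller": 5, "mdi-sensor": 4, "build-agent": 4, "azure-vm": 3,
               "dev-workstation": 3, "user-endpoint": 1}

@dataclass
class Host:
    name: str
    roles: set           # e.g. {"domain-controller"}
    missing_fixes: set   # CVEs whose fix is absent, per the patch-compliance feed
    privileged: bool     # holds standing admin roles, PATs or service credentials

def exposure(host):
    """CVEs the host is still open to: fix missing and one of its roles in scope."""
    scope = host.roles | {"any"}
    return sorted(c for c in host.missing_fixes if c in ZERO_DAYS and ZERO_DAYS[c][1] & scope)

def risk_score(host):
    """Most sensitive role's weight per open CVE; EoP on a privileged host counts double."""
    weight = max((ROLE_WEIGHT.get(r, 1) for r in host.roles), default=1)
    return sum(weight * (2 if ZERO_DAYS[c][0] == "EoP" and host.privileged else 1)
               for c in exposure(host))

def access_decision(host, block_at=5):
    """Step 5: 'allow' if patched, 'restrict' (JIT-only) if exposed, 'block' if privileged and risky."""
    if not exposure(host):
        return "allow"
    return "block" if host.privileged and risk_score(host) >= block_at else "restrict"

def remediation_queue(hosts):
    """Patch order: highest identity risk first; fully patched hosts drop out."""
    return [h.name for h in sorted(hosts, key=risk_score, reverse=True) if exposure(h)]

INVENTORY = [  # constructed sample, standing in for a real patch-compliance export
    Host("DC01", {"domain-controller"}, {"CVE-2025-32701", "CVE-2025-30397"}, True),
    Host("BUILD01", {"build-agent", "azure-vm"}, {"CVE-2025-32702"}, True),
    Host("MDI-SENSOR01", {"mdi-sensor"}, {"CVE-2025-26685"}, False),
    Host("LAPTOP-42", {"user-endpoint"}, {"CVE-2025-30397"}, False),
    Host("LAPTOP-07", {"user-endpoint"}, set(), True),
]
```

In this sample the unpatched domain controller is blocked from standing privileged access, the build agent and sensor drop to JIT-only access, and the fully patched laptop keeps normal access.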

Unosecur unifies these capabilities - Identity Fabric, ITDR, ISPM, and PAM - to shrink the attack surface and shut down identity abuse at machine speed. Combine Unosecur’s platform with a disciplined Patch Tuesday routine, and you’ll neutralise both code-level exploits and the identity-based attacks they aim to fuel.

Ready to modernise your patch-and-identity strategy? Get your free risk assessment now.
