A lot of people are going to be screaming from the hilltops today about the 4 Critical and 1 Important vulnerabilities that all scored above a CVSS 9.0, including a 10.0 (CVE-2025-29813), a pair of 9.9s (CVE-2025-29827 and CVE-2025-29972), a 9.8 (CVE-2025-30387), and a 9.1 (CVE-2025-47733). I think that those people are drawing attention to the wrong place. The 4 Critical vulnerabilities were all already patched by Microsoft. They were only included as part of Microsoft’s move to greater transparency with cloud vulnerabilities. There is no action for operational teams to take, so there’s no reason to direct everyone’s attention to them. Instead, let’s draw people’s attention to places where they can act and make a difference in their environments’ security posture. That leaves us with the single Important vulnerability that rated a 9.8, which is released as a Docker image. Users of Azure AI services Document Intelligence Studio should take the time to update their image to the latest tag to mitigate this vulnerability.
Today, we should talk about the 7 vulnerabilities that Microsoft listed as exploited (5 of them) and publicly disclosed (2 of them).
Let’s start with the two publicly disclosed vulnerabilities - CVE-2025-32702 and CVE-2025-26685. These are probably back-of-mind issues that most people won’t worry about, so I wanted to address that immediately given they do have that publicly disclosed tag. CVE-2025-26685 does not require admin action and has no update available. CVE-2025-32702 is a vulnerability in Visual Studio that could lead to code execution; however, a user would need to download a malicious file to face exploitation.
When it comes to the 5 exploited vulnerabilities, it’s really just more of the same stuff we see every month. We have two vulnerabilities impacting CLFS (CVE-2025-32701 and CVE-2025-32706), both of which could allow elevation of privilege to SYSTEM. Next up is CVE-2025-32709, a vulnerability in Windows AFD for WinSock, which could allow elevation of privilege to administrator. Up next is the Scripting Engine with CVE-2025-30397, a vulnerability that could allow code execution when running Edge in Internet Explorer mode. Finally, we have CVE-2025-30400, a vulnerability in Microsoft DWM that could allow elevation of privilege to SYSTEM.
If all of this terminology – CLFS, Windows AFD for WinSock, Scripting Engine, and Microsoft DWM – seems familiar, it’s because it pops up over and over again on Patch Tuesday. These are some of the most frequently targeted and exploited components within the Windows platform.
For those at the top of the food chain – CISOs and CSOs – this is a great Patch Tuesday to test your teams to see how well they know their environment. On top of a number of Azure services that were patched by Microsoft and require no end-user effort, we’re seeing some rarely patched components whose names might not be familiar to a lot of people. Things like Microsoft Dataverse and Azure AI services Document Intelligence Studio. Ask your teams how they are handling these updates, which use non-standard update mechanisms, and find out if they really know their environments and their update processes.
One takeaway this month is just how light the month is when it comes to patches. After you remove the vulnerabilities that don’t require updates (Microsoft has already updated the backend) or vulnerabilities that are often auto-updated (Office and Edge), there’s not a lot left for admins, particularly if they are not running some of the non-standard software that we’re seeing in today’s patch drop. With long weekends coming up in Canada (this weekend) and the US (next weekend), this might be just the reprieve that admins were looking for as we start to get into nicer weather in the Northern Hemisphere.