
CVEs have been published or revised in the Security Update Guide

May 2, 2025

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2025-29825

  • Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: May 1, 2025
  • Last updated: May 1, 2025
  • Aggregate CVE severity rating: Low
  • Customer action required: Yes

CVE-2025-4050

  • Title: Chromium: CVE-2025-4096 Heap buffer overflow in HTML
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: May 1, 2025
  • Last updated: May 1, 2025
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2025-4051

  • Title: Chromium: CVE-2025-4050 Out of bounds memory access in DevTools
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: May 1, 2025
  • Last updated: May 1, 2025
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2025-4052

  • Title: Chromium: CVE-2025-4051 Insufficient data validation in DevTools
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: May 1, 2025
  • Last updated: May 1, 2025
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2025-4096

  • Title: Chromium: CVE-2025-4052 Inappropriate implementation in DevTools
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: May 1, 2025
  • Last updated: May 1, 2025
  • Aggregate CVE severity rating:
  • Customer action required: Yes
 

CVEs have been published or revised in the Security Update Guide

May 8, 2025

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2025-29813

  • Title: Azure DevOps Elevation of Privilege Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: May 8, 2025
  • Last updated: May 8, 2025
  • Aggregate CVE severity rating: Critical
  • Customer action required: No

CVE-2025-29827

  • Title: Azure Automation Elevation of Privilege Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: May 8, 2025
  • Last updated: May 8, 2025
  • Aggregate CVE severity rating: Critical
  • Customer action required: No

CVE-2025-29972

  • Title: Azure Storage Resource Provider Spoofing Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: May 8, 2025
  • Last updated: May 8, 2025
  • Aggregate CVE severity rating: Critical
  • Customer action required: No

CVE-2025-33072

  • Title: Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: May 8, 2025
  • Last updated: May 8, 2025
  • Aggregate CVE severity rating: Critical
  • Customer action required: No

CVE-2025-47732

  • Title: Microsoft Dataverse Remote Code Execution Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: May 8, 2025
  • Last updated: May 8, 2025
  • Aggregate CVE severity rating: Critical
  • Customer action required: No

CVE-2025-47733

  • Title: Microsoft Power Apps Information Disclosure Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: May 8, 2025
  • Last updated: May 8, 2025
  • Aggregate CVE severity rating: Critical
  • Customer action required: No
 

CVEs have been published or revised in the Security Update Guide

May 10, 2025

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2025-4050

  • Title: Chromium: CVE-2025-4050 Out of bounds memory access in DevTools
  • Version: 1.1
  • Reason for revision: Corrected CVE title. This is an informational change only.
  • Originally released: May 1, 2025
  • Last updated: May 9, 2025
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2025-4051

  • Title: Chromium: CVE-2025-4051 Insufficient data validation in DevTools
  • Version: 1.1
  • Reason for revision: Corrected CVE title. This is an informational change only.
  • Originally released: May 1, 2025
  • Last updated: May 9, 2025
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2025-4052

  • Title: Chromium: CVE-2025-4052 Inappropriate implementation in DevTools
  • Version: 1.1
  • Reason for revision: Corrected CVE title. This is an informational change only.
  • Originally released: May 1, 2025
  • Last updated: May 9, 2025
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2025-4096

  • Title: Chromium: CVE-2025-4096 Heap buffer overflow in HTML
  • Version: 1.1
  • Reason for revision: Corrected CVE title. This is an informational change only.
  • Originally released: May 1, 2025
  • Last updated: May 9, 2025
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2025-4372

  • Title: Chromium: CVE-2025-4372 Use after free in WebAudio
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: May 8, 2025
  • Last updated: May 8, 2025
  • Aggregate CVE severity rating:
  • Customer action required: Yes

Microsoft security update summary for May 2025

May 13, 2025

Here’s a summary of Microsoft security updates released on this date.

Critical security updates

  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)
  • Microsoft Office 2019 for 32-bit editions
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft Office for Android
  • Microsoft Office LTSC 2021 for 32-bit editions
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft Office LTSC 2024 for 32-bit editions
  • Microsoft Office LTSC 2024 for 64-bit editions
  • Microsoft Office LTSC for Mac 2021
  • Microsoft Office LTSC for Mac 2024
  • Remote Desktop client for Windows Desktop
  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows 10 Version 22H2 for 32-bit Systems
  • Windows 10 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for ARM64-based Systems
  • Windows 11 Version 22H2 for x64-based Systems
  • Windows 11 Version 23H2 for ARM64-based Systems
  • Windows 11 Version 23H2 for x64-based Systems
  • Windows 11 Version 24H2 for ARM64-based Systems
  • Windows 11 Version 24H2 for x64-based Systems
  • Windows App Client for Windows Desktop
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows Server 2025
  • Windows Server 2025 (Server Core installation)

Important security updates

  • .NET 8.0 installed on Linux
  • .NET 8.0 installed on Mac OS
  • .NET 8.0 installed on Windows
  • .NET 9.0 installed on Linux
  • .NET 9.0 installed on Mac OS
  • .NET 9.0 installed on Windows
  • Azure AI Document Intelligence Studio
  • Azure File Sync v19.0
  • Azure File Sync v20.0
  • Build Tools for Visual Studio 2022
  • Microsoft Defender for Endpoint for Linux
  • Microsoft Defender for Identity
  • Microsoft Excel 2016 (32-bit edition)
  • Microsoft Excel 2016 (64-bit edition)
  • Microsoft Office for Universal
  • Microsoft PC Manager
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server Subscription Edition
  • Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
  • Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
  • Microsoft Visual Studio 2022 version 17.10
  • Microsoft Visual Studio 2022 version 17.12
  • Microsoft Visual Studio 2022 version 17.13
  • Microsoft Visual Studio 2022 version 17.8
  • Office Online Server
  • Visual Studio Code
  • Windows 10 HLK version 20H2
  • Windows 10 HLK version 21H1
  • Windows 10 HLK version 21H2
  • Windows 10 HLK Version 22H2
  • Windows 11 HLK 22H2
  • Windows 11 HLK 24H2
  • Windows HLK for Windows 10 version 2004
  • Windows HLK for Windows Server 2019
  • Windows HLK for Windows Server 2022
  • Windows HLK for Windows Server 2025
  • Windows HLK Version 1809

No action required security updates

  • Microsoft msagsfeedback.azurewebsites.net
  • Azure Storage Resource Provider (SRP)
  • Azure Automation
  • Azure DevOps
  • Microsoft Power Apps
  • Microsoft Dataverse
 
   

https://msrc.microsoft.com/update-guide/releaseNote/2025-May


CVEs have been published or revised in the Security Update Guide

May 17, 2025

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2025-26629

  • Title: Microsoft Office Remote Code Execution Vulnerability
  • Version: 1.2
  • Reason for revision: To comprehensively address CVE-2025-26629, Microsoft has released May 2025 security updates for all affected versions of Microsoft Office. Customers running any of these versions should ensure that they have the latest build installed. For more information and to verify the build version, see https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates.
  • Originally released: March 11, 2025
  • Last updated: May 13, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2025-29971

  • Title: Web Threat Defense (WTD.sys) Denial of Service Vulnerability
  • Version: 2.0
  • Reason for revision: To comprehensively address CVE-2025-29971, Microsoft has released HotPatch KB5061258 for Windows 11 Version 24H2 for x64-based Systems and Windows 11 Version 24H2 for ARM64-based Systems. Customers running these versions of Windows and who install the HotPatch updates should install KB5061258 to be protected from this vulnerability.
  • Originally released: May 13, 2025
  • Last updated: May 16, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2025-29977

  • Title: Microsoft Excel Remote Code Execution Vulnerability
  • Version: 2.0
  • Reason for revision: Microsoft is announcing the availability of the security updates for Microsoft Office for Mac. Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action. See the [Release Notes](https://go.microsoft.com/fwlink/p/?linkid=831049) for more information and download links.
  • Originally released: May 13, 2025
  • Last updated: May 14, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2025-29979

  • Title: Microsoft Excel Remote Code Execution Vulnerability
  • Version: 2.0
  • Reason for revision: Microsoft is announcing the availability of the security updates for Microsoft Office for Mac. Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action. See the [Release Notes](https://go.microsoft.com/fwlink/p/?linkid=831049) for more information and download links.
  • Originally released: May 13, 2025
  • Last updated: May 14, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2025-30375

  • Title: Microsoft Excel Remote Code Execution Vulnerability
  • Version: 2.0
  • Reason for revision: Microsoft is announcing the availability of the security updates for Microsoft Office for Mac. Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action. See the [Release Notes](https://go.microsoft.com/fwlink/p/?linkid=831049) for more information and download links.
  • Originally released: May 13, 2025
  • Last updated: May 14, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2025-30377

  • Title: Microsoft Office Remote Code Execution Vulnerability
  • Version: 2.0
  • Reason for revision: Microsoft is announcing the availability of the security updates for Microsoft Office for Mac. Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action. See the [Release Notes](https://go.microsoft.com/fwlink/p/?linkid=831049) for more information and download links.
  • Originally released: May 13, 2025
  • Last updated: May 14, 2025
  • Aggregate CVE severity rating: Critical
  • Customer action required: Yes

CVE-2025-30379

  • Title: Microsoft Excel Remote Code Execution Vulnerability
  • Version: 2.0
  • Reason for revision: Microsoft is announcing the availability of the security updates for Microsoft Office for Mac. Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action. See the [Release Notes](https://go.microsoft.com/fwlink/p/?linkid=831049) for more information and download links.
  • Originally released: May 13, 2025
  • Last updated: May 14, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2025-30381

  • Title: Microsoft Excel Remote Code Execution Vulnerability
  • Version: 2.0
  • Reason for revision: Microsoft is announcing the availability of the security updates for Microsoft Office for Mac. Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action. See the [Release Notes](https://go.microsoft.com/fwlink/p/?linkid=831049) for more information and download links.
  • Originally released: May 13, 2025
  • Last updated: May 14, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2025-30383

  • Title: Microsoft Excel Remote Code Execution Vulnerability
  • Version: 2.0
  • Reason for revision: Microsoft is announcing the availability of the security updates for Microsoft Office for Mac. Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action. See the [Release Notes](https://go.microsoft.com/fwlink/p/?linkid=831049) for more information and download links.
  • Originally released: May 13, 2025
  • Last updated: May 14, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2025-30386

  • Title: Microsoft Office Remote Code Execution Vulnerability
  • Version: 2.0
  • Reason for revision: Microsoft is announcing the availability of the security updates for Microsoft Office for Mac. Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action. See the [Release Notes](https://go.microsoft.com/fwlink/p/?linkid=831049) for more information and download links.
  • Originally released: May 13, 2025
  • Last updated: May 14, 2025
  • Aggregate CVE severity rating: Critical
  • Customer action required: Yes

CVEs have been published or revised in the Security Update Guide

May 17, 2025

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

ADV990001

  • Title: Latest Servicing Stack Updates
  • Version: 72.0
  • Reason for revision: Advisory updated to announce new versions of Servicing Stack Updates are available. Please see the FAQ for details.
  • Originally released: November 13, 2018
  • Last updated: May 13, 2025
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2022-2601

  • Title: Redhat: CVE-2022-2601 grub2 - Buffer overflow in grub_font_construct_glyph() can lead to out-of-bound write and possible secure boot bypass
  • Version: 3.0
  • Reason for revision: In the Security Updates table, updated Download and Article links for all supported versions of Windows to the security updates released on May 13, 2025. These updates apply improvements to SBAT for the detection of Linux systems, and address the known issue with dual booting for Windows and Linux. Customers who experienced issues with dual booting Windows and Linux should install the May 13, 2025 security updates. Customers whose systems are configured to receive automatic updates do not need to take any further action.
  • Originally released: August 13, 2024
  • Last updated: May 16, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2023-40547

  • Title: Redhat: CVE-2023-40547 Shim - RCE in HTTP boot support may lead to secure boot bypass
  • Version: 3.0
  • Reason for revision: In the Security Updates table, updated Download and Article links for all supported versions of Windows to the security updates released on May 13, 2025. These updates apply improvements to SBAT for the detection of Linux systems, and address the known issue with dual booting for Windows and Linux. Customers who experienced issues with dual booting Windows and Linux should install the May 13, 2025 security updates. Customers whose systems are configured to receive automatic updates do not need to take any further action.
  • Originally released: August 13, 2024
  • Last updated: May 16, 2025
  • Aggregate CVE severity rating: Critical
  • Customer action required: Yes

CVE-2024-29187

  • Title: GitHub: CVE-2024-29187 WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM
  • Version: 3.0
  • Reason for revision: In the Security Updates table, added Windows Driver Kit (WDK), Windows SDK, Windows 11 HLK 24H2, Windows 11 HLK 22H2, Windows 10 HLK Version 22H2, Windows 10 HLK Version 21H2, Windows HLK for Windows Server 2022, Windows HLK for Windows Server 2019, and Windows HLK Version 1809 because these developer kits are also affected by this vulnerability. Microsoft strongly recommends that customers using these products install the updates to be fully protected from the vulnerability. See the FAQs section of this vulnerability for more information.
  • Originally released: June 11, 2024
  • Last updated: May 13, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2024-29187

  • Title: GitHub: CVE-2024-29187 WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM
  • Version: 3.1
  • Reason for revision: Updated the FAQs to further clarify the update guidance for this CVE. This is an informational change only.
  • Originally released: June 11, 2024
  • Last updated: May 15, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2024-49128

  • Title: Windows Remote Desktop Services Remote Code Execution Vulnerability
  • Version: 2.0
  • Reason for revision: To comprehensively address CVE-2024-49128, Microsoft has released May 2025 security updates for all affected versions of Windows Server. Microsoft recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.
  • Originally released: December 10, 2024
  • Last updated: May 13, 2025
  • Aggregate CVE severity rating: Critical
  • Customer action required: Yes

CVE-2025-30388

  • Title: Windows Graphics Component Remote Code Execution Vulnerability
  • Version: 2.0
  • Reason for revision: Microsoft is announcing the availability of the security updates for Microsoft Office for Mac. Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action. See the [Release Notes](https://go.microsoft.com/fwlink/p/?linkid=831049) for more information and download links.
  • Originally released: May 13, 2025
  • Last updated: May 14, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2025-30393

  • Title: Microsoft Excel Remote Code Execution Vulnerability
  • Version: 2.0
  • Reason for revision: Microsoft is announcing the availability of the security updates for Microsoft Office for Mac. Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action. See the [Release Notes](https://go.microsoft.com/fwlink/p/?linkid=831049) for more information and download links.
  • Originally released: May 13, 2025
  • Last updated: May 14, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2025-32709

  • Title: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
  • Version: 2.0
  • Reason for revision: In the Security Updates table, added all supported editions of Windows Server 2008 and Windows Server 2008 R2 as they are affected by this vulnerability. Customers running these versions of Windows Server, please note that to be protected from this vulnerability you need to install the out-of-band updates as follows: Windows Server 2008 R2: KB5061195 (Security-only update); Windows Server 2008 R2: KB5061196 (Monthly Rollup); Windows Server 2008: KB5061197 (Security-only update); Windows Server 2008: KB5061198 (Monthly Rollup). Please see the Security Updates table and FAQs section for more information.
  • Originally released: May 13, 2025
  • Last updated: May 15, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes
 

CVEs have been published or revised in the Security Update Guide

May 22, 2025

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2025-26646

  • Title: .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability
  • Version: 2.0
  • Reason for revision: To comprehensively address CVE-2025-26646, Microsoft has released security updates on May 22, 2025 for Visual Studio 2022 version 17.10. In addition, updates .NET 8.0.313 and .NET 8.0.410 have been released for .NET SDKs 8.0.3xx and 8.0.4xx, respectively. For more information about the .NET updates see [KB5059200](https://support.microsoft.com/en-us/topic/-net-8-0-update-may-22-2025-kb5059200-8ace2b08-2644-454e-a43f-157c60835e49). Microsoft recommends customers install these updates to be fully protected from the vulnerability.
  • Originally released: May 13, 2025
  • Last updated: May 22, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes


CVEs have been published or revised in the Security Update Guide

May 29, 2025

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2025-29833

  • Title: Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
  • Version: 1.1
  • Reason for revision: Added an FAQ and updated the CVSS score. This is an informational change only.
  • Originally released: May 13, 2025
  • Last updated: May 14, 2025
  • Aggregate CVE severity rating: Critical
  • Customer action required: Yes


CVEs have been published or revised in the Security Update Guide

May 30, 2025

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2025-21174

  • Title: Windows Standards-Based Storage Management Service Denial of Service Vulnerability
  • Version: 1.3
  • Reason for revision: In the Security Updates table, corrected the Download and Article links for Windows Server 2012 R2 and Windows Server 2012 R2 (Server Core installation). This is an informational change only.
  • Originally released: April 8, 2025
  • Last updated: May 30, 2025
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

