May’s Patch Tuesday Serves Up 78 Updates, Including 5 Zero-day Fixes


Five zero-day exploits earn this month’s Windows updates a “Patch Now” recommendation.

This May Patch Tuesday release is very much a “back-to-basics” update with just 78 patches for Microsoft Windows, Office, Visual Studio, and .NET. Notably, Microsoft has not released any patches for Microsoft Exchange Server or Microsoft SQL Server.

Due to the concerns of publicly reported exploits for 5 Windows vulnerabilities, the Application Readiness team has recommended a “Patch Now” schedule for Windows and a standard release cadence for the other platforms. To help navigate these changes, the team from Readiness has provided a helpful infographic detailing the risks of deploying updates to each platform.

Known issues

There are still reports of issues with devices with Citrix Session Recording Agent (SRA) version 2411 installed on Windows 10 platforms. This is an ongoing issue, with no further reported fixes or updates from Citrix or Microsoft. Otherwise (at the time of writing), Microsoft has not reported any issues with this month’s update for its Windows desktop and server platforms.

Major revisions and mitigations

Microsoft has not published any major revisions or mitigations to its patches and security fixes for this May.

Windows lifecycle and enforcement updates

Microsoft has not published any enforcement updates this month.

Testing guidance

Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a comprehensive analysis of the Microsoft patches and their potential impact on Windows platforms and application deployments.

We have broken the most important changes into feature-based groupings to help with testing prioritization. The Readiness team recommends the following areas for testing for the May Patch Tuesday patch cycle:

Remote Desktop, security, and identification

  • Test your Remote Desktop Gateway configurations. Establish sessions through the gateway and reconnect a few times to ensure stability.
  • Validate VPN creation, connection, and deletion. Also test fast reconnection and password change flows with PEAP-MSCHAPv2.
  • Load system-level crypto libraries and validate CheckSignatureInFile behavior using legacy (2011) certificates.
  • Test Secure Boot scenarios, especially if running dual-boot with Linux. Ensure all logins work after this month’s updates.
  • Run PowerShell modules with and without AppLocker policies to confirm policy enforcement integrity.

Media and codecs

  • Check your subtitles in MKV formats for Blu-ray playback.
  • Test audio/video recording using both internal and external devices.
  • Validate DRM-protected content, especially in Microsoft Edge and Office apps. Testing regimes should include a cycle of playback, record, and stream; then check your system logs for crashes or errors.

Storage and filesystems

  • Perform Windows transaction log creation, appends, and reopen scenarios using Common Log File System APIs.
  • Simulate SMB file access from multiple windows. Changes in one view should reflect in the other.
  • Validate UNC path access across apps. Run these tests with Microsoft Explorer and line-of-business apps that access network shares or log files.

Installation and application infrastructure

Given the focus of the Readiness team, it would be remiss to forget the changes to Microsoft’s update and application infrastructure with the following tests:

  • Conduct basic install, repair, roll-back and uninstall tests for MSI Installer packages. This process should be (mostly) automated by now.
  • If you’re an organization that employs App Silos, you will need to create a test cycle that includes invoking the BFS driver via an isolated app context.
  • Run web, file transfer, and messaging scenarios to test network throughput under load.
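
One way to automate the MSI install, repair, and uninstall cycle from the first item above, as an added example that is not part of the original article or Readiness tooling. The `$MsiPath` and `$LogDir` parameters and the `Invoke-MsiStep` helper are hypothetical names; roll-back is not covered here because it needs a package built to fail partway through installation.

```powershell
# Added example: MSI install / repair / uninstall smoke test for a patched test machine.
# $MsiPath and $LogDir are placeholders; point them at a package from your own portfolio.
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    [string] $LogDir = "$env:TEMP\msi-smoke"
)

# msiexec exit codes treated as success:
# 0 = success, 3010 = success (reboot required), 1641 = success (reboot initiated).
$SuccessCodes = 0, 3010, 1641

function Invoke-MsiStep {
    # Hypothetical helper: runs one silent msiexec operation with a verbose log.
    param([string] $Name, [string[]] $MsiArgs)
    $log = Join-Path $LogDir "$Name.log"
    $argList = $MsiArgs + @('/qn', '/norestart', '/l*v', "`"$log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru
    [pscustomobject]@{
        Step     = $Name
        ExitCode = $proc.ExitCode
        Passed   = $SuccessCodes -contains $proc.ExitCode
        Log      = $log
    }
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$msi = (Resolve-Path $MsiPath).Path

# Each step runs even if an earlier one fails, so the table shows the full picture.
$results = @(
    Invoke-MsiStep -Name 'install'   -MsiArgs @('/i',  "`"$msi`"")   # fresh install
    Invoke-MsiStep -Name 'repair'    -MsiArgs @('/fa', "`"$msi`"")   # force reinstall of all files
    Invoke-MsiStep -Name 'uninstall' -MsiArgs @('/x',  "`"$msi`"")   # remove the product
)

$results | Format-Table -AutoSize

# Non-zero exit lets a scheduler or pipeline flag the package for manual review.
if ($results.Passed -contains $false) { exit 1 }
```

Run it from an elevated session before and after applying the month's updates and compare the two result tables; the verbose logs in `$LogDir` show where a failing step stopped.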

In addition to these specific test exercises, we highly recommend a full business logic test of your internal and line-of-business applications that have significant graphics requirements. This is required due to the changes to the Windows kernel and GDI (graphic) subsystems.

Readiness recommends prioritizing your testing in the following order: RDP and remote access, application installations, PowerShell testing, and then storage system testing.

Updates by product family

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge)
  • Microsoft Windows (both desktop and server)
  • Microsoft Office
  • Microsoft Exchange and SQL Server
  • Microsoft Developer Tools (Visual Studio and .NET)
  • Adobe (if you get this far)

Browsers

Microsoft has not released any native updates for its browsers this month. However, there were 5 Chromium updates (CVE-2025-4050, CVE-2025-4372, CVE-2025-4096, CVE-2025-4052, and CVE-2025-405) that will update Microsoft Edge. All of these low-profile changes can be added to your standard release calendar.

Microsoft Windows

Microsoft has released 3 critical updates, plus 41 patches rated as important. The critical updates affect Microsoft’s Remote Desktop platform and the Virtual Machine bus (VMBus).

Unfortunately, the following Windows desktop updates have been reported as exploited in the wild:

  • CVE-2025-30400
  • CVE-2025-32701
  • CVE-2025-32706
  • CVE-2025-32709
  • CVE-2025-30397

As a result of these zero-days, the Readiness team recommends a “Patch Now” schedule for these Windows patches.

Microsoft Office

Microsoft has released 2 critical-rated updates (CVE-2025-30377 and CVE-2025-30386) for the Microsoft Office platform this month. Both of these patches were updated mid-week for documentation reasons.

Following these critical patches, Microsoft has released a further 16 patches that have been rated as important; they update Microsoft Office in general (as opposed to Word or Excel). Please add these Microsoft Office updates to your standard release calendar.

Microsoft Exchange Server

No updates for Microsoft Exchange or Microsoft SQL Server this month. Good news for all the server teams.

Microsoft development platforms

A single critical update (CVE-2025-29813) to the Microsoft DevOps platform and 4 patches rated as important by Microsoft have been released to the developer platforms this month. All of the patches rated as important affect Visual Studio and Microsoft .NET. Add these updates to your standard release schedule.

Adobe Reader (if you get this far)

No Adobe updates (published by Microsoft) for this May patch cycle. Given the recent security advances implemented in Windows 11 23H2 and 24H2, I think that we will see much less of Adobe in this column.
