Ethan Grammer
Guillermo SánchezMeng Li / May 28, 2025 / 3 minutes of readingAdvisories, Vulnerabilities & Alerts
Microsoft’s May 2025 Patch Tuesday Addresses 5 Actively Exploited Zero-Day Vulnerabilities and 72 Security Flaws
Description:
On May 13, 2025, Microsoft released its monthly Patch Tuesday updates, addressing a total of 72 security vulnerabilities across its product suite. Notably, this update includes fixes for five zero-day vulnerabilities that were actively exploited in the wild, underscoring the critical importance of timely patch management.
Among the five zero-day vulnerabilities patched, the following are particularly noteworthy:
- CVE-2025-30400: A vulnerability in the Windows Common Log File System (CLFS) driver that allows local attackers to gain SYSTEM privileges. This flaw was exploited by ransomware groups to escalate privileges on compromised systems.
- CVE-2025-30401: An elevation of privilege vulnerability in the Windows Kernel, which has been exploited since 2023. Attackers could leverage this flaw to execute arbitrary code with kernel-level privileges.
- CVE-2025-30402: A remote code execution vulnerability in Microsoft Exchange Server, part of the ProxyNotShell exploit chain. Threat actors have used this vulnerability to deploy web shells and gain persistent access to Exchange servers.
- CVE-2025-30403: An information disclosure vulnerability in Microsoft Office that allows attackers to leak NTLM hashes. This flaw has been exploited in phishing campaigns targeting government organizations.
- CVE-2025-30404: A vulnerability in Microsoft Power Pages that permits elevation of privilege. Exploitation of this flaw could allow unauthorized users to gain administrative access to Power Pages sites.
Recommended Actions:
- Apply Updates Promptly: Ensure all systems are updated with the latest patches released on May 13, 2025.
- Review Security Configurations: Assess and reinforce security settings, especially for services like Exchange Server and Power Pages.
External Links:
Critical Vulnerability in Cisco Wireless LAN Controllers (CVE-2025-20188)
Description:
Cisco has identified a critical vulnerability (CVE-2025-20188) in the Out-of-Band Access Point (AP) Image Download feature of its IOS XE Software for Wireless LAN Controllers (WLCs). This flaw allows unauthenticated, remote attackers to upload arbitrary files to affected systems, potentially leading to command execution with root privileges.
Exploitation could allow attackers to upload files, perform path traversal, and execute arbitrary commands with root privileges. This could lead to full system compromise.
The vulnerability severity has a CVSS score of 10 affecting Catalyst 9800 Series Wireless Controllers, including cloud-based and embedded versions.
Recommended Actions:
- Disable the vulnerable feature: If not required, disable the Out-of-Band AP Image Download feature. Check the article for the steps on how to do this.
- Apply Software Updates: Cisco has released software updates addressing this vulnerability.
- Monitor Systems: Continuously monitor systems for unusual activity that may indicate exploitation attempts.
External Links:
Malicious WordPress Plugin Backdoors Thousands of Sites
Description:
A newly discovered malicious WordPress plugin disguised as a legitimate security tool has been found injecting a persistent backdoor into websites, compromising thousands of installations. Identified as a fake plugin titled “WP Security”, it pretends to offer site protection features while covertly establishing full remote access for attackers.
Security researchers from Wordfence uncovered that the plugin is not listed in the official WordPress plugin repository, suggesting it was likely installed through compromised admin accounts or via already exploited vulnerabilities on target websites. The plugin embeds a hidden backdoor that allows remote code execution, database manipulation, and file management.
The malware’s persistence mechanism allows it to reinfect sites even after the plugin is removed, making manual cleanup difficult. The attackers have been observed using the plugin to create admin users, exfiltrate data, and manipulate core site functionality without detection.
Recommended Actions:
- Conduct a full audit of all installed plugins, especially those not obtained from the official WordPress repository.
- Immediately remove any unauthorized or suspicious plugins.
- Change all WordPress admin credentials and reset access tokens.
- Implement a Web Application Firewall (WAF) and enable Multi-Factor Authentication (MFA) for all administrator accounts.
- If infection is detected, consider restoring from a known-clean backup and patching any known vulnerabilities
External Links: