Summary
Mayday. Mayday. May Patch Tuesday?
This month’s episode dives into four key Windows vulnerabilities you need to address — from scripting engine memory corruption in legacy Internet Explorer components to remote code execution risks in Remote Desktop and Visual Studio. Ryan Braunstein and Mat Lee unpack what each CVE means for your environment, how attackers might exploit them, and what you can do to stay secure. If your org still leans on that one app tied to Internet Explorer, relies heavily on RDP, or builds with Visual Studio, this one’s for you.
Episode Transcript
Ryan Braunstein: Alright, happy Patch Tuesday everyone! It is May and you know what they say, April vulnerabilities bring May threat actors or something? Happy May, everyone. It's Patch Tuesday. It's an interesting month. We're light on macOS, but we've got plenty of juicy and interesting Windows vulnerabilities for you. Joining me today is Mat Lee, my wonderful Senior Security Engineer.
Mat Lee: The senior security engineer.
Ryan Braunstein: Yes, some people would say that. Anyway, jumping right in, I think we're gonna have like a shorter one for you, but I think they're gonna be a little bit more interesting. We've got CVE-2025-30397. It's a scripting engine memory corruption vulnerability. It's really odd because this particular vulnerability is one of those things where someone could phish you with a weird payload. If you have legacy Internet Explorer components running on your device, it can be used to basically run whatever it wants on your computer and just get a nice little priv-esc going on there. The user has to click on it, and it has to be in that legacy IE mode.
A lot of enterprise environments keep IE mode active because they have legacy apps. It's pretty easy to mitigate if you don't rely on those components. You can set a GPO to disable Internet Explorer 11 as a standalone browser. Also, you need to have it open and running in that mode for it to work. So if you're running Chromium Edge, it won't function — even if clicked. But don’t click it regardless.
Mat Lee: So I'm wondering, having not worked in a lot of Windows environments, why would you run Edge in IE mode? Maybe a learning moment for our listeners as well.
Ryan Braunstein: Yeah, I’ve worked with big law firms and other enterprises that have old licensed software that only runs in specific browsers. They don’t want to pay to upgrade those licenses, so they stick with what works. You'll even see Windows XP and Windows 7 in the wild just to support these apps. It's all about keeping legacy systems alive because of budget constraints.
Mat Lee: So it mostly comes down to compatibility.
Ryan Braunstein: Exactly. And again, education is huge around phishing. Don't click unknown links. Ensure Patch Tuesday updates are applied. But if you have legacy systems or don’t, just disable IE11 entirely. It's unnecessary.
We've also got CVE-2025-32707, an NTFS elevation of privilege vulnerability. Super interesting.
Mat Lee: Yeah, this one stood out because it requires the user to mount a virtual hard drive, like a VHD. It could come from a phishing email pretending to be your IT admin, maybe containing "important updates."
Ryan Braunstein: Or from, let’s say, “unlicensed” software sources. If you're mounting that stuff, you're opening up your system. It's why we don’t condone cracked software. You’re basically creating vulnerabilities for yourself.
Mat Lee: True. Software subscriptions are crazy now, and people try to find free versions — like Adobe Pro or similar.
Ryan Braunstein: Right, but again, you're taking a huge risk. Crack a piece of software and you’re probably opening a security hole. Sure, you might get to play the new Doom early, but at what cost?
Mat Lee: Yep, punching holes in things is never good. But it’s true. You could get in early… if you’re lucky.
Ryan Braunstein: Maybe. Anyway, let’s wrap this up with two more. First, CVE-2025-29967 — a Remote Desktop Client remote code execution vulnerability.
Mat Lee: Right. When a victim connects to an attacker-controlled RDP server using a vulnerable client, the server can execute code on the client’s machine. Think about it like a Windows command-and-control farm. You could even distribute a malicious RDP client version that connects back to the attacker.
Ryan Braunstein: Exactly. And remember, we’ve seen recent RDP gateway vulnerabilities too. If you haven’t patched, an attacker could chain these CVEs. It’s a serious entry point.
Mat Lee: And the last one — CVE-2025-32702 — is a Visual Studio remote code execution vulnerability. It’s basically command injection in Visual Studio (not VS Code). Attackers could execute local code. And since devs usually have elevated access, that’s a big deal.
Ryan Braunstein: Yep. They might have AWS or Azure credentials, or access to pipelines. If someone injects into a build platform, it’s game over for a while.
Mat Lee: Yeah, the last person you want getting phished is your engineer.
Ryan Braunstein: Definitely. Keep an eye out and patch quickly. That’s it for this month — anything else?
Mat Lee: I don’t think so. I saw a bunch of Excel CVEs this month, like ten, but they were all pretty similar. Looks like that team’s been busy.
Ryan Braunstein: Yep, happens every month. Thanks for joining, Mat. Thanks to everyone listening. See you next time!
Mat Lee: Thanks, everybody!