Unsubscribe

Welcome to my May 2025 Patch Monday newsletter! It has been a busy month for our normal vendors in the chart below. Let's focus on the zero days first.

From Apple, we have a memory corruption issue affecting Apple's CoreAudio component. According to Apple there is a risk that affects Apple Watch Series 6 and later on before watchOS 11.5 that could allow a specially crafted media file to execute arbitrary code when processing an audio stream. So make sure any users that have corporate information stored on these devices get them updated ASAP.

Google released a few updates over the past 30 days patching 12 different vulnerabilities. Of these, 3 were rated high. Of these 3, one is a zero day that exists in the wild. The latest version of Chrome is 137.0.7151.41 for Windows and Mac. If you can't update to the latest version, at least update to 136.0.7103.114 which patches the vulnerability in this zero day.

Besides these it was a pretty standard month for Adobe, Mozilla and Zoom. See the chart below for the rest of the patches.

This month's newsletter sponsor, LOGbinder, released a new version of Supercharger for Windows Event Collection recently. I hosted a webinar for them where we discussed all the steps to setup Windows Event Collection for "internet" aka "off network" endpoints. Then we showed how Supercharger takes this huge process and makes it extremely easy to get done. Even if you missed it you can register to watch the recording now.

Be sure to browse the chart below and happy patching!

Follow randyfsmith on X

Subscribe to Randy Franklin Smith on Facebook

So, without further ado, here’s the chart of non-Microsoft 3rd party patches that affect Windows platforms in the past month.

Patch data provided by:

Identifier

Vendor/
Product

Affected Versions

Date Released
by Vendor

Vulnerability Info

Vender Severity / Our Recommedation

CVE-2025-27197

Adobe Lightroom

8.2 and earlier

5/13/2025

 Arbitrary Code Execution

Critical Priority 3: Update at admins discretion

CVE-2025-30310

Adobe Dreamweaver

21.4 and earlier

5/13/2025

 Arbitrary Code Execution

Critical Priority 3: Update at admins discretion

Multiple CVE's

Adobe Connect

12.8 and earlier

5/13/2025

 Arbitrary Code Execution,
Privilege Escalation

Critical Priority 3: Update at admins discretion

Multiple CVE's

Adobe InDesign

ID20.2 and earlier

ID19.5.2 and earlier

5/13/2025

 Application DoS,
Arbitrary Code Execution

Critical Priority 3: Update at admin's discretion

CVE-2025-30322

Adobe Substance 3D Painter

11.0 and earlier

5/13/2025

 Arbitrary Code Execution

Critical Priority 3: Update at admin's discretion

Multiple CVE's

Adobe Photoshop

2025 26.5 and earlier

2024 25.12.2 and earlier

5/13/2025

 Arbitrary Code Execution

Critical Priority 3: Update at admin's discretion

Multiple CVE's

Adobe Animate

2023 23.0.11 and earlier

2024 24.0.8 and earlier

5/13/2025

 Application DoS,
Arbitrary Code Execution

Critical Priority 3: Update at admins discretion

CVE-2025-30330

Adobe Illustrator

2025 29.3 and earlier

2024 28.7.5 and earlier

5/13/2025

 Arbitrary Code Execution

Critical Priority 3: Update at admins discretion

Multiple CVE's

Adobe Bridge

14.1.6 and earlier

15.0.3 and earlier

5/13/2025

 Arbitrary Code Execution

Critical Priority 3: Update at admins discretion

Multiple CVE's

Adobe Dimension

4.1.1 and earlier

5/13/2025

 Arbitrary Code Execution

Critical Priority 3: Update at admins discretion

Multiple CVE's

Adobe Substance 3D Stager

3.1.1 and earlier

5/13/2025

 Arbitrary Code Execution,
Memory Leak

Critical Priority 3: Update at admins discretion

Multiple CVE's

Adobe Substance 3D Modeler

1.21.0 and earlier

5/13/2025

 Arbitrary Code Execution

Critical Priority 3: Update at admins discretion

Multiple CVE's

Adobe ColdFusion

2025 Update 1,
2023 Update 13 and earlier,
2021 Update 19 and earlier

5/13/2025

 Arbitrary Code Execution,
Arbitrary File System Read,
Privilege Escalation

Critical Priority 3: Update at admins discretion

Multiple CVE's

Apple macOS Ventura

Before 13.7.5

5/12/2025

 Arbitrary Code Execution,
Information Leak,
Memory Corruption,
Out of Bounds Read,
Privilege Escalation,
Security Feature Bypass,
System Termination,
Unauthorized Access,
Use After Free		 Update after testing

Multiple CVE's

Apple macOS Sonoma

Before 14.7.6

5/12/2025

 Arbitrary Code Execution,
Information Leak,
Memory Corruption,
Out of Bounds Read,
Privilege Escalation,
Security Feature Bypass,
System Termination,
Unauthorized Access,
Use After Free		 Update after testing

Multiple CVE's

Apple macOS Sequoia

Before 15.5

5/12/2025

 Arbitrary Code Execution,
Information Leak,
Memory Corruption,
Out of Bounds Read,
Privilege Escalation,
Security Feature Bypass,
System Termination,
Unauthorized Access,
Use After Free		 Update after testing

Multiple CVE's

Apple Safari

Before 18.5

5/12/2025

 Application Crash,
Memory Corruption,
Type Confusion		 Update after testing

Multiple CVE's

Apple iOS

iOS/iPadOS before 18.5

5/12/2025

 Application Termination,
Arbitrary Code Execution,
Denial of Service,
Information Disclosure,
Out of Bounds Read,
Security Feature Bypass,
Spoofing,
Type Confusion,
Unauthorized Access,
Use After Free		 Update after testing

Multiple CVE's

Apple watchOS

before 11.5

5/12/2025

 Application Termination,
Arbitrary Code Execution,
Denial of Service,
Information Disclosure,
Memory Leak,
Out of Bounds Read,
Privilege Escalation,
Security Feature Bypass,
Type Confusion,
Use After Free		 Update ASAP

Multiple CVE's

Google
Chrome

Before 136.0.7103.113 (Linux)

Before 137.0.7151.40/.41 (Windows/Mac)

5/21/2025

 Inappropriate Implementation,
Incorrect Handle,
Insufficient Policy Enforcement,
Use After Free		 Update ASAP

Multiple CVE's

Mozilla Thunderbird

Before 138.0.2

5/20/2025

 Out of Bounds,
Spoofing,
User Confusion

Update after testing

Multiple CVE's

Mozilla Thunderbird ESR

Before 128.11

5/27/2025

 Arbitrary Code Execution,
Clickjacking,
Cross Origin Leaks,
Double Free,
Out of Bounds,
Spoofing

Update after testing

Multiple CVE's

Mozilla Firefox

Before 139

5/27/2025

 Arbitrary Code Execution,
Clickjacking,
Cross Origin Leaks,
Double Free,
Out of Bounds

Update after testing

Multiple CVE's

Mozilla Firefox ESR

Before 128.11

5/27/2025

 Arbitrary Code Execution,
Clickjacking,
Cross Origin Leaks,
Double Free,
Out of Bounds

Update after testing

Multiple CVE's

Mozilla Firefox for iOS

Before 139

5/20/2025

 Spoofing

Update after testing

CVE-2025-46785

Zoom Workplace Apps for Windows

Desktop App before 6.4

VDI Client before 6.3.10 (except 6.1.17 & 6.2.13)

Rooms Controller before 6.4.0

Rooms Client before 6.4.0

Meeting SDK before 6.4.0

5/13/2025

 Denial of Service

Update after testing

Multiple CVE's

Zoom Workplace Apps for Windows

Desktop App before 6.4

VDI Client before 6.3.10 (except 6.1.17 & 6.2.13)

Rooms Controller before 6.4.0

Rooms Client before 6.4.0

Meeting SDK before 6.4.0

5/13/2025

 Denial of Service

Update after testing

Multiple CVE's

Zoom Workplace Apps

Desktop App for Windows/macOS/Linux before 6.4.0

Workplace App for iOS/Android before 6.4.0

Workplace VDI Client for Windows before 6.3.10

Rooms Controller for Windows/macOS/Linux/Android before 6.4.0

Rooms Client for Windows/macOS/Android/iPad before 6.4.0

Meeting SDK for Windows/iOS/Android/macOS/Linux before 6.4.0

5/13/2025
App Integrity,
Denial of Service,
Denial of Service,
Privilege Escalation,
Race Condition

Update after testing

Thanks as always for reading and best wishes on security,

Randy Franklin Smith

Follow randyfsmith on Twitter Subscribe to Randy Franklin Smith on Facebook

Click here to unsubscribe

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2025 Monterey Technology Group, All rights reserved. You may forward this email in its entirety but all other rights reserved.

9450 SW Gemini Drive #53822, Beaverton, OR 97008

Note: We do our best to provide quality information and expert commentary but use all information at your own risk.

Unsubscribe