{"id":103475,"date":"2025-05-15T12:16:09","date_gmt":"2025-05-15T12:16:09","guid":{"rendered":"https:\/\/www.europesays.com\/uk\/103475\/"},"modified":"2025-05-15T12:16:09","modified_gmt":"2025-05-15T12:16:09","slug":"windows-is-under-attack-microsoft-confirms-act-now-cisa-warns","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/uk\/103475\/","title":{"rendered":"Windows Is Under Attack, Microsoft Confirms \u2014 Act Now, CISA Warns"},"content":{"rendered":"<p class=\"color-body light-text\" role=\"button\">Multiple zero-day vulnerabilities are being exploited by attackers, Microsoft warns.<\/p>\n<p>SOPA Images\/LightRocket via Getty Images <\/p>\n<p>Update, May 15, 2025: This story, originally published May 14, has been updated with a new warning from the Cybersecurity and Infrastructure Security Agency along with additional information regarding further confirmed Microsoft Windows vulnerabilities that are not known to be under active exploitation but need to be patched as soon as possible anyway. <\/p>\n<p>It\u2019s that time of the month again, when Patch Tuesday is quickly followed by Exploit Wednesday. The former is the monthly rollout of Microsoft\u2019s responses to <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/04\/20\/587-windows-vulnerabilities---a-microsoft-security-record-breaker\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/04\/20\/587-windows-vulnerabilities---a-microsoft-security-record-breaker\/\" target=\"_self\" aria-label=\"newly discovered vulnerabilities\" rel=\"noopener\">newly discovered vulnerabilities<\/a> in its services and products, and the latter is when hackers, cybercriminals and state-sponsored actors look to act upon these security disclosures before individuals and organizations have had the opportunity to update their systems. 
Unfortunately, Exploit Wednesday seems to have preceded Patch Tuesday this month, with Microsoft confirming multiple zero-day vulnerabilities that are known to be under attack before any fix was made available. Make no mistake, with security experts rating the risk prioritization of these exploits as critical, Windows users need to act fast.<\/p>\n<p>Windows CVE-2025-30397 Zero-Day Explained<\/p>\n<p>It is not uncommon, sadly, for Windows users to find themselves faced with <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/03\/27\/windows-passwords-at-risk-as-new-0-day-confirmed-act-now\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/03\/27\/windows-passwords-at-risk-as-new-0-day-confirmed-act-now\/\" target=\"_self\" aria-label=\"zero-day vulnerabilities\" rel=\"noopener\">zero-day vulnerabilities<\/a> that are being exploited by attackers in the wild. 
In March, for example, <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/03\/12\/critical-windows-warning-as-6-zero-day-attacks-confirmed-update-now\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/03\/12\/critical-windows-warning-as-6-zero-day-attacks-confirmed-update-now\/\" target=\"_self\" aria-label=\"six zero-day attacks\" rel=\"noopener\">six zero-day attacks<\/a> were confirmed, while there were three such <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/01\/15\/new-critical-microsoft-windows-warning-as-3-zero-day-attacks-underway\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/01\/15\/new-critical-microsoft-windows-warning-as-3-zero-day-attacks-underway\/\" target=\"_self\" aria-label=\"active Windows exploits reported\" rel=\"noopener\">active Windows exploits reported<\/a> in January.<\/p>\n<p>The latest Microsoft Patch Tuesday <a class=\"color-link\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/msrc.microsoft.com\/update-guide\/\" aria-label=\"security rollout\">security rollout<\/a> has now dropped, and it doesn\u2019t make for very comforting reading at all. So, let\u2019s dive straight into the multiple zero-day exploits impacting Windows users, starting with the one that has security professionals most concerned. This memory corruption vulnerability sits within the Windows scripting engine, and a successful exploit can allow an attacker to execute code over the network. Not only does CVE-2025-30397 affect all versions of the Windows operating system, but it is also confirmed by Microsoft as being exploited in the wild. 
\u201cMicrosoft\u2019s severity is rated as important and has CVSS 3.1 of 7.8,\u201d Chris Goettl, vice president of security product management at Ivanti, pointed out, adding that \u201crisk-based prioritization warrants treating this vulnerability as critical.\u201d<\/p>\n<p>While official CVSS scores tend to provide a decent baseline for vulnerability appraisal, in the real world, things are not always that clear-cut. CVE-2025-30397 has a base score of 7.5 in Microsoft\u2019s advisory, and Microsoft rates the attack complexity as high. So, what\u2019s the issue? \u201cThe advisory FAQ for <a class=\"color-link\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-30397\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-30397\" aria-label=\"CVE-2025-30397\">CVE-2025-30397<\/a> explains that successful exploitation requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode,\u201d Adam Barnett, lead software engineer at Rapid7 explains, \u201cand then causes the user to click a malicious link; there is no mention of a requirement for the user to actively reload the page in Internet Explorer Mode, so we must assume that exploitation requires only that the \u2018Allow sites to be reloaded in Internet Explorer\u2019 option is enabled.\u201d Barnett warned that the users most likely to still require this kind of Internet Explorer compatibility are enterprise organizations, where migration is likely \u201cburied several layers deep in a dusty backlog.\u201d In that case, the prerequisite conditions are already conveniently in place on the target asset and \u201cattack complexity is suddenly nice and low.\u201d<\/p>\n<p>Windows Under Attack: CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 and CVE-2025-30400<\/p>\n<p>The remaining under-attack zero-day vulnerabilities are:<\/p>\n<p>CVE-2025-32709: an elevation of privilege vulnerability in the Windows ancillary function driver for WinSock that enables an attacker to gain admin privileges locally and impacts Windows Server 2012 and later OS versions. Once again, Goettl warned that \u201crisk-based prioritization warrants treating this vulnerability as critical.\u201d<\/p>\n<p>CVE-2025-32701 and CVE-2025-32706 are a pair of zero-day vulnerabilities in the Windows Common Log File System (CLFS) driver, and could enable a successful local attacker to gain system privileges. Impacting all versions of Windows, these types of security flaws are being closely monitored by the Microsoft Threat Intelligence Center. \u201cSince Microsoft is aware of exploitation in the wild,\u201d Barnett said, \u201cwe know that someone else got there first, and there\u2019s no reason to suspect that threat actors will stop looking for ways to abuse CLFS any time soon.\u201d<\/p>\n<p>And finally, we come to another elevation of privilege zero-day vulnerability already being exploited by attackers, CVE-2025-30400, which impacts the Windows Desktop Window Manager (DWM) and affects Windows 10, Server 2016, and later OS versions. 
Barnett pointed out that this is great proof that such elevation of privilege vulnerabilities never go out of fashion, with Exploit Wednesday marking the one-year anniversary of CVE-2024-30051, which also hit the Desktop Window Manager.<\/p>\n<p>Cybersecurity and Infrastructure Security Agency Says Act Before June 3 To Prevent Windows Exploits<\/p>\n<p>The U.S. Cybersecurity and Infrastructure Security Agency has now joined the chorus of experts warning that these Windows zero-day vulnerabilities need to be addressed as a matter of urgency. A <a class=\"color-link\" href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/05\/13\/cisa-adds-five-known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/05\/13\/cisa-adds-five-known-exploited-vulnerabilities-catalog\" aria-label=\"newly published alert\">newly published alert<\/a> has confirmed that CISA has added all five of the Windows zero-days to its Known Exploited Vulnerabilities catalog, which brings not only more than a little gravitas to the security warnings but also an obligation for federal civilian executive branch agencies, under CISA\u2019s Binding Operational Directive 22-01, to apply the Microsoft patches no later than June 3, 2025. Of course, that is by the by for most readers, but it doesn\u2019t mean the CISA alert is meaningless. 
Indeed, the self-styled America\u2019s Cyber Defense Agency has strongly urged \u201call organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of catalog vulnerabilities as part of their vulnerability management practice.\u201d<\/p>\n<p>It\u2019s Not Just Zero-Days, These Windows Vulnerabilities Also Need Your Urgent Attention<\/p>\n<p>Although it makes sense to highlight the five zero-day vulnerabilities that Microsoft has confirmed are already being exploited in the wild, leaving unpatched Windows users open to attack, this security rollout also includes fixes for another 65 vulnerabilities that cannot be ignored. Mike Walters, co-founder of Action1, has highlighted two Microsoft Office vulnerabilities, for example. CVE-2025-30386 is a remote code execution flaw, and RCE is something that will make any security-aware reader shiver. The shivering is dulled a little by the fact that it is classified with a local attack vector, the CVSS convention for flaws that are triggered when the victim opens a file the attacker has delivered. \u201cThis vulnerability is considered remote code execution,\u201d Walters explained, \u201cas it can be triggered by delivering a malicious document. 
If the affected user has administrative privileges, an attacker could gain full control of the system.\u201d All users, from enterprises to consumers, are at risk, Walters said, adding that the \u201cability to trigger exploitation via the Preview Pane further elevates the risk, as users may not even need to open the attachment explicitly.\u201d<\/p>\n<p>The second Microsoft Office vulnerability of note, CVE-2025-30377, is another RCE and similar to the first in that it can be used to execute arbitrary code. \u201cWhile the attack scenarios are comparable,\u201d Walters said, \u201cthis vulnerability is considered less likely to be exploited due to additional conditions or complexities in developing a reliable exploit.\u201d As both can result in full system compromise, neither should be underestimated, and patches should be applied as soon as possible.<\/p>\n<p>The advice, therefore, is simple. Act now, and ensure that you update your Windows systems with the latest security patches as a matter of some urgency.<\/p>\n","protected":false},"excerpt":{"rendered":"Multiple zero-day vulnerabilities are being exploited by attackers, Microsoft warns. 
SOPA Images\/LightRocket via Getty Images Update, May 15,&hellip;\n","protected":false},"author":2,"featured_media":103476,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[507,47704,9025,53,16,15,47703,47700,11736,47701,47702,47705],"class_list":{"0":"post-103475","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-microsoft","9":"tag-microsoft-security-warning","10":"tag-patch-tuesday","11":"tag-technology","12":"tag-uk","13":"tag-united-kingdom","14":"tag-update-windows-now","15":"tag-windows-cyberattack","16":"tag-windows-security-warning","17":"tag-windows-under-attack","18":"tag-windows-zero-day","19":"tag-windows-zero-day-attacks-confirmed"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@uk\/114511805516073395","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/103475","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/comments?post=103475"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/103475\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media\/103476"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media?parent=103475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/categories?post=103475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/tags?post=10347
5"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
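The two checks a Windows administrator would want after reading the article above, as an added example that is not part of the article and not code from Microsoft, Ivanti, Rapid7 or Action1: a PowerShell audit that reports (1) whether Edge policy on the host lets sites be rendered in Internet Explorer mode, the prerequisite Rapid7's Adam Barnett describes for CVE-2025-30397, (2) whether an operator-supplied KB is installed, and (3) which Critical/Important updates the host's configured update source still reports as missing. The Edge policy value names (InternetExplorerIntegrationLevel, InternetExplorerIntegrationReloadInIEModeAllowed, InternetExplorerIntegrationSiteList), their registry location under Policies\Microsoft\Edge and the Windows Update Agent COM object (Microsoft.Update.Session) are assumptions drawn from Microsoft's public Edge policy and WUA documentation as I know them, not from the article; confirm them against the policy reference for your Edge build. The article names no KB numbers, so the script takes the KB for your build from the MSRC advisory as a parameter rather than hard-coding one. Only policy-managed settings live in the registry: a user who flipped the toggle in edge://settings on an unmanaged machine is not visible here, so a clean result is evidence of absence only on managed hosts.

```powershell
# Added example (not from the article). Audits one Windows host for the
# CVE-2025-30397 prerequisite (IE mode reachable in Edge) and for patch state.
# Run from an elevated PowerShell 5.1+ prompt on the host being checked.
# Registry value names are Edge policy names (assumed, see lead-in).

function Get-EdgeIeModeExposure {
    $policyPaths = @(
        'HKCU:\SOFTWARE\Policies\Microsoft\Edge',   # user policy, read first
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge'    # machine policy, read last so it wins
    )
    $state = [ordered]@{
        IntegrationLevel      = $null   # 0 = none, 1 = IE mode in Edge, 2 = standalone IE11 (assumed meanings)
        ReloadInIeModeAllowed = $null   # the "Allow sites to be reloaded in Internet Explorer mode" toggle
        SiteListConfigured    = $false  # an enterprise site list forces listed sites into IE mode
        PolicyFound           = $false
        Exposed               = $false
    }
    foreach ($path in $policyPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -ne $props.InternetExplorerIntegrationLevel) {
            $state.IntegrationLevel = [int]$props.InternetExplorerIntegrationLevel
            $state.PolicyFound = $true
        }
        if ($null -ne $props.InternetExplorerIntegrationReloadInIEModeAllowed) {
            $state.ReloadInIeModeAllowed = ([int]$props.InternetExplorerIntegrationReloadInIEModeAllowed -ne 0)
            $state.PolicyFound = $true
        }
        if (-not [string]::IsNullOrEmpty($props.InternetExplorerIntegrationSiteList)) {
            $state.SiteListConfigured = $true
            $state.PolicyFound = $true
        }
    }
    # Barnett's point: the attack only needs a site to be rendered in IE mode.
    # Once IE mode is enabled (level 1), either the reload toggle or a site
    # list gets the victim there without any extra step on their part.
    $state.Exposed = ($state.IntegrationLevel -eq 1) -and
                     ($state.ReloadInIeModeAllowed -eq $true -or $state.SiteListConfigured)
    return [pscustomobject]$state
}

function Test-KbInstalled {
    # The KB for the May cumulative update differs per Windows build; take it
    # from the MSRC advisory for the CVE, e.g. Test-KbInstalled -KbId 'KB1234567'.
    param([Parameter(Mandatory = $true)][string]$KbId)
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Get-PendingUpdate {
    # Windows Update Agent COM API. The search goes to whatever source this
    # host is pointed at (Windows Update, WSUS, ...), so it needs network
    # reachability to that source and can take a minute.
    param([string[]]$Severity = @('Critical', 'Important'))
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($update in $result.Updates) {
        # MsrcSeverity is empty for non-security updates (drivers, feature packs)
        if ($Severity -and ($update.MsrcSeverity -notin $Severity)) { continue }
        [pscustomobject]@{
            Title      = $update.Title
            KB         = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ', '
            Severity   = $update.MsrcSeverity
            Downloaded = $update.IsDownloaded
        }
    }
}

# --- usage ---
$exposure = Get-EdgeIeModeExposure
$exposure | Format-List
if ($exposure.Exposed) {
    Write-Warning 'Edge policy lets sites render in IE mode: CVE-2025-30397 prerequisite is met on this host; patch first.'
} elseif (-not $exposure.PolicyFound) {
    Write-Warning 'No Edge IE-mode policy set; a user-level toggle in edge://settings would not show here.'
}

$pending = @(Get-PendingUpdate)
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) Critical/Important update(s) not yet installed:"
    $pending | Format-Table -AutoSize
} else {
    Write-Host 'No Critical/Important updates pending from the configured update source.'
}
```

Run it across a fleet through your existing remoting (Invoke-Command, ConfigMgr, Intune scripts) and triage in this order: hosts where Exposed is true and the month's KB is missing are the CVE-2025-30397 targets Barnett describes; everything else is ordinary Patch Tuesday hygiene. Disabling the reload toggle by policy is a stop-gap for hosts that genuinely cannot take the update yet, not a substitute for it, since the four privilege escalation zero-days need no IE mode at all.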