
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog with five newly disclosed Windows zero-day vulnerabilities, all of which are being actively exploited in the wild. Because every one of them lives in core Windows components, the flaws concern any organization running Windows clients or servers.
Three of the five are use-after-free vulnerabilities: memory-safety flaws in which a program continues to use a memory region after it has been freed. Because freed memory can be reallocated and filled with attacker-controlled data, such bugs in kernel-mode components let an attacker who already runs code as an ordinary user escalate to full administrative (SYSTEM) control of the machine.
The first, CVE-2025-30400, affects the Desktop Window Manager (DWM) Core Library, a component integral to the Windows graphical interface. Exploitation requires only local access: an attacker with a low-privileged foothold can use it to bypass access controls and elevate privileges on the system.
Two further vulnerabilities of the same type, CVE-2025-32701 and CVE-2025-32709, affect the Common Log File System (CLFS) driver and the Ancillary Function Driver for WinSock (afd.sys), respectively. Successful exploitation grants the attacker administrative control, enabling the deployment of further payloads and potentially resulting in full system compromise.
While CISA has not yet observed these vulnerabilities being exploited in ransomware campaigns, their confirmed use in real-world attacks underscores an urgent and tangible threat—one that demands immediate attention.
Particularly alarming is CVE-2025-30397, a type confusion flaw in the Windows Scripting Engine. It allows remote code execution when a victim opens a specially crafted link, which makes it well suited to phishing campaigns and malicious websites. Unlike the privilege-escalation bugs above, it requires no prior foothold or elevated privileges on the target, only a single click from the user, so it is a potent initial-access vector for organizations that rely heavily on browsers and scripting technologies.
The final entry, CVE-2025-32706, is a buffer overflow vulnerability in the CLFS driver. It allows an attacker to corrupt kernel memory, escalate privileges, and circumvent built-in security mechanisms. Because CLFS is a kernel-mode logging subsystem that other Windows components depend on, a successful attack could disrupt those components, and tampering with the log files it manages could complicate post-incident forensic analysis.
CISA urges all organizations to act immediately: apply Microsoft's security updates, follow the applicable BOD 22-01 guidance for cloud services (the directive itself binds Federal Civilian Executive Branch agencies, which must remediate KEV entries by the published due date), and, where no fix is available, discontinue use of the affected product or isolate the vulnerable component.
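The practical follow-up to a KEV addition is to check the catalog against your own inventory and rank what is past its due date. The following is an added example, not code from the article or from CISA: it parses a document in the same JSON shape as the public KEV feed (the `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse` and `requiredAction` fields) and triages it for a given vendor list. The sample feed embedded below is constructed for this example; its dates, its `ExampleVendor` entry and the placeholder ID `CVE-2025-00000` are not real catalog data.

```python
"""Triage a CISA KEV catalog extract against a list of vendors in your estate.

Added example; it models the public KEV JSON feed's shape and uses a
constructed sample document, not a download of the live catalog.
"""
import json
from datetime import date

# Constructed sample in the KEV feed's layout. The five Microsoft entries use
# the CVE IDs from the article; dates are placeholders, and the ExampleVendor
# entry (CVE-2025-00000) is invented to show vendor filtering and ranking.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 6,
    "vulnerabilities": [
        {"cveID": cve, "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": name, "dateAdded": "2025-05-13",
         "shortDescription": name, "dueDate": "2025-06-03",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions, follow "
                           "applicable BOD 22-01 guidance for cloud services, "
                           "or discontinue use of the product if mitigations "
                           "are unavailable."}
        for cve, name in [
            ("CVE-2025-30400", "DWM Core Library use-after-free"),
            ("CVE-2025-32701", "CLFS driver use-after-free"),
            ("CVE-2025-32709", "Ancillary Function Driver for WinSock use-after-free"),
            ("CVE-2025-30397", "Scripting Engine type confusion"),
            ("CVE-2025-32706", "CLFS driver buffer overflow"),
        ]
    ] + [
        {"cveID": "CVE-2025-00000", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "vulnerabilityName": "placeholder entry",
         "dateAdded": "2025-05-04", "shortDescription": "placeholder entry",
         "dueDate": "2025-05-25", "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})


def load_kev(text: str) -> list[dict]:
    """Parse a KEV catalog document and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def triage(entries: list[dict], vendors: list[str], today: date) -> list[dict]:
    """Select entries for the given vendors and order them by urgency.

    Ordering: entries already past their BOD 22-01 due date first, then
    entries with confirmed ransomware use, then earliest due date, then
    CVE ID so the output is stable.
    """
    wanted = {v.lower() for v in vendors}
    rows = []
    for entry in entries:
        if entry["vendorProject"].lower() not in wanted:
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cve": entry["cveID"],
            "product": entry["product"],
            "due": due,
            "days_left": (due - today).days,  # negative when overdue
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "action": entry["requiredAction"],
        })
    rows.sort(key=lambda r: (r["days_left"] >= 0, not r["ransomware"], r["due"], r["cve"]))
    return rows


def overdue(rows: list[dict]) -> list[str]:
    """CVE IDs whose remediation due date has already passed."""
    return [r["cve"] for r in rows if r["days_left"] < 0]


if __name__ == "__main__":
    # Report as of a fixed date so the output is reproducible offline.
    for row in triage(load_kev(SAMPLE_KEV_JSON), ["Microsoft"], date(2025, 5, 20)):
        flag = "OVERDUE" if row["days_left"] < 0 else f"{row['days_left']:>3}d left"
        print(f"{row['cve']}  {row['product']:<8} {flag}  ransomware={row['ransomware']}")
```

Against the live feed, replace `SAMPLE_KEV_JSON` with the downloaded catalog text and pass `date.today()`; the `days_left` field is the number to watch, since BOD 22-01 due dates for KEV entries are fixed at the time of addition and do not move.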