Urgent Advisory: Five Actively Exploited Windows Zero-Days Threaten Global Systems

I. Executive Summary: Five Windows Zero-Days Demand Immediate Action

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert, adding five Windows zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.1 This is not a theoretical exercise; these vulnerabilities are currently being exploited in the wild, presenting an immediate and significant danger to organizations worldwide that rely on Microsoft Windows environments. Time is of the essence, as CISA has mandated that U.S. federal agencies apply the necessary fixes by June 3, 2025.2 This directive serves as a stark warning and a benchmark for all organizations to prioritize remediation.

These newly cataloged zero-days target fundamental and ubiquitous Windows components. The affected areas include the Desktop Window Manager (DWM) Core Library, the Common Log File System (CLFS) Driver—which has been hit with two distinct vulnerabilities—the Ancillary Function Driver (AFD) for WinSock, and the Windows Scripting Engine. The potential consequences of exploitation are severe, primarily leading to Elevation of Privilege (EoP) that grants attackers SYSTEM or administrator-level control. One of the vulnerabilities also allows for Remote Code Execution (RCE), providing a potential initial entry point for attackers.

The specific vulnerabilities are:

• CVE-2025-30400: A use-after-free vulnerability in the DWM Core Library leading to EoP.
• CVE-2025-32701: A use-after-free vulnerability in the CLFS Driver leading to EoP.
• CVE-2025-32709: A use-after-free vulnerability in the AFD for WinSock leading to EoP.
• CVE-2025-30397: A type confusion vulnerability in the Scripting Engine leading to RCE.
• CVE-2025-32706: A heap-based buffer overflow in the CLFS Driver leading to EoP.

Microsoft has released security updates addressing these vulnerabilities as part of its May 2025 Patch Tuesday cycle.3 The immediate and paramount call to action for all organizations is to deploy these patches without delay. The active exploitation of these flaws means that any unpatched system is a potential target.

The recurring nature of vulnerabilities in core Windows components like DWM and CLFS is a significant concern. For instance, CVE-2025-30400 is the third actively exploited EoP in the DWM Core Library since 2023, and Microsoft has addressed 26 EoP flaws in DWM since 2022, with five fixed in April 2025 alone.3 Similarly, CVE-2025-32701 and CVE-2025-32706 represent the seventh and eighth CLFS EoP vulnerabilities exploited since 2022.3 This pattern suggests these components are either inherently complex and prone to such errors or have become a focused area for attacker research due to their critical roles and potential for high-privilege access. Organizations should therefore anticipate future issues in these areas and develop detection strategies that look beyond individual CVEs to behavioral anomalies associated with these core systems.

Furthermore, the inclusion of these zero-days in the KEV catalog, coupled with Microsoft’s rapid patching, underscores the intense pressure on cybersecurity defenders. Even though these flaws were exploited before patches were available, their public disclosure and the subsequent patching cycle occur in an environment where active exploitation is already a reality. This highlights the critically short window for remediation and reinforces the need for highly agile patch management processes and robust incident response capabilities. Organizations are often in a reactive posture against threats that are already weaponized.

Table: High-Level Summary of Actively Exploited Windows Zero-Days (May 2025)

CVE ID	Vulnerability Name (Component & Type)	CVSS v3.1 Score/Severity	Primary Impact	CISA KEV Added Date	CISA KEV Due Date
CVE-2025-30400	Windows DWM Core Library Use-After-Free	7.8 / HIGH	EoP to SYSTEM	2025-05-13	2025-06-03
CVE-2025-32701	Windows CLFS Driver Use-After-Free	7.8 / HIGH	EoP to SYSTEM	2025-05-13	2025-06-03
CVE-2025-32709	Windows Ancillary Function Driver for WinSock Use-After-Free	7.8 / HIGH	EoP to Admin	2025-05-13	2025-06-03
CVE-2025-30397	Windows Scripting Engine Type Confusion	7.5 / HIGH	RCE	2025-05-13	2025-06-03
CVE-2025-32706	Windows CLFS Driver Heap-Based Buffer Overflow	7.8 / HIGH	EoP to SYSTEM	2025-05-13	2025-06-03

II. The Threat Landscape: Unpacking the Exploited Vulnerabilities

This section delves into the specifics of each of the five actively exploited zero-day vulnerabilities, providing a detailed analysis of their scope, risk profile, and potential impact.

A. CVE-2025-30400: Windows DWM Core Library Elevation of Privilege

• Scope & Prevalence:
  This vulnerability resides within the Microsoft Windows Desktop Window Manager (DWM) Core Library. The DWM is a foundational Windows component responsible for rendering the graphical user interface (GUI), managing visual effects like transparency and animations, and enabling high-resolution display support.1 Its ubiquity means that a flaw here has widespread implications. Affected Microsoft products include a significant range of currently supported Windows operating systems: Windows 10 versions 1809, 21H2, and 22H2; Windows 11 versions 22H2, 23H2, and the forthcoming 24H2; and Windows Server versions 2019, 2022, Server 2022 (23H2 release), and the upcoming Windows Server 2025.2 This broad applicability across both client and server editions underscores the large number of systems potentially at risk globally.
• Risk Profile & Exploitability:
  CVE-2025-30400 is classified as a use-after-free vulnerability, identified under Common Weakness Enumeration CWE-416.1 This type of memory corruption flaw occurs when a program attempts to access a memory location after it has been deallocated (freed). If an attacker can control the data written to this reallocated memory space, or influence how the dangling pointer is used, they can often achieve arbitrary code execution or, as in this case, escalate privileges.
  The attack vector is local (AV:L), meaning an attacker must have already gained some level of access to the target system; this is not a remotely exploitable vulnerability in the sense of an unauthenticated network attack.2 The privileges required for exploitation are low (PR:L), indicating that an attacker starting with a standard user account could leverage this flaw.2 Critically, no user interaction (UI:N) is needed to trigger the exploit once the attacker has code execution capability on the system.2
  Successful exploitation allows the attacker to elevate their privileges to SYSTEM level.1 SYSTEM is the highest level of privilege on a Windows system, granting the attacker complete control over the operating system, including the ability to install software (like malware or backdoors), modify or delete data, create new accounts, and disable security measures.
  This vulnerability is confirmed to be actively exploited in the wild as a zero-day.3 While threat actors possess working exploits, there is no confirmation of publicly available Proof-of-Concept (PoC) code at this time.6 The CVSS v3.1 base score assigned by Microsoft is 7.8 (High).2
  The consistent targeting of DWM for privilege escalation is notable. As mentioned, this is the third DWM Core Library EoP flaw weaponized since 2023, and a significant number of DWM EoP vulnerabilities have been patched by Microsoft since 2022, including five in April 2025 alone.3 This pattern suggests that DWM is a component that attackers have found particularly fruitful for finding privilege escalation vulnerabilities, possibly due to its complexity or its inherent need to interact with various parts of the OS at a privileged level. Security teams should thus maintain heightened awareness for any DWM-related anomalies.
  Because exploitation requires initial local access, the practical risk of CVE-2025-30400 materializes after an attacker has successfully breached the system’s perimeter and established a foothold. This could be achieved through various methods such as phishing campaigns leading to malware execution, exploitation of a separate remote code execution vulnerability, or the use of compromised credentials. This vulnerability then serves as a critical component in an attacker’s chain of actions to achieve full system compromise and deploy their ultimate payload, such as ransomware or data exfiltration tools. This underscores the importance of defense-in-depth strategies; preventing initial access is as crucial as patching this EoP flaw. If an alert for this specific EoP exploit is triggered, it’s a strong indicator of an existing, deeper compromise.
• MITRE ATT&CK Mapping:

• Tactic: Privilege Escalation (TA0004)

• Technique: T1068 – Exploitation for Privilege Escalation.8 This technique directly describes the scenario where an adversary takes advantage of a software bug to gain higher-level permissions.

B. CVE-2025-32701: Windows Common Log File System (CLFS) Driver Elevation of Privilege

• Scope & Prevalence:
  This vulnerability affects the Windows Common Log File System (CLFS) Driver (clfs.sys), an essential logging subsystem within the Windows kernel.1 CLFS provides a high-performance, general-purpose logging service that can be used by kernel-mode drivers and user-mode applications. Its widespread use across numerous Windows versions makes this vulnerability particularly concerning. Affected versions span a broad range, including Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2), Windows 11 (22H2, 23H2, 24H2), Windows Server 2008 R2 SP1, Windows Server 2012 and R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025.11 The sheer number of affected client and server operating systems indicates a vast global attack surface.
• Risk Profile & Exploitability:
  CVE-2025-32701 is another use-after-free vulnerability (CWE-416).1 Similar to CVE-2025-30400, an attacker would exploit a condition where the CLFS driver attempts to use a memory region after it has been deallocated.
  The attack vector is local (AV:L), requiring the attacker to have already established a presence on the target system.10 Exploitation necessitates low privileges (PR:L) and does not require any user interaction (UI:N).10
  A successful exploit allows the attacker to elevate their privileges to SYSTEM level, granting them complete control over the compromised machine.1 This level of access allows for disabling security software, installing persistent malware, accessing or exfiltrating sensitive data, and moving laterally within the network.
  This vulnerability is confirmed to be actively exploited in the wild as a zero-day.3 Microsoft’s own threat intelligence team is credited with its discovery.3 As with the DWM flaw, public PoC exploit code is not confirmed to be available.10 The CVSS v3.1 base score is 7.8 (High).3
  The CLFS driver has unfortunately become a notorious source of privilege escalation vulnerabilities. This CVE, along with CVE-2025-32706 (discussed later), marks the seventh and eighth CLFS EoP flaws to be exploited in the wild since 2022.3 Previous CLFS vulnerabilities, such as CVE-2025-29824 (patched in April 2025), have been actively used by ransomware groups, including those associated with RansomEXX and Play ransomware (potentially via threat actors like Storm-2460 and Balloonfly).3 This consistent targeting by financially motivated cybercriminals strongly suggests that CLFS is a preferred pathway for attackers needing to escalate privileges to deploy widespread, impactful attacks like ransomware. The kernel-level access and its role in system logging make it a high-value target.21 Any CLFS EoP vulnerability should therefore be treated with extreme urgency.
  Technical details regarding the exploitation of CVE-2025-32701 indicate a sophisticated attack. Attackers, after gaining initial local access, trigger specific CLFS log operations such as CreateLogFile or AddLogContainer. These actions are manipulated to cause the premature freeing of a CLFS log stream object’s memory. Subsequently, attackers use heap spraying techniques to reclaim this freed memory and populate it with their own controlled data. The final step involves causing the CLFS driver to dereference the now-corrupted pointer, leading to the execution of arbitrary code with SYSTEM privileges.21 This detailed understanding of the exploit mechanism can aid in developing more specific detection signatures and forensic analysis techniques.
• MITRE ATT&CK Mapping:

• Tactic: Privilege Escalation (TA0004)

• Technique: T1068 – Exploitation for Privilege Escalation.8

C. CVE-2025-32709: Windows Ancillary Function Driver (AFD) for WinSock Elevation of Privilege

• Scope & Prevalence:
  This vulnerability impacts the Windows Ancillary Function Driver (AFD) for WinSock, commonly known by its driver file afd.sys.1 AFD is a core Windows kernel component that supports the Windows Sockets (WinSock) API, facilitating network communication for applications. A flaw in afd.sys can have serious security implications due to its fundamental role in networking. The vulnerability affects a broad spectrum of Windows operating systems, including Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2), Windows 11 (22H2, 23H2, 24H2), Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025.24 Its presence across such a wide array of client and server versions makes it a widespread concern.
• Risk Profile & Exploitability:
  CVE-2025-32709 is classified as a use-after-free vulnerability (CWE-416).1 The exploitation mechanism involves an attacker manipulating the system to use a pointer to memory within afd.sys after that memory has been deallocated.
  Exploitation requires local access (AV:L) to the target system, meaning an attacker must have already gained an initial foothold.23 The attacker needs only low privileges (PR:L) to launch the exploit, and no user interaction (UI:N) is required.23
  Successful exploitation allows an authenticated attacker to elevate their privileges to the administrator level 1, which can lead to full system control. This includes the ability to install malicious software, access or alter sensitive data, and disable security measures.
  This vulnerability is being actively exploited in the wild as a zero-day.3 Significantly, the threat actor group Lazarus Group has been identified as exploiting CVE-2025-32709.29 An anonymous researcher was credited with reporting this flaw.3 There is no confirmation of publicly available PoC code.23 The CVSS v3.1 base score is 7.8 (High).3
  The attribution of this exploit to the Lazarus Group significantly elevates its threat profile. Lazarus Group is a sophisticated Advanced Persistent Threat (APT) actor linked to North Korea, known for conducting large-scale cyber operations for financial gain and espionage, often targeting financial institutions and cryptocurrency exchanges.30 Their use of this zero-day suggests it is being incorporated into targeted and complex attack campaigns against potentially high-value organizations. This is not just opportunistic exploitation; it implies a calculated use by a resourceful adversary.
  Furthermore, afd.sys has been a consistent target for privilege escalation vulnerabilities. CVE-2025-32709 is the third such EoP flaw in AFD to be abused within the span of a year, following CVE-2024-38193 and CVE-2025-21418.3 As afd.sys is the kernel entry point for the WinSock API 33, gaining SYSTEM privileges through its compromise offers attackers powerful capabilities. This could include manipulating network traffic at a low level, bypassing host-based firewalls, or installing persistent network-related implants or rootkits. The recurring nature of EoP flaws in afd.sys indicates that attackers are actively probing this driver, likely due to the strategic advantages that kernel-level control over networking provides.
• MITRE ATT&CK Mapping:

• Tactic: Privilege Escalation (TA0004)

• Technique: T1068 – Exploitation for Privilege Escalation.8

• Given the involvement of the Lazarus Group 29, their broader Tactics, Techniques, and Procedures (TTPs) become relevant for post-escalation activities. These may include 30:

• Tactic: Defense Evasion (TA0005) (e.g., T1070 – Indicator Removal on Host, T1562.001 – Disable or Modify Tools)
• Tactic: Credential Access (TA0006) (e.g., T1003 – OS Credential Dumping)
• Tactic: Lateral Movement (TA0008) (e.g., T1021.001 – Remote Desktop Protocol)
• Tactic: Impact (TA0040) (e.g., T1486 – Data Encrypted for Impact, T1489 – Service Stop, particularly if financial disruption or data destruction is the goal).

D. CVE-2025-30397: Microsoft Windows Scripting Engine Type Confusion (Remote Code Execution)

• Scope & Prevalence:
  This vulnerability affects the Microsoft Windows Scripting Engine.1 This engine is a legacy component historically associated with Internet Explorer for processing scripts (like JScript and VBScript). While Internet Explorer is largely deprecated, the scripting engine remains relevant due to its use in Internet Explorer (IE) Mode within the Microsoft Edge browser, which allows organizations to run legacy web applications that require IE compatibility. The vulnerability impacts a very broad range of Windows client and server operating systems because the scripting engine, though old, is still a present component.35 Affected versions include Windows 10 (1507, 1607, 1809, 21H2, 22H2), Windows 11 (22H2, 23H2, 24H2), and various Windows Server editions from 2008 SP2 up to Server 2025.35
• Risk Profile & Exploitability:
  CVE-2025-30397 is a type confusion vulnerability, categorized under CWE-843 (Access of Resource Using Incompatible Type).1 Type confusion occurs when a program allocates or initializes a resource (like a pointer or object) using one type but later accesses that resource using a different, incompatible type. This can lead to memory corruption as the program misinterprets the structure and contents of the memory, potentially allowing an attacker to control execution flow.
  The attack vector is network (AV:N), meaning the exploit can originate from a remote source.34 No prior privileges (PR:N) are required on the target system for an attacker to attempt exploitation.34 However, user interaction (UI:R) is required; the attacker must entice a victim to open a specially crafted URL.1 This typically involves social engineering tactics such as phishing emails or directing users to malicious websites (drive-by downloads). A crucial condition for exploitation is that the target user must be using Microsoft Edge in Internet Explorer (IE) mode.7
  Successful exploitation allows an attacker to execute arbitrary code remotely within the security context of the current user.1 If the compromised user account has administrative privileges, the attacker could gain full system control, enabling them to install malware, steal sensitive data, modify system configurations, and move laterally across the network.3
  This vulnerability is being actively exploited in the wild as a zero-day.3 It was discovered by Microsoft’s own threat intelligence team.3 While some sources indicate a public exploit exists 34, others suggest a PoC has not been publicly disclosed 36; active exploitation by threat actors is certain, but the public availability of an exploit is less clear. The CVSS v3.1 base score is 7.5 (High).3
  The dependency on IE Mode for exploitation is a critical factor. While this might narrow the overall attack surface compared to a vulnerability affecting all Edge or Chrome users, it presents a significant and targeted risk for organizations that still rely on IE Mode for compatibility with legacy web applications. These organizations become prime candidates for attackers leveraging this flaw. This scenario highlights the security debt incurred by maintaining compatibility with outdated technologies.
  The requirement for user interaction—specifically, luring a user to click a malicious URL—means that phishing campaigns and other social engineering techniques are essential precursors to successful exploitation. This underscores the human element in the attack chain. Even with a technical vulnerability present, the attack often hinges on a user’s action, making security awareness training and robust email/web filtering critical defensive layers.
• MITRE ATT&CK Mapping:

• Tactic: Initial Access (TA0001)

• Technique: T1189 – Drive-by Compromise. (Exploitation via a malicious website or URL).
• Technique: T1204 – User Execution

• Sub-technique: T1204.001 – Malicious Link. (User clicks a specially crafted URL delivered via email or other means).

• Tactic: Execution (TA0002)

• Technique: T1203 – Exploitation for Client Execution. (Exploiting the scripting engine vulnerability in the browser).
• If the exploit leverages specific scripting capabilities post-compromise: Technique: T1059 – Command and Scripting Interpreter.

E. CVE-2025-32706: Windows Common Log File System (CLFS) Driver Elevation of Privilege (Heap Overflow)

• Scope & Prevalence:
  This vulnerability, like CVE-2025-32701, targets the Windows Common Log File System (CLFS) Driver (clfs.sys).1 Given its impact on a core Windows logging component, it affects a wide array of Windows client and server operating systems.42 The list of affected versions is extensive, including Windows 10 (1507, 1607, 1809, 21H2, 22H2), Windows 11 (22H2, 23H2, 24H2), Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025.42 This broad scope indicates a significant number of systems are potentially vulnerable.
• Risk Profile & Exploitability:
  CVE-2025-32706 is a heap-based buffer overflow (CWE-122), which stems from improper input validation (CWE-20) within the CLFS driver.1 Attackers can exploit this by providing carefully crafted input data to the CLFS driver, causing it to write beyond the allocated buffer on the heap. This overwrites adjacent memory, which can be leveraged to corrupt critical data structures or redirect code execution.
  The attack vector is local (AV:L), meaning an attacker must have already gained initial access to the system.41 The exploit requires low privileges (PR:L) and does not need any user interaction (UI:N) to be triggered.41
  Successful exploitation allows an authorized attacker to escalate their privileges to SYSTEM level.1 Beyond gaining full control, a particularly concerning aspect of this vulnerability is that its successful exploitation could hamper forensic investigation after a breach.1 By compromising the CLFS driver itself, attackers might be able to manipulate or erase logs, or interfere with logging mechanisms, thus obscuring their activities. It could also allow attackers to bypass vital security controls.
  This vulnerability is actively being exploited in the wild as a zero-day.3 It was discovered through the collaborative efforts of Benoit Sevens from Google’s Threat Analysis Group and the CrowdStrike Advanced Research Team.3 While some sources suggest a public exploit exists 41, others indicate no public PoC has been confirmed 45; active exploitation by threat actors is definite. The CVSS v3.1 base score is 7.8 (High).3
  The fact that CISA’s alert includes two distinct CLFS zero-days (this one, CVE-2025-32706, a heap overflow, and CVE-2025-32701, a use-after-free) both actively exploited for privilege escalation, dramatically amplifies the risk associated with this Windows component. It suggests that attackers have developed multiple sophisticated methods to achieve the same critical objective (SYSTEM privileges) by targeting CLFS. This implies a rich and vulnerable attack surface within CLFS that is consistently yielding exploitable flaws for various attacker groups.
  The warning that exploitation could “hamper forensic investigation” 1 is a significant secondary effect. If attackers can compromise the Common Log File System at the kernel level, they are in an ideal position to manipulate the very logs that CLFS is designed to manage, or even disable logging functionalities at a fundamental level. This moves beyond simple privilege escalation; it’s an assault on the integrity of the evidentiary trail, making post-exploitation detection and attribution considerably more difficult.
• MITRE ATT&CK Mapping:

• Tactic: Privilege Escalation (TA0004)

• Technique: T1068 – Exploitation for Privilege Escalation.8

• Tactic: Defense Evasion (TA0005)

• Technique: T1070.001 – Clear Windows Event Logs (Implied by the potential to “hamper forensic investigation” through compromise of the CLFS driver 1).
• Technique: T1562.001 – Disable or Modify Tools (Attackers achieving SYSTEM privileges can disable or tamper with security software).

III. Real-World Impact & Targeted Sectors

The active exploitation of these five zero-day vulnerabilities signifies ongoing, real-world attacks.1 For four of the CVEs (CVE-2025-30400, CVE-2025-32701, CVE-2025-32709, CVE-2025-32706), the primary impact is privilege escalation to SYSTEM or administrator levels. This level of access effectively gives attackers complete control over a compromised machine, enabling actions such as ransomware deployment, sensitive data exfiltration, lateral movement within the victim’s network, and the establishment of persistent backdoors.1 The fifth vulnerability, CVE-2025-30397 (Scripting Engine RCE), provides a potential initial access vector, provided the specific conditions of IE Mode usage and user interaction are met.34

The fact that these are “known exploited” vulnerabilities changes the dynamic for defenders. It’s no longer a question of if these flaws can be exploited, but rather acknowledging that they are being exploited. This status should drive immediate prioritization for patching and heighten incident response preparedness. If an organization discovers evidence of these CVEs being exploited on their network, it’s a confirmed breach, not merely a vulnerability scan finding.

• Targeted Industries – Inferences and Knowns:
  While specific, widespread campaigns targeting particular industries for all five CVEs are not fully detailed in the available information, clear patterns and direct attributions allow for strong inferences:

• Financial Sector & Cryptocurrency Exchanges: The confirmed exploitation of CVE-2025-32709 (AFD EoP) by the Lazarus Group makes financial institutions and cryptocurrency-related entities prime targets.29 Lazarus Group has a well-documented history of targeting this sector for large-scale financial theft.
• Information Technology, Financial Services, Real Estate: Previous exploitation of CLFS vulnerabilities (like CVE-2025-29824, which is analogous in component to CVE-2025-32701 and CVE-2025-32706) by ransomware operators such as RansomEXX (associated with Storm-2460) and Play (associated with Balloonfly) has specifically impacted these sectors in the U.S., Venezuela, and Saudi Arabia.3 This history strongly suggests that these sectors remain at high risk from attacks leveraging the current CLFS EoP flaws, likely for ransomware deployment.
• Organizations Dependent on Internet Explorer Mode: CVE-2025-30397 (Scripting Engine RCE) poses a direct threat to any organization still using IE Mode in Microsoft Edge for legacy web applications.18 This dependency can be found across various sectors, including government, healthcare, manufacturing, and finance, where older internal applications might not have been modernized.
• Broad Risk to All Windows Users: Given that these vulnerabilities affect core Windows components present in numerous versions of the operating system, virtually any industry using Windows systems is at potential risk. The privilege escalation vulnerabilities are particularly dangerous once any initial foothold is gained, regardless of the industry. Organizations with slower patching cadences or gaps in their defense-in-depth strategies are at increased risk.

• Why These Industries?

• Financial Sector: The motivation is often direct financial gain through theft or extortion via ransomware. APT groups like Lazarus have demonstrated sophisticated capabilities in this area.30
• Information Technology: Compromising IT service providers or software companies can enable supply chain attacks, providing access to a much wider array of downstream victims.
• Real Estate: This sector may hold sensitive financial and personal data and could be perceived by attackers as having less mature cybersecurity defenses compared to, for example, large financial institutions, making them attractive targets for ransomware.
• Critical Infrastructure: While not explicitly named for these specific May 2025 CVEs, ransomware groups frequently target critical infrastructure sectors. The CLFS exploits, by facilitating privilege escalation, are key enablers for such disruptive attacks.19

• Urgency & Real-World Cases:
  The highest level of urgency is warranted because all five CVEs were confirmed to be actively exploited in the wild before Microsoft released patches.1 Their inclusion in CISA’s KEV catalog 2, with a remediation deadline of June 3, 2025, for U.S. federal agencies, further underscores the confirmed threat and provides a tangible timeline for action that all organizations should consider. Patch adoption rates in the days and weeks following the May 2025 Patch Tuesday will be critical, as attackers historically move quickly to exploit newly disclosed vulnerabilities against still-unpatched systems.
  While specific, named high-profile incidents directly attributed to these exact five CVEs are not yet detailed beyond the general “active exploitation” status, the strong linkage of similar past CLFS vulnerabilities to significant ransomware campaigns (Play, RansomEXX) 3 serves as a potent indicator of the potential for severe operational and financial impact. The confirmed involvement of the Lazarus Group with CVE-2025-32709 29 also implies that sophisticated, targeted attacks are currently underway.
  The nature of these vulnerabilities, particularly the four EoP flaws, points to their likely use in chained attacks. These EoP vulnerabilities are most potent when combined with an initial access vector. The RCE vulnerability (CVE-2025-30397) can serve as that initial access, but it has specific preconditions. Attackers are almost certainly using these EoP flaws in conjunction with other vulnerabilities, phishing campaigns, or stolen credentials to achieve full system compromise. Therefore, defenses must be multi-layered, focusing on preventing initial access as much as patching these specific EoP flaws.
  The convergence of TTPs between financially motivated cybercrime groups and sophisticated APTs is also evident. The fact that a major APT like Lazarus Group is exploiting one of these zero-days (CVE-2025-32709), while ransomware groups are highly likely to be leveraging the CLFS EoP flaws (CVE-2025-32701, CVE-2025-32706), demonstrates that diverse threat actors are quick to adopt effective exploits for critical Windows components. This means organizations cannot assume they are safe from one type of actor if they are vulnerable; a widely exploitable zero-day can be utilized by various groups with differing end goals.

IV. Comprehensive Defense: Mitigation and Detection Strategies

A multi-faceted approach is essential to defend against these actively exploited zero-day vulnerabilities. This includes immediate patching, implementing compensating controls where patching is delayed, enhancing detection capabilities, and reinforcing user awareness.

• A. Immediate Patching – The First Line of Defense:
  The most critical action is to apply the May 2025 security updates released by Microsoft, as these updates address all five zero-day vulnerabilities.1 Given the active exploitation status, these patches must be prioritized for deployment. Organizations should follow their standard patching and testing procedures but aim to expedite the rollout for these specific updates.14 The CISA directive requiring federal agencies to apply mitigations by June 3, 2025, per Binding Operational Directive (BOD) 22-01, serves as a strong benchmark for all entities.1
• B. Compensating Controls & Workarounds (If Patching is Delayed):
  While patching is paramount, some compensating controls can be considered if immediate deployment is not feasible:

• For CVE-2025-30397 (Scripting Engine RCE):

• The primary workaround is to disable or severely restrict the use of Internet Explorer (IE) mode in Microsoft Edge, especially if it’s not essential for business-critical applications.4 This is a key mitigating factor as the known exploit path relies on IE Mode.7
• For organizations where IE Mode is indispensable, it is crucial to accelerate migration plans for legacy applications that necessitate its use.4

• For General EoP Vulnerabilities (CVE-2025-30400, CVE-2025-32701, CVE-2025-32709, CVE-2025-32706):

• Strictly enforce the principle of least privilege for all user accounts. While this will not prevent an attacker who has already gained low-privilege access from attempting to exploit these EoP flaws, it can limit the initial actions an unprivileged account can perform and potentially slow down an attacker.29
• Where possible, restrict access to highly sensitive systems. However, this is challenging for vulnerabilities in ubiquitous OS components.4
• Specifically for CVE-2025-32706 (CLFS EoP heap overflow), if patching is significantly delayed, organizations could consider restricting write permissions to the %SystemRoot%\System32\LogFiles\CLFS directory and closely auditing logs for any unauthorized modifications or access attempts.22 This is a temporary measure and may have operational impacts.

• Product Discontinuation (Extreme Cases): CISA advises that if effective mitigations are unavailable, organizations should consider discontinuing the use of the affected products until a fix can be applied.1 This is a drastic step usually reserved for situations where no other viable mitigation exists and the risk is exceptionally high.

• C. Detection Guidance & Endpoint Monitoring:
  Effective detection relies on robust endpoint monitoring and behavioral analysis, as signature-based detection for kernel-level exploits can be challenging.

• General EDR/Endpoint Monitoring Recommendations:

• Continuously monitor for unusual system activity, particularly processes attempting to elevate privileges, execute unexpected commands, or make suspicious API calls.4
• Scrutinize anomalous parent-child process relationships. For instance, cmd.exe or powershell.exe spawning from unexpected critical system processes like winlogon.exe or services.exe could be an indicator of successful exploitation, particularly for CLFS flaws like CVE-2025-32706.22
• Leverage Endpoint Detection and Response (EDR) solutions to identify behavioral patterns associated with use-after-free 46, type confusion 48, and heap-based buffer overflow exploits.50 However, generic queries for these complex bug classes often require tuning and may be less effective without specific Indicators of Compromise (IOCs) or highly specific behavioral rules.

• Specifics for CVE-2025-30400 (DWM Core Library EoP):

• Monitor for anomalous behavior related to dwm.exe (Desktop Window Manager). This could include unexpected crashes of dwm.exe followed by suspicious activity, or other processes injecting into or manipulating dwm.exe in unusual ways, especially if followed by privilege escalation. (General inference, as specific EDR queries beyond highlighting exploitation 3 are not provided).

• Specifics for CVE-2025-32701 & CVE-2025-32706 (CLFS Driver EoP):

• Monitor for anomalous interactions between svchost.exe (Service Host process, which hosts many system services) and clfs.sys.21
• Audit system logs for unexpected or suspicious CLFS API usage patterns, such as frequent calls to CreateLogFile or AddLogContainer by non-standard processes or in unusual sequences.21
• Look for unexpected modifications to log files within CLFS-managed directories or attempts to inject code into SYSTEM-level processes originating from CLFS activity.22
• Given that CLFS exploits can potentially undermine forensic data 1, ensuring that EDR and critical system logs are streamed to a secure, off-host SIEM in real-time is vital for preserving evidence.

• Specifics for CVE-2025-32709 (AFD WinSock EoP):

• Monitor for suspicious local privilege escalation attempts that involve afd.sys or unusual network socket operations initiated by low-privilege processes that then gain higher privileges.29 (General inference based on AFD’s function in networking 33).
• Due to the Lazarus Group’s involvement 29, organizations in potentially targeted sectors (e.g., finance, cryptocurrency) should proactively hunt for broader TTPs associated with this APT group following any signs of privilege escalation.

• Specifics for CVE-2025-30397 (Scripting Engine RCE):

• Monitor for Microsoft Edge processes (msedge.exe) that spawn child iexplore.exe processes (indicative of IE Mode) which then access unusual URLs or exhibit suspicious network behavior or file system activity.7
• Implement robust web filtering to block known malicious URLs and categorize untrusted websites.
• Utilize advanced endpoint protection solutions capable of inspecting browser activity and detecting/blocking exploit attempts originating from web content.36

• IDS/IPS Rules:

• While specific IDS/IPS rules for these zero-days are not detailed in the provided information, general network security monitoring may detect some aspects. For CVE-2025-30397 (RCE), IDS/IPS systems might identify malicious script patterns or connections to known command-and-control servers if the crafted URL is delivered via network channels. For the local EoP flaws, IDS/IPS visibility is limited unless the exploit involves subsequent network communication for staging payloads or C2.

• D. User Training & Awareness:

• Phishing and Malicious Links: This is particularly crucial for mitigating the risk from CVE-2025-30397, which relies on a user clicking a specially crafted URL.1 Organizations must continuously train users to identify and avoid suspicious emails, messages, and links, especially those that might prompt opening content in a browser or specifically in IE Mode.
• Reporting Suspicious Activity: Foster a security-aware culture where users feel empowered and are encouraged to promptly report any suspicious emails, browser behavior, or system anomalies to the security team.

• E. Adherence to CISA’s Binding Operational Directive (BOD) 22-01:
  While BOD 22-01 is a directive for U.S. federal agencies, its principles offer a strong framework for all organizations to effectively manage known exploited vulnerabilities. It emphasizes the importance of timely patching, risk assessment, and mitigation.1
  The difficulty in reliably detecting kernel-level exploits once initial access is achieved underscores a critical point: prevention through patching is by far the most effective defense against these types of threats. Detection often shifts to post-exploitation behavioral anomalies, which means the attacker has already achieved a significant objective.
  For CVE-2025-30397, the reliance on IE Mode creates a “legacy trap.” Organizations using it due to critical old applications face a persistent risk. Attackers are aware of this dependency and will continue to target such legacy components because they know some organizations cannot easily disable them. The long-term solution is application modernization, but short-term, these organizations need heightened vigilance, strict controls around IE Mode usage, and targeted user training.
  The CLFS driver vulnerabilities (especially CVE-2025-32706) introduce another layer of concern: the potential for the exploit to directly undermine forensic investigations by allowing attackers to tamper with logs.1 This necessitates a defense strategy that includes robust, tamper-evident logging solutions, such as shipping logs to a secure, centralized, and immutable storage system.

V. Key Takeaways & Actionable Recommendations for Security Briefings

The emergence of these five actively exploited zero-day vulnerabilities demands immediate and coordinated action from security teams and leadership.

• Immediate, Coordinated Threat: Five distinct Windows zero-day vulnerabilities—CVE-2025-30400 (DWM Core Library EoP), CVE-2025-32701 (CLFS Driver EoP), CVE-2025-32709 (AFD WinSock EoP), CVE-2025-30397 (Scripting Engine RCE), and CVE-2025-32706 (CLFS Driver EoP)—are confirmed to be actively exploited in ongoing attacks. This situation requires urgent and prioritized attention.1
• Critical Impact – Privilege Escalation and Remote Code Execution: The majority of these flaws (four out of five) allow attackers who have already gained an initial foothold on a system to escalate their privileges to SYSTEM or Administrator levels. This grants them complete control over the compromised machine. The fifth vulnerability (CVE-2025-30397) enables Remote Code Execution if users operating in Internet Explorer Mode are lured into clicking malicious links, providing a potential entry point for attackers.1
• Patch Now – Non-Negotiable Priority: Microsoft released patches for all five vulnerabilities in its May 2025 security updates. The immediate deployment of these patches is the single most effective defense. CISA has set a deadline of June 3, 2025, for U.S. federal agencies to apply these mitigations; this timeline should serve as a benchmark for all organizations to expedite their patching processes.2
• Recurring Weaknesses in Core Components: Key Windows components such as the Desktop Window Manager (DWM), Common Log File System (CLFS), and Ancillary Function Driver (AFD) are proving to be recurrent targets for attackers. The CLFS driver, in particular, has become a favored target for ransomware groups seeking to escalate privileges for broader impact. Organizations should anticipate future vulnerabilities in these areas and bolster defenses accordingly.3
• Diverse Threat Actors – Nation-State and Cybercrime: The sophisticated APT group Lazarus is confirmed to be exploiting CVE-2025-32709. Concurrently, ransomware operators are highly likely to be leveraging the CLFS vulnerabilities. This indicates that a diverse range of capable adversaries are actively weaponizing these flaws.3

The attacker’s toolkit is evolving rapidly, often outpacing traditional defensive patching cycles. The zero-day nature of these vulnerabilities means attackers possessed and used these exploits before patches were available. While patching is a critical and immediate necessity, a security strategy reliant solely on patching is insufficient. Robust detection of anomalous behavior, rapid and practiced incident response, and proactive threat hunting are essential elements of a resilient cybersecurity posture.

Furthermore, the interconnectedness of these vulnerabilities must be understood. The Elevation of Privilege flaws become significantly more dangerous when chained with an initial access vector. Conversely, the Remote Code Execution vulnerability (CVE-2025-30397) serves as a potential gateway to exploit these EoP flaws. Security assessments and defensive strategies must consider these chained attack scenarios, rather than viewing each CVE in isolation.

• Actionable Recommendations:

1. Patch Urgently and Comprehensively: Deploy the May 2025 Microsoft security updates across all affected Windows systems as the top priority. Verify successful patch installation.
2. Review and Restrict Internet Explorer Mode Usage: In response to CVE-2025-30397, conduct an immediate assessment of IE Mode usage within Microsoft Edge. Disable or strictly limit its use to only essential legacy applications. Accelerate plans to migrate away from IE-dependent applications.4
3. Enhance Endpoint and Network Monitoring: Focus EDR and SIEM detection capabilities on:

• Anomalous behaviors related to dwm.exe, clfs.sys (paying close attention to svchost.exe interactions and unusual CLFS API calls such as CreateLogFile), and afd.sys.21
• Suspicious processes (e.g., cmd.exe, powershell.exe) spawning from critical system processes like winlogon.exe, which could indicate CLFS exploitation.22
• For organizations in sectors targeted by the Lazarus Group, proactively hunt for TTPs associated with this actor, especially if CVE-2025-32709 is a concern.

1. Reinforce User Awareness Training: Conduct immediate refreshers on identifying and reporting phishing attempts and malicious links. This is particularly vital for users who may operate applications in IE Mode, given the exploit mechanism of CVE-2025-30397.4
2. Enforce Principle of Least Privilege: Rigorously apply and audit least privilege access controls for all user and service accounts to limit the potential impact should an attacker gain initial access.29
3. Review and Test Incident Response Plan: Ensure the organization’s incident response plan is up-to-date and specifically addresses scenarios involving rapid privilege escalation and potential tampering with forensic evidence (particularly relevant for CLFS exploits).1 Conduct tabletop exercises or simulations if possible.
4. Secure Logging Infrastructure: Given the potential for CLFS exploits to hamper forensic investigations, ensure critical system and security logs are aggregated to a secure, centralized, and preferably immutable logging solution (SIEM) in real-time.

VI. References

• https://www.redlegg.com/blog/critical-vulnerability-patch-tuesday-may-2025-0 4
• https://thehackernews.com/2025/05/microsoft-fixes-78-flaws-5-zero-days.html 3
• https://www.wiz.io/vulnerability-database/cve/cve-2025-30400 6
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30400 54
• https://gbhackers.com/cisa-alerts-on-five-active-zero-day-windows-vulnerabilities/ 1
• https://www.cvedetails.com/cve/CVE-2025-30400/ 2
• https://securityvulnerability.io/vulnerability/CVE-2025-32701 12
• https://arcticwolf.com/resources/blog/microsoft-patch-tuesday-may-2025/ 14
• https://nvd.nist.gov/vuln/detail/cve-2025-32701 11
• https://www.sans.org/newsletters/at-risk/xxv-2/ 56
• https://www.cvedetails.com/cve/CVE-2025-32701/ 13
• https://www.wiz.io/vulnerability-database/cve/cve-2025-32701 10
• (https://www.cve.org/CVERecord?id=CVE-2025-32709) 26
• https://www.cvedetails.com/cve/CVE-2025-32709/ 24
• (https://nvd.nist.gov/vuln/detail/CVE-2025-32709/change-record?changeRecordedOn=05/16/2025T12:29:34.783-0400) 25
• https://nvd.nist.gov/vuln/detail/CVE-2025-30397 37
• https://www.wiz.io/vulnerability-database/cve/cve-2025-32709 23
• https://www.tenable.com/cve/CVE-2025-32709 28
• https://access.redhat.com/security/cve/cve-2025-30397 57
• (https://www.cve.org/CVERecord?id=CVE-2025-30397) 38
• https://nvd.nist.gov/vuln/detail/cve-2025-30379 58
• https://nvd.nist.gov/vuln/detail/CVE-2024-30397 59
• https://www.wiz.io/vulnerability-database/cve/cve-2025-30397 34
• https://www.cvedetails.com/cve/CVE-2025-30397/ 35
• https://access.redhat.com/security/cve/cve-2025-32706 60
• (https://www.cve.org/CVERecord?id=CVE-2025-32706) 43
• (https://nvd.nist.gov/vuln/detail/CVE-2025-32706/change-record?changeRecordedOn=05/16/2025T12:25:33.433-0400) 61
• https://cvepremium.circl.lu/vuln/CVE-2025-32706 62
• https://www.cvedetails.com/cve/CVE-2025-32706/ 42
• https://www.wiz.io/vulnerability-database/cve/cve-2025-32706 41
• https://nvd.nist.gov/vuln/detail/CVE-2025-30400 5
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32701 63
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32709 64
• https://nvd.nist.gov/vuln/detail/CVE-2025-32709 27
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-30397 65
• https://attackerkb.com/topics/PPsWQu3kq3/cve-2025-30397 39
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32706 66
• https://nvd.nist.gov/vuln/detail/CVE-2025-32706 44
• https://www.tenable.com/blog/microsofts-may-2025-patch-tuesday-addresses-71-cves-cve-2025-32701-cve-2025-32706 7
• https://krebsonsecurity.com/tag/cve-2025-32701/ 67
• https://feedly.com/cve/CVE-2025-32709 29
• https://feedly.com/cve/CVE-2025-30397 36
• https://www.reddit.com/r/crowdstrike/comments/1knuyrv/does_cs_detect_exploitation_of_cve202530397_if/ 40
• https://feedly.com/cve/CVE-2025-32706 45
• https://www.crn.com/news/security/2025/microsoft-patch-tuesday-release-fixes-unusual-number-of-office-bugs-researcher 68
• https://www.hipaajournal.com/windows-clfs-flaw-being-actively-exploited-by-ransomware-group/ 15
• https://www.cybersecuritydive.com/news/windows-clfs-zero-day-exploited-ransomware/744878/ 16
• https://www.ibm.com/think/x-force/patch-tuesday-exploit-wednesday-pwning-windows-ancillary-function-driver-winsock 33
• https://www.avertium.com/flash-notices/actively-exploited-windows-zero-days 32
• https://www.scworld.com/news/microsoft-fixes-75-vulnerabilities-11-critical-in-may-patch-tuesday 17
• https://www.helpnetsecurity.com/2025/05/13/patch-tuesday-microsoft-fixes-5-actively-exploited-zero-days/ 18
• https://www.techrepublic.com/article/news-microsoft-patch-tuesday-may-2025/ 69
• https://outpost24.com/blog/microsoft-patch-tuesday-may-2025/ 70
• https://www.hipaajournal.com/microsoft-fortinet-ivanti-active-exploitation-vulnerabilities/ 71
• https://krebsonsecurity.com/2025/05/patch-tuesday-may-2025-edition/ 72
• https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-may-2025/ 73
• (https://attack.mitre.org/techniques/T1068/) 8
• (https://center-for-threat-informed-defense.github.io/mappings-explorer/attack/attack-10.1/domain-enterprise/techniques/T1068/) 9
• https://www.tripwire.com/state-of-security/may-2025-patch-tuesday-analysis 52
• https://zeropath.com/blog/windows-clfs-zero-day-cve-2025-32701 21
• https://zeropath.com/blog/windows-clfs-driver-cve-2025-32706 22
• https://www.huntandhackett.com/blog/improving_afd_socket_visibility 53
• https://learn.snyk.io/lesson/use-after-free/ 46
• https://www.fortect.com/how-to-guides/use-after-free/ 47
• https://www.oligo.security/blog/airborne 48
• (https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-41033.html) 49
• https://whiteknightlabs.com/2025/03/31/windows-kernel-buffer-overflow/ 50
• https://www.geeksforgeeks.org/buffer-overflow-attack-with-example/ 51
• https://www.vectra.ai/threat-hunting/threat-actors/lazarus 30
• https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations 31
• https://www.security.com/threat-intelligence/play-ransomware-zero-day 19
• https://www.securityweek.com/second-ransomware-group-caught-exploiting-windows-flaw-as-zero-day/ 20
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30400 74
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32701 75
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32709 76
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397 77
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32706 78

Works cited

1. CISA Alerts on Five Active Zero-Day Windows Vulnerabilities Being …, accessed May 18, 2025, https://gbhackers.com/cisa-alerts-on-five-active-zero-day-windows-vulnerabilities/
2. CVE-2025-30400 : Use after free in Windows DWM allows an …, accessed May 18, 2025, https://www.cvedetails.com/cve/CVE-2025-30400/
3. Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server – The Hacker News, accessed May 18, 2025, https://thehackernews.com/2025/05/microsoft-fixes-78-flaws-5-zero-days.html
4. Patch Tuesday – May 2025 – RedLegg, accessed May 18, 2025, https://www.redlegg.com/blog/critical-vulnerability-patch-tuesday-may-2025-0
5. CVE-2025-30400 Detail – NVD, accessed May 18, 2025, https://nvd.nist.gov/vuln/detail/CVE-2025-30400
6. CVE-2025-30400 Impact, Exploitability, and Mitigation Steps | Wiz, accessed May 18, 2025, https://www.wiz.io/vulnerability-database/cve/cve-2025-30400
7. Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE …, accessed May 18, 2025, https://www.tenable.com/blog/microsofts-may-2025-patch-tuesday-addresses-71-cves-cve-2025-32701-cve-2025-32706
8. Exploitation for Privilege Escalation, Technique T1068 – Enterprise | MITRE ATT&CK®, accessed May 18, 2025, https://attack.mitre.org/techniques/T1068/
9. ATT&CK Technique T1068 – Mappings Explorer – GitHub Pages, accessed May 18, 2025, https://center-for-threat-informed-defense.github.io/mappings-explorer/attack/attack-10.1/domain-enterprise/techniques/T1068/
10. CVE-2025-32701 Impact, Exploitability, and Mitigation Steps | Wiz, accessed May 18, 2025, https://www.wiz.io/vulnerability-database/cve/cve-2025-32701
11. cve-2025-32701 – NVD, accessed May 18, 2025, https://nvd.nist.gov/vuln/detail/cve-2025-32701
12. Elevation of Privilege Vulnerability in Windows Common Log File System Driver CVE-2025-32701, accessed May 18, 2025, https://securityvulnerability.io/vulnerability/CVE-2025-32701
13. CVE-2025-32701 : Use after free in Windows Common Log File System Driver allows an authorized att – CVE Details, accessed May 18, 2025, https://www.cvedetails.com/cve/CVE-2025-32701/
14. Microsoft Patch Tuesday: May 2025 – Arctic Wolf, accessed May 18, 2025, https://arcticwolf.com/resources/blog/microsoft-patch-tuesday-may-2025/
15. Windows CLFS Flaw Being Actively Exploited by Ransomware Group, accessed May 18, 2025, https://www.hipaajournal.com/windows-clfs-flaw-being-actively-exploited-by-ransomware-group/
16. Windows CLFS zero-day exploited in ransomware attacks – Cybersecurity Dive, accessed May 18, 2025, https://www.cybersecuritydive.com/news/windows-clfs-zero-day-exploited-ransomware/744878/
17. Microsoft fixes 75 vulnerabilities, 11 critical, in May Patch Tuesday …, accessed May 18, 2025, https://www.scworld.com/news/microsoft-fixes-75-vulnerabilities-11-critical-in-may-patch-tuesday
18. Patch Tuesday: Microsoft fixes 5 actively exploited zero-days – Help …, accessed May 18, 2025, https://www.helpnetsecurity.com/2025/05/13/patch-tuesday-microsoft-fixes-5-actively-exploited-zero-days/
19. Ransomware Attackers Leveraged Privilege Escalation Zero-day, accessed May 18, 2025, https://www.security.com/threat-intelligence/play-ransomware-zero-day
20. Second Ransomware Group Caught Exploiting Windows Flaw as Zero-Day – SecurityWeek, accessed May 18, 2025, https://www.securityweek.com/second-ransomware-group-caught-exploiting-windows-flaw-as-zero-day/
21. Windows CLFS Driver Zero-Day CVE-2025-32701: Privilege Escalation in the Wild, accessed May 18, 2025, https://zeropath.com/blog/windows-clfs-zero-day-cve-2025-32701
22. Windows CLFS Driver Strikes Again: Privilege Escalation via CVE-2025-32706 – ZeroPath, accessed May 18, 2025, https://zeropath.com/blog/windows-clfs-driver-cve-2025-32706
23. CVE-2025-32709 Impact, Exploitability, and Mitigation Steps | Wiz, accessed May 18, 2025, https://www.wiz.io/vulnerability-database/cve/cve-2025-32709
24. CVE-2025-32709 : Use after free in Windows Ancillary Function …, accessed May 18, 2025, https://www.cvedetails.com/cve/CVE-2025-32709/
25. Vulnerability Change Records for CVE-2025-32709 – NVD, accessed May 18, 2025, https://nvd.nist.gov/vuln/detail/CVE-2025-32709/change-record?changeRecordedOn=05/16/2025T12:29:34.783-0400
26. CVE Record: CVE-2025-32709 – Microsoft Corporation, accessed May 18, 2025, https://www.cve.org/CVERecord?id=CVE-2025-32709
27. CVE-2025-32709 Detail – NVD, accessed May 18, 2025, https://nvd.nist.gov/vuln/detail/CVE-2025-32709
28. CVE-2025-32709 | Tenable®, accessed May 18, 2025, https://www.tenable.com/cve/CVE-2025-32709
29. CVE-2025-32709 – Exploits & Severity – Feedly, accessed May 18, 2025, https://feedly.com/cve/CVE-2025-32709
30. Is Your Organization Safe from Lazarus Attacks? – Vectra AI, accessed May 18, 2025, https://www.vectra.ai/threat-hunting/threat-actors/lazarus
31. A Look into the Lazarus Group’s Operations | Trend Micro (US), accessed May 18, 2025, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations
32. Flash Notice: Actively Exploited Windows Zero-Days – Avertium, accessed May 18, 2025, https://www.avertium.com/flash-notices/actively-exploited-windows-zero-days
33. Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours | IBM, accessed May 18, 2025, https://www.ibm.com/think/x-force/patch-tuesday-exploit-wednesday-pwning-windows-ancillary-function-driver-winsock
34. CVE-2025-30397 Impact, Exploitability, and Mitigation Steps | Wiz, accessed May 18, 2025, https://www.wiz.io/vulnerability-database/cve/cve-2025-30397
35. CVE-2025-30397 : Access of resource using incompatible type …, accessed May 18, 2025, https://www.cvedetails.com/cve/CVE-2025-30397/
36. CVE-2025-30397 – Exploits & Severity – Feedly, accessed May 18, 2025, https://feedly.com/cve/CVE-2025-30397
37. CVE-2025-30397 Detail – NVD, accessed May 18, 2025, https://nvd.nist.gov/vuln/detail/CVE-2025-30397
38. CVE-2025-30397 – CVE Record, accessed May 18, 2025, https://www.cve.org/CVERecord?id=CVE-2025-30397
39. CVE-2025-30397 | AttackerKB, accessed May 18, 2025, https://attackerkb.com/topics/PPsWQu3kq3/cve-2025-30397
40. Does CS detect exploitation of CVE-2025-30397 if unpatched? : r …, accessed May 18, 2025, https://www.reddit.com/r/crowdstrike/comments/1knuyrv/does_cs_detect_exploitation_of_cve202530397_if/
41. CVE-2025-32706 Impact, Exploitability, and Mitigation Steps | Wiz, accessed May 18, 2025, https://www.wiz.io/vulnerability-database/cve/cve-2025-32706
42. CVE-2025-32706 : Improper input validation in Windows Common …, accessed May 18, 2025, https://www.cvedetails.com/cve/CVE-2025-32706/
43. CVE-2025-32706 – CVE Record, accessed May 18, 2025, https://www.cve.org/CVERecord?id=CVE-2025-32706
44. CVE-2025-32706 Detail – NVD, accessed May 18, 2025, https://nvd.nist.gov/vuln/detail/CVE-2025-32706
45. CVE-2025-32706 – Exploits & Severity – Feedly, accessed May 18, 2025, https://feedly.com/cve/CVE-2025-32706
46. Use after free vulnerability | Tutorial & Examples – Snyk Learn, accessed May 18, 2025, https://learn.snyk.io/lesson/use-after-free/
47. How to Detect and Fix “Use After Free” (UAF) bug on Windows – Fortect, accessed May 18, 2025, https://www.fortect.com/how-to-guides/use-after-free/
48. Airborne: Wormable Zero-Click RCE in Apple AirPlay Puts Billions of Devices at Risk | Oligo Security, accessed May 18, 2025, https://www.oligo.security/blog/airborne
49. CVE-2022-41033: Type confusion in Windows COM+ Event System Service | 0-days In-the-Wild, accessed May 18, 2025, https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-41033.html
50. Windows Kernel Buffer Overflow – White Knight Labs, accessed May 18, 2025, https://whiteknightlabs.com/2025/03/31/windows-kernel-buffer-overflow/
51. Buffer Overflow Attack with Example – GeeksforGeeks, accessed May 18, 2025, https://www.geeksforgeeks.org/buffer-overflow-attack-with-example/
52. May 2025 Patch Tuesday Analysis | Tripwire, accessed May 18, 2025, https://www.tripwire.com/state-of-security/may-2025-patch-tuesday-analysis
53. Improving AFD Socket Visibility for Windows Forensics & Troubleshooting – Hunt & Hackett, accessed May 18, 2025, https://www.huntandhackett.com/blog/improving_afd_socket_visibility
54. CVE-2025-30400 – Mitre, accessed May 18, 2025, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30400
55. CVE-2025-32701 Detail – NVD, accessed May 18, 2025, https://nvd.nist.gov/vuln/detail/CVE-2025-32701
56. The Consensus Security Vulnerability Alert – SANS Institute, accessed May 18, 2025, https://www.sans.org/newsletters/at-risk/xxv-2/
57. CVE-2025-30397 – Red Hat Customer Portal, accessed May 18, 2025, https://access.redhat.com/security/cve/cve-2025-30397
58. CVE-2025-30379 Detail – NVD, accessed May 18, 2025, https://nvd.nist.gov/vuln/detail/cve-2025-30379
59. CVE-2024-30397 Detail – NVD – National Institute of Standards and Technology, accessed May 18, 2025, https://nvd.nist.gov/vuln/detail/CVE-2024-30397
60. CVE-2025-32706 – Red Hat Customer Portal, accessed May 18, 2025, https://access.redhat.com/security/cve/cve-2025-32706
61. Vulnerability Change Records for CVE-2025-32706 – NVD, accessed May 18, 2025, https://nvd.nist.gov/vuln/detail/CVE-2025-32706/change-record?changeRecordedOn=05/16/2025T12:25:33.433-0400
62. cvelistv5 – CVE-2025-32706, accessed May 18, 2025, https://cvepremium.circl.lu/vuln/CVE-2025-32706
63. CVE-2025-32701 – Mitre, accessed May 18, 2025, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32701
64. CVE-2025-32709 – Mitre, accessed May 18, 2025, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32709
65. CVE-2025-30397, accessed May 18, 2025, https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-30397
66. CVE-2025-32706 – Mitre, accessed May 18, 2025, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32706
67. CVE-2025-32701 – Krebs on Security, accessed May 18, 2025, https://krebsonsecurity.com/tag/cve-2025-32701/
68. Microsoft Patch Tuesday Release Fixes ‘Unusual’ Number Of Office Bugs: Researcher, accessed May 18, 2025, https://www.crn.com/news/security/2025/microsoft-patch-tuesday-release-fixes-unusual-number-of-office-bugs-researcher
69. Patch Tuesday: Microsoft Patches 78 Vulnerabilities, 5 Zero-Day …, accessed May 18, 2025, https://www.techrepublic.com/article/news-microsoft-patch-tuesday-may-2025/
70. Microsoft Patch Tuesday – May 2025 – Outpost24, accessed May 18, 2025, https://outpost24.com/blog/microsoft-patch-tuesday-may-2025/
71. Microsoft, Fortinet & Ivanti Warn About Actively Exploited Zero Day Vulnerabilities, accessed May 18, 2025, https://www.hipaajournal.com/microsoft-fortinet-ivanti-active-exploitation-vulnerabilities/
72. Patch Tuesday, May 2025 Edition – Krebs on Security, accessed May 18, 2025, https://krebsonsecurity.com/2025/05/patch-tuesday-may-2025-edition/
73. May 2025 Patch Tuesday: Updates and Analysis | CrowdStrike, accessed May 18, 2025, https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-may-2025/
74. Security Update Guide – Microsoft Security Response Center, accessed May 18, 2025, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30400
75. Security Update Guide – Microsoft Security Response Center, accessed May 18, 2025, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32701
76. Security Update Guide – Microsoft Security Response Center, accessed May 18, 2025, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32709
77. Security Update Guide – Microsoft Security Response Center, accessed May 18, 2025, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397
78. Security Update Guide – Microsoft Security Response Center, accessed May 18, 2025, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32706

Continuing Professional Education (CPE) Credit

Earn CPE credits for reading this Security Blotter article. All Security Blotter articles that come with a Deep Dive section are eligible to earn free CPEs for you, the reader.  Our articles include all issues, incidents, and bulletins to relevant Infosec standards and best practices. We have documented your CPE submission below for your convenience and because we love you (in a platonic way).

Continuing Professional Education (CPE) Credit

Earn CPE credits for reading this Security Blotter article. This piece provides practical and technical insight into zero-day vulnerabilities, privilege escalation, and remote code execution threats targeting core Windows components. It is suitable for professionals maintaining credentials in cybersecurity, risk management, and incident response.

 

Article Overview

• Word Count: 8,707

• URL: https://securityblotter.com/windows-zero-day-may2025/

• Estimated Read Time: 44 minutes

• CPE Total: 0.75

• Publisher: Security Blotter

• Author: Jonathan R. Brennan (ISC2 ID: 2398741)

---

CPE Submission Details

---

Additional Notes

• This article qualifies as self-directed learning under ISC2, ISACA, and EC-Council CPE policies.

• Retain this record and the article URL for your audit trail.

• You are responsible for logging the CPEs in your certification portal.

• Partial credits are acceptable per governing body rules; round to the nearest 0.25.