Cybersecurity professionals and network defenders, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five newly identified Windows 0-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
These vulnerabilities, currently exploited in the wild, present significant risks for organizations relying on Microsoft Windows environments.
The CISA urges all stakeholders to prioritize immediate mitigation efforts to protect against potential attacks and unauthorized access.
Among the newly cataloged flaws, several revolve around “use-after-free” vulnerabilities-serious programming errors that can lead to privilege escalation attacks.
The first, CVE-2025-30400, affects the Microsoft Windows Desktop Window Manager (DWM) Core Library.
This vulnerability, classified under CWE-416, allows a locally authorized attacker to elevate their privileges on a targeted system, making it possible for them to operate with higher permissions than originally granted.
Similarly, CVE-2025-32701 and CVE-2025-32709 target Windows’ Common Log File System (CLFS) Driver and the Ancillary Function Driver for WinSock, respectively.
Both exploit use-after-free conditions that an attacker could leverage to attain administrative-level access, potentially leading to system takeover or additional malicious activity.
Although, as of this alert, CISA has not confirmed the use of these vulnerabilities in ransomware campaigns, the risk remains substantial.
Exploitability in the wild means active threats exist and organizations should not delay.
Scripting Engine Type Confusion
Another high-impact vulnerability, CVE-2025-30397, was found in the Microsoft Windows Scripting Engine.
This bug enables type confusion-categorized as CWE-843-wherein an attacker can execute arbitrary code remotely by enticing a victim to follow a specially crafted URL.
Unlike the previously mentioned vulnerabilities, this flaw does not require local access or privileges, drastically increasing its potential impact in widespread, automated attacks.
A successful exploit could grant attackers the ability to run malicious code, install software, or manipulate data across a network.
This vector is particularly dangerous in the context of phishing campaigns, drive-by downloads, or targeted spear phishing.
As organizations increasingly rely on browser-based and script-driven workflows, vulnerabilities in the scripting engine pose a serious threat to enterprise security.
Buffer Overflow Threatens File System Drivers
The final warning involves CVE-2025-32706, a heap-based buffer overflow in the Windows CLFS driver (classified as CWE-122).
Buffer overflows are a classic and severe category of vulnerabilities that can lead to unexpected code execution or system crashes.
By carefully crafting input data, an attacker could exploit this flaw to escalate privileges and potentially bypass vital security controls.
Given the CLFS driver’s crucial role in system operations and logging, successful exploitation could hamper forensic investigation after a breach and further the attacker’s foothold within the network.
CISA strongly advises organizations to take prompt action in addressing these vulnerabilities. Recommended steps include:
- Applying Mitigations: Follow Microsoft and vendor-specific guidance to patch or mitigate these vulnerabilities immediately.
- Reference BOD 22-01: Adhere to Binding Operational Directive 22-01 for cloud services and other applicable environments.
- Product Discontinuation: If mitigations are unavailable, consider discontinuing use of affected products until a fix is released.
While the exploitation of these vulnerabilities in ransomware campaigns remains unconfirmed, the attack potential is high.
Organizations should prioritize updates, monitor the KEV catalog, and enhance their vulnerability management frameworks to counter rapidly evolving threats.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
Source link
