While you were working in Excel, someone may have been gaining administrator access to your PC.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five Microsoft Windows vulnerabilities, all fixed in Microsoft's May 2025 Patch Tuesday release, to its Known Exploited Vulnerabilities (KEV) catalog. Each of them was exploited in the wild as a zero-day before the patch shipped, and together they affect essentially every organization running Windows.
Four of the five are local privilege-escalation bugs in kernel-mode or system components, three of them use-after-free vulnerabilities: memory-management errors in which a program keeps using memory after it has been freed, so an attacker who can reallocate that memory controls what the program reads or writes next. In a kernel driver that typically ends in SYSTEM privileges and full control of the machine.
The first, CVE-2025-30400, is a use-after-free in the DWM Core Library, the Desktop Window Manager that renders the Windows graphical interface. It requires only local access (code already running as an ordinary user) and lets the attacker elevate privileges on the system.
Two further use-after-free bugs, CVE-2025-32701 and CVE-2025-32709, affect the CLFS (Common Log File System) driver and the Ancillary Function Driver for WinSock (afd.sys) respectively. Both are kernel drivers, so exploiting them yields SYSTEM privileges, enough to disable security tooling and install persistent malware, which in practice means complete compromise of the host.
Although ransomware actors haven’t yet been observed exploiting these specific bugs, their real-world use suggests it’s only a matter of time, and organizations should act immediately.
The odd one out is CVE-2025-30397, a type-confusion flaw in the Windows Scripting Engine (the legacy JScript engine). It is a remote code execution bug: the attacker needs no foothold on the machine, only a user who clicks a crafted link, which makes it a natural fit for phishing and malicious websites. According to Microsoft's advisory the attack requires Microsoft Edge running in Internet Explorer Mode, so organizations that still depend on IE Mode for legacy web applications are the ones most exposed, and that exposure is worth reviewing regardless of patch status.
The fifth flaw, CVE-2025-32706, is a buffer overflow in the same CLFS driver. It is another local privilege escalation: a low-privileged process can corrupt kernel memory and run code as SYSTEM, bypassing the security boundaries that separate users from the operating system. Because CLFS underpins system logging, a successful attack can also disrupt core processes and tamper with the logs an investigator would rely on after a breach.
CISA's guidance, in the standard wording it attaches to every KEV entry, is to act without delay:
- Apply Microsoft's May 2025 security updates (the patches for all five CVEs are already available)
- Federal civilian agencies must remediate KEV entries by the catalog due date under Binding Operational Directive BOD 22-01, including its guidance for cloud services; CISA recommends every other organization treat the same deadlines as a floor
- Where a system cannot be patched, stop using the affected product rather than leaving it exposed
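The checklist above is easy to state and tedious to verify across a fleet. The PowerShell script below is an added example, not code from the article or from CISA: it looks up the five CVEs in the KEV catalog, shows their remediation due dates, and reports whether this host has a Security Update installed on or after the date the entries were added. The embedded catalog excerpt is constructed for offline use (the field names match the published feed, but verify dates against the live feed with -Live), and the "likely remediated" verdict is a heuristic based on Get-HotFix, so the reported build number should still be checked against the KB listed on the MSRC page for each CVE.

```powershell
<#
Added example (not from the article or CISA). Cross-checks this host against
the KEV entries for the five May 2025 Windows zero-days.
Assumptions: the KEV JSON schema (vulnerabilities[].cveID/dateAdded/dueDate)
as published at the feedUrl below; the sample JSON is constructed, not downloaded.
#>
param(
    [string[]]$Cves = @('CVE-2025-30400','CVE-2025-32701','CVE-2025-32706',
                        'CVE-2025-32709','CVE-2025-30397'),
    [switch]$Live   # download the real catalog instead of using the embedded sample
)

$feedUrl = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'

# Constructed excerpt in the catalog's format; dates assume a 13 May 2025 addition
# with the standard three-week BOD 22-01 remediation window. Verify with -Live.
$kevSample = @'
{ "vulnerabilities": [
 {"cveID":"CVE-2025-30400","vendorProject":"Microsoft","product":"Windows","dateAdded":"2025-05-13","dueDate":"2025-06-03"},
 {"cveID":"CVE-2025-32701","vendorProject":"Microsoft","product":"Windows","dateAdded":"2025-05-13","dueDate":"2025-06-03"},
 {"cveID":"CVE-2025-32706","vendorProject":"Microsoft","product":"Windows","dateAdded":"2025-05-13","dueDate":"2025-06-03"},
 {"cveID":"CVE-2025-32709","vendorProject":"Microsoft","product":"Windows","dateAdded":"2025-05-13","dueDate":"2025-06-03"},
 {"cveID":"CVE-2025-30397","vendorProject":"Microsoft","product":"Windows","dateAdded":"2025-05-13","dueDate":"2025-06-03"}
]}
'@

$kev = if ($Live) { Invoke-RestMethod -Uri $feedUrl } else { $kevSample | ConvertFrom-Json }
$entries = $kev.vulnerabilities | Where-Object { $Cves -contains $_.cveID }

# OS build as "CurrentBuildNumber.UBR", the form MSRC uses to identify a patched build.
$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = "$($ver.CurrentBuildNumber).$($ver.UBR)"

# Most recent Security Update known to the Win32_QuickFixEngineering store.
$latest = Get-HotFix |
    Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1

$today = Get-Date
foreach ($e in $entries) {
    $added = [datetime]::ParseExact($e.dateAdded, 'yyyy-MM-dd', $null)
    $due   = [datetime]::ParseExact($e.dueDate,   'yyyy-MM-dd', $null)
    [pscustomobject]@{
        CVE                  = $e.cveID
        Product              = "$($e.vendorProject) $($e.product)"
        KevDueDate           = $due.ToString('yyyy-MM-dd')
        DaysUntilDue         = [int]($due - $today).TotalDays   # negative = overdue
        HostBuild            = $build
        LatestSecurityUpdate = if ($latest) { "$($latest.HotFixID) ($($latest.InstalledOn.ToString('yyyy-MM-dd')))" } else { 'none found' }
        LikelyRemediated     = [bool]($latest -and $latest.InstalledOn -ge $added)
    }
}
```

Run it as an administrator on each host (or push it through your RMM) and treat LikelyRemediated as a triage signal only: Get-HotFix does not see every servicing path, and a cumulative update installed after 13 May 2025 is only proof of remediation if its KB is the one MSRC lists for that build. Hosts reporting a negative DaysUntilDue with LikelyRemediated false are the ones to escalate first.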
These five zero-days are a reminder that the window between public disclosure and mass exploitation is now measured in days, and that patch cadence, not patch policy, is what decides whether an organization is on the right side of it.
