Microsoft’s latest Patch Tuesday dropped with urgency, revealing five exploited zero-day vulnerabilities and at least 70 new security fixes across its Windows ecosystem. These critical updates come amid growing concerns about the increasing pace and sophistication of attacks targeting core Windows components.
Among the most alarming disclosures are active exploits in both the Microsoft Scripting Engine and the heavily targeted Windows Common Log File System (CLFS) Driver. These vulnerabilities, flagged under the “exploitation detected” category, show clear signs of being weaponized in the wild.
Zero-Days Under Active Exploitation
Here are the five zero-day flaws demanding immediate attention:
- CVE-2025-30397: A memory corruption bug in the Microsoft Scripting Engine allows attackers to execute code remotely. It uses a type confusion error triggered when an authenticated user clicks a malicious link. Once clicked, an unauthenticated attacker can gain remote access and control.
- CVE-2025-32709: This WinSock driver vulnerability uses a use-after-free flaw to escalate local privileges. A successful exploit grants attackers administrator-level access on the targeted machine.
- CVE-2025-32706 and CVE-2025-32701: Both of these flaws affect the CLFS Driver, a long-time favorite for threat actors. One stems from improper input validation, while the other is another use-after-free issue—each giving attackers a path to elevate privileges locally.
- CVE-2025-30400: This bug in the Desktop Window Manager (DWM) Core Library can also be exploited via use-after-free, offering a route to SYSTEM-level access—the highest permission tier in Windows.
Despite flagging these threats, Microsoft hasn’t released any indicators of compromise (IOCs) or detailed telemetry. That means defenders are left in the dark about how these exploits are being used or who the targets are.
CLFS Bugs Still Under Siege
Microsoft continues to battle ongoing attacks on its Common Log File System, a component that has proven incredibly attractive to advanced persistent threats (APTs) and ransomware gangs. In response, Microsoft has started rolling out Hash-based Message Authentication Codes (HMAC), a new security measure aimed at stopping tampering with CLFS log files.
This marks one of the company’s most aggressive moves yet to secure a system-level logging feature long known to be vulnerable.
Beyond the five zero-days, six other vulnerabilities were labeled as critical, most involving remote code execution (RCE) risks. These include:
Final Thoughts
This month’s Patch Tuesday reinforces how zero-day threats continue to slip through defenses, especially when targeting legacy components like CLFS. While Microsoft is rolling out mitigations, attackers remain a step ahead in some areas. Until more details emerge, defenders should prioritize these patches, especially those involving the scripting engine, CLFS, and DWM.
