Actively Exploited Zero-Day Vulnerabilities in Windows Common Log File System
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
CVE-2025-30400 is an Important elevation of privilege vulnerability affecting the Microsoft Desktop Windows Manager (DWM) Core Library and has a CVSS score of 7.8. An attacker can exploit this vulnerability by convincing a user to open a specially crafted file or website, enabling the attacker to run arbitrary code with the user’s privileges. Although a public proof-of-concept has not been released, Microsoft has confirmed this vulnerability is currently being exploited in the wild.
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Important | 7.8 | CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Actively Exploited Zero-Day Vulnerability in Windows Ancillary Function Driver for WinSock
CVE-2025-29966 and CVE-2025-29967 are Critical remote code execution (RCE) vulnerabilities affecting the Microsoft Windows Remote Desktop Services, and both have a CVSS score of 8.8. A heap-based buffer overflow vulnerability has been discovered in Windows Remote Desktop. It could allow remote attackers with control of a Remote Desktop Server to trigger remote code execution on a RDP Client machine that connects to the malicious server. This is a client-side vulnerability that does not require authentication or interaction, potentially leading to complete system takeover.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
Actively Exploited Zero-Day Vulnerability in Microsoft DWM Core Library
CVE-2025-29833 is a Critical RCE vulnerability affecting Windows Virtual Machine Bus and has a CVSS score of 7.1. A time-of-check time-of-use (TOCTOU) race condition vulnerability exists in Windows Virtual Machine Bus that allows attackers to execute arbitrary code over a network. TOCTOU is a specific type of race condition vulnerability that occurs when there’s a time gap between checking a resource’s state and using that resource.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability |
Actively Exploited Zero-Day Vulnerability in Microsoft Scripting Engine
CVE-2025-32709 is an Important elevation of privilege vulnerability affecting the Windows Ancillary Function Driver for WinSock and has a CVSS score of 7.8. An attacker could exploit this vulnerability by persuading a user to open a specifically crafted file or malicious website, potentially allowing the attacker to execute code with the user’s permissions. A public proof-of-concept has not been released, but Microsoft has verified this vulnerability is being actively exploited in the wild.
| Severity | CVSS Score | CVE | Description |
| Important | 7.5 | CVE-2025-30397 | Microsoft Scripting Engine Memory Corruption Vulnerability |
Critical Vulnerabilities in Windows Remote Desktop Services
CVE-2025-32701 is an Important elevation of privilege vulnerability affecting the Windows Common Log File System and has a CVSS score of 7.8. This is a use-after-free vulnerability which, if successfully exploited, could allow an attacker to escalate privileges on the affected system.
| Severity | CVSS Score | CVE | Description |
| Critical | 8.8 | CVE-2025-29966 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
| Critical | 8.8 | CVE-2025-29967 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
Critical Vulnerabilities in Microsoft Office Products
This zero-day vulnerability was discovered in late April 2025 by CrowdStrike Counter Adversary Operations, which responsibly disclosed the vulnerability to Microsoft through private channels. Microsoft subsequently validated the issue and released a patch to address it today (May 13, 2025).
| Severity | CVSS Score | CVE | Description |
| Critical | 8.4 | CVE-2025-30377 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 8.4 | CVE-2025-30386 | Microsoft Office Remote Code Execution Vulnerability |
Critical Vulnerability in Windows Virtual Machine Bus
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
| Severity | CVSS Score | CVE | Description |
| Critical | 7.1 | CVE-2025-29833 | Microsoft Virtual Machine Bus (VMBus) |
Patch Tuesday Dashboard in the Falcon Platform
CVE-2025-32706 is an Important elevation of privilege vulnerability affecting the Windows Common Log File System and has a CVSS score of 7.8. This flaw allows a local authenticated attacker to execute code with elevated system privileges due to improper input validation.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
While this vulnerability proof-of-concept has not been disclosed, Microsoft confirmed it has been actively exploited in the wild. Windows Common Log File System vulnerabilities have been addressed many times in previous Patch Tuesday rollouts (April 2023, November 2023, December 2024, April 2025).
CVE-2025-30377 and CVE-2025-30386 are Critical RCE vulnerabilities affecting Microsoft Office, and both have a CVSS score of 8.4. These are use-after-free vulnerabilities that require an attacker to convince a victim to open a specially crafted file, with the Preview Pane serving as an additional attack vector. Preview Pane has been seen many times in other vulnerabilities (April 2023, July 2023, December 2023, October 2024, January 2025, February 2025, April 2025).
CVE-2025-30397 is an Important memory corruption vulnerability affecting the Microsoft Scripting Engine and has a CVSS score of 7.5. This could allow a remote attacker to execute code if a user clicks a malicious link while using Microsoft Edge Internet Explorer mode. The attack requires user interaction and has a high attack complexity. While this vulnerability proof-of-concept has not been disclosed, Microsoft confirmed it has been actively exploited in the wild.
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Learn More
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
About CVSS Scores
Later this year, Microsoft plans to discontinue support for Microsoft Windows 10 (October 2025). As part of a robust cybersecurity strategy, CrowdStrike encourages organizations to ensure their planning takes this upcoming date into consideration. End of support implies that in the near term, these systems will likely receive no further security updates. Organizations should be planning for and upgrading their systems to newer and supported OS versions to continue receiving critical security updates for issues like those mentioned above.
