Microsoft on Tuesday released security patches covering at least 70 vulnerabilities across the Windows OS and software stack and called urgent attention to five zero-days marked in the “exploitation detected” category.
As part of the scheduled batch of Patch Tuesday updates, Redmond’s security response team warned that malicious hackers are already exploiting bugs in the Microsoft Scripting Engine and the oft-targeted Windows Common Log File System (CLFS) Driver.
The five zero-days marked for immediate attention:
- CVE-2025-30397 — Scripting Engine Memory Corruption Vulnerability (remote code execution). Access of resource using incompatible type (‘type confusion’) in Microsoft Scripting Engine allows an unauthorized attacker to execute code over a network. This attack requires an authenticated client to click a link so that an unauthenticated attacker can initiate remote code execution.
- CVE-2025-32709 — Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. This is a use-after-free memory corruption bug that allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain administrator privileges.
- CVE-2025-32706 — Windows Common Log File System Driver Elevation of Privilege Vulnerability. Microsoft describes this as an improper input validation flaw in Windows Common Log File System Driver that allows an authorized attacker to elevate privileges locally.
- CVE-2025-32701 — Windows Common Log File System Driver Elevation of Privilege Vulnerability. This is a use-after-free memory corruption bug that allows an authorized attacker to elevate privileges locally.
- CVE-2025-30400 –Microsoft DWM Core Library Elevation of Privilege Vulnerability. Described as a use-after-free in Windows DWM that allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
The company did not publish indicators of compromise (IOCs) or telemetry data to help defenders hunt for infections. Information on the targeting and victims of the zero-days remain a mystery.
Microsoft has struggled to keep pace with attackers exploiting bugs in the CLFS and has been experimenting with a major new security mitigation to thwart a surge in cyberattacks from APT and ransomware threat actors.
The company has been adding Hash-based Message Authentication Codes (HMAC) to detect unauthorized modifications to CLFS log files and cover one of the most attractive Windows OS attack surfaces.
In all, Microsoft documented at least 70 security vulnerabilities across the Windows OS and software components, with six bulletins marked as “critical.”
The critical-severity bugs, which all carry remote code execution risk, affect the Windows Remote Desktop Services (an unauthorized attacker to execute code over a network); Microsoft Office (use-after-free allows an unauthorized attacker to execute code locally); and the Microsoft Virtual Machine Bus VMBUS (race condition that allows an authorized attacker to execute code over a network).
Related: Microsoft Intros HMAC-Based Mitigation for Windows Logfile Flaws
Related: Microsoft Patches Windows Zero-Day Exploited by Russian Hackers
Related: Microsoft Raises Alert for Under-Attack Windows Flaw
Related: Anatomy of a BlackCat Attack Through the Eyes of Incident Response
Related: Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks
