CVE-2025-30400
Published 2025-05-13
CVE-2025-30400: Use after free in Windows DWM allows an authorized attacker to elevate privileges locally.
Priority: P1 · 84 · high · 7.8 (CVSS 3.1)
CVSS vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2025-06-03
Exploited in the wild
EPSS: 1.76% (75.2th percentile)
Affected
30 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_1809 | < 10.0.17763.7314 | 10.0.17763.7314 |
| microsoft | windows_10_21h2 | < 10.0.19044.5854 | 10.0.19044.5854 |
| microsoft | windows_10_22h2 | < 10.0.19045.5854 | 10.0.19045.5854 |
| microsoft | windows_10_version_1809 | >= 10.0.17763.0 < 10.0.17763.7314 | 10.0.17763.7314 |
| microsoft | windows_10_version_21h2 | >= 10.0.19044.0 < 10.0.19044.5854 | 10.0.19044.5854 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.5854 | 10.0.19045.5854 |
| microsoft | windows_11_22h2 | < 10.0.22621.5335 | 10.0.22621.5335 |
| microsoft | windows_11_23h2 | < 10.0.22631.5335 | 10.0.22631.5335 |
| microsoft | windows_11_24h2 | < 10.0.26100.3981 | 10.0.26100.3981 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.5335 | 10.0.22621.5335 |
| microsoft | windows_11_version_22h3 | >= 10.0.22631.0 < 10.0.22631.5335 | 10.0.22631.5335 |
| microsoft | windows_11_version_23h2 | >= 10.0.22631.0 < 10.0.22631.5335 | 10.0.22631.5335 |
| microsoft | windows_11_version_24h2 | >= 10.0.26100.0 < 10.0.26100.4061 | 10.0.26100.4061 |
| microsoft | windows_server_2019 | < 10.0.17763.7314 | 10.0.17763.7314 |
| microsoft | windows_server_2019 | >= 10.0.17763.0 < 10.0.17763.7314 | 10.0.17763.7314 |
| microsoft | windows_server_2022 | < 10.0.20348.3692 | 10.0.20348.3692 |
| microsoft | windows_server_2022 | >= 10.0.20348.0 < 10.0.20348.3692 | 10.0.20348.3692 |
| microsoft | windows_server_2022_23h2 | < 10.0.25398.1611 | 10.0.25398.1611 |
| microsoft | windows_server_2025 | < 10.0.26100.3981 | 10.0.26100.3981 |
| microsoft | windows_server_2025 | >= 10.0.26100.0 < 10.0.26100.4061 | 10.0.26100.4061 |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_10_version_22h2 | — | — |
| msrc | windows_11_version_22h2 | — | — |
| msrc | windows_11_version_23h2 | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability class is Use-After-Free in Windows DWM Core Library (dwmcore.dll); monitor for unexpected privilege escalation to SYSTEM originating from DWM-related processes.
- Exploitation has been detected in the wild (per Microsoft); treat any unpatched Windows system as actively at risk and prioritize detection of local privilege escalation to SYSTEM via DWM.
- Successful exploitation results in SYSTEM-level privileges; hunt for processes spawning with SYSTEM integrity level as children of DWM or DWM-adjacent processes.
- CISA KEV-listed with remediation due 2025-06-03; flag unpatched Windows hosts in vulnerability management and correlate with any local privilege escalation alerts on those hosts.
- No public proof-of-concept or technical write-up was available in the provided sources; no file hashes, network IOCs, or exploit-specific signatures can be extracted at this time.
CVSS provenance
- nvd · v3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 7.8 HIGH
- cisa · 7.8 HIGH
- vendor_msrc · 7.8 HIGH
GHSA
GHSA-vvr8-g6jj-jwrw: Use after free in Windows DWM allows an authorized attacker to elevate privileges locally
ghsa_unreviewed·2025-05-13
CVE-2025-30400 [HIGH] CWE-416 GHSA-vvr8-g6jj-jwrw: Use after free in Windows DWM allows an authorized attacker to elevate privileges locally
Use after free in Windows DWM allows an authorized attacker to elevate privileges locally.
VulnCheck
Microsoft Windows DWM Core Library Use-After-Free Vulnerability
vulncheck·2025·CVSS 7.8
CVE-2025-30400 [HIGH] CWE-416 Microsoft Windows DWM Core Library Use-After-Free Vulnerability
Microsoft Windows DWM Core Library Use-After-Free Vulnerability
Microsoft Windows DWM Core Library contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2025-May; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30400; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.loginsoft.com/reports/annually/vulnerabili
Microsoft
Microsoft DWM Core Library Elevation of Privilege Vulnerability
vendor_msrc·2025-05-13·CVSS 7.8
CVE-2025-30400 [HIGH] CWE-416 Microsoft DWM Core Library Elevation of Privilege Vulnerability
Microsoft DWM Core Library Elevation of Privilege Vulnerability
Description: Use after free in Windows DWM allows an authorized attacker to elevate privileges locally.
FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability?
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Windows DWM: Windows DWM
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: Yes; Latest Software Release: Exploitation Detected
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5058392
Reference: https://support.microsoft.com/help/5058392
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5058385
Reference: http
CISA
Microsoft Windows DWM Core Library Use-After-Free Vulnerability
cisa·2025-05-13·CVSS 7.8
CVE-2025-30400 [HIGH] CWE-416 Microsoft Windows DWM Core Library Use-After-Free Vulnerability
Vulnerability: Microsoft Windows DWM Core Library Use-After-Free Vulnerability
Affected: Microsoft Windows
Microsoft Windows DWM Core Library contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-30400 ; https://nvd.nist.gov/vuln/detail/CVE-2025-30400
Remediation Due Date: 2025-06-03
No detection rules found.
No public exploits indexed.
Krebs
Patch Tuesday, May 2025 Edition
blogs_krebs·2025-05-14·CVSS 7.8
[HIGH] Patch Tuesday, May 2025 Edition
Microsoft on Tuesday released software updates to fix at least 70 vulnerabilities in Windows and related products, including five zero-day flaws that are already seeing active exploitation. Adding to the sense of urgency with this month’s patch batch from Redmond are fixes for two other weaknesses that now have public proof-of-concept exploits available.
Microsoft and several security firms have disclosed that attackers are exploiting a pair of bugs in the Windows Common Log File System (CLFS) driver that allow attackers to elevate their privileges on a vulnerable device. The Windows CLFS is a critical Windows component responsible for logging services, and is widely used by Windows system services and third-party applications for logging. Tracked as CVE-2025-32701 & CVE-2025-32706, these
Tenable
Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)
blogs_tenable·2025-05-13·CVSS 7.8
[HIGH] Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)
Qualys
Microsoft and Adobe Patch Tuesday, May 2025 Security Update Review
blogs_qualys·2025-05-13
Microsoft and Adobe Patch Tuesday, May 2025 Security Update Review
## Table of Contents
Microsoft Patch Tuesday for May 2025
Adobe Patches for May 2025
Zero-day Vulnerabilities Patched in May Patch Tuesday Edition
Critical Severity Vulnerabilities Patched in May Patch Tuesday Edition
Other Microsoft Vulnerability Highlights
Microsoft Release Summary
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Rapid Response with Patch Management (PM)
EVALUATE Vendor-Suggested Mitigation with Policy Audit
Qualys Monthly Webinar Series
Microsoft’s May 2025 Patch Tuesday rolls out critical security updates, addressing multiple vulnerabilities across Windows, Office, and other key products. Here’s a quick breakdown of what you need to know.
## Microsoft Patch Tuesday for May 2025
In this month’s Patch Tuesday, Ma
Talos
Microsoft Patch Tuesday for May 2025 — Snort rules and prominent vulnerabilities
blogs_talos·2025-05-13·CVSS 8.8
CVE-2025-30397 [HIGH] Microsoft Patch Tuesday for May 2025 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for May of 2025 which includes 78 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “critical”.
Microsoft noted five vulnerabilities that have been observed to be exploited in the wild. CVE-2025-30397 is a remote code execution vulnerability in the Microsoft Scripting Engine. There were also four elevation of privilege vulnerabilities being actively exploited, CVE-2025-32709, CVE-2025-30400, CVE-2025-32701 and CVE-2025-32706 affecting the Ancillary Function Driver for WinSock, the DWM Core Library and the Windows Common Log File System Driver.
The eleven “critical” entries consist of five remote code execution (RCE) vulnerabilities, four elevation of privilege vulnerabilities, one information disclosure
Bleepingcomputer
Microsoft May 2025 Patch Tuesday fixes 5 exploited zero-days, 72 flaws
blogs_bleepingcomputer·2025-05-13·CVSS 7.8
[HIGH] Microsoft May 2025 Patch Tuesday fixes 5 exploited zero-days, 72 flaws
## Microsoft May 2025 Patch Tuesday fixes 5 exploited zero-days, 72 flaws
## Lawrence Abrams
Today is Microsoft's May 2025 Patch Tuesday, which includes security updates for 72 flaws, including five actively exploited and two publicly disclosed zero-day vulnerabilities.
This Patch Tuesday also fixes six "Critical" vulnerabilities, five being remote code execution vulnerabilities and another an information disclosure bug.
The number of bugs in each vulnerability category is listed below:
- 17 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 28 Remote Code Execution Vulnerabilities
- 15 Information Disclosure Vulnerabilities
- 7 Denial of Service Vulnerabilities
- 2 Spoofing Vulnerabilities
This count does not include Azure, Dataverse, Mariner, and Microsof
Crowdstrike
May 2025 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] May 2025 Patch Tuesday: Updates and Analysis
Timeline
- 2025-05-13: Published
- 2025-05-13: Added to CISA KEV
- Exploited in the wild