⚠ Actively exploited
Added to CISA KEV on 2025-05-13. Federal agencies required to patch by 2025-06-03. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2025-32706Improper Input Validation in Microsoft Windows 10 Version 1507

CWE-20Improper Input ValidationCWE-122Heap-based Buffer Overflow16 documents12 sources
Severity
7.8HIGHNVD
EPSS
1.3%
top 20.25%
CISA KEV
KEV
Added 2025-05-13
Due 2025-06-03
Exploit
No known exploits
Affected products
27
Microsoft Windows 10 Version 1507Microsoft Windows 10 Version 1607Microsoft Windows 10 Version 1809+24 more
Timeline
PublishedMay 13
KEV addedMay 13
KEV dueJun 3
Latest updateJun 10
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages26 packages

NVDmicrosoft/windows< 10.0.14393.8066+5
NVDmicrosoft/windows_10_1507< 10.0.10240.21014
NVDmicrosoft/windows_10_1607< 10.0.14393.8066
NVDmicrosoft/windows_10_1809< 10.0.17763.7314
NVDmicrosoft/windows_10_21h2< 10.0.19044.5854

🔴Vulnerability Details

3
GHSA
GHSA-7492-x955-c45q: Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally2025-05-13
CVEList
Windows Common Log File System Driver Elevation of Privilege Vulnerability2025-05-13
VulnCheck
Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability2025

📋Vendor Advisories

2
Microsoft
Windows Common Log File System Driver Elevation of Privilege Vulnerability2025-05-13
CISA
Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability2025-05-13

🕵️Threat Intelligence

10
Tenable
Microsoft’s June 2025 Patch Tuesday Addresses 65 CVEs (CVE-2025-33053)2025-06-10
Krebs
Patch Tuesday, May 2025 Edition2025-05-14
Krebs
Patch Tuesday, May 2025 Edition2025-05-14
Tenable
Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)2025-05-13
Qualys
Microsoft and Adobe Patch Tuesday, May 2025 Security Update Review2025-05-13
CVE-2025-32706 — Improper Input Validation in Microsoft | cvebase