Microsoft Confirms Windows Is Under Attack — You Must Act Now

As the calendar turns, the familiar rhythm of cybersecurity unfolds, with Patch Tuesday swiftly followed by Exploit Wednesday. This month, however, the sequence has taken an alarming twist, as Microsoft has confirmed the existence of multiple zero-day vulnerabilities that are actively being targeted by malicious actors prior to the release of any fixes. With security experts categorizing these exploits as critical, it is imperative for Windows users to take immediate action.

Windows CVE-2025-30397 Zero-Day Explained

It is an unfortunate reality for Windows users to encounter zero-day vulnerabilities that are exploited in the wild. Just this year, six such attacks were confirmed in March alone, following three in January. The latest Patch Tuesday security update from Microsoft reveals a troubling landscape, particularly concerning the memory corruption vulnerability identified as CVE-2025-30397. This flaw resides within the Windows scripting engine, allowing an attacker to execute code over the network. Alarmingly, this vulnerability affects all versions of the Windows operating system and has been confirmed as actively exploited.

Chris Goettl, vice president of security product management at Ivanti, notes that Microsoft has rated the severity of this vulnerability as important, assigning it a CVSS 3.1 score of 7.8. He emphasizes that the risk-based prioritization of this exploit warrants treating it as critical. While the official CVE severity ratings provide a useful framework for assessing vulnerabilities, real-world scenarios often present a more complex picture. CVE-2025-30397 has a base score of 7.5, with Microsoft indicating a high attack complexity rating.

Adam Barnett, lead software engineer at Rapid7, elaborates on the exploit’s prerequisites: successful exploitation requires an attacker to prepare the target to use Edge in Internet Explorer Mode and entice the user to click a malicious link. Notably, there is no indication that the user must actively reload the page in Internet Explorer Mode, suggesting that merely having the ‘Allow sites to be reloaded in Internet Explorer’ option enabled could suffice. Barnett warns that enterprise organizations, which often still rely on this compatibility, may find themselves particularly vulnerable, as the necessary conditions for exploitation are likely already in place.

Windows Under Attack: CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 and CVE-2025-30400

In addition to CVE-2025-30397, several other zero-day vulnerabilities are currently under attack:

  • CVE-2025-32709: This elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock allows an attacker to gain local admin privileges, and affects Windows Server 2012 and later OS versions. Goettl reiterates that this vulnerability should also be treated as critical.
  • CVE-2025-32701 and CVE-2025-32706: These two vulnerabilities in the Windows Common Log File System Driver could enable a local attacker to gain system privileges. Affecting all versions of Windows, these flaws are under close scrutiny by the Microsoft Threat Intelligence Center. Barnett highlights that, given Microsoft’s awareness of exploitation in the wild, the threat landscape remains active and evolving.
  • CVE-2025-30400: Another elevation of privilege vulnerability, this one in the Windows Desktop Window Manager, affects Windows 10, Server 2016, and later OS versions. Barnett notes that such vulnerabilities continue to be a favored target for attackers, marking a year since the previous similar exploit, CVE-2024-30051.

The message is clear: prompt action is essential. Windows users are urged to update their systems with the latest security patches without delay, ensuring they are protected against these emerging threats.
