Patching Microsoft systems for 5 zero-day exploits
This message is intended for U-M IT staff who are responsible for university systems running Microsoft Windows.
Summary
Five zero-day vulnerabilities in Windows systems could allow attackers to achieve remote code execution or SYSTEM privileges on targeted systems. Windows systems should be patched as soon as possible after needed testing.
Problem
Five actively exploited zero-day vulnerabilities have been found in Windows that could allow remote code execution (RCE) or let attackers gain SYSTEM privileges.
One of the five, the scripting engine memory corruption flaw, can be used for remote code execution and is delivered through the browser by luring a user to a crafted web page. The other four are local elevation-of-privilege flaws in Windows drivers and libraries: an attacker who already has code running as an ordinary user can use them to elevate to SYSTEM. Chained together (for example, browser-led RCE followed by a driver-based elevation of privilege) or combined with other attack techniques, these vulnerabilities let threat actors take full control of Windows systems, establish persistence, steal sensitive data, and more.
Threats
Threats from these vulnerabilities include remote code execution (RCE) and elevation of attacker privileges to SYSTEM. ITS Information Assurance (IA) is aware of active exploitation of all five vulnerabilities.
Affected Systems
All Windows workstations and servers.
Action Items
The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21). Apply the May 2025 Security Updates as soon as possible after any necessary testing.
Technical Details
The five actively exploited zero-day vulnerabilities fixed in the May 2025 Security Updates are:
- CVE-2025-30397 (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability (remote code execution)
- CVE-2025-30400 (CVSS score: 7.8) - Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability (local elevation to SYSTEM)
- CVE-2025-32701 (CVSS score: 7.8) - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability (local elevation to SYSTEM)
- CVE-2025-32706 (CVSS score: 7.8) - Windows Common Log File System Driver Elevation of Privilege Vulnerability (local elevation to SYSTEM)
- CVE-2025-32709 (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (local elevation to SYSTEM)
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Information for Users
- MiWorkspace engineers deployed a Microsoft cumulative update that patches these vulnerabilities on 5/23. However, the update isn't fully installed until a restart occurs.
- If you have Windows installed on your own devices that are not managed by the university, please update them as soon as possible. Note that the update isn't fully installed until a restart occurs.
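The Action Items above ask for the May 2025 Security Updates to be applied, and the notes above warn that the fix is not in effect until the system restarts. The PowerShell script below is an added example for IT staff, not part of the original advisory or any ITS tooling: run in an elevated session on a Windows host, it reports whether a Security Update dated on or after the May 2025 Patch Tuesday release (5/13/2025) is installed and whether Windows is still waiting on a restart. The cutoff date and the empty `$RequiredKBs` list are assumptions; fill the list with the KB IDs Microsoft publishes for your specific Windows build if you want an exact match rather than a date check.

```powershell
# Added example (not from the U-M advisory): check May 2025 patch status and
# pending-restart state on the local Windows host. Run elevated.

# Assumption: the May 2025 Patch Tuesday release date is the cutoff.
$PatchTuesday = Get-Date -Year 2025 -Month 5 -Day 13

# Assumption/placeholder: KB IDs of the May 2025 cumulative update for this
# OS build, taken from Microsoft's release notes. Empty = date check only.
$RequiredKBs = @()

function Get-LatestSecurityUpdate {
    # Get-HotFix wraps Win32_QuickFixEngineering; cumulative updates are
    # listed with Description 'Security Update'. Entries without an
    # InstalledOn date are skipped so the sort is meaningful.
    Get-HotFix |
        Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
}

function Test-PendingReboot {
    # The three places Windows records an outstanding restart after servicing.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfro = $null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                          -Name PendingFileRenameOperations -ErrorAction SilentlyContinue)
    return ($cbs -or $wu -or $pfro)
}

$latest  = Get-LatestSecurityUpdate
$patched = ($null -ne $latest) -and ($latest.InstalledOn -ge $PatchTuesday)

$missing = @()
if ($RequiredKBs.Count -gt 0) {
    $installed = (Get-HotFix).HotFixID
    $missing   = @($RequiredKBs | Where-Object { $installed -notcontains $_ })
    $patched   = $patched -and ($missing.Count -eq 0)
}

$rebootPending = Test-PendingReboot
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    OSBuild              = "$($cv.CurrentBuild).$($cv.UBR)"
    LatestSecurityUpdate = if ($latest) { "$($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())" } else { 'none found' }
    MissingKBs           = ($missing -join ', ')
    RebootPending        = $rebootPending
    # A host that took the update but has not restarted is still exploitable.
    Status               = if (-not $patched) { 'NEEDS UPDATE' }
                           elseif ($rebootPending) { 'RESTART REQUIRED' }
                           else { 'OK' }
}
```

To sweep a fleet, wrap the script in a script block and run it with `Invoke-Command -ComputerName <hosts>` from a management workstation, then filter on the `Status` column; treat `RESTART REQUIRED` as unpatched for reporting purposes, since the vulnerable driver and library code stays loaded until the restart.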
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Scams, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- May 2025 Patch Tuesday: Five Zero-Days and Five Critical Vulnerabilities Among 72 CVEs (CrowdStrike Blog, 5/14/2025)
- Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server (The Hacker News, 5/14/2025)
- Windows Zero-Day Bug Exploited for Browser-Led RCE (Dark Reading, 5/13/2025)
- Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2025-32701)