Patch Newsday May 2025 - Critical Microsoft Security Patches Released for Multiple Privilege Escalation and Code Execution Exploits


Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive’s Container 7 Research Team reviews these patch notes for the standout vulnerabilities you need to know about.
Windows Common Log File System Driver Elevation of Privilege CVE-2025-32701 & CVE-2025-32706
High on the list of patches to apply sooner rather than later are a pair of CVEs in the Windows Common Log File System Driver. Don’t be fooled by the score dropping in at a relatively low 7.8; these are being actively exploited in the wild by threat actors, according to Microsoft, Google and CrowdStrike.
The patch notes don't provide technical details on how this is being exploited, and no Indicators of Compromise (IOCs) are shared, meaning the only mitigation security teams have is to apply these patches immediately. The average time from public disclosure to exploitation at scale is less than five days, with threat actors, ransomware groups, and affiliates quick to leverage these vulnerabilities.
These specific vulnerabilities are privilege escalation vulnerabilities, meaning that an attacker must already have initial access to a compromised host, typically through a phishing attack or by using stolen credentials. But if that access already exists, attackers will almost always look to gain higher levels of access, resulting in SYSTEM-level access. With that they can disable security tooling or even gain domain administration level permissions using credential harvesting tools.
CVE-2025-30400 - 7.8 - Microsoft DWM Core Library Elevation of Privilege Vulnerability
Another privilege escalation high on the list to patch is CVE-2025-30400, a privilege escalation vulnerability in the Desktop Window Manager. If exploited, it would allow attackers to gain SYSTEM-level permission on the affected host. With this level of privilege, attackers would be able to gain full control over the host, including any security tools and user accounts, potentially allowing for domain-level access to be compromised.
This CVE is marked as “Exploitation Detected” by the Microsoft team, meaning patches should be applied immediately as threat groups, including ransomware affiliates, will be quick to leverage this once more details become public.
Once more details are public, security teams and threat hunting teams should retroactively review their systems for any shared Indicators of Compromise, to cover the window between threat actors having access to the zero day and patches being applied, as Microsoft does not disclose when these were exploited or at what scale.
Microsoft SharePoint Server CVE-2025-29976 & CVE-2025-30382
Network administrators running SharePoint services, especially any public-facing services, are advised to apply a pair of patches to their Microsoft SharePoint servers. Flagged by Microsoft as “Exploitation More Likely”, this pair of vulnerabilities covers a remote code execution bug and an elevation of privilege vulnerability.
SharePoint services, especially those used as internal document stores, can be a treasure trove for threat actors looking to steal data, especially data that may be leveraged to force ransom payments using double extortion techniques by threatening to release the stolen data if payment is not made.
A secondary concern is that threat actors with access to SharePoint services could deploy weaponised documents or replace legitimate documents with infected versions that would allow them to spread to other hosts or victims moving laterally across the organization.
While these are not being actively exploited in the wild, a proactive approach for key assets is worth the investment in time, considering how quickly threat actors are known to research new patches with an aim to weaponize them before organizations can apply patches.
CVE-2025-30397 - 7.5 - Scripting Engine Memory Corruption Vulnerability
CVE-2025-30397 is a vulnerability in the scripting engine that has been observed being exploited in the wild by attackers. A scripting engine memory corruption vulnerability occurs when the Microsoft scripting engine mishandles objects in memory, in this case leading to an elevation of privilege being performed by an attacker.
This specific vulnerability exists within the Microsoft Scripting Engine and involves access to a resource using an incompatible type (‘type confusion’), which allows attackers to execute code over a network. Type confusion in this context occurs when a program mistakenly treats a piece of data as a different type than it actually is, which leads to undefined and unpredictable behavior, allowing the attacker to execute arbitrary code and elevate their privileges.
With potentially SYSTEM privileges on the machine, an attacker could access sensitive data, and potentially find opportunities to pivot to other, more lucrative areas of the network to achieve their objectives.
CVE-2025-32709 - 7.8 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
A low-complexity vulnerability in the Ancillary Function Driver for WinSock has been detected as exploited in the wild. The Ancillary Function Driver for WinSock, also known as AFD.sys, is a core Windows kernel-mode driver that provides support for network socket operations. It acts as a bridge between WinSock (Windows Sockets API) in user space and the lower-level network drivers in the kernel.
A use-after-free (UAF) occurs when memory that has been freed (deallocated) is still accessed, potentially allowing an attacker to inject controlled data into that memory and influence program behavior. What this means is that an authorized attacker can allocate data to memory after that memory has been freed by the operating system, and use this memory to gain local elevation of privilege on the machine.
Local privilege escalation allows an attacker to have near complete control over the machine they have access to, potentially accessing sensitive data and looking for opportunities to pivot to other machines in the network and further elevate their privileges from there to achieve total compromise of the environment.
CVE-2025-29966 and CVE-2025-26697 - 8.8 - Remote Desktop Client Remote Code Execution Vulnerability
With this latest Patch Tuesday review, more critical vulnerabilities have been identified in the Microsoft Remote Desktop Client. In this case the low-complexity vulnerability involves a heap-based buffer overflow in the remote desktop gateway that allows an attacker to gain code execution over a network.
If a victim is using a remote desktop client vulnerable to this heap-based buffer overflow vulnerability, and they were to connect to the attacker's remote server, they’d be triggering remote code execution on their machine, which the attacker can leverage to take full control of the machine in the context of the current user, regardless of whether the victim is a normal user or an Administrator.
An attacker executing commands through a remote code execution session on the victim's machine would be reasonably difficult to detect aside from the potential record of an outbound connection from the victim's machine to the attacker's server, but by then, the attacker will already have control and will be able to exploit the target further. They could enumerate the machine and network with their new user context, pivot to other machines with more lucrative data, or elevate their privileges to carry out more damaging attacks.
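The one trace the post identifies is the outbound connection from the RDP client to a server the organization does not own. Below is an added hunting example (not from the original post or Immersive) that flags Sysmon Event ID 3 network-connection records where an RDP client binary initiated a connection to an external or unsanctioned host; the sanctioned-host allowlist, the RFC 1918 internal-range assumption and the sample events are all constructed.

```python
import ipaddress

# Assumption: "internal" means RFC 1918 space; anything else is treated as outside the estate.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical allowlist of sanctioned RDP targets (jump hosts, RD Gateway), by IP or hostname.
SANCTIONED_RDP_HOSTS = {"10.0.5.20", "jump01.corp.example"}
# Classic Remote Desktop client and the newer Remote Desktop app.
RDP_CLIENT_IMAGES = ("\\mstsc.exe", "\\msrdc.exe")
RDP_PORTS = {3389}

def is_internal(ip: str) -> bool:
    """True when the address falls inside the RFC 1918 ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def flag_outbound_rdp(events):
    """Return Sysmon EID 3 events where an RDP client initiated a connection to an external or unsanctioned host."""
    flagged = []
    for ev in events:
        # Only outbound (Initiated) connections made by the RDP client process are of interest here.
        if ev.get("EventID") != 3 or not ev.get("Initiated", False):
            continue
        if not ev.get("Image", "").lower().endswith(RDP_CLIENT_IMAGES):
            continue
        dest_ip, dest_host = ev.get("DestinationIp", ""), ev.get("DestinationHostname", "")
        if dest_ip in SANCTIONED_RDP_HOSTS or dest_host in SANCTIONED_RDP_HOSTS:
            continue
        reason = None
        if not is_internal(dest_ip):
            reason = "rdp client connecting to external host"
        elif ev.get("DestinationPort") in RDP_PORTS:
            reason = "rdp client connecting to unsanctioned internal host"
        if reason:
            flagged.append({**ev, "Reason": reason})
    return flagged

# Constructed sample events in the shape of Sysmon Event ID 3 fields.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "C:\\Windows\\System32\\mstsc.exe", "User": "CORP\\alice", "Initiated": True,
     "DestinationIp": "10.0.5.20", "DestinationHostname": "jump01.corp.example", "DestinationPort": 3389},  # sanctioned
    {"EventID": 3, "Image": "C:\\Windows\\System32\\mstsc.exe", "User": "CORP\\bob", "Initiated": True,
     "DestinationIp": "203.0.113.45", "DestinationHostname": "", "DestinationPort": 3389},  # the trace described above
    {"EventID": 3, "Image": "C:\\Program Files\\Browser\\browser.exe", "User": "CORP\\bob", "Initiated": True,
     "DestinationIp": "203.0.113.45", "DestinationHostname": "", "DestinationPort": 443},  # not an RDP client
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\NETWORK SERVICE",
     "Initiated": False, "DestinationIp": "10.0.1.7", "DestinationHostname": "", "DestinationPort": 3389},  # inbound
]

if __name__ == "__main__":
    for hit in flag_outbound_rdp(SAMPLE_EVENTS):
        print(f"{hit['User']} {hit['Image']} -> {hit['DestinationIp']}:{hit['DestinationPort']} ({hit['Reason']})")
```

A hit is only a starting point: correlate the user and timestamp with the RDP client patch level on that host and with any follow-on process activity from the same session.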