CVE-2025-30400 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-05-13

Added to CISA KEV: 2025-05-13 0 DAY BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Apply Microsoft security updates immediately to patch the DWM vulnerability
Monitor for unusual privilege escalation activities and unauthorized administrative access
Review system access controls and audit privileged account usage
Implement endpoint detection and response (EDR) to detect post-exploitation activities
Patch priority: HIGH for all affected Windows systems due to active exploitation

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-30400 is a critical elevation of privilege vulnerability residing in the Microsoft Windows Desktop Window Manager (DWM) Core Library?id=CVE-2025-30400?kagi_q=CVE-2025-30400.

Overview and Impact

Vulnerability Type: Use-After-Free (UAF) memory management flaw ^[3].
Impact: Successful exploitation allows an authenticated local attacker to escalate their privileges to SYSTEM level ^[1] ^[2].

Exploitation Details

Active Exploitation: The vulnerability was identified as being actively exploited in the wild as a zero-day prior to its disclosure in May 2025 ^[1] ^[4].
Attack Requirements:

* Local Access: Exploitation requires the attacker to already have local access to the target system ^[3]. * Authentication: The attacker must be an authorized (authenticated) user on the machine ^[5].

Threat Actor Usage: While it was confirmed as an actively exploited zero-day, specific threat actor attributions were not widely publicized in initial reports, though such privilege escalation flaws are commonly utilized in targeted attacks to gain full control of a system after an initial foothold is established.

Proof-of-Concept and Availability

Publicly available proof-of-concept (PoC) code exists, including Python-based implementations designed to demonstrate the UAF privilege escalation impact ^[1].

Patch and Mitigation Status

Status: Microsoft addressed this vulnerability as part of the May 2025 Patch Tuesday updates ^[4].
Recommendation: Because this was an actively exploited zero-day, administrators were urged to apply the relevant security updates immediately upon release to mitigate the risk of privilege escalation ^[2].

Sources

encrypter15/CVE-2025-30400
This repository features the CVE-2025-30400 Concept, a Python program designed to illustrate the impact of a Use-After-Free (UAF) privilege escalation zero-day ... This repository features the CVE-2025-30400 Concept, a Python program designed to illustrate the impact of a Use-After-Free (UAF) privil…
Windows DWM Under Siege: CVE-2025-30400 Use-After- ...
An actively exploited use-after-free vulnerability in Windows DWM (CVE-2025-30400) enables attackers to escalate privileges to SYSTEM. Immediate patching is ... An actively exploited use-after-free vulnerability in Windows DWM (CVE-2025-30400) enables attackers to escalate privileges to SYSTEM. Imme…
CVE-2025-30400 Detail - NVD
CVE-2025-30400 Detail Description Use after free in Windows DWM allows an authorized attacker to elevate privileges locally.
May 2025 Patch Tuesday: Updates and Analysis
Actively Exploited Zero-Day Vulnerability in Microsoft DWM Core Library. CVE-2025-30400 is an Important elevation of privilege vulnerability ...
CVE-2025-30400 - Use-After-Free in Windows DWM Allows Local Privilege ...
Summary: A newly disclosed vulnerability—CVE-2025-30400—in the Windows Desktop Window Manager (DWM) allows a local, authenticated user to escalate privileges via a "use-after-free" flaw. This post gives a clear explanation of how the bug works, sample code, mitigation advice, and more. The details h…

🟢 CVE-2025-30400