🟢 CVE-2025-32701

CVE-2025-32701 is a local privilege escalation vulnerability in the Windows Common Log File System Driver affecting all Windows versions. Despite being on CISA KEV due to active exploitation, this is a local-only vulnerability requiring existing access to the system to exploit.

← Back to Overview
LOW_RISK
Risk Level
7.8
CVSS Score
LOCAL
Attack Vector
Privilege Escalation
ATT&CK Tactic
T1068 — Exploitation for Privilege Escalation
ATT&CK Technique
VERY_LOW
Deployment Risk
No
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-05-13

Added to CISA KEV: 2025-05-13 0 DAY BETWEEN CVE AND KEV

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-32701 is a high-severity security vulnerability affecting the Windows Common Log File System (CLFS) driver [5] [8]. It was disclosed and patched by Microsoft in May 2025 [6].

Key Details
FeatureDescription
Vulnerability TypeUse-After-Free (UAF) in the Windows CLFS Driver [1]
CVSS Score7.8 (Important) [5]
StatusPatched (May 2025) [6]
ExploitationConfirmed active exploitation in the wild as a zero-day [1] [8]
Exploitation and Impact
  • Attack Method: The vulnerability is a local privilege escalation (LPE) flaw [7]. It requires an attacker to already have low-level, authenticated access to the system to trigger the exploit [4].
  • Impact: Successful exploitation allows an attacker to escalate their privileges to SYSTEM level [1]. This grants the attacker complete control over the affected system, enabling unauthorized code execution, data manipulation, and potential malware deployment [4].
  • Threat Actor Usage: While the vulnerability was actively exploited in the wild, specific details regarding the threat actors or specific ransomware campaigns utilizing this exploit have not been publicly attributed in detail, as is common with zero-day disclosures to allow for patching time [3]. However, it is officially listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog [5].
Mitigation and Status
  • Patch Status: Microsoft released a patch for this vulnerability on May 13, 2025 [6].
  • Affected Versions: The vulnerability affects multiple versions of Windows, ranging from Windows Server 2008 through Windows Server 2025 [2].
  • Recommendation: Organizations should ensure all systems are updated with the May 2025 security updates. For legacy systems like Windows Server 2008/2008 R2, specific out-of-band patches may be required [2]. Detection can be aided by monitoring for anomalous `svchost.exe` interactions with `clfs.sys` [1].

Sources

  1. Windows CLFS Driver Zero-Day CVE-2025-32701 - ZeroPath

    An actively exploited use-after-free vulnerability in Windows CLFS driver (CVE-2025-32701) allows attackers to escalate privileges to SYSTEM-level. ... An actively exploited use-after-free vulnerability in Windows CLFS driver (CVE-2025-32701) allows attackers to escalate privileges to SYSTEM-level.

  2. May 2025 Patch Tuesday: 10 Critical Vulnerabilities Amid 78 CVEs

    The vulnerability affects multiple Windows versions from Server 2008 through Server 2025, with special out-of-band patches required for Windows Server 2008/2008 R2 systems that must be applied separately from the May 2025 updates. Given the high-severity impact enabling complete system compromise th…

  3. CVE-2025-32701: Windows vulnerability and zero trust - LinkedIn

    Microsoft's staying tight-lipped on exploit details to buy patching time, but delays aren't an option with zero-days in play. This is the ...

  4. CVE-2025-32701 - Exploits & Severity - Feedly

    Impact. An authenticated attacker with low-level system access can exploit this vulnerability to escalate privileges to SYSTEM level. ... Impact An authenticated attacker with low-level system access can exploit this vulnerability to escalate privileges to SYSTEM level. This could enable complete sy…

  5. NVD - CVE-2025-32701

    This CVE is in CISA's Known Exploited Vulnerabilities Catalog.Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability. 05/13/2025. 06/03/2025. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the pro…

  6. May 2025 Patch Tuesday: Updates and Analysis | CrowdStrike

    CVE-2025-32706 is an Important elevation of privilege vulnerability affecting the Windows Common Log File System and has a CVSS score of 7.8. ... This zero-day vulnerability was discovered in late April 2025 by CrowdStrike Counter Adversary Operations, which responsibly disclosed the vulnerability t…

  7. CVE-2025-32701 Detail - NVD

    CVE-2025-32701 Detail Description Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

  8. Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs... | Tenable

    CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 are EoP vulnerabilities in the Windows Common Log File System (CLFS) Driver. Each was assigned a CVSSv3 score of 7.8 and are rated as important. Both CVE-2025-32701 and CVE-2025-32706 were exploited in the wild as zero-days while CVE-2025-30385 is as…

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

📄 Download JSON Data | 📡 RSS Feed