Microsoft Confirms Windows Is Under Attack — You Must Act Now

Multiple zero-day vulnerabilities are being exploited by attackaers, Microsoft warns.
It's that time of the month again, when Patch Tuesday is quickly followed by Exploit Wednesday. The former is the monthly rollout of Microsoft's responses to newly discovered vulnerabilities in its services and products, and the latter is when hackers, cybercriminals and state-sponsored actors look to act upon these security disclosures before individuals and organizations have had the opportunity to update their systems. Unfortunately, Exploit Wednesday seems to have preceded Patch Tuesday this month, with Microsoft confirming multiple zero-day vulnerabilities that are known to be under attack before any fix was made available. Make no mistake, with security experts rating the risk prioritization of these exploits as critical, Windows users need to act fast.
It is not uncommon, sadly, for Windows users to find themselves faced with zero-day vulnerabilities that are being exploited by attackers in the wild. In March, for example, six zero-day attacks were confirmed, while there were three such active Windows exploits reported in January.
The latest Microsoft Patch Tuesday security rollout has now dropped, and it doesn't make for very comforting reading at all. So, let's dive straight into the multiple zero-day exploits impacting Windows users, starting with that has got the security professionals very concerned indeed. This memory corruption vulnerability sits within the Windows scripting engine, and a successful exploit can allow an attacker to execute code over the network. Not only does CVE-2025-30397 affect all versions of the Windows operating system, but it is also confirmed by Microsoft as being exploited in the wild. 'Microsoft's severity is rated as important and has CVSS 3.1 of 7.8,' Chris Goettl, vice president of security product management at Ivanti, pointed out, adding that 'risk-based prioritization warrants treating this vulnerability as critical.'
While the official CVE severity-rating scores tend to provide a decent baseline for vulnerability appraisal, in the real world, things are not always that clear-cut. CVE-2025-30397 has a base score of 7.5, and Microsoft says that the attack complexity rating is high. So, what's the issue? 'The advisory FAQ for CVE-2025-30397 explains that successful exploitation requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode,' Adam Barnett, lead software engineer at Rapid7 explains, 'and then causes the user to click a malicious link; there is no mention of a requirement for the user to actively reload the page in Internet Explorer Mode, so we must assume that exploitation requires only that the 'Allow sites to be reloaded in Internet Explorer' option is enabled.' Barnett warned that as the users most likely to still require this kind of Internet Explorer compatibility are enterprise organizations, and the concept of migration is likely 'buried several layers deep in a dusty backlog,' in Barnett's experience, then the pre-requisite conditions are already conveniently in place on the target asset and 'attack complexity is suddenly nice and low.'
The remaining under-attack zero-day vulnerabilities are:
CVE-2025-32709: an elevation of privilege vulnerability in the Windows ancillary function driver for WinSock that enables an attacker to gain admin privileges locally and impacts Windows Server 12 and later OS versions. Once again. Goettl warned that 'risk-based prioritization warrants treating this vulnerability as critical.'
CVE-2025-32701 and CVE-2025-32706 are a pair of zero-day vulnerabilities in the Windows Common Log File Driver System, and could enable a successful local attacker to gain system privileges. Impacting all versions of Windows, these types of security flaws are being closely monitored for detection by the Microsoft Threat Intelligence Center. 'Since Microsoft is aware of exploitation in the wild,' Barnett said, 'we know that someone else got there first, and there's no reason to suspect that threat actors will stop looking for ways to abuse CLFS any time soon.'
And finally, we come to another elevation of privilege zero-day vulnerability already being exploited by attackers, CVE-2025-30400, which impacts the Windows desktop window manager and affects Windows 10, Server 2016, and later OS versions. Barnett pointed out that this is great proof that such elevation of privileges vulnerabilities will never go out of fashion, what with Exploit Wednesday marking the one-year anniversary of CVE-2024-30051, which also hit the desktop windows manager.
The advice, therefore, is simple. Act now, and ensure that you update your Windows systems with the latest security patches as a matter of some urgency.

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

WIRED

16 minutes ago

• WIRED

How to Convert an Analog Bike to an Electric Bike

Michael Venutolo-Mantovani You can save yourself thousands of dollars on an electric bike by upgrading your current ride. Let us walk (or cycle!) you through it. Courtesy of Science Photo Library via Getty Images All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links. Say you want to get a bicycle up and down hills with a minimal amount of pedal power. What do you do? The first option is simple: buy an electric bike. However, ebikes aren't cheap. These days, the least expensive but still reliable ebike you can buy is Aventon Soltera 2.5, which costs around $1,200. You can rent an ebike, or find a city bike program that uses them, or, if you're really lucky, find an ebike in a lending library. Or you can just make your regular bike into an electric bike. That is, you can slap an aftermarket unit on your traditional bike, creating a motor-assisted ebike with little more than your bicycle and any of a variety of aftermarket power sources. What used to be a very niche field with only a small handful of offerings has become a cottage industry full of contenders and pretenders, and any number of startups offering a readymade conversion for your bike. So how do you turn your traditional bike into an ebike? And what are some of the best offerings out there? We'll walk you through it. If you don't see anything you like, make sure you check out our guides to the Best Electric Bikes or the Best Electric Scooters. Hot to Throt Well, first, you need to decide what kind of conversion you want. There are two basic kinds of ebikes, pedal-assist and throttle, with many newer models boasting some combination of both. Pedal assist is a mechanism that provides an added boost of electric power when you're pedaling. Via the use of cadence and/or torque sensors (how fast your pedals are rotating and the power that's being applied to them, respectively), pedal-assist units kick on at a certain point, making pedaling easier. Sometimes pedal assist can be so minimal, it's difficult to tell just how much work you're doing versus how much of the load your bike is handling. Throttle units act more like a motorcycle or moped, allowing the rider to either twist a tube mounted near the handgrip or use a thumb-based knob to deliver immediate power to the wheels. Throttle-based ebikes can be ridden without pedaling. When it comes to ebike conversions, where your power comes from and how it's delivered can look several different ways. Some mechanisms deliver power to either your bicycle's rear or front hub. Others are situated in the bottom bracket (that is, where the cranks meet the bike frame). And some newer conversion kits act something like a treadmill mounted to your bike, using rollers to help propel your wheel forward. Roll the Clip Photograph: Stephanie Pearson Having said all that, it's important to consider your level of bicycle know-how when it comes to what kind of ebike conversion you want to undertake. If you're a wrencher, the conversion process is generally straightforward, regardless of the type of unit. If you can change a tire or swap out your cassette, you'll probably be fine with a bit of trial and error and the help of YouTube tutorials. If you're asking yourself, 'What's a cassette?' it's probably best to visit your local bike shop and have a pro handle the work. Those 'treadmill' style conversion kits—such as the Rubbee X, Livall PikaBoost 2 rear-wheel units, or the Clip front-wheel unit—are typically the easiest to install, as you simply need to fix the machine to either your bike's seatpost frame or its fork, make sure its rollers are contacting your tire, and off you go. However, that 'contacting your tire' bit is a bit of a rub (pun intended), as the added contact with your rubber might lead to some extra wear. As disc brakes are becoming ever more the norm (as opposed to a traditional rim brake), Skarper offers a conversion unit that is equally as simple to install to your bike's disc-brake mounts and can be done by almost anyone who knows how to use an Allen wrench. The cool thing about each of these aforementioned units is the ease with which they can be attached and removed, meaning your ebike conversion isn't permanent. With them, you can use your road bike as a commuter during the week, yet keep on with your weekend group rides on the weekend. Hub It Out If you're looking for something more permanent (and way more powerful), units such as the Bafang M-Series replace your traditional bottom bracket with a motor that can deliver up to 1,000 watts of added power to the crank arms of your bike. However, as replacing a bottom bracket is one of the more involved things you can do on a bike, this isn't something you'll want to swap in and out. Somewhere in between the clip-on ease of units like the PikaBoost and the more permanent solution the M-Series offers, are the aforementioned hub-based power units, which tuck motors into the hubs of your wheels. Many of these units also offer battery packs that are meant to be attached to your bike's existing bottle cage mounts. Among the many options for hub-based power units, it's hard to beat the Zehus, which requires nothing more than replacing your existing rear wheel with a Zehus-outfitted wheel. Similarly, Cytronex, one of the earliest and longest-standing ebike brands around, offers a hub-based conversion kit that, while a bit more involved, should take no more than a few minutes of setup. With the explosion in popularity in ebikes, this list is barely scratching the surface. For each of the units mentioned here, there are a dozen or more aftermarket competitors offering similar products. Do your research, talk to the experts at your local bike shop, and decide which unit is right for you and your needs. Once you do that, keep the rubber side down! Power up with unlimited access to WIRED . Get best-in-class reporting that's too important to ignore for just $2.50 $1 per month for 1 year. Includes unlimited digital access and exclusive subscriber-only content. Subscribe Today .

Forbes

24 minutes ago

• Forbes

AI Is Behind 50% Of Spam — And Now It's Hacking Your Accounts

AI is taking over the spam and phishing sectors. getty Artificial Intelligence is, I admit with a certain amount of begrudging respect, impressive to put it mildly. At least when it is used to help make work more efficient and leisure more, erm, leisurely. However, when AI is misused or employed for nefarious purposes, it becomes a concern for all of us. We've already seen this when the first big story broke as an AI attack on Gmail users went viral in 2024. Things have changed since then, and not for the better, as the latest research reveals. Now, half of your spam is generated by AI, and cyberattacks are increasingly using AI-powered methods. Here's what you need to know. It's official: more than half of the spam that you receive has been created using AI tools. That's the finding of newly published research, a collaboration between Barracuda and researchers from Columbia University and the University of Chicago, which found that, in April 2025, the actual number was 51%. This isn't altogether surprising. After all, AI does a better job, for the most part, in producing less spelling and grammatical errors, ensuring that linguistically the messages are understandable across geographies, and can be tweaked to have just the right tone to convince the reader to respond. And that, dear reader, is concerning. Not from the perspective of spamming in the broader sense, but rather when it comes to cybersecurity implications, as such techniques are applied to phishing attacks. The same report found that, already, 14% of the business email compromise attacks analyzed were AI-generated. Extrapolate that across all phishing attack scenarios, and I'm sorry to say, the situation will soon become untenable. Wei Hao, a PhD student at Columbia University, and one of the researchers behind the report, said that 'spam showed the most frequent use of AI-generated content in attacks, outpacing use in other attack types significantly over the past year.' What the research also found was that AI-generated emails didn't differ significantly from human-generated attack emails, at least not in terms of engendering a sense of urgency. It appears that AI, like human attackers, recognises the effectiveness of this method in persuading a recipient to act and become a victim. 'Urgency is a deliberate tactic commonly used to exert pressure and elicit an unthinking response from the recipient,' Hao said, which suggested 'attackers are primarily using AI to refine their emails and possibly their English rather than to change the tactics of their attacks.'

CNET

27 minutes ago

• CNET

Act Quickly to Nab a Pair of Our Favorite Headphones With 20% Off

We'd all like to own some of the best headphones, because why wouldn't you want better music or audiobooks? They can be pricey, especially if you're looking for things like high-quality noise-cancelling or other features. You can find deals that offset that though. Right now, there's a deal on that knocks 20% off the Edifier W830NB headphones as long as you use the on-page coupon. That brings the price down to $64, and given that these headphones are on two of our "best of" lists, that's an excellent price. The W830NB headphones look sleek, which is always a nice bonus for over-ear headphones. They offer a frankly absurd 94 hour battery life, and have some of the best noise cancelling we've tested, especially at this price. They even manage to squeeze in spatial audio, and an impressive sound quality as well. They're great whether you're listening to music, podcasts or even making calls. You can even fold them away when not in use for easier storage and better portability. Hey, did you know? CNET Deals texts are free, easy and save you money. There's no doubt in our minds that these headphones are worth it. Given how good they are and the fact that the discount is decent too, this is definitely one of the best headphone deals going on right now. Why this deal matters We review a lot of headphones here at CNET, so it takes a lot to truly stand out. The fact that these ones do so then, is worth paying attention too. We think these are incredible headphones at full price, so saving 20% is a no-brainer.