Windows Is Under Attack, Microsoft Confirms — Act Now, CISA Warns

Forbes, 15-05-2025

Update, May 15, 2025: This story, originally published May 14, has been updated with a new warning from the Cybersecurity and Infrastructure Security Agency along with additional information regarding further confirmed Microsoft Windows vulnerabilities that are not known to be under active exploitation but need to be patched as soon as possible anyway.
It's that time of the month again, when Patch Tuesday is quickly followed by Exploit Wednesday. The former is the monthly rollout of Microsoft's responses to newly discovered vulnerabilities in its services and products, and the latter is when hackers, cybercriminals and state-sponsored actors look to act upon these security disclosures before individuals and organizations have had the opportunity to update their systems. Unfortunately, Exploit Wednesday seems to have preceded Patch Tuesday this month, with Microsoft confirming multiple zero-day vulnerabilities that are known to be under attack before any fix was made available. Make no mistake, with security experts rating the risk prioritization of these exploits as critical, Windows users need to act fast.
It is not uncommon, sadly, for Windows users to find themselves faced with zero-day vulnerabilities that are being exploited by attackers in the wild. In March, for example, six zero-day attacks were confirmed, while there were three such active Windows exploits reported in January.
The latest Microsoft Patch Tuesday security rollout has now dropped, and it doesn't make for very comforting reading at all. So, let's dive straight into the multiple zero-day exploits impacting Windows users, starting with the one that has got the security professionals very concerned indeed. This memory corruption vulnerability sits within the Windows scripting engine, and a successful exploit can allow an attacker to execute code over the network. Not only does CVE-2025-30397 affect all versions of the Windows operating system, but it is also confirmed by Microsoft as being exploited in the wild. 'Microsoft's severity is rated as important and has CVSS 3.1 of 7.8,' Chris Goettl, vice president of security product management at Ivanti, pointed out, adding that 'risk-based prioritization warrants treating this vulnerability as critical.'
While the official CVE severity-rating scores tend to provide a decent baseline for vulnerability appraisal, in the real world, things are not always that clear-cut. CVE-2025-30397 has a base score of 7.5, and Microsoft says that the attack complexity rating is high. So, what's the issue? 'The advisory FAQ for CVE-2025-30397 explains that successful exploitation requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode,' Adam Barnett, lead software engineer at Rapid7, explains, 'and then causes the user to click a malicious link; there is no mention of a requirement for the user to actively reload the page in Internet Explorer Mode, so we must assume that exploitation requires only that the "Allow sites to be reloaded in Internet Explorer" option is enabled.' Barnett warned that the users most likely to still require this kind of Internet Explorer compatibility are enterprise organizations, where, in his experience, the concept of migration is likely 'buried several layers deep in a dusty backlog.' In that case, the prerequisite conditions are already conveniently in place on the target asset and 'attack complexity is suddenly nice and low.'
The remaining under-attack zero-day vulnerabilities are:
CVE-2025-32709: an elevation of privilege vulnerability in the Windows ancillary function driver for WinSock that enables an attacker to gain admin privileges locally and impacts Windows Server 12 and later OS versions. Once again, Goettl warned that 'risk-based prioritization warrants treating this vulnerability as critical.'
CVE-2025-32701 and CVE-2025-32706 are a pair of zero-day vulnerabilities in the Windows Common Log File Driver System, and could enable a successful local attacker to gain system privileges. Impacting all versions of Windows, these types of security flaws are being closely monitored for detection by the Microsoft Threat Intelligence Center. 'Since Microsoft is aware of exploitation in the wild,' Barnett said, 'we know that someone else got there first, and there's no reason to suspect that threat actors will stop looking for ways to abuse CLFS any time soon.'
And finally, we come to another elevation of privilege zero-day vulnerability already being exploited by attackers, CVE-2025-30400, which impacts the Windows desktop window manager and affects Windows 10, Server 2016, and later OS versions. Barnett pointed out that this is great proof that such elevation of privilege vulnerabilities will never go out of fashion, what with Exploit Wednesday marking the one-year anniversary of CVE-2024-30051, which also hit the desktop window manager.
The U.S. Cybersecurity and Infrastructure Security Agency has now joined the chorus of experts warning that these Windows zero-day vulnerabilities need to be addressed as a matter of urgency. A newly published alert has confirmed that CISA has added all five of the Windows zero-days to its Known Exploited Vulnerabilities catalog. That brings not only more than a little gravitas to the security warnings, but also an obligation for certain federal agencies to apply the Microsoft patches that fix them no later than June 3rd, 2025. Of course, that is by the by for most readers, but it doesn't mean the CISA alert is meaningless. Indeed, the self-styled America's Cyber Defence Agency has strongly urged 'all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of catalog vulnerabilities as part of their vulnerability management practice.'
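An added example, not part of the original article and not CISA or Microsoft code: the risk-based prioritization described above, where any finding listed in the Known Exploited Vulnerabilities catalog is treated as critical whatever its vendor severity and is tracked against its due date. The feed mirrors the `cveID` and `dueDate` fields of CISA's KEV JSON; the host names, the `CVE-0000-*` placeholder IDs and the scanner severities are constructed.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (cveID, dueDate).
# The CVE IDs and the June 3, 2025 due date are the ones given in the article.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": cve, "dueDate": "2025-06-03"}
    for cve in ("CVE-2025-30397", "CVE-2025-32709", "CVE-2025-32701",
                "CVE-2025-32706", "CVE-2025-30400")
]})

# Constructed scanner findings: hosts are hypothetical, CVE-0000-* are
# placeholders for findings that are not in the catalog.
FINDINGS = [
    {"host": "ws-014", "cve": "CVE-0000-0001", "severity": "critical"},
    {"host": "ws-014", "cve": "CVE-2025-30397", "severity": "important"},
    {"host": "srv-02", "cve": "CVE-0000-0002", "severity": "low"},
    {"host": "srv-02", "cve": "cve-2025-32706 ", "severity": "important"},
]

SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}


def load_kev(feed_text):
    """Map normalized CVE ID -> remediation due date from a KEV-style document."""
    kev = {}
    for entry in json.loads(feed_text).get("vulnerabilities", []):
        kev[entry["cveID"].strip().upper()] = date.fromisoformat(entry["dueDate"])
    return kev


def prioritize(findings, kev, today):
    """Return findings with an effective priority, known-exploited ones first."""
    ranked = []
    for f in findings:
        cve = f["cve"].strip().upper()  # scanners differ in case and padding
        due = kev.get(cve)
        item = dict(f, cve=cve, in_kev=due is not None)
        if due is not None:
            item["effective"] = "critical"          # exploited in the wild
            item["days_left"] = (due - today).days  # negative means overdue
        else:
            item["effective"] = f["severity"].lower()
            item["days_left"] = None
        ranked.append(item)
    # Catalog entries first (soonest due date first), then by severity.
    ranked.sort(key=lambda i: (not i["in_kev"],
                               i["days_left"] if i["in_kev"] else 0,
                               SEVERITY_RANK.get(i["effective"], 99),
                               i["host"], i["cve"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, load_kev(KEV_FEED), date(2025, 5, 15)):
        print(row["host"], row["cve"], row["effective"], row["days_left"])
```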
Although it makes sense to highlight the five zero-day vulnerabilities that Microsoft has confirmed are already being exploited in the wild, leaving unpatched Windows users open to attack, this security rollout also includes fixes for another 65 vulnerabilities that cannot be ignored. Mike Walters, co-founder of Action1, has mentioned two Microsoft Office vulnerabilities, for example. CVE-2025-30386 is a remote code execution flaw, and RCE is something that will make any security-aware reader shiver. The shivering is dulled a little by the fact that it is, somewhat oddly, classified as using a local attack vector. 'This vulnerability is considered remote code execution,' Walters explained, 'as it can be triggered by delivering a malicious document. If the affected user has administrative privileges, an attacker could gain full control of the system.' All users, from the enterprise to consumers, are at risk, Walters said, adding that the 'ability to trigger exploitation via the Preview Pane further elevates the risk, as users may not even need to open the attachment explicitly.'
The second Microsoft Office vulnerability of note, CVE-2025-30377, is another RCE and similar to the first in that it can be used to execute arbitrary code. 'While the attack scenarios are comparable,' Walters said, 'this vulnerability is considered less likely to be exploited due to additional conditions or complexities in developing a reliable exploit.' As both can result in full system compromise, neither should be underestimated, and patches should be applied as soon as possible.
The advice, therefore, is simple. Act now, and ensure that you update your Windows systems with the latest security patches as a matter of some urgency.
