Patch Tuesday, May 2025 Edition

Microsoft on Tuesday released fixes for at least 70 vulnerabilities in Windows and related products, including five zero-day flaws that are already being actively exploited. Adding to the urgency of this month's patch batch from Redmond are fixes for two more flaws for which public proof-of-concept exploit code is now available.

May 2025 Patch Tuesday: Essential Updates You Can’t Miss

Microsoft and several security firms have disclosed that attackers are exploiting a pair of vulnerabilities in the Windows Common Log File System (CLFS) driver that let an attacker elevate their privileges on a compromised device. CLFS is a core Windows component that provides logging services and is used widely by Windows system services and third-party applications. Tracked as CVE-2025-32701 and CVE-2025-32706, these vulnerabilities affect all supported versions of Windows 10 and 11, as well as their server counterparts.

Kev Breen, senior director of threat research at Immersive Labs, said privilege escalation vulnerabilities assume that an attacker already has initial access to a compromised system, often via a phishing attack or stolen credentials. But once that access is obtained, Breen said, attackers can use these flaws to reach the far more powerful Windows SYSTEM account, which can disable security tooling or even obtain domain administrator-level permissions using credential harvesting techniques.

“The patch notes do not provide technical specifics on how this is being exploited, and no Indicators of Compromise (IOCs) are provided, meaning the only defense security teams have is to implement these patches without delay,” he noted. “The average period from public revelation to widespread exploitation is fewer than five days, with threat actors, ransomware groups, and affiliates quickly exploiting these vulnerabilities.”

Two more zero-days patched by Microsoft today are also privilege escalation flaws: CVE-2025-32709, in afd.sys, the Windows Ancillary Function Driver that lets Windows applications connect to the Internet; and CVE-2025-30400, a weakness in the Desktop Window Manager (DWM) library for Windows. As Adam Barnett at Rapid7 notes, tomorrow marks the one-year anniversary of CVE-2024-30051, a previous zero-day privilege escalation vulnerability in this same DWM component.

The fifth zero-day addressed today is CVE-2025-30397, a flaw in the Microsoft Scripting Engine, a crucial component utilized by Internet Explorer and Internet Explorer mode in Microsoft Edge.

Chris Goettl at Ivanti points out that the updates for Windows 11 and Server 2025 include a number of new AI features that come with a lot of baggage, weighing in at roughly 4 gigabytes. That baggage includes new artificial intelligence (AI) features such as the controversial Recall feature, which continuously takes screenshots of what users are doing on Windows Copilot-enabled devices.

Microsoft went back to the drawing board concerning Recall following an avalanche of negative feedback from security experts, who cautioned that it would present an appealing target and a potential treasure trove for attackers. Microsoft seems to have made some efforts to prevent Recall from collecting sensitive financial details, but concerns over privacy and security still persist. Former Microsoft employee Kevin Beaumont has a thorough analysis on Microsoft’s updates to Recall.
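Breen's point above is that, with no IOCs published, the practical defense is confirming the update actually landed; the IE-mode and Recall passages raise two configuration questions an admin will also want answered on the same host. The script below is an added example written for this article, not code from Microsoft or any of the quoted researchers. It uses only built-in cmdlets and reports, rather than judges, the file versions of the components named in the advisories (clfs.sys, afd.sys, the DWM core library) and the scripting engine DLLs (jscript.dll and jscript9.dll, which I assume are the relevant "Microsoft Scripting Engine" binaries). The date 2025-05-13 is this month's Patch Tuesday; the Edge policy InternetExplorerIntegrationLevel, the Recall policy DisableAIDataAnalysis and the Recall optional feature name are the documented names, but treat their interpretation here as this example's assumption and check them against current Microsoft documentation for your build.

```powershell
# Added example (not from the article or from Microsoft): post-Patch-Tuesday check for one host.
# Assumptions: elevated PowerShell 5.1+ on Windows 10/11; 2025-05-13 is the May 2025 release
# date; file and policy names below are the standard Windows ones and are reported, not judged.

$patchTuesday = Get-Date '2025-05-13'
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. OS build and UBR (update build revision). Microsoft's release notes map each month's KB to
#    a UBR for your version; compare this line against the May 2025 entry for your SKU.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
'OS: {0} {1} build {2}.{3}' -f $cv.ProductName, $cv.DisplayVersion, $cv.CurrentBuildNumber, $cv.UBR

# 2. Most recently installed updates. Get-HotFix reads Win32_QuickFixEngineering, which lists
#    cumulative updates but can leave InstalledOn empty; a blank date means "unknown", not "old".
$recent = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 5
$recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
$latest = $recent | Select-Object -First 1
if ($latest -and $latest.InstalledOn -ge $patchTuesday) {
    'Latest update {0} installed {1:d}: on or after May 2025 Patch Tuesday' -f $latest.HotFixID, $latest.InstalledOn
} else {
    'WARNING: no update dated on/after {0:d} found; confirm the May cumulative update is installed' -f $patchTuesday
}

# 3. File versions of the components named in this month's advisories. Version strings differ
#    per OS branch, so record them and compare against the post-update version for your build
#    rather than against a hard-coded number (which is why none is embedded here).
foreach ($f in 'drivers\clfs.sys', 'drivers\afd.sys', 'dwmcore.dll', 'jscript.dll', 'jscript9.dll') {
    $p = Join-Path $sys32 $f
    if (Test-Path $p) {
        $v = (Get-Item $p).VersionInfo
        '{0,-12} {1}' -f (Split-Path $f -Leaf), $v.FileVersion
    }
}

# 4. Exposure to the scripting-engine bug: IE mode in Edge is reachable only when the
#    InternetExplorerIntegrationLevel policy turns it on (absent or 0 = off, 1 = IE mode enabled).
$edgePol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -ErrorAction SilentlyContinue
$ieMode = if ($edgePol -and $null -ne $edgePol.InternetExplorerIntegrationLevel) {
    $edgePol.InternetExplorerIntegrationLevel
} else { 'not set (off)' }
'Edge IE mode (InternetExplorerIntegrationLevel): {0}' -f $ieMode

# 5. Recall: the documented policy DisableAIDataAnalysis = 1 turns off snapshot saving, and on
#    24H2 Recall is also an optional feature whose state can be queried (and removed) directly.
$ai = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI' -ErrorAction SilentlyContinue
'Recall snapshots disabled by policy: {0}' -f ($ai -and $ai.DisableAIDataAnalysis -eq 1)
$recall = Get-WindowsOptionalFeature -Online -FeatureName Recall -ErrorAction SilentlyContinue
if ($recall) { 'Recall optional feature state: {0}' -f $recall.State }
```

Run it before and after installing the update and diff the two outputs: the UBR and the driver file versions should change, the newest Get-HotFix entry should carry a May 13 or later date, and the IE-mode and Recall lines tell you whether the two optional attack surfaces discussed above are even enabled on the machine.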

In any case, windowslatest.com reports that Windows 11 version 24H2 is now being offered for download, even if you don't want it.

“It will now automatically appear for ‘download and install’ if you navigate to Settings > Windows Update and select Check for updates, but only when your device does not have a compatibility hold,” the publication reported. “Even if you don’t check for updates, Windows 11 24H2 will automatically download eventually.”

Apple users likely have their own patching to do. On May 12, Apple released security updates to fix at least 30 vulnerabilities in iOS and iPadOS (the updated version is 18.5). TechCrunch reports that iOS 18.5 also extends emergency satellite capabilities to iPhone 13 users for the first time (previously available only on iPhone 14 and later models).

Apple has also released updates for macOS Sequoia, macOS Sonoma, macOS Ventura, WatchOS, tvOS, and visionOS. Apple said it was not aware of any active exploitation of the vulnerabilities fixed this month.

As always, ensure you back up your device and/or important data before proceeding with any updates. Additionally, feel free to share in the comments if you encounter any issues applying any of these fixes.
