Windows Common Log File System 0-Day Vulnerability Actively Exploited in the Wild
Microsoft has confirmed that threat actors are actively exploiting two critical vulnerabilities in the Windows Common Log File System (CLFS) driver to gain SYSTEM-level privileges on compromised systems.
The vulnerabilities, tracked as CVE-2025-32706 and CVE-2025-32701, were addressed in the May 2025 Patch Tuesday security update released on May 13, 2025.
Critical Vulnerabilities Under Active Exploitation
Both vulnerabilities allow an attacker who already has local, authenticated access to elevate privileges to the SYSTEM level, giving them complete control over the affected machine.
CVE-2025-32706 stems from improper input validation in the Windows CLFS driver, while CVE-2025-32701 is classified as a use-after-free vulnerability in the same component.
Security researchers from Microsoft Threat Intelligence Center (MSTIC) discovered and reported CVE-2025-32701, while CVE-2025-32706 was identified through collaborative efforts between Benoit Sevens of Google Threat Intelligence Group and the CrowdStrike Advanced Research Team.
“These vulnerabilities are particularly dangerous because they provide attackers with the highest level of system privileges,” said a Microsoft security engineer familiar with the matter. “Once exploited, threat actors can effectively perform any action on the compromised system, including deploying ransomware or exfiltrating sensitive data.”
This isn’t the first time the Windows CLFS driver has been targeted. In April 2025, Microsoft fixed another CLFS vulnerability (CVE-2025-29824) that was also being actively exploited in ransomware campaigns.
According to security experts, CLFS vulnerabilities have become increasingly popular targets for attackers, with 32 such vulnerabilities patched since 2022, averaging 10 each year.
“The Common Log File System component continues to be an attractive target for threat actors due to its kernel-level access and ubiquitous presence across Windows systems,” noted a security researcher from Microsoft.
Connection to Ransomware Attacks
Previous CLFS exploits have been linked to ransomware operations. In April, Microsoft reported that exploitation of a CLFS zero-day vulnerability led to ransomware deployment against organizations in multiple sectors, including information technology and real estate in the United States, financial institutions in Venezuela, a Spanish software company, and retail businesses in Saudi Arabia.
The exploitation chain typically begins with attackers gaining initial access to a system, then using these CLFS vulnerabilities to elevate their privileges before deploying ransomware or other malicious payloads.
Security experts strongly advise organizations to immediately apply the May 2025 Patch Tuesday updates to address these critical vulnerabilities.
“Elevation of privilege vulnerabilities are crucial components in modern attack chains,” said a spokesperson from Microsoft’s Security Response Center. “Prioritizing these patches adds a vital layer of defense against ransomware attacks, even if threat actors manage to gain initial access to your systems.”
Organizations should also implement additional security measures, including monitoring for privilege-escalation attempts and other suspicious activity, restricting administrative privileges, and maintaining up-to-date backups to limit the impact of a successful attack.
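As a quick verification step to go with the patching advice above, the following PowerShell snippet (an added example, not from the article or from Microsoft) reports the installed CLFS driver version and whether a given cumulative update is present; the KB number is a placeholder because the article does not name it, so substitute the May 2025 update for your Windows build.

```powershell
# Added example (not from the article): report the installed CLFS driver
# version and whether a given update is installed on this host.
# The KB identifier is a PLACEHOLDER; look up the May 2025 cumulative update
# that applies to this Windows build before relying on UpdatePresent.
param([string]$ExpectedKb = 'KB<MAY-2025-UPDATE-PLACEHOLDER>')

# The CLFS driver ships as clfs.sys under the system drivers directory.
$clfsPath = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
$clfsFile = Get-Item $clfsPath

# Build number helps map the host to the correct cumulative update.
$os = Get-CimInstance Win32_OperatingSystem

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    OsBuild       = $os.BuildNumber
    ClfsVersion   = $clfsFile.VersionInfo.FileVersion
    ClfsTimestamp = $clfsFile.LastWriteTimeUtc
    UpdatePresent = [bool](Get-HotFix | Where-Object HotFixID -eq $ExpectedKb)
}
```

Run it across a fleet (for example via Invoke-Command) and sort by UpdatePresent to find hosts that still need the May 2025 update.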
The post Windows Common Log File System 0-Day Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.