Cyber Web Spider Blog – News

Windows Common Log File System 0-Day Vulnerability Actively Exploited in the Wild

Posted on May 13, 2025 / May 14, 2025 By CWS

Microsoft has confirmed that threat actors are actively exploiting two important vulnerabilities in the Windows Common Log File System (CLFS) driver to gain SYSTEM-level privileges on compromised systems.

The vulnerabilities, tracked as CVE-2025-32706 and CVE-2025-32701, have been addressed in the May 2025 Patch Tuesday security update released on May 13, 2025.

Important Vulnerabilities Under Active Exploitation

Both vulnerabilities allow authorized attackers to elevate their privileges locally to the SYSTEM level, giving them full control over affected systems.

CVE-2025-32706 stems from improper input validation in the Windows CLFS driver, while CVE-2025-32701 is classified as a use-after-free vulnerability in the same component.

Security researchers from Microsoft Threat Intelligence Center (MSTIC) discovered and reported CVE-2025-32701, while CVE-2025-32706 was identified through collaborative efforts between Benoit Sevens of Google Threat Intelligence Group and the CrowdStrike Advanced Research Team.

“These vulnerabilities are particularly dangerous because they provide attackers with the highest level of system privileges,” said a Microsoft security engineer familiar with the matter. “Once exploited, threat actors can effectively perform any action on the compromised system, including deploying ransomware or exfiltrating sensitive data.”

This isn’t the first time the Windows CLFS driver has been targeted. In April 2025, Microsoft fixed another CLFS vulnerability (CVE-2025-29824) that was also being actively exploited in ransomware campaigns.

According to security experts, CLFS vulnerabilities have become increasingly common targets for attackers, with 32 such vulnerabilities patched since 2022, averaging 10 per year.

“The Common Log File System component continues to be an attractive target for threat actors due to its kernel-level access and ubiquitous presence across Windows systems,” noted a security researcher from Microsoft.

Connection to Ransomware Attacks

Earlier CLFS exploits have been linked to ransomware operations. In April, Microsoft reported that exploitation of a CLFS zero-day vulnerability led to ransomware deployment against organizations in a number of sectors, including information technology and real estate in the United States, financial institutions in Venezuela, a Spanish software company, and retail businesses in Saudi Arabia.

The exploitation chain usually begins with attackers gaining initial access to a system, then using these CLFS vulnerabilities to elevate their privileges before deploying ransomware or other malicious payloads.

Security experts strongly advise organizations to immediately apply the May 2025 Patch Tuesday updates to address these important vulnerabilities.

“Elevation of privilege vulnerabilities are essential components in modern attack chains,” said a spokesperson from Microsoft’s Security Response Center. “Prioritizing these patches adds a significant layer of defense against ransomware attacks, even when threat actors manage to gain initial access to your systems.”

Organizations should also implement additional security measures, including enhanced monitoring for suspicious activities, limiting administrative privileges, and maintaining up-to-date backups to mitigate the potential impacts of successful attacks.
