The Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) Catalog, adding multiple Microsoft Patch Tuesday vulnerabilities and a critical zero-day flaw in SAP NetWeaver. These vulnerabilities have been actively exploited in the wild, posing severe security threats to organizations relying on Windows, Azure cloud services, and SAP enterprise applications.
With the June 3, 2025 deadline approaching for Federal Civilian Executive Branch (FCEB) agencies to patch these vulnerabilities under Binding Operational Directive (BOD) 22-01, enterprises across the globe are urged to apply fixes immediately and implement proactive threat mitigation strategies to prevent exploitation.
1. Microsoft Patch Tuesday Vulnerabilities Added to KEV
Microsoft’s May 2025 Patch Tuesday contained critical vulnerabilities, including five zero-days that have been actively exploited by cybercriminals. These flaws enable remote code execution (RCE), privilege escalation, and unauthorized system control, making them high-priority threats.
Zero-Day Vulnerabilities Under Active Exploitation
1️⃣ CVE-2025-30400 – Windows Desktop Window Manager (DWM) Privilege Escalation
- CVSS Score: 7.8 (High)
- Affected Component: Windows Desktop Window Manager (DWM)
- Impact: Allows attackers to gain SYSTEM privileges via a use-after-free flaw, leading to full control of targeted devices.
- Exploitation: Confirmed in targeted cyberattacks, particularly in corporate environments.
2️⃣ CVE-2025-32701 – Windows Common Log File System (CLFS) Privilege Escalation
- CVSS Score: 7.8 (High)
- Affected Component: Windows CLFS Driver
- Impact: Enables local attackers to escalate privileges and execute malicious payloads with SYSTEM privileges.
- Exploitation: Actively used in malware campaigns, enabling ransomware operators to compromise endpoint security.
3️⃣ CVE-2025-32706 – Windows CLFS Privilege Escalation
- CVSS Score: 7.8 (High)
- Affected Component: Windows CLFS Driver
- Impact: Enables unauthorized privilege escalation, allowing cybercriminals to bypass security controls.
4️⃣ CVE-2025-32709 – Windows Ancillary Function Driver for WinSock Privilege Escalation
- CVSS Score: 7.8 (High)
- Affected Component: Windows Ancillary Function Driver (AFD)
- Impact: Allows unauthenticated remote attackers to execute arbitrary code, giving them administrative access.
- Exploitation: Used in nation-state cyberattacks, targeting enterprise Windows networks.
5️⃣ CVE-2025-30397 – Microsoft Scripting Engine Remote Code Execution (RCE)
- CVSS Score: 7.5 (High)
- Affected Component: Microsoft Scripting Engine
- Impact: Allows attackers to execute malicious code when victims interact with compromised web content.
- Exploitation: Observed in phishing campaigns, where HTML email payloads exploit JavaScript flaws.
2. SAP NetWeaver Zero-Day (CVE-2025-31324) Added to KEV
SAP’s NetWeaver platform, a critical component in enterprise resource planning (ERP) environments, is facing a severe security risk with CVE-2025-31324, which has been actively exploited since March 2025.
Key Details
- Vulnerability Type: Unrestricted File Upload (CWE-434)
- CVSS Score: 10.0 (Critical)
- Affected Component: SAP NetWeaver Visual Composer Metadata Uploader
- Impact: Remote Code Execution (RCE)
- Exploitation Status: Confirmed in active cyberattacks targeting SAP enterprise systems
How the Exploit Works
🚨 Attackers are exploiting Visual Composer’s metadata uploader feature to install JSP-based webshells, granting long-term backdoor access to SAP NetWeaver servers.
🚨 These malicious webshells allow remote attackers to execute commands, steal sensitive enterprise data, and pivot into corporate IT networks.
🚨 Multiple threat groups are leveraging this vulnerability to breach ERP systems, targeting industries such as finance, manufacturing, retail, and government agencies.
3. Indicators of Compromise (IoCs)
Organizations should monitor their Windows and SAP systems for signs of exploitation related to these vulnerabilities:
Microsoft IoCs
🔹 Unexpected privilege escalations in Windows event logs
🔹 Unauthorized execution of administrative tasks in CLFS and DWM logs
🔹 Inbound connections from unknown IP addresses targeting AFD and scripting engine APIs
SAP NetWeaver IoCs
🔸 Unauthorized file uploads to /developmentserver/metadatauploader
🔸 Suspicious JSP execution from unknown locations
🔸 Unusual outbound connections from compromised SAP servers to attacker-controlled IP addresses
4. Mitigation Strategies
A. Apply Security Updates Immediately
✅ Microsoft has released patches for affected Windows vulnerabilities. Enterprises should update Windows and Azure deployments ASAP.
✅ SAP has released an emergency patch via Security Note #3594142. IT teams must upgrade SAP NetWeaver immediately.
B. Restrict Access to Vulnerable Components
🔹 Disable Windows CLFS and AFD drivers if not mission-critical.
🔹 Disable Visual Composer in SAP NetWeaver if not required.
🔹 Implement firewall rules blocking unauthorized requests to SAP metadata uploader endpoints.
C. Monitor for Exploitation Attempts
🔸 Deploy Intrusion Detection Systems (IDS) and Endpoint Detection & Response (EDR) solutions.
🔸 Audit logs for unauthorized file uploads and privilege escalations.
🔸 Activate alert mechanisms for unusual outbound traffic from ERP and cloud infrastructures.
5. Compliance Requirements & Federal Mandates
Binding Operational Directive (BOD) 22-01
📢 Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by June 3, 2025.
📢 Organizations failing to patch may face regulatory penalties and security audits.
6. Conclusion
🚨 The addition of Microsoft zero-days and SAP NetWeaver CVE-2025-31324 to CISA’s KEV Catalog underscores the urgent need for patching and proactive defense.
🚨 Organizations using Windows and SAP ERP solutions must deploy security fixes, harden endpoint protection, and monitor for exploitation attempts.
🚨 Failure to address these vulnerabilities may result in data breaches, ransomware infections, and operational disruptions.
🔗 CISA Advisory: Read more
