
Microsoft Confirms Windows Is Under Attack — You Must Act Now
It's that time of the month again, when Patch Tuesday is quickly followed by Exploit Wednesday. The former is the monthly rollout of Microsoft's responses to newly discovered vulnerabilities in its services and products, and the latter is when hackers, cybercriminals and state-sponsored actors look to act upon these security disclosures before individuals and organizations have had the opportunity to update their systems. Unfortunately, Exploit Wednesday seems to have preceded Patch Tuesday this month, with Microsoft confirming multiple zero-day vulnerabilities that are known to be under attack before any fix was made available. Make no mistake, with security experts rating the risk prioritization of these exploits as critical, Windows users need to act fast.
It is not uncommon, sadly, for Windows users to find themselves faced with zero-day vulnerabilities that are being exploited by attackers in the wild. In March, for example, six zero-day attacks were confirmed, while there were three such active Windows exploits reported in January.
The latest Microsoft Patch Tuesday security rollout has now dropped, and it doesn't make for very comforting reading at all. So, let's dive straight into the multiple zero-day exploits impacting Windows users, starting with the one that has got the security professionals very concerned indeed. This memory corruption vulnerability sits within the Windows scripting engine, and a successful exploit can allow an attacker to execute code over the network. Not only does CVE-2025-30397 affect all versions of the Windows operating system, but it is also confirmed by Microsoft as being exploited in the wild. 'Microsoft's severity is rated as important and has CVSS 3.1 of 7.8,' Chris Goettl, vice president of security product management at Ivanti, pointed out, adding that 'risk-based prioritization warrants treating this vulnerability as critical.'
While the official CVE severity-rating scores tend to provide a decent baseline for vulnerability appraisal, in the real world, things are not always that clear-cut. CVE-2025-30397 has a base score of 7.5, and Microsoft says that the attack complexity rating is high. So, what's the issue? 'The advisory FAQ for CVE-2025-30397 explains that successful exploitation requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode,' Adam Barnett, lead software engineer at Rapid7, explains, 'and then causes the user to click a malicious link; there is no mention of a requirement for the user to actively reload the page in Internet Explorer Mode, so we must assume that exploitation requires only that the 'Allow sites to be reloaded in Internet Explorer' option is enabled.' Barnett warned that the users most likely to still require this kind of Internet Explorer compatibility are enterprise organizations, where, in his experience, the concept of migration is likely 'buried several layers deep in a dusty backlog.' In that case, the prerequisite conditions are already conveniently in place on the target asset and 'attack complexity is suddenly nice and low.'
The remaining under-attack zero-day vulnerabilities are:
CVE-2025-32709: an elevation of privilege vulnerability in the Windows ancillary function driver for WinSock that enables an attacker to gain admin privileges locally and impacts Windows Server 12 and later OS versions. Once again, Goettl warned that 'risk-based prioritization warrants treating this vulnerability as critical.'
CVE-2025-32701 and CVE-2025-32706 are a pair of zero-day vulnerabilities in the Windows Common Log File Driver System, and could enable a successful local attacker to gain system privileges. Impacting all versions of Windows, these types of security flaws are being closely monitored for detection by the Microsoft Threat Intelligence Center. 'Since Microsoft is aware of exploitation in the wild,' Barnett said, 'we know that someone else got there first, and there's no reason to suspect that threat actors will stop looking for ways to abuse CLFS any time soon.'
And finally, we come to another elevation of privilege zero-day vulnerability already being exploited by attackers, CVE-2025-30400, which impacts the Windows desktop window manager and affects Windows 10, Server 2016, and later OS versions. Barnett pointed out that this is great proof that such elevation of privilege vulnerabilities will never go out of fashion, what with Exploit Wednesday marking the one-year anniversary of CVE-2024-30051, which also hit the desktop window manager.
The advice, therefore, is simple. Act now, and ensure that you update your Windows systems with the latest security patches as a matter of some urgency.