Introduction
Windows environments worldwide are under active attack due to a critical use-after-free vulnerability (CVE-2025-30400) in the Desktop Window Manager (DWM). Exploited as a zero-day, this flaw grants attackers SYSTEM-level privileges, enabling complete control over affected systems.
Affected Systems and Versions
The vulnerability specifically affects the Desktop Window Manager (DWM) component in the following Windows versions:
- Windows 10 (all supported versions)
- Windows 11 (all supported versions)
- Windows Server 2025 (all supported versions)
Systems running these versions without the May 2025 security updates are vulnerable.
Technical Information
CVE-2025-30400 is rooted in a use-after-free (UAF) flaw within the dwmcore.dll library, integral to the DWM's graphical rendering process. The vulnerability occurs when DWM improperly handles memory references during window rendering, allowing attackers to exploit freed memory pointers.
Attackers exploit this vulnerability locally by executing specially crafted API calls to the DWM compositor. This corrupts kernel-mode memory structures, enabling attackers to escalate privileges from standard user to NT AUTHORITY\SYSTEM. Observed exploitation methods include injecting malicious code into dwm.exe processes, facilitating stealthy persistence and evading traditional detection mechanisms.
Patch Information
Microsoft has released critical patches addressing this vulnerability:
- Windows 10: Update to KB5036893
- Windows 11/Server 2025: Update to KB5036894
These updates should be applied immediately. Organizations should ensure automatic updates are enabled or manually deploy these patches from the Microsoft Update Catalog.
Detection Methods
To detect potential exploitation, monitor for suspicious activities involving dwm.exe, such as unexpected code injections or process hollowing. Endpoint detection tools configured to alert on unusual dwm.exe behavior can provide early warnings. Additionally, reviewing Windows Event Logs for anomalies related to privilege escalation attempts can help identify exploitation attempts.
Vendor Security History
Microsoft has previously encountered similar vulnerabilities in the DWM and other critical Windows components. Notably, CVE-2024-30051 was another actively exploited DWM vulnerability, highlighting recurring challenges in memory management and privilege escalation. Microsoft's consistent patching response is commendable, but ongoing exploitation underscores the need for vigilance.
