CVE-2025-30400 – Windows DWM Core Library Zero-Day

Overview

CVE-2025-30400 is a zero-day elevation of privilege vulnerability in the Windows Desktop Window Manager (DWM) Core Library. It was actively exploited in the wild and patched by Microsoft in April 2025.

This vulnerability is part of a series of DWM elevation of privilege bugs, which have been increasingly targeted by threat actors in recent years.

Technical Details

Vulnerability Type: Elevation of Privilege (EoP)
Affected Component: DWM Core Library
Attack Vector: Local
Impact: Allows a standard user to escalate privileges to SYSTEM
Exploitation: Used in targeted attacks, often as part of multi-stage exploit chains
Patch Date: April 2025 (Patch Tuesday)

Exploitation

CVE-2025-30400 was exploited in the wild, following a trend of DWM zero-days being used for privilege escalation. It was one of five DWM Core Library vulnerabilities patched in April 2025.

Previous DWM zero-days, such as CVE-2024-30051 (2024) and CVE-2023-36033 (2023), were also exploited as zero-days, indicating a persistent interest by attackers in this component.

Affected Systems

Windows 10
Windows 11
Windows Server (multiple versions)

Patch Information

Microsoft released security updates for this vulnerability as part of the April 2025 Patch Tuesday. Users and administrators are strongly advised to apply the update immediately to prevent exploitation.

For systems that cannot be patched, Microsoft recommends monitoring for suspicious activity and restricting user privileges where possible.

References

The Hacker News: Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server