EXPEL BLOG

Patch Tuesday (Expel’s version): May 2025


· 4 MIN READ · BEN NAHORNEY AND MATT JASTRAM · MAY 13, 2025 · TAGS: vulnerability prioritization

TL;DR

  • This month, we’re covering a vulnerability in SAP NetWeaver that was first exploited in March and then repeatedly throughout April
  • Microsoft released 79 new CVEs for Patch Tuesday, including five that have already been exploited in the wild
  • This blog can help you prioritize the vulnerabilities that matter most to your own tech stack

 

It’s time once again for our monthly Patch Tuesday blog! 

This month, Microsoft has released 79 CVEs, five of which have already been exploited and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. We’re also highlighting CVE-2025-31324, a vulnerability in SAP NetWeaver, a software stack used to support many of SAP’s business applications.

So without further ado, let’s jump in!

Patch Tuesday: May 13, 2025

There are five critical vulnerabilities included in this month’s release, all of which reside in Microsoft cloud-based services. Microsoft has already mitigated these on the service side, so no customer action is required. With that in mind, these are the vulnerabilities we think should be at the top of your remediation prioritization list:

  • Scripting Engine Memory Corruption Vulnerability (CVE-2025-30397): This vulnerability lies in the Microsoft Scripting Engine and is rated high attack complexity. To exploit it, an attacker first has to get the target running Edge in Internet Explorer mode, for example through social engineering, since that can’t be triggered remotely. Once that’s in place, the attacker needs the user to open a specially crafted URL, which leads to code execution. This is one of the five CVEs already exploited in the wild, so the high complexity rating shouldn’t push it down your list.
  • Windows Common Log File System Driver Elevation of Privilege Vulnerabilities (CVE-2025-32701 and CVE-2025-32706): Either of these CVEs lets an attacker with local access gain SYSTEM privileges by exploiting the Common Log File System (CLFS) driver. The first is a “use after free,” where the driver keeps accessing memory it has already released. The second is the result of improper input validation, where attacker-controlled input isn’t checked before the driver acts on it. In both cases, an attacker who already has a foothold can elevate their privileges, and both have already been exploited in the wild. There are 37 Windows server versions listed as impacted by these CVEs.
  • Microsoft DWM Core Library Elevation of Privilege Vulnerability (CVE-2025-30400): This is another “use after free” vulnerability, this time in the Desktop Window Manager (DWM) core library, which manages the appearance of the Windows GUI. It leads to elevation of privilege, and Microsoft says it has already seen it used in attacks in the wild.
  • Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (CVE-2025-32709): Our final “use after free” vulnerability resides in the Windows Ancillary Function Driver (afd.sys) that backs the WinSock API. Successful exploitation gives the attacker SYSTEM privileges. This CVE has also been seen in the wild.
  • Kernel Streaming Service Driver Elevation of Privilege Vulnerability (CVE-2025-24063): This is a heap-based buffer overflow that, if successfully exploited, lets an attacker gain SYSTEM privileges. It does, however, require the attacker to already have access to an authenticated account on the system before they can elevate.
  • Visual Studio Remote Code Execution Vulnerability (CVE-2025-32702): This vulnerability in Visual Studio allows an unauthorized attacker to execute arbitrary code locally. An attack would most likely involve convincing a user to download and open a specially crafted file that triggers the flaw, so treat it as a phishing-delivered code execution risk for developer workstations.
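One way to turn the list above into an actual ordering is to join your patch backlog against CISA’s KEV catalog and sort by what the attacker already needs. The following is an added example written for this post, not Expel’s tooling or the Vulnerability Prioritization product. The KEV_SNAPSHOT it parses is constructed sample data that copies the field names of CISA’s published JSON feed (a top-level "vulnerabilities" list with cveID, dateAdded and dueDate), so the same function runs unchanged on the real download; the dates in it are illustrative, not a copy of the live catalog. The "precondition" labels in BACKLOG are our reading of the descriptions above, not a field Microsoft publishes.

```python
"""Order a patch backlog by CISA KEV status, then by how easy exploitation is.

Added example, not Expel's code. KEV_SNAPSHOT is CONSTRUCTED sample data in
the shape of CISA's feed; the dates are illustrative.
"""
import json
from datetime import date

KEV_SNAPSHOT = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-2025-31324", "dateAdded": "2025-04-29", "dueDate": "2025-05-20"},
        {"cveID": "CVE-2025-30400", "dateAdded": "2025-05-13", "dueDate": "2025-06-03"},
        {"cveID": "CVE-2025-32709", "dateAdded": "2025-05-13", "dueDate": "2025-06-03"},
        {"cveID": "CVE-2025-32701", "dateAdded": "2025-05-13", "dueDate": "2025-06-03"},
        {"cveID": "CVE-2025-32706", "dateAdded": "2025-05-13", "dueDate": "2025-06-03"},
        {"cveID": "CVE-2025-30397", "dateAdded": "2025-05-13", "dueDate": "2025-06-03"},
    ],
})

# The CVEs discussed in this post. "precondition" is what the attacker must
# already have, read from the descriptions above: "none" (unauthenticated,
# remote), "user" (a user must be lured into an action) or "local" (code
# already running on the box, which is the starting point of any EoP bug).
BACKLOG = [
    {"cve": "CVE-2025-32702", "asset": "Visual Studio",                "impact": "rce",    "precondition": "user"},
    {"cve": "CVE-2025-24063", "asset": "Kernel Streaming driver",      "impact": "system", "precondition": "local"},
    {"cve": "CVE-2025-32701", "asset": "CLFS driver",                  "impact": "system", "precondition": "local"},
    {"cve": "CVE-2025-32706", "asset": "CLFS driver",                  "impact": "system", "precondition": "local"},
    {"cve": "CVE-2025-30400", "asset": "DWM core library",             "impact": "system", "precondition": "local"},
    {"cve": "CVE-2025-32709", "asset": "AFD.sys (WinSock)",            "impact": "system", "precondition": "local"},
    {"cve": "CVE-2025-30397", "asset": "Scripting Engine (IE mode)",   "impact": "rce",    "precondition": "user"},
    {"cve": "CVE-2025-31324", "asset": "SAP NetWeaver Visual Composer", "impact": "rce",   "precondition": "none"},
]

PRECONDITION_RANK = {"none": 0, "user": 1, "local": 2}
IMPACT_RANK = {"rce": 0, "system": 1}


def load_kev(kev_json: str) -> dict:
    """Index a KEV-shaped JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(backlog: list, kev_json: str, today) -> list:
    """Return the backlog sorted most-urgent first, annotated with KEV state.

    Sort key, in order: in KEV (known-exploited beats everything else),
    earliest KEV due date, fewest attacker preconditions, then impact.
    `today` may be a date or an ISO string.
    """
    today = date.fromisoformat(today) if isinstance(today, str) else today
    kev = load_kev(kev_json)
    ranked = []
    for item in backlog:
        entry = kev.get(item["cve"])
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        ranked.append({
            **item,
            "in_kev": entry is not None,
            "kev_due": due.isoformat() if due else None,
            "overdue": due is not None and due < today,
        })
    ranked.sort(key=lambda r: (
        not r["in_kev"],
        r["kev_due"] or "9999-12-31",   # non-KEV items sort after every KEV item
        PRECONDITION_RANK[r["precondition"]],
        IMPACT_RANK[r["impact"]],
    ))
    return ranked


def overdue_cves(backlog: list, kev_json: str, today) -> list:
    """CVE IDs whose KEV remediation due date has already passed."""
    return [r["cve"] for r in prioritize(backlog, kev_json, today) if r["overdue"]]


if __name__ == "__main__":
    for r in prioritize(BACKLOG, KEV_SNAPSHOT, "2025-05-13"):
        flag = f'KEV due {r["kev_due"]}' if r["in_kev"] else "not in KEV"
        print(f'{r["cve"]:15} {flag:18} {r["precondition"]:6} {r["asset"]}')
```

The unauthenticated, remotely reachable SAP bug lands at the top because it is both in KEV and needs nothing from the victim; the two CVEs not in KEV drop to the bottom regardless of severity wording. Swap KEV_SNAPSHOT for the live feed and BACKLOG for your scanner’s output and the ordering is the one you should be working from.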

 

Exploit tales: SAP NetWeaver

CVE-2025-31324 has been in the news several times in the last month because it’s been used in zero-day attacks and is simple to exploit. It’s an unauthenticated arbitrary file upload vulnerability: all an attacker has to do is upload a malicious file to a vulnerable NetWeaver Visual Composer development server. The Metadata Uploader component on the vulnerable server is missing a necessary authorization check, which opens the door for attackers to upload malicious files (such as webshells) to vulnerable hosts without ever logging in.

Onapsis Research Labs released a YARA rule designed to identify access to webshells implanted on vulnerable NetWeaver servers. In addition, Onapsis partnered with Mandiant to release an open-source IOC scanner that checks a host for signs of in-the-wild exploitation of the vulnerability. These tools are great assets for defenders who need to find out whether they’ve been impacted.

We recommend patching this immediately. The vulnerability has a CVSS score of 10.0, and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on April 29. However, exploitation started as early as March 18. The webshell deployed lets an attacker run arbitrary commands on the server, or drop whatever additional malware they want.

When we began seeing exploitation in early April, we were alerted to the presence of a webshell on compromised NetWeaver hosts. These webshells were uploaded to vulnerable hosts through the missing authorization check and subsequently accessed remotely by the attackers. Since webshells behave predictably (the server process ends up spawning shells and running the attacker’s commands), we were able to respond quickly, despite the vulnerability being new to defenders.

We managed to stop each attack in fairly short order; the quickest took only 13 minutes. This naturally limits the volume of activity we observed. However, in one of the instances, the attackers ran several PowerShell commands to learn more about the environment they’d landed in. This included:

  • powershell.exe /c systeminfo
  • powershell.exe /c nltest /domain_trusts
  • powershell.exe /c whoami
  • powershell.exe /c net localgroup administrators
  • powershell.exe /c route print
  • powershell.exe /c ipconfig /all
  • powershell.exe /c nltest /dclist:
  • powershell.exe /c net group "domain computers" /dom
  • powershell.exe /c net group "domain admins" /dom

These discovery commands uncover information an attacker can use to plan their next steps: details about the compromised system, its network configuration, local administrators, domain trusts, domain computers and admins, and the domain controllers they’d need to reach.

Arbitrary file upload vulnerabilities like this are a field day for attackers who rely on tools like webshells. Monitoring for the execution of commands like the ones above, particularly when they are spawned by a web or application server process that has no business running them, helps identify and react to webshell activity. Blocking such commands outright would help, but at the very least, their use should be limited to a small number of administrators.
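The following is an added example of the kind of monitoring described above, written for this post rather than taken from Expel’s detection logic. It runs over a few constructed Sysmon Event ID 1-style records embedded in the script and applies two checks: a server process spawning a shell (the webshell’s signature, regardless of which command runs), and a burst of distinct discovery commands from one host inside a short window (which catches the reconnaissance even when the parent process isn’t known). The NetWeaver AS Java process name "jstart.exe", the paths, hostnames and account names in the sample data are assumptions; substitute whatever your own hosts actually show.

```python
"""Flag webshell-style discovery activity in Windows process-creation events.

Added example (not Expel's detection logic). Sample events are CONSTRUCTED;
"jstart.exe" as the NetWeaver Java server process is an assumption.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Server processes that have no business spawning an interactive shell.
SERVER_PARENTS = {"jstart.exe", "w3wp.exe", "httpd.exe", "tomcat9.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# The discovery commands seen in the incident, as command-line patterns.
DISCOVERY = {
    "systeminfo":    re.compile(r"\bsysteminfo\b", re.I),
    "whoami":        re.compile(r"\bwhoami\b", re.I),
    "domain_trusts": re.compile(r"\bnltest\s+/domain_trusts\b", re.I),
    "dclist":        re.compile(r"\bnltest\s+/dclist", re.I),
    "local_admins":  re.compile(r"\bnet\s+localgroup\s+administrators\b", re.I),
    "route":         re.compile(r"\broute\s+print\b", re.I),
    "ipconfig":      re.compile(r"\bipconfig\s+/all\b", re.I),
    "domain_groups": re.compile(r'\bnet\s+group\s+"domain (computers|admins)"', re.I),
}
WINDOW = timedelta(minutes=10)   # how close together the commands must be
BURST_THRESHOLD = 3              # distinct discovery commands needed to alert

# Constructed sample log as JSON lines: four attacker commands on the SAP
# host, one legitimate admin command on a workstation, one normal service start.
_SAP = r"D:\usr\sap\J2E\J00\exe\jstart.exe"          # assumed process/path
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_SVC = r"SAPWEB01\SAPServiceJ2E"                      # assumed service account


def _ev(t, host, user, parent, image, cmd):
    return {"UtcTime": t, "Computer": host, "User": user,
            "ParentImage": parent, "Image": image, "CommandLine": cmd}


SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    _ev("2025-04-10 14:02:11", "SAPWEB01", _SVC, _SAP, _PS, "powershell.exe /c systeminfo"),
    _ev("2025-04-10 14:02:19", "SAPWEB01", _SVC, _SAP, _PS, "powershell.exe /c nltest /domain_trusts"),
    _ev("2025-04-10 14:02:27", "SAPWEB01", _SVC, _SAP, _PS, "powershell.exe /c whoami"),
    _ev("2025-04-10 14:02:40", "SAPWEB01", _SVC, _SAP, _PS, 'powershell.exe /c net group "domain admins" /dom'),
    _ev("2025-04-10 14:05:00", "WKSTN42", r"CORP\jdoe", r"C:\Windows\explorer.exe", _PS,
        "powershell.exe -NoProfile -c ipconfig /all"),
    _ev("2025-04-10 14:06:00", "SAPWEB01", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\services.exe",
        r"D:\usr\sap\J2E\exe\sapstartsrv.exe", "sapstartsrv.exe"),
])


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def discovery_tags(cmdline: str) -> set:
    """Names of the discovery commands present in one command line."""
    return {tag for tag, rx in DISCOVERY.items() if rx.search(cmdline)}


def analyze(jsonl: str) -> list:
    """Return alert dicts for a JSON-lines feed of process-creation events."""
    alerts, per_host = [], defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        parent, child = _basename(ev["ParentImage"]), _basename(ev["Image"])
        # Check 1: a server process spawning a shell is the webshell's signature.
        if parent in SERVER_PARENTS and child in SHELLS:
            alerts.append({"type": "server_spawned_shell", "host": ev["Computer"],
                           "parent": parent, "command": ev["CommandLine"]})
        tags = discovery_tags(ev["CommandLine"])
        if tags:
            when = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            per_host[ev["Computer"]].append((when, tags))
    # Check 2: several distinct discovery commands from one host inside WINDOW.
    for host, items in per_host.items():
        items.sort(key=lambda x: x[0])
        for i, (start, _) in enumerate(items):
            seen = set()
            for when, tags in items[i:]:
                if when - start > WINDOW:
                    break
                seen |= tags
            if len(seen) >= BURST_THRESHOLD:
                alerts.append({"type": "discovery_burst", "host": host,
                               "commands": sorted(seen), "from": start.isoformat()})
                break   # one burst alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the SAP host raises four parent/child alerts and one burst alert, while the help-desk admin’s single ipconfig from an interactive Explorer session raises nothing. The parent-process check is the higher-fidelity of the two and should fire on the very first command; the burst check is the fallback for environments where the server’s process tree isn’t logged or the webshell is launched through an intermediate cmd.exe.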

And as always, patching is critical in these cases. Expel’s Vulnerability Prioritization can help identify high-priority vulnerabilities like this one. Scheduling time to take high-use, high-availability systems like SAP NetWeaver offline to apply patches can be challenging, but it’s critical when a vulnerability is this trivial to exploit.

That’s it for this month’s Patch Tuesday. If you’d like to learn more about Expel Vulnerability Prioritization, which can provide further context for your environment, drop us a line. See you next month!