Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from May that should be immediately patched or addressed if present in your environment. Detailed writeups below:
CVE-2025-3928
CVE-2025-3928 describes a high-severity vulnerability in the Commvault Web Server affecting both Windows and Linux platforms. The issue allows remote, authenticated attackers to compromise the system by creating and executing webshells—effectively enabling them to gain unauthorized control of the server. The exact technical details of the flaw remain undisclosed, but the vulnerability was confirmed by Commvault and addressed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217.
This flaw was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on April 28, 2025, after being actively leveraged in cyber operations. According to CISA and public reporting, threat actors used the vulnerability to deploy malicious webshells in attacks that primarily targeted Commvault’s SaaS-based cloud application, Metallic. Although Commvault has publicly stated that no customer backup data was impacted in the breach, the vulnerability’s inclusion in KEV underscores its potential impact on confidentiality, integrity, and availability.
The CVSS v3 base score of 8.8 and v4 score of 8.7 reflect the risk posed by this vulnerability, given the low complexity required for exploitation and the high impact it can have once accessed. Organizations using vulnerable versions of Commvault Web Server are strongly urged to apply the vendor’s patches without delay. The use of webshells by authenticated attackers highlights the importance of maintaining strict access controls and monitoring for anomalous post-authentication activity.
CVE-2025-5063
CVE-2025-5063 is a high-severity use-after-free vulnerability affecting the Compositing component of Google Chrome. This flaw, which impacts versions prior to 137.0.7151.55, allows a remote attacker to induce heap corruption by enticing a user to visit a maliciously crafted HTML page. If successfully exploited, this issue could lead to arbitrary code execution in the context of the logged-in user, making it a serious concern for both consumer and enterprise environments.
The vulnerability arises from incorrect memory handling during compositing operations. When a resource is freed but later accessed again by the browser, it opens the door for attackers to manipulate memory in a way that subverts normal execution flow. This type of flaw is particularly dangerous in browsers due to their exposure to untrusted content.
The CVSS v3 score of 8.8 reflects the attack’s low complexity, remote vector, and lack of required privileges. While user interaction is necessary—specifically, visiting a malicious page—the risk is still high because the exploit could be delivered through compromised websites, malicious ads, or phishing campaigns.
Google addressed this vulnerability in the Chrome 137.0.7151.55 update, released in late May 2025. The issue was also tracked in Chromium’s public issue tracker and reported through coordinated vulnerability disclosure channels. Chrome users should verify that they are running the latest version, as outdated installations remain susceptible to attacks leveraging this and other recent flaws.
CVE-2025-32701
CVE-2025-32701 describes a use-after-free vulnerability in the Windows Common Log File System (CLFS) driver that allows an attacker with local access and existing privileges to elevate their access level on the affected machine. The flaw stems from the CLFS driver’s mishandling of memory allocation and deallocation, which could be exploited to execute arbitrary code with elevated permissions. This issue is particularly dangerous in post-exploitation scenarios, where initial access has already been achieved and the attacker is seeking lateral movement or privilege escalation within the system.
This vulnerability was addressed by Microsoft as part of the May 2025 Patch Tuesday release, which included patches for 71 vulnerabilities—seven of which were zero-day issues, and five confirmed as being exploited in the wild. CVE-2025-32701 was among the zero-days that had already seen exploitation activity prior to the patch being issued. Its presence in the Known Exploited Vulnerabilities (KEV) catalog and its inclusion in threat advisories reflect active use by attackers, likely in targeted campaigns.
The CVSS v3 score of 7.8 highlights the severity of the vulnerability, especially due to its low attack complexity, lack of user interaction, and high impact on confidentiality, integrity, and availability. Although the attack requires local access, once exploited, it can give adversaries SYSTEM-level control—effectively allowing full control over the affected host. Organizations running Windows systems with unpatched CLFS drivers should apply Microsoft’s security updates immediately and audit for any unusual local privilege escalation behavior, particularly in environments that are targets for advanced persistent threats or ransomware groups.
CVE-2024-30400
CVE-2025-30400 describes a high-severity vulnerability in the Windows Desktop Window Manager (DWM) component. The flaw is categorized as a use-after-free condition, which allows an authenticated attacker to elevate privileges on the local system. Exploitation of this vulnerability enables the attacker to execute code with higher privileges, potentially gaining SYSTEM-level access depending on the attack scenario.
This vulnerability was patched by Microsoft in May 2025 as part of their monthly security updates and was one of several zero-day vulnerabilities addressed that month. The issue was formally documented in Microsoft’s vulnerability guide and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog shortly after disclosure, confirming its exploitation in the wild.
The CVSS v3 base score of 7.8 reflects the serious nature of the flaw, particularly due to its potential use in post-exploitation phases of an attack. Although exploitation requires local access and authenticated privileges, the low attack complexity and lack of user interaction make it a valuable target for threat actors already present on a system or network.
Organizations running Windows environments should prioritize this update, especially in systems that are accessible to multiple users or exposed to lateral movement from compromised endpoints. Systems should also be monitored for unusual access patterns and privilege escalation attempts, as exploitation of DWM vulnerabilities has been associated with ransomware and persistence mechanisms in past campaigns.
CVE-2025-32432
CVE-2025-32432 is a critical remote code execution vulnerability affecting Craft CMS, a content management system widely used for building customizable digital experiences. The flaw is present in multiple versions across Craft CMS 3, 4, and 5—specifically from 3.0.0-RC1 through versions prior to 3.9.15, from 4.0.0-RC1 through versions prior to 4.14.15, and from 5.0.0-RC1 through versions prior to 5.6.17. This issue was disclosed in late April 2025 as a follow-up fix to CVE-2023-41892, indicating that the original vulnerability was either not fully addressed or that a related attack vector was discovered and exploited.
The vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems without any user interaction. Given that the attack vector is classified as high impact and low complexity, it poses a substantial threat—especially to public-facing CMS installations that have not yet applied the available patches. The flaw is considered especially dangerous in environments where Craft CMS is used to manage e-commerce, membership portals, or sensitive web applications, as exploitation could result in full compromise of the server and downstream systems.
Craft CMS maintainers released patched versions—3.9.15, 4.14.15, and 5.6.17—that address this vulnerability. Organizations using affected versions are strongly urged to upgrade immediately. The EPSS score of 0.7728 indicates a high probability of exploitation in the wild. Any publicly accessible instance running outdated Craft CMS versions should be treated as potentially compromised and examined for indicators of webshell deployment or other signs of unauthorized activity.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
