CVE-2025-30400

HIGH KEV

Windows 10/11, Server 2019/2022/2025 - Use-After-Free in DWM

Title source: llm

Exploitation Summary

CVE-2025-30400 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 13, 2025. EIP tracks 1 public exploit from researchers including encrypter15.

AI-analyzed exploit summary This repository contains a conceptual Python-based proof-of-concept for CVE-2025-30400, a Use-After-Free (UAF) vulnerability in Microsoft Windows Desktop Window Manager (DWM) Core Library. It models memory management, UAF exploitation, and privilege escalation to SYSTEM, with educational intent and no actual exploit code.

Description

Use after free in Windows DWM allows an authorized attacker to elevate privileges locally.

Exploits (1)

nomisec WORKING POC

by encrypter15 · poc

https://github.com/encrypter15/CVE-2025-30400

View Code ZIP pw:eip

This repository contains a conceptual Python-based proof-of-concept for CVE-2025-30400, a Use-After-Free (UAF) vulnerability in Microsoft Windows Desktop Window Manager (DWM) Core Library. It models memory management, UAF exploitation, and privilege escalation to SYSTEM, with educational intent and no actual exploit code.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Theoretical

Target: Microsoft Windows Desktop Window Manager (DWM) Core Library

No auth needed

Prerequisites: Vulnerable version of Microsoft Windows DWM Core Library · Local access to the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30400

Vendor Advisory vendor-advisory patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30400

Scores

CVSS v3 7.8

EPSS 0.0091

EPSS Percentile 76.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2025-05-13

VulnCheck KEV 2025-05-13

ENISA EUVD EUVD-2025-14444

CWE

CWE-416

Status published

Products (10)

microsoft/windows_10_1809 < 10.0.17763.7314 (2 CPE variants)

microsoft/windows_10_21h2 < 10.0.19044.5854

microsoft/windows_10_22h2 < 10.0.19045.5854

microsoft/windows_11_22h2 < 10.0.22621.5335

microsoft/windows_11_23h2 < 10.0.22631.5335

microsoft/windows_11_24h2 < 10.0.26100.3981

microsoft/windows_server_2019 < 10.0.17763.7314

microsoft/windows_server_2022 < 10.0.20348.3692

microsoft/windows_server_2022_23h2 < 10.0.25398.1611

microsoft/windows_server_2025 < 10.0.26100.3981

Published May 13, 2025

KEV Added May 13, 2025

Tracked Since Feb 18, 2026