CVE-2025-30400 — Microsoft Windows DWM Core Library Use-After-Free Vulnerability

Windows Desktop Window Manager — DwmCore.dll UAF Local Privilege Escalation; May 2025 Patch Tuesday Zero-Day

What is the Windows Desktop Window Manager (DWM)?

The Desktop Window Manager (DWM) is the Windows compositing window manager responsible for rendering the visual presentation of all application windows on screen. dwm.exe runs as a SYSTEM-level process that handles window animations, transparency effects, Aero glass, and hardware-accelerated rendering via DwmCore.dll. Because DWM runs with elevated privileges and processes inputs from lower-privileged applications (window messages, surface handles, composition requests), use-after-free vulnerabilities in DWM are exploitable by any local user to escalate to SYSTEM.

DWM has been exploited before: CVE-2023-36033 was a similar DWM UAF zero-day used by North Korean APT actors in late 2023.

Overview

CVE-2025-30400 is a use-after-free (CWE-416) in the Windows DWM Core Library (DwmCore.dll) that allows a locally authenticated low-privilege attacker to escalate to SYSTEM. Disclosed as a zero-day in the May 2025 Patch Tuesday, it was one of three simultaneously patched Windows LPE zero-days (alongside CVE-2025-32706 and CVE-2025-32701). CISA added it to the KEV catalog on patch day.

Affected Versions

Product                      Vulnerable                           Fixed
---------------------------  -----------------------------------  --------------------------
Windows 10 (all supported)   Before May 2025 cumulative update    May 2025 cumulative update
Windows 11 (all supported)   Before May 2025 cumulative update    May 2025 cumulative update
Windows Server 2016–2025     Before May 2025 cumulative update    May 2025 cumulative update

Technical Details

The use-after-free (CWE-416) occurs within DwmCore.dll in the DWM window composition processing path. DWM allocates kernel/user-mode objects to track window surfaces and composition state. An attacker creates and destroys window objects in a specific sequence that causes DWM to retain a stale reference to a freed object. When DWM subsequently dereferences this pointer during compositing work, the attacker's controlled data in the recycled memory region is processed, enabling code execution in the SYSTEM context of the DWM process.

The Low attack complexity (AC:L) indicates the exploit was reliably reproducible before the patch. The vulnerability is accessible from any desktop session — any logged-on user, including RDP sessions with standard user rights.

Discovery

Microsoft Threat Intelligence identified active exploitation before May 2025 Patch Tuesday. Three Windows LPE zero-days patched simultaneously is unusual, suggesting sustained investment in Windows LPE research across multiple vulnerability classes.

Exploitation Context

Confirmed zero-day exploitation before May 13, 2025. DWM has been targeted before by both financially motivated and state-sponsored actors (North Korean actors exploited a similar DWM UAF in 2023). The combination with CLFS zero-days in the same Patch Tuesday indicates threat actors are maintaining a portfolio of Windows LPE exploits that can be combined and rotated as individual CVEs are patched.

Remediation

  1. Apply the May 2025 cumulative update for your Windows version. The CISA deadline was June 3, 2025.
  2. Apply all three May 2025 LPE patches from the same cumulative update: CVE-2025-30400 (DWM), CVE-2025-32706 (CLFS heap), CVE-2025-32701 (CLFS UAF).
  3. Restrict desktop session access — LPE via DWM requires a Windows desktop session; disabling unnecessary RDP and local console access reduces the available attack surface.
  4. Enable Windows Defender Exploit Guard settings including Control Flow Guard for DWM-related processes.
  5. Monitor for signs of exploitation: unexpected DWM process crashes or restarts before the patch was applied may indicate exploitation attempts.
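The following script is an added example, not part of the advisory or any Microsoft tooling: it checks one host against steps 1, 4 and 5 above. It assumes you replace the placeholder value in $RequiredKBs with the KB number(s) of the May 2025 cumulative update for your Windows build (the advisory does not list them), that dwm.exe crashes surface as Application log events 1000 (Application Error) and 1001 (Windows Error Reporting), and that DwmCore.dll lives under System32.

```powershell
# Added example, not part of the advisory: a host check for remediation steps 1,
# 4 and 5. $RequiredKBs is a placeholder; take the KB number(s) for your
# Windows build from the May 2025 cumulative update release notes.
param(
    [string[]] $RequiredKBs  = @('KB-PLACEHOLDER'),   # hypothetical value, replace before use
    [int]      $LookbackDays = 90
)

# Step 1: is the May 2025 cumulative update (one of the listed KBs) installed?
function Get-PatchState {
    $hits = Get-HotFix | Where-Object { $RequiredKBs -contains $_.HotFixID }
    if ($hits) {
        $first = $hits | Sort-Object InstalledOn | Select-Object -First 1
        [pscustomobject]@{ Patched = $true;  PatchDate = $first.InstalledOn; KBs = ($hits.HotFixID -join ', ') }
    } else {
        # Unpatched: every crash up to now counts as pre-patch.
        [pscustomobject]@{ Patched = $false; PatchDate = (Get-Date);          KBs = '' }
    }
}

# Step 5: Application Error (Id 1000) and Windows Error Reporting (Id 1001)
# records that name dwm.exe, limited to the pre-patch window. A crashing
# compositor is a triage lead, not proof of exploitation.
function Get-DwmCrashRecords([datetime] $Since, [datetime] $Until) {
    $filter = @{ LogName = 'Application'; Id = 1000, 1001; StartTime = $Since; EndTime = $Until }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'dwm\.exe' } |
        ForEach-Object {
            # Event 1000 carries "Faulting module name: <dll>, version: ..."; keep just the dll.
            $line = $_.Message -split "`r?`n" |
                    Where-Object { $_ -match '^Faulting module name:' } |
                    Select-Object -First 1
            $module = ($line -replace '^Faulting module name:\s*', '' -split ',')[0]
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                EventId        = $_.Id
                Provider       = $_.ProviderName
                FaultingModule = $module
            }
        }
}

$state = Get-PatchState
if ($state.Patched) {
    Write-Host "Patched: $($state.KBs) installed $($state.PatchDate)"
} else {
    Write-Warning "None of $($RequiredKBs -join ', ') installed; host is unpatched for CVE-2025-30400"
}

# Record the DwmCore.dll build actually on disk, for comparison with the KB article.
$dwmCore = Join-Path $env:SystemRoot 'System32\DwmCore.dll'
Write-Host "DwmCore.dll file version: $((Get-Item $dwmCore).VersionInfo.FileVersion)"

# Step 4: report the Control Flow Guard setting for dwm.exe (Exploit Guard process mitigations).
$mitigation = Get-ProcessMitigation -Name dwm.exe -ErrorAction SilentlyContinue
if ($mitigation) { Write-Host "dwm.exe CFG: $($mitigation.CFG.Enable)" }

$since   = (Get-Date).AddDays(-$LookbackDays)
$crashes = @(Get-DwmCrashRecords -Since $since -Until $state.PatchDate)
if ($crashes.Count -gt 0) {
    Write-Warning "$($crashes.Count) dwm.exe crash record(s) between $since and $($state.PatchDate); triage before trusting the host"
    $crashes | Format-Table -AutoSize
} else {
    Write-Host "No pre-patch dwm.exe crash records in the last $LookbackDays days"
}
```

Run it from an elevated PowerShell prompt so Get-ProcessMitigation and Get-HotFix return complete data. The crash window is bounded by the patch install date on purpose: a dwm.exe fault after the update is an ordinary stability bug, while one before it on a host that was reachable by standard users is the symptom step 5 asks you to look for.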

Key Details

Property              Value
--------------------  ------------------------------------------------
CVE ID                CVE-2025-30400
Vendor / Product      Microsoft — Windows
NVD Published         2025-05-13
NVD Last Modified     2025-10-27
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-416
CISA KEV Added        2025-05-13
CISA KEV Deadline     2025-06-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-06-03. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
----------  ------------------------------------------------------------------------------
2025-05-13  Patched in May 2025 Patch Tuesday; CISA adds to KEV (zero-day exploited before patch)
2025-06-03  CISA BOD 22-01 remediation deadline