HIGHCVSS7.8

Actively Exploited

KB5058379: Windows Server 2025, Windows Server 2022 +4 more Security Update (May 2025)

A local EoP vulnerability in the Desktop Window Manager (DWM) Core Library, exploited in the wild prior to the May 13 2025 disclosure. A local attacker can escalate to SYSTEM via the dwmcore.dll component. Fixed by the May 2025 cumulative update.

Published May 13, 2025 · Updated May 16, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

A low-privilege local user can escalate to SYSTEM-equivalent privileges by exploiting the DWM Core Library. As with the CLFS EoPs, the typical attack path is post-initial-access: the attacker already has unprivileged code execution and uses this flaw as the privilege-escalation step.

How the attack worksNo clicks needed

CVE-2025-30400 is an elevation-of-privilege flaw in the DWM Core Library, the compositor component responsible for rendering and managing the Windows desktop. Flaws in DWM IPC handling allow a local attacker to influence privileged DWM behaviour from a low-privilege context, leading to code execution at the DWM session's elevated integrity level.

Am I affected?Quick check

Probably yes if any of these apply:

●All Windows Server hosts running DWM (default for GUI installs)

●Endpoints with interactive desktops

●Hosts where unprivileged users can execute code

●Running All supported Windows versions prior to the May 13 2025 cumulative update

Affected OS versions

Windows Server 2025Windows Server 2022Windows Server 2019Windows Server 2016Windows 11Windows 10

Fixed inKB5058379, KB5058384, KB5058385, KB5058392, KB5058405, KB5058411, KB5058497, KB5058500 (applies to 21 product versions) — build 10.0.17763.7314, 10.0.19044.5854+

Real-world incidentsWhat we've seen

Microsoft confirmed in-the-wild exploitation of CVE-2025-30400 at the May 13 2025 release. DWM has historically attracted attacker attention because the desktop compositor runs at a higher integrity level than the user session, making it a reliable EoP target.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5058379

Manual remediation steps

⏱ 30–60 minutes including reboot

Apply the Microsoft Security Update

Microsoft has released an official security update that fixes this vulnerability.

Required KB Updates

KB5058379 — https://support.microsoft.com/help/5058379

KB5058384 — https://support.microsoft.com/help/5058384

KB5058385 — https://support.microsoft.com/help/5058385

KB5058392 — https://support.microsoft.com/help/5058392

KB5058405 — https://support.microsoft.com/help/5058405

KB5058411 — https://support.microsoft.com/help/5058411

KB5058497 — https://support.microsoft.com/help/5058497

KB5058500 — https://support.microsoft.com/help/5058500

Supersedes: KB5055518, KB5055519, KB5055523, KB5055526, KB5055527, KB5055528

Affected Products

Windows 10 Version 1809 for 32-bit Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 21H2 for 32-bit Systems

Windows 10 Version 21H2 for ARM64-based Systems

Windows 10 Version 21H2 for x64-based Systems

Windows 10 Version 22H2 for 32-bit Systems

Windows 10 Version 22H2 for ARM64-based Systems

Windows 10 Version 22H2 for x64-based Systems

Windows 11 Version 22H2 for ARM64-based Systems

Windows 11 Version 22H2 for x64-based Systems

Windows 11 Version 23H2 for ARM64-based Systems

Windows 11 Version 23H2 for x64-based Systems

Windows 11 Version 24H2 for ARM64-based Systems

Windows 11 Version 24H2 for x64-based Systems

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server 2022

Windows Server 2022 (Server Core installation)

Windows Server 2022, 23H2 Edition (Server Core installation)

Windows Server 2025

(…1 more product versions)

Fixed Build Numbers

10.0.17763.7314

10.0.19044.5854

10.0.19045.5854

10.0.20348.3630

10.0.20348.3692

10.0.22621.5335

10.0.22631.5335

10.0.25398.1611

10.0.26100.3981

10.0.26100.4061

Installation Methods

Windows Update (recommended)

Settings → Windows Update → Check for updates

The security update is offered if your system is in scope

Restart when prompted — a reboot IS required to complete the install

Microsoft Update Catalog (manual download)

Open https://catalog.update.microsoft.com

Search for KB5058379

Download the package matching your OS architecture and Windows build

Run the .msu installer with administrator privileges

Restart when prompted

WSUS / SCCM / Intune

Approve KB5058379 for the affected products in your update management console.

Microsoft Download Center Links

https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5058379

https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5058384

https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5058385

https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5058392

https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5058405

(…3 more)

Verification

Confirm the update is installed:

Get-HotFix | Where-Object { $_.HotFixID -in @('KB5058379','KB5058384','KB5058385','KB5058392','KB5058405','KB5058411','KB5058497','KB5058500') }

References

Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30400

KB article: https://support.microsoft.com/help/5058379

KB article: https://support.microsoft.com/help/5058384

KB article: https://support.microsoft.com/help/5058385

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-30400

CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30400

Discovery Credit

Microsoft Threat Intelligence Center

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2025-30400 ↗ MSRC Advisory ↗ NVD ↗ KBKB5058379