freshidea - stock.adobe.com News Microsoft’s April 2025 bumper Patch Tuesday corrects 124 bugs Microsoft is correcting 124 vulnerabilities in its March Patch Tuesday, one of which is being actively exploited in the wild, and 11 of which are ‘critical’ By Brian McKenna, Enterprise Applications Editor Published: 09 Apr 2025 18:16 Microsoft’s mighty bundle of 124 April fixes for Common Vulnerabilities and Exposures (CVEs) in its codebase includes 11 that are rated “critical” and two rated “low”, with the rest rated “important” in severity. Dustin Childs of the Zero Day Initiative noted that “only one of these bugs is listed as publicly known or under active attack at the time of release”, but that this will be of little comfort. In a blog post, Childs said of the vulnerability being listed by Microsoft as under active attack: “This privilege escalation bug [CVE-2025-29824] ... allows a threat actor to execute their code with System privileges. These types of bugs are often paired with code execution bugs to take over a system. Microsoft gives no indication of how widespread these attacks are.” Two of the other bugs Childs picked out – CVE-2025-26663 and CVE-2025-26670 – “allow a remote, unauthenticated attacker to execute their code on affected systems just by sending a specially crafted LDAP [Lightweight Directory Access Protocol] message”. He added: “Since just about everything can host an LDAP service, there’s a plethora of targets out there. And since no user interaction is involved, these bugs are wormable.” Wormable means no human interaction is required for the cyber attack to spread. Of the current crop of Microsoft vulnerabilities being disclosed, Adam Barnett, lead software engineer at Rapid7, said: “The Windows Common Log File System (CLFS) Driver is firmly back on our radar today with CVE-2025-29824, a zero-day local elevation of privilege vulnerability.” This is the vulnerability that Childs put primary focus on in his post. Barnett said: “First, the good news: the Acknowledgements section credits the Microsoft Threat Intelligence Center, so the exploit was successfully reproduced by Microsoft; the less-good news is that someone other than Microsoft was first to discover the exploit, because otherwise Microsoft wouldn’t be listing CVE-2025-29824 as exploited in the wild. The advisory does not specify what privilege level is achieved upon successful exploitation, but it’ll be System, because that’s the prize for all the other CLFS [Common Log File System] elevation of privilege zero-day vulnerabilities. “Defenders responsible for an LDAP server – which means almost any organisation with a non-trivial Microsoft footprint – should add patching for CVE-2025-26663 to their to-do list. With no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker.” He added this further note of caution: “If you breathe a sigh of relief when you see LDAP server critical RCE vulnerabilities like CVE-2025-26663, because you’re certain that you don’t have any Windows LDAP servers in your estate, how about LDAP clients? CVE-2025-26670 describes a critical RCE [Remote Code Execution] in the LDAP client, although the FAQ confusingly states that exploitation would require an attacker to ‘send specially crafted requests to a vulnerable LDAP server’; this seems like it might be a data entry error on the advisory FAQ, so keep an eye out for an update to that section of the advisory.” The full list of CVEs released by Microsoft for April 2025 can be found here. The CVEs encompass, according to Childs’ enumeration, Windows and Windows Components, Office and Office Components, Azure, .Net and Visual Studio, BitLocker, Kerberos, Windows Hello, OpenSSH, and Windows Lightweight Directory Access Protocol. Read more Patch Tuesday updates March 2025: The third Patch Tuesday of 2025 brought fixes for 57 flaws and a hefty number of zero-days. February 2025: Microsoft corrected 57 vulnerabilities, two of which are being actively exploited in the wild, and three of which are ‘critical’. January 2025: The largest Patch Tuesday of the 2020s so far brings fixes for more than 150 CVEs ranging widely in their scope and severity – including eight zero-day flaws. December 2024: Microsoft has fixed over 70 CVEs in its final Patch Tuesday update of the year, and defenders should prioritise a zero-day in the Common Log File System Driver, and another impactful flaw in the Lightweight Directory Access Protocol. November 2024: High-profile vulns in NTLM, Windows Task Scheduler, Active Directory Certificate Services and Microsoft Exchange Server should be prioritised from November’s Patch Tuesday update. October 2024: Stand-out vulnerabilities in Microsoft’s latest Patch Tuesday drop include problems in Microsoft Management Console and the Windows MSHTML Platform. September 2024: Four critical remote code execution bugs in Windows and three critical elevated privileges vulnerabilities will keep admins busy. August 2024: Microsoft patches six actively exploited zero-days among over 100 issues during its regular monthly update. July 2024: Microsoft has fixed almost 140 vulnerabilities in its latest monthly update, with a Hyper-V zero-day singled out for urgent attention. June 2024: An RCE vulnerability in a Microsoft messaging feature and a third-party flaw in a DNS authentication protocol are the most pressing issues to address in Microsoft’s latest Patch Tuesday update. May 2024: A critical SharePoint vulnerability warrants attention this month, but it is another flaw that seems to be linked to the infamous Qakbot malware that is drawing attention. April 2024: Support for the Windows Server 2008 OS ended in 2020, but four years on and there's a live exploit of a security flaw that impacts all Windows users. March 2024: Two critical vulnerabilities in Windows Hyper-V stand out on an otherwise unremarkable Patch Tuesday. February 2024: Two security feature bypasses impacting Microsoft SmartScreen are on the February Patch Tuesday docket, among more than 70 issues. In The Current Issue: Interview: The role of IT innovation at Royal Ballet and Opera ‘Bankenstein’ and a cold calculation means banking crashes will continue Download Current Issue Making America great, but at what cost? – Cliff Saran's Enterprise blog Turning data into gold: the business intelligence story – Data Matters View All Blogs