Microsoft has launched safety fixes to handle an enormous set of 125 flaws affecting its software program merchandise, together with one vulnerability that it mentioned has been actively exploited within the wild.
Of the 125 vulnerabilities, 11 are rated Essential, 112 are rated Vital, and two are rated Low in severity. Forty-nine of those vulnerabilities are labeled as privilege escalation, 34 as distant code execution, 16 as data disclosure, and 14 as denial-of-service (DoS) bugs.
The updates are apart from the 22 flaws the corporate patched in its Chromium-based Edge browser for the reason that launch of final month’s Patch Tuesday replace.
The vulnerability that has been flagged as beneath lively assault is an elevation of privilege (EoP) flaw impacting the Home windows Frequent Log File System (CLFS) Driver (CVE-2025-29824, CVSS rating: 7.8) that stems from a use-after-free state of affairs, permitting a certified attacker to raise privileges regionally.
CVE-2025-29824 is the sixth EoP vulnerability to be found in the identical element that has been exploited within the wild since 2022, the others being CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252, and CVE-2024-49138 (CVSS scores: 7.8).
“From an attacker’s perspective, post-compromise exercise requires acquiring requisite privileges to conduct follow-on exercise on a compromised system, comparable to lateral motion,” Satnam Narang, senior employees analysis engineer at Tenable, mentioned.
“Due to this fact, elevation of privilege bugs are usually common in focused assaults. Nonetheless, elevation of privilege flaws in CLFS have develop into particularly common amongst ransomware operators through the years.”
Mike Walters, president and co-founder of Action1, mentioned the vulnerability permits privilege escalation to the SYSTEM degree, thereby giving an attacker the power to put in malicious software program, modify system settings, tamper with safety features, entry delicate information, and keep persistent entry.
“What makes this vulnerability notably regarding is that Microsoft has confirmed lively exploitation within the wild, but presently, no patch has been launched for Home windows 10 32-bit or 64-bit programs,” Ben McCarthy, lead cyber safety engineer at Immersive, mentioned. “The shortage of a patch leaves a essential hole in protection for a large portion of the Home windows ecosystem.”
“Underneath sure reminiscence manipulation circumstances, a use-after-free could be triggered, which an attacker can exploit to execute code on the highest privilege degree in Home windows. Importantly, the attacker doesn’t want administrative privileges to take advantage of the vulnerability – solely native entry is required.”
The lively exploitation of the flaw, per Microsoft, has been linked to ransomware assaults in opposition to a small variety of targets. The event has prompted the U.S. Cybersecurity and Infrastructure Safety Company (CISA) to add it to the Recognized Exploited Vulnerabilities (KEV) catalog, requiring federal companies to use the repair by April 29, 2025.
A few of the different notable vulnerabilities patched by Redmond this month embrace a safety function bypass (SFB) flaw affecting Home windows Kerberos (CVE-2025-29809), in addition to distant code execution flaws in Home windows Distant Desktop Companies (CVE-2025-27480, CVE-2025-27482), and Home windows Light-weight Listing Entry Protocol (CVE-2025-26663, CVE-2025-26670)
Additionally of word are a number of Essential-severity distant code execution flaws in Microsoft Workplace and Excel (CVE-2025-29791, CVE-2025-27749, CVE-2025-27748, CVE-2025-27745, and CVE-2025-27752) that might be exploited by a foul actor utilizing a specifically crafted Excel doc, leading to full system management.
Capping off the checklist of Essential flaws are two distant code execution vulnerabilities impacting Home windows TCP/IP (CVE-2025-26686) and Home windows Hyper-V (CVE-2025-27491) that would enable an attacker to execute code over a community beneath sure circumstances.
It is value noting that a number of of the vulnerabilities are but to obtain patches for Home windows 10. Microsoft mentioned the updates could be “launched as quickly as attainable, and when they’re obtainable, prospects will probably be notified through a revision to this CVE data.”
Software program Patches from Different Distributors
Along with Microsoft, safety updates have additionally been launched by different distributors over the previous few weeks to rectify a number of vulnerabilities, together with —
(The story was up to date after publication to replicate the change within the variety of safety patches for April 2025. In a press release shared with The Hacker Information, Microsoft mentioned one of many CVEs was “revealed in error” and has been faraway from the discharge notes.)
