Image source: QINQIE99,Shutterstock
One of them is a 0-day that a threat actor is using in an ransomware campaign
Microsoft has released fixes for 126 vulnerabilities in its April 2025 Patch Tuesday security update. Here are the flaws you might want to prioritize
The sole 0-Day bug in the update
CVE-2025-29824: Elevation of Privilege Vulnerability in Windows Common Log File System (CLFS) Driver. An attacker who successfully exploits this vulnerability could gain SYSTEM privileges.
The reason to patch right away: A threat actor that Microsoft is tracking at Storm-2460 has already exploited the vulnerability to elevate privileges on compromised networks and drop ransomware on them. The “small number” of victims of the campaign “include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,” according to Microsoft.
By way of perspective: “This is the second EoP vulnerability in the Windows CLFS driver patched in 2025. In 2024, there were eight CLFS vulnerabilities patched, including one zero-day vulnerability in the CLFS driver that was exploited (CVE-2024-49138) and patched in the December 2024 Patch Tuesday release. Microsoft has patched an average of 10 vulnerabilities per year in the CLFS driver since 2022. Windows CLFS continues to be a popular attack vector for ransomware”—Satnam Narang, security researcher, Tenable.
11 flaws Microsoft’s April 2025 security update that the company thinks attackers will likely target
6 enable Remote Code Execution (RCE):
CVE-2025-26663 A RCE vulnerability in Windows Lightweight Directory Access Protocol (LDAP): “An unauthenticated attacker could sequentially send specially crafted requests to a vulnerable LDAP server. Successful exploitation could result in a use after free which could be leveraged to achieve remote code execution”–Microsoft
CVE-2025-26670 A RCE bug affecting LDAP Client: “An unauthenticated attacker could sequentially send specially crafted requests to a vulnerable LDAP server. Successful exploitation could result in a use after free which could be leveraged to achieve remote code execution.”—Microsoft
CVE-2025-27480 Windows Remote Desktop Services Remote Code Execution Vulnerability: “An attacker could successfully exploit this vulnerability by connecting to a system with the Remote Desktop Gateway role, triggering the race condition to create a use-after-free scenario, and then leveraging this to execute arbitrary code.”–Microsoft
CVE-2025-27482 Windows Remote Desktop Services Remote Code Execution Vulnerability: “An attacker could successfully exploit this vulnerability by connecting to a system with the Remote Desktop Gateway role, triggering the race condition to create a use-after-free scenario, and then leveraging this to execute arbitrary code.”–Microsoft
CVE-2025-29793 Microsoft SharePoint Remote Code Execution Vulnerability: “An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server.”–Microsoft
CVE-2025-29794 Microsoft SharePoint Remote Code Execution Vulnerability: “In a network-based attack, an authenticated attacker, as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server.”—Microsoft.
2 of the high-risk bugs in April’s Patch Tuesday update enable security feature bypass
CVE-2025-27472 Windows Mark of the Web Security Feature Bypass Vulnerability: “An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as SmartScreen Application Reputation security check and/or the legacy Windows Attachment Services security prompt.”–Microsoft
CVE-2025-29809 Windows Kerberos Security Feature Bypass Vulnerability: “An attacker who successfully exploited this vulnerability could bypass Windows Defender Credential Guard Feature to leak Kerberos Credential.”–Microsoft
3 are Elevation of Privilege vulnerabilities
CVE-2025-27727 Windows Installer Elevation of Privilege Vulnerability: “Improper link resolution before file access (‘link following’) in Windows Installer allows an authorized attacker to elevate privileges locally.”–Microsoft
CVE-2025-29792 Microsoft Office Elevation of Privilege Vulnerability: “To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”–Microsoft
CVE-2025-29812 DirectX Graphics Kernel Elevation of Privilege Vulnerability: “Untrusted pointer dereference in Windows Kernel Memory allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”–Microsoft