Microsoft Addresses 134 Vulnerabilities in Latest Patch Tuesday, Including 1 Zero-Day
The latest security update from Microsoft for April revealed the presence of 134 vulnerabilities, one of which is a zero-day vulnerability that is actively being exploited.
Unlike the simultaneous release of Windows 11 patches, the security patches for Windows 10 had a delayed availability. Although the Windows 10 patches have now been released, the delay in their rollout was uncommon.
In an email to TechRepublic, Tyler Reguly, the associate director of security R&D at Fortra, a global cybersecurity software and services provider, indicated that the staggered release of the two updates and a 40-minute delay in the Windows 11 update might indicate some atypical occurrences in the background.
Reference: Understanding Patch Tuesday: A Comprehensive Overview of Microsoft’s Monthly Update
Discovery of CVE-2025-29824 in Live Environment
The zero-day vulnerability in question is CVE-2025-29824, an exploit for elevation of privilege within the Windows Common Log File System (CLFS) Driver.
Mike Walters, the president and co-founder of Action, a patch automation company, highlighted the significance of this vulnerability as it affects a fundamental element of Windows, thereby impacting a broad spectrum of environments including corporate systems and critical infrastructure. If successfully exploited, this vulnerability could lead to privilege escalation to the highest level, SYSTEM, on a Windows system.
Elevation of privilege attacks necessitate the threat actor to establish an initial access point within the system.
According to Satnam Narang, a senior staff research engineer at Tenable, “Elevation of privilege vulnerabilities in CLFS have gained popularity among ransomware operators over time.”
Ben McCarthy, the lead cybersecurity engineer at Immersive, added, “The absence of a patch for Windows 10 32-bit or 64-bit systems at this point, despite the confirmed active exploitation of CVE-2025-29824, presents a critical vulnerability affecting a substantial segment of the Windows ecosystem.”
The delayed issuance of Windows 10 patches, along with the 40-minute delay in the Windows 11 update, raises further concern about potential internal disruptions or impediments at Microsoft, especially given the ongoing exploitation of CVE-2025-29824.
Microsoft acknowledged that CVE-2025-29824 had been exploited in “a limited number of targets” spanning organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia, as per the disclosure by Microsoft.
Reguly reflected, “I recently had a conversation about vulnerabilities in CLFS and noticed a pattern of how they emerge. When one vulnerability in CLFS gets patched, it often triggers investigations that uncover additional vulnerabilities in the process. If I had to make a bet, I would anticipate CLFS vulnerabilities resurfacing next month.”
Common Trends: Remote Code Execution and Microsoft Office Vulnerabilities
Among other highlights of April’s Patch Tuesday is the resolution of CVE-2025-26663, a critical flaw that could potentially impact entities utilizing Windows Lightweight Directory Access Protocol (LDAP) servers.
Reguly drew attention to CVE-2025-27472, a vulnerability in the Mark of the Web (MOTW) flagged by Microsoft as “Exploitation More Likely.” He remarked, “It is a common occurrence to witness threat actors leveraging MOTW vulnerabilities. I wouldn’t be surprised if this becomes a exploited vulnerability in the near future.”
Reference: Evaluate the suitable security applications for your enterprise based on features, data storage, and cost considerations.
Microsoft provided several patches to address vulnerabilities in Office (CVE-2025-29791, CVE-2025-27749, CVE-2025-27748, and CVE-2025-27745). Given the widespread use of Microsoft Office, these vulnerabilities pose a risk of widespread impact, albeit contingent on successful social engineering or remote code execution to introduce a malicious file.
While some of these CVEs allowed for remote code execution, this month’s Patch Tuesday statistics reveal a different narrative on the whole.
As Narang highlighted, “For the first time since August 2024, Patch Tuesday vulnerabilities have seen an increased emphasis on elevation of privilege bugs, accounting for over 40% (49) of all resolved vulnerabilities. Typically, Patch Tuesday updates are dominated by remote code execution (RCE) vulnerabilities, but this month only a quarter of the flaws (31) were RCEs.”
Reguly observed a recurring trend in recent Patch Tuesday updates revolving around Office, browsers, and MOTW.
He remarked, “If I were to make a recommendation as an infosec buyer, such as a CISO, I would closely monitor the patterns in Microsoft vulnerabilities – the frequent occurrence and exploitation of technologies like Office, Edge, CLFS, and MOTW – and inquire with my vendors about proactive defense measures against these vulnerability types,” he suggested.
Apple Unveils Extensive Security Update
As outlined by KrebsonSecurity, Apple users should not overlook security patch releases.
Apple rolled out a substantial security update on March 31, addressing some actively exploited vulnerabilities. Generally, Patch Tuesday serves as an opportune moment for organizations to deploy updates to their corporate devices.
It is advisable to back up devices prior to updating to mitigate any potential issues that may arise from the new software installations.
About Author
