Microsoft Announces 121 Vulnerabilities – ryan
Microsoft is addressing 121 vulnerabilities this April 2025 Patch Tuesday, which is more than twice as many as last month.
Microsoft has evidence of in-the-wild exploitation for just one of the vulnerabilities published today, and it is already reflected in CISA KEV. Once again, Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication, so that is now a seven-month unbroken streak.
Today also sees the publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month and are not included in the total.
The Windows Common Log File System (CLFS) driver is firmly back on our radar today, with CVE-2025-29824, a zero-day local elevation of privilege vulnerability. First, the good news: the acknowledgements section credits the Microsoft Threat Intelligence Center, so the exploit was successfully reproduced by Microsoft. The less-good news is that someone other than Microsoft was first to discover the exploit, because otherwise Microsoft would not be listing CVE-2025-29824 as exploited in the wild. The advisory does not specify what privilege level is achieved upon successful exploitation, but it will almost certainly be SYSTEM, because that has been the prize for all the other CLFS elevation of privilege zero-day vulnerabilities.
As usual, some form of less-privileged local access is a prerequisite, but attack complexity is low, so this is the sort of vulnerability which goes into any standard break-and-enter toolkit. Given the long history of similar vulnerabilities, it would be more surprising if exploit code weren't publicly available in the not-too-distant future. Although December 2024 Patch Tuesday seems as though it must have been a very long time ago, any standard calendar will tell us that only 119 days have elapsed since the last zero-day CLFS local elevation of privilege. Rapid7 discussed the history of CLFS zero-day elevation of privilege vulnerabilities at the time. All versions of Windows receive a patch, except for the venerable LTSC Windows 10 1507, which is listed on the advisory as vulnerable but left out in the cold with no update; the FAQ says to check back later. Windows 10 LTSC 1507 is scheduled for end of service on 2025-10-14, so the clock is ticking regardless.
Although it has been many months since we've seen a critical zero-day vulnerability from Microsoft, there is no shortage of critical remote code execution (RCE) vulnerabilities published today. Defenders responsible for a Windows LDAP server (in practice, every Active Directory domain controller), which means almost any organization with a non-trivial Microsoft footprint, should add patching for CVE-2025-26663 to their to-do list. With no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut for any attacker. Anyone wondering if today is a re-run of December 2024 Patch Tuesday can take some small solace in the fact that the worst of the trio of LDAP critical RCEs published at the end of last year was likely easier to exploit than today's example, since today's CVE-2025-26663 requires that an attacker win a race condition. Despite that, Microsoft still rates it as "Exploitation More Likely".
If you breathe a sigh of relief when you see LDAP server critical RCE vulnerabilities like CVE-2025-26663 because you are certain that you don't have any Windows LDAP servers in your estate, how about LDAP clients? CVE-2025-26670 describes a critical RCE in the LDAP client, although the FAQ confusingly states that exploitation would require an attacker to "send specially crafted requests to a vulnerable LDAP server"; this looks like it might be a data entry error in the advisory FAQ, so keep an eye out for an update to that section of the advisory. Assuming the rest of the advisory is present and correct, exploitation requires that the attacker win a race condition, which keeps the attack complexity higher than it otherwise would be. While we wait for clarification, it is still a critical RCE which Microsoft rates as "Exploitation More Likely", and since the LDAP client ships with every Windows edition, the exposed population is every Windows host rather than just domain controllers. On that basis, patching promptly is recommended regardless.
The prolific Windows vulnerability pioneers at Kunlun Lab are credited with a pair of critical RCE vulnerabilities in Windows Remote Desktop Services. Although both CVE-2025-27480 and CVE-2025-27482 share a CVSSv3 base score of 8.1, Microsoft has ranked them both as critical using its own proprietary severity ranking scale. Both vulnerabilities require that an attacker win a race condition. If you've ever read Microsoft's guide to deploying the Remote Desktop Gateway role, you probably have some systems to patch.
Some Microsoft security advisory FAQs provide a satisfying level of detail, where others raise more questions than they answer. CVE-2025-27491 is a Hyper-V critical RCE which falls into the second category, since it states that an attacker must be authenticated (no need for elevated privileges), but also that the attacker must send the user a malicious site and convince them to open it, and it is not at all clear why authentication would be required in that case. Also unusual: the remediation table on the advisory lists several 32-bit versions of Windows as receiving patches, although Hyper-V requires a 64-bit processor and a 64-bit host.
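The four components discussed above (the CLFS driver, the Windows LDAP server and client, Remote Desktop Services with the RD Gateway role, and Hyper-V) can be triaged per host before the patches roll out. The PowerShell below is an added example written for this page, not code from the original post or from Microsoft; it runs the standard inventory cmdlets in an elevated session and reports which of this month's advisories the local machine is exposed to. The CVE-to-component mapping comes from the text above; the build number 10240 for Windows 10 1507, the DomainRole values 4 and 5 for domain controllers, and the feature names RDS-Gateway and Microsoft-Hyper-V are stable Windows identifiers, but the function name and output layout are this example's own.

```powershell
# Added example, not from the original post: per-host exposure triage for the
# April 2025 advisories discussed above. Run as Administrator on PowerShell 5.1+.
function Get-AprilPatchTuesdayExposure {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $build = [int]$os.BuildNumber

    # CVE-2025-29824 (CLFS local EoP): every Windows host ships clfs.sys, so every
    # host is in scope. Report the driver version for comparison with the fixed
    # build on the advisory. Build 10240 is Windows 10 1507, which has no fix yet.
    $clfsPath    = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
    $clfsVersion = if (Test-Path $clfsPath) {
        (Get-Item $clfsPath).VersionInfo.FileVersion
    } else { 'clfs.sys not found' }
    $clfsNote = if ($build -eq 10240) {
        'Windows 10 1507: listed as vulnerable, no update available yet'
    } else { 'compare clfs.sys version against the advisory fixed build' }

    # CVE-2025-26663 (LDAP server RCE): the Windows LDAP server is the domain
    # controller role (DomainRole 4 = backup DC, 5 = primary DC). Also look for
    # LDAP/LDAPS/global catalog listeners in case the role value is stale.
    # CVE-2025-26670 (LDAP client RCE) applies to every host regardless.
    $ldapPorts     = 389, 636, 3268, 3269
    $ldapListeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $ldapPorts -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique
    $isDc = $cs.DomainRole -in @(4, 5)

    # CVE-2025-27480 / CVE-2025-27482 (Remote Desktop Services RCE): the post
    # points at the RD Gateway role. Get-WindowsFeature exists only on Server SKUs.
    $rdGateway = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature   = Get-WindowsFeature -Name RDS-Gateway -ErrorAction SilentlyContinue
        $rdGateway = [bool]$feature.Installed
    }

    # CVE-2025-27491 (Hyper-V RCE): Hyper-V needs a 64-bit host, which is why the
    # 32-bit rows in the remediation table look odd. The optional-feature query
    # works on both client and server editions.
    $hyperV = $false
    if ([Environment]::Is64BitOperatingSystem) {
        $hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
        if ($hv) { $hyperV = ($hv.State -eq 'Enabled') }
    }

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        OSBuild        = $build
        Is64Bit        = [Environment]::Is64BitOperatingSystem
        CLFS_Version   = $clfsVersion
        CLFS_Note      = $clfsNote
        LDAP_IsDC      = $isDc
        LDAP_Listening = ($ldapListeners -join ',')
        RDGateway      = $rdGateway      # $null on client SKUs (cmdlet absent)
        HyperV_Enabled = $hyperV
    }
}

Get-AprilPatchTuesdayExposure | Format-List
```

Run it across a fleet with Invoke-Command and collect the objects; any host reporting LDAP_IsDC as True, a non-empty LDAP_Listening list, RDGateway True or HyperV_Enabled True belongs at the front of the patch queue for the corresponding CVE, while the CLFS row applies to every host, and a CLFS_Note mentioning 1507 flags a machine that cannot be patched yet and should be isolated or retired ahead of its 2025-10-14 end of service.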
In Microsoft product lifecycle news, Dynamics GP 2015 moves past the end of extended support today. The next batch of significant lifecycle status changes is due in July 2025, when the SQL Server 2012 ESU program draws to a close.