April Patch Tuesday: Microsoft announces 121 vulnerabilities

Microsoft is addressing 121 vulnerabilities this April 2025 Patch Tuesday, which is more than twice as many as last month. 

Microsoft has evidence of in-the-wild exploitation for just one of the vulnerabilities published today, which is already reflected in CISA KEV. Once again, Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication, so that's now a seven month unbroken streak. 

Today also sees the publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month, and are not included in the total.

The Windows Common Log File System (CLFS) Driver is firmly back on our radar today, with CVE-2025-29824, a zero-day local elevation of privilege vulnerability. First, the good news: the Acknowledgements section credits the Microsoft Threat Intelligence Centre, so the exploit was successfully reproduced by Microsoft. The less-good news is that someone other than Microsoft was first to discover the exploit, because otherwise Microsoft wouldn't be listing CVE-2025-29824 as exploited in the wild. The advisory does not specify what privilege level is achieved upon successful exploitation, but it'll be SYSTEM, because that's the prize for all the other CLFS elevation of privilege zero-day vulnerabilities. 

As usual, some form of less-privileged local access is a pre-requisite, but attack complexity is low, so this is the sort of vulnerability which goes into any standard break-and-enter toolkit. Given the long history of similar vulnerabilities, it would be more surprising if exploit code wasn't publicly available in the not-too-distant future. Although December 2024 Patch Tuesday seems as though it must have been a very long time ago, any standard calendar will tell us that only 119 days have elapsed since the last zero-day CLFS local elevation of privilege. Rapid7 discussed the history of CLFS zero-day elevation of privilege vulnerabilities at the time. All versions of Windows receive a patch, except for the venerable LTSC Windows 10 1507, which is listed on the advisory as vulnerable, but left out in the cold with no update; the FAQ says to check back later. Windows 10 LTSC 1507 is scheduled for end of servicing on 2025-10-14, so the clock is ticking regardless.

Although it has been many months since we've seen a critical zero-day vulnerability from Microsoft, there is no shortage of critical remote code execution (RCE) vulnerabilities published today. Defenders responsible for an LDAP serve,  which means almost any organisation with a non-trivial Microsoft footprint, should add patching for CVE-2025-26663 to their to-do list. With no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker. Anyone wondering if today is a re-run of December 2024 Patch Tuesday can take some small solace in the fact that the worst of the trio of LDAP critical RCEs published at the end of last year was likely easier to exploit than today's example, since today's CVE-2025-26663 requires that an attacker win a race condition. Despite that, Microsoft still expects that exploitation is more likely.

If you breathe a sigh of relief when you see LDAP server critical RCE vulnerabilities like CVE-2025-26663, because you're certain that you don't have any Windows LDAP servers in your estate, how about LDAP clients? CVE-2025-26670 describes a critical RCE in the LDAP client, although the FAQ confusingly states that exploitation would require an attacker to "send specially crafted requests to a vulnerable LDAP server"; this seems like it might be a data entry error on the advisory FAQ, so keep an eye out for an update to that section of the advisory. Assuming the rest of the advisory is all present and correct, exploitation requires that the attacker win a race condition, which keeps the attack complexity higher than it otherwise would be. While we wait for clarification, it's still a critical RCE which Microsoft rates as "exploitation more likely". On that basis, patching is always recommended.

The prolific Windows vulnerability pioneers at Kunlun Lab are credited with a pair of critical RCE vulnerabilities in Windows Remote Desktop Services. Although both CVE-2025-27480 and CVE-2025-27482 share a CVSSv3 base score of 8.1, Microsoft has ranked them both as critical using its own proprietary severity ranking scale. Both vulnerabilities require that an attacker win a race condition. If you've ever read Microsoft's guide to deploying the Remote Desktop Gateway role, you probably have some systems to patch.

Some Microsoft security advisory FAQs provide a satisfying level of detail, whereas others raise more questions than they answer. CVE-2025-27491 is a Hyper-V critical RCE which falls into the second category, since it states that an attacker must be authenticated (no need for elevated privileges), but also that the attacker must send the user a malicious site and convince them to open it, and it's not at all clear why authentication would be required in that case. Also unusual: the remediation table on the advisory lists several 32-bit versions of Windows as receiving patches, although Hyper-V requires a 64-bit processor and a 64-bit host OS.

In Microsoft product lifecycle news, Dynamics GP 2015 moves past the end of extended support today. The next batch of significant lifecycle status changes are due in July 2025, when SQL Server 2012 ESU program draws to a close.