Microsoft’s April 2025 Patch Tuesday Update: What’s New

WindowsCult
4 min read · Apr 9, 2025


This time, Microsoft addressed 121 vulnerabilities, including the actively exploited zero-day CVE-2025-29824 and 11 critical RCE flaws.

April 2025 Patch Tuesday Update

Microsoft released the April 2025 Patch Tuesday update, including fixes for a significant 121 vulnerabilities across various Microsoft products. This includes one actively exploited zero-day vulnerability, CVE-2025-29824, and 11 critical remote code execution (RCE) vulnerabilities. The patch addresses vulnerabilities in key components such as Windows Hyper-V, Remote Desktop Services, Azure, LDAP, .NET Framework, and Microsoft Office, making it an important update for users and organizations.

The 121 vulnerabilities patched in April 2025 span multiple severity levels and types, with Microsoft classifying them as follows:

  • 11 Critical: These are primarily RCE vulnerabilities that could allow attackers to execute malicious code remotely, often without user interaction or authentication.
  • 109 Important: These include elevation of privilege (EoP), denial-of-service (DoS), and information disclosure bugs, which, while less severe, could still amplify attacks when combined with critical flaws.
  • 1 Low: A less impactful issue, though still addressed for completeness.

The vulnerabilities affect a wide range of Microsoft products, including operating systems (Windows 10, 11, and Server editions), virtualization platforms (Hyper-V), remote access tools (Remote Desktop Services), cloud services (Azure), directory services (LDAP), development frameworks (.NET), and productivity software (Office).

CVE-2025-29824: Actively Exploited Zero-Day Vulnerability

Discovered by the Microsoft Threat Intelligence Center, CVE-2025-29824 is a use-after-free vulnerability in the Common Log File System (CLFS) driver, a core Windows component used for system logging. This zero-day flaw has been actively exploited by the ransomware gang Storm-2460, linked to the RansomEXX group, using the PipeMagic malware. The exploitation process begins with initial access via PipeMagic, followed by leveraging CVE-2025-29824 to escalate privileges to SYSTEM level — the highest privilege tier on a Windows system.

  • Affected Systems: All supported Windows versions (e.g., Windows 10, 11, and Server editions) running the CLFS Driver, though the exploit does not function on Windows 11 version 24H2.
  • Real-World Impact: Victims have been identified across the US (IT and real estate), Spain (software firms), Venezuela (finance), and Saudi Arabia (retail). Once SYSTEM access is gained, attackers can deploy ransomware, steal data, or disrupt operations.
  • Urgency: The active exploitation by a known threat actor, combined with its inclusion in the CISA Known Exploited Vulnerabilities Catalog (with a patching deadline of April 29, 2025), emphasizes the critical need to apply this update immediately.

The April 2025 update patches 11 critical RCE vulnerabilities:

CVE-2025-26686 — Windows TCP/IP RCE: This critical flaw in the Windows TCP/IP Stack, caused by a race condition with unlocked memory, lets remote attackers execute code over a network. It requires precise timing but no authentication, risking compromise of network-facing systems without user interaction.

CVE-2025-27752 & CVE-2025-29791 — Microsoft Excel RCE: These critical Excel vulnerabilities — a heap-based buffer overflow and a type confusion bug — allow unauthenticated attackers to execute code via malicious files. Exploitable through phishing, they grant system control without needing elevated privileges, threatening Excel users.

CVE-2025-27491 — Windows Hyper-V RCE: A critical use-after-free flaw with a race condition in Windows Hyper-V lets an authenticated guest VM attacker run code on the host. It breaches VM isolation, endangering virtualization setups and potentially escalating privileges.

CVE-2025-27745 — Microsoft Office RCE: This critical use-after-free issue in Microsoft Office enables unauthenticated attackers to trigger RCE via malicious documents. Requiring no special access, it risks system takeovers across Office’s vast user base.

CVE-2025-27748 — Microsoft Office RCE: Another critical use-after-free flaw in Office, this vulnerability allows unauthenticated RCE through crafted documents. Easily exploitable via user action, it amplifies threats to Office environments.

CVE-2025-27749 — Microsoft Office RCE: A third critical use-after-free in Office, this flaw permits unauthenticated attackers to execute code via malicious files. Its simplicity heightens risks for Office users, enabling potential system compromise.

CVE-2025-27480 — Remote Desktop Services RCE: This critical RD Gateway flaw, involving a race condition and use-after-free, lets unauthenticated attackers execute code over the network. Targeting exposed systems, it threatens remote access infrastructures.

CVE-2025-27482 — Remote Desktop Services RCE: A critical RD Gateway vulnerability from insecure memory storage allows unauthenticated network-based RCE. It endangers remote setups, potentially enabling attackers to disrupt or control systems.

CVE-2025-26663 & CVE-2025-26670 — Windows LDAP Client RCE: These critical use-after-free bugs in the Windows LDAP Client, triggered by crafted server responses, enable unauthenticated remote code execution. With wormable potential, they threaten domain environments, risking widespread network compromise.

In addition to security patches, the April 2025 update introduces enhancements and fixes for Windows 11 and Windows 10, improving user experience and system stability.

Windows 11 KB5055523 (Build 26100.3775 for 24H2)

New Features:

  • AI-Powered Windows Search: For Copilot+ PCs, search now supports natural language queries (e.g., “summer picnics”) and integrates OneDrive cloud photos into File Explorer results.
  • Taskbar Enhancements: Adds an emoji icon in the system tray for quick access.
  • Settings Upgrade: Displays key PC specs in “Top Cards” for easier system monitoring.
  • Gamepad-Friendly Keyboard: A new touch keyboard layout optimized for Xbox controller users.

Fixes:

  • Resolves a File Explorer bug where the three-dot menu opened in the wrong direction or off-screen.
  • Fixes a Blue Screen of Death (BSOD) issue tied to Intel sensor compatibility when waking from sleep.

Windows 10 KB5055518

New Features: Limited new functionality due to the impending end of support on October 14, 2025, but it includes minor stability improvements.

Fixes:

  • Eliminates random text appearing during printing, a long-standing issue for users.
  • Addresses general performance hiccups to ensure smoother operation in its final months.
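A quick way to confirm that the CVE-2025-29824 fix and the rest of this month's cumulative update are actually installed, as an added example (not code from the original post): it reads the build from the registry and the KB list from Get-HotFix and compares them with the KB numbers and the 24H2 build 26100.3775 given above. The Windows 10 22H2 build number (19045), the registry path and the cmdlets are standard Windows facts not stated in the post; the post gives no post-patch build for Windows 10, so only KB presence is checked there.

```powershell
# Added example: verify the April 2025 Patch Tuesday update on the local machine.
# KB numbers and build 26100.3775 come from the post above; build 19045 (Windows 10
# 22H2) is assumed from general Windows knowledge, not from the post.
$Expected = @{
    '26100' = @{ Name = 'Windows 11 24H2'; KB = 'KB5055523'; Ubr = 3775; Note = '' }
    '19045' = @{ Name = 'Windows 10 22H2'; KB = 'KB5055518'; Ubr = $null
                 Note = 'Windows 10 support ends October 14, 2025' }
}

function Get-April2025PatchStatus {
    # CurrentBuild and UBR together form the build string the post quotes (e.g. 26100.3775).
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    # Installed updates by KB id; cumulative updates appear here as well.
    $hotfixes = @(Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID)

    # clfs.sys is the driver fixed for CVE-2025-29824. Its version is reported for
    # reference only: the post does not state the patched file version.
    $clfs = Get-Item "$env:SystemRoot\System32\drivers\clfs.sys" -ErrorAction SilentlyContinue
    $clfsVersion = if ($clfs) { $clfs.VersionInfo.ProductVersion } else { 'n/a' }

    $target = $Expected[$build]
    if ($null -eq $target) {
        $edition = "build $build not covered by this check"
        $expectedKb = $null; $kbOk = $null; $ubrOk = $null; $note = ''
    } else {
        $edition    = $target.Name
        $expectedKb = $target.KB
        $note       = $target.Note
        $kbOk       = $hotfixes -contains $target.KB
        # A later cumulative update supersedes this KB, so a UBR at or above the
        # post's value also counts as patched where the post states that value.
        $ubrOk = if ($null -ne $target.Ubr) { $ubr -ge $target.Ubr } else { $null }
    }
    # Get-HotFix can be incomplete on some systems, so either signal is accepted.
    $patched = ($kbOk -eq $true) -or ($ubrOk -eq $true)

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Edition = $edition; Build = "$build.$ubr"
        ExpectedKB = $expectedKb; KBInstalled = $kbOk; BuildAtOrAbovePatch = $ubrOk
        Patched = $patched; ClfsSysVersion = $clfsVersion; Note = $note
    }
}

Get-April2025PatchStatus | Format-List
```

Run it in an elevated PowerShell on each host; a result with Patched = False on a build the check covers means the CISA deadline of April 29, 2025 is not yet met for that machine.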

Source: https://windows101tricks.com/microsoft-patch-tuesday-review/
