For the second time this year, Microsoft has delivered another massive round of security fixes. This time tackling 126 vulnerabilities across its product ecosystem. The April 2025 Patch Tuesday update includes a broad mix of flaws, most notably a zero-day exploit that’s actively being used by attackers. As well as over a dozen others flagged as highly likely to be targeted in the near future.
One vulnerability in particular, tracked as CVE-2025-29824, has taken center stage. Found in the Windows Common Log File System (CLFS) Driver. This bug allows attackers to escalate privileges on an already-compromised machine. Microsoft has attributed its exploitation to a threat actor group it tracks as Storm-2460. Which has reportedly used the flaw to deploy ransomware across industries ranging from IT to real estate and retail, spanning countries like the U.S., Venezuela, Saudi Arabia, and Spain.
This exploit gives adversaries the ability to gain system-level access. Allowing them to move laterally within a network, disable protections, or install malicious code. The flaw received a 7.8 CVSS rating, and security professionals say it should be patched without delay. Microsoft emphasized that organizations must prioritize privilege escalation fixes to prevent post-compromise activity from spiraling into full-blown ransomware incidents.
Security researchers point out that CLFS bugs aren’t new. Since 2022, Microsoft has fixed more than 30 vulnerabilities in the same component. Including six that were already being exploited before they were patched. One of the most recent — CVE-2024-49138 — was addressed in late 2024. These recurring weaknesses continue to attract threat actors looking for reliable ways to gain deeper access after an initial breach.
This month’s update also contains dozens of other privilege escalation vulnerabilities, totaling 49 in all. The largest category among the fixes. These bugs affect components like Windows Installer, Microsoft Office, and the DirectX Graphics kernel. Even though they weren’t marked “Critical,” several have CVSS scores near or above 7.8. Involve minimal complexity, and don’t require any user interaction — characteristics that make them valuable tools in post-exploitation scenarios.
Remote code execution flaws, which typically top the vulnerability count in past Patch Tuesday releases, were fewer this time — but no less important. Among them, several stand out due to how easily attackers can exploit them. Three of the most concerning RCE bugs reside in the Windows LDAP service and can be triggered remotely with specially crafted requests. These include CVE-2025-26663, which could allow unauthenticated attackers to hijack memory and execute code on a vulnerable server.
In addition, Microsoft flagged CVE-2025-27580 and CVE-2025-27582, two vulnerabilities impacting Remote Desktop Gateway services. These bugs can be used to remotely run code without needing a login, exploiting timing flaws in how memory is allocated. Experts warn that these could give attackers full control of targeted systems over the network.
A number of Microsoft Office flaws were also addressed in this month’s batch. Alongside bugs that allow attackers to bypass critical security features like Mark of the Web and Windows Kerberos protections. All told, security researchers are urging enterprises not to overlook these updates. Even if some are not yet marked as critical.
However, some Windows users might need to wait a bit longer for complete protection. Microsoft has yet to release patches for certain Windows 10 systems, both 32-bit and x64-based. While the company says the updates are coming soon, no official release date has been shared. This delay has drawn concern from security professionals, who warn that once a vulnerability is publicly disclosed, it becomes a prime target for exploitation — especially if patches are delayed.
With 126 vulnerabilities addressed in a single update — and at least one already being used in active ransomware attacks — the April 2025 Patch Tuesday underscores the rising pressure facing security teams. From stealthy privilege escalation tactics to remote code execution threats, the latest wave of vulnerabilities serves as a reminder that keeping systems secure is a moving target.
