Microsoft has launched security fixes to deal with an enormous set of 126 flaws affecting its software program merchandise, together with one vulnerability that it stated has been actively exploited within the wild.
Of the 126 vulnerabilities, 11 are rated Essential, 112 are rated Vital, and two are rated Low in severity. Forty-nine of those vulnerabilities are categorised as privilege escalation, 34 as distant code execution, 16 as data disclosure, and 14 as denial-of-service (DoS) bugs.
The updates are apart from the 22 flaws the corporate patched in its Chromium-based Edge browser for the reason that launch of final month’s Patch Tuesday replace.
The vulnerability that has been flagged as below energetic assault is an elevation of privilege (EoP) flaw impacting the Home windows Widespread Log File System (CLFS) Driver (CVE-2025-29824, CVSS rating: 7.8) that stems from a use-after-free state of affairs, permitting a certified attacker to raise privileges regionally.
CVE-2025-29824 is the sixth EoP vulnerability to be found in the identical part that has been exploited within the wild since 2022, the others being CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252, and CVE-2024-49138 (CVSS scores: 7.8).
“From an attacker’s perspective, post-compromise exercise requires acquiring requisite privileges to conduct follow-on exercise on a compromised system, equivalent to lateral motion,” Satnam Narang, senior workers analysis engineer at Tenable, stated.
“Due to this fact, elevation of privilege bugs are usually well-liked in focused assaults. Nonetheless, elevation of privilege flaws in CLFS have turn into particularly well-liked amongst ransomware operators through the years.”
Mike Walters, president and co-founder of Action1, stated the vulnerability permits privilege escalation to the SYSTEM degree, thereby giving an attacker the power to put in malicious software program, modify system settings, tamper with security options, entry delicate information, and keep persistent entry.
“What makes this vulnerability significantly regarding is that Microsoft has confirmed energetic exploitation within the wild, but at the moment, no patch has been launched for Home windows 10 32-bit or 64-bit methods,” Ben McCarthy, lead cyber security engineer at Immersive, stated. “The dearth of a patch leaves a essential hole in protection for a large portion of the Home windows ecosystem.”
“Below sure reminiscence manipulation situations, a use-after-free could be triggered, which an attacker can exploit to execute code on the highest privilege degree in Home windows. Importantly, the attacker doesn’t want administrative privileges to use the vulnerability – solely native entry is required.”
The energetic exploitation of the flaw, per Microsoft, has been linked to ransomware assaults in opposition to a small variety of targets. The event has prompted the U.S. Cybersecurity and Infrastructure Safety Company (CISA) so as to add it to the Recognized Exploited Vulnerabilities (KEV) catalog, requiring federal businesses to use the repair by April 29, 2025.
Among the different notable vulnerabilities patched by Redmond this month embrace a security function bypass (SFB) flaw affecting Home windows Kerberos (CVE-2025-29809), in addition to distant code execution flaws in Home windows Distant Desktop Providers (CVE-2025-27480, CVE-2025-27482), and Home windows Light-weight Listing Entry Protocol (CVE-2025-26663, CVE-2025-26670)
Additionally of be aware are a number of Essential-severity distant code execution flaws in Microsoft Workplace and Excel (CVE-2025-29791, CVE-2025-27749, CVE-2025-27748, CVE-2025-27745, and CVE-2025-27752) that could possibly be exploited by a foul actor utilizing a specifically crafted Excel doc, leading to full system management.
Capping off the record of Essential flaws are two distant code execution vulnerabilities impacting Home windows TCP/IP (CVE-2025-26686) and Home windows Hyper-V (CVE-2025-27491) that would permit an attacker to execute code over a community below sure situations.
It is price noting that a number of of the vulnerabilities are but to obtain patches for Home windows 10. Microsoft stated the updates could be “launched as quickly as potential, and when they’re accessible, prospects shall be notified through a revision to this CVE data.”
Software program Patches from Different Distributors
Along with Microsoft, security updates have additionally been launched by different distributors over the previous few weeks to rectify a number of vulnerabilities, together with —
