{"id":712,"date":"2025-04-09T21:24:58","date_gmt":"2025-04-09T21:24:58","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4301543"},"modified":"2025-04-09T21:24:58","modified_gmt":"2025-04-09T21:24:58","slug":"patch-tuesday-microsoft-fixes-134-vulnerabilities-including-1-zero-day","status":"publish","type":"post","link":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/04\/09\/patch-tuesday-microsoft-fixes-134-vulnerabilities-including-1-zero-day\/","title":{"rendered":"Patch Tuesday: Microsoft Fixes 134 Vulnerabilities, Including 1 Zero-Day"},"content":{"rendered":"
\"Photo
Microsoft CEO Satya Nadella. Image: Microsoft News<\/figcaption><\/figure>\n

Microsoft\u2019s Patch Tuesday security update for April included 134 flaws, one of which is an actively exploited zero-day flaw.<\/p>\n

The security patches for Windows 10 were unavailable when the Windows 11 patches were released. The Windows 10 patches have since arrived, but the delay was unusual.<\/p>\n

Tyler Reguly, associate director of security R&D at global cybersecurity software and services provider Fortra, suggested in an email to TechRepublic that the two separate releases and a 40-minute delay in the Windows 11 update might point to something unusual behind the scenes.<\/p>\n

SEE: What is Patch Tuesday? Microsoft\u2019s Monthly Update Explained<\/a><\/strong><\/p>\n

<\/span>CVE-2025-29824 has been detected in the wild<\/span><\/h2>\n

The zero-day vulnerability was CVE-2025-29824, an elevation of privilege bug<\/a> in the Windows Common Log File System (CLFS) Driver.<\/p>\n

\u201cThis vulnerability is significant because it affects a core component of Windows, impacting a wide range of environments, including enterprise systems and critical infrastructure,\u201d Mike Walters, president and co-founder of patch automation company Action, wrote in an email. \u201cIf exploited, it allows privilege escalation to SYSTEM level\u2014the highest privilege on a Windows system.\u201d<\/p>\n

Elevation of privilege attacks require the threat actor to have a foothold in the system first.<\/p>\n

\u201cElevation of privilege flaws in CLFS have become especially popular among ransomware operators over the years,\u201d Satnam Narang, Tenable\u2019s senior staff research engineer, said in an email.<\/p>\n

\u201cWhat makes this vulnerability particularly concerning is that Microsoft has confirmed active exploitation in the wild, yet at this time, no patch has been released for Windows 10 32-bit or 64-bit systems,\u201d Ben McCarthy, lead cybersecurity engineer at security training company Immersive, added. \u201cThe lack of a patch leaves a critical gap in defense for a wide portion of the Windows ecosystem.\u201d<\/p>\n

The delayed rollout of Windows 10 patches \u2014 paired with a 40-minute delay in the Windows 11 update \u2014 adds further weight to concerns about internal disruptions or challenges at Microsoft. While the reason for the delay remains unclear, security researchers are taking note of the timing, particularly given the active exploitation of CVE-2025-29824.<\/p>\n

CVE-2025-29824 has been exploited against \u201ca small number of targets\u201d in \u201corganizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,\u201d Microsoft disclosed<\/a>.<\/p>\n

\u201cI was recently discussing CLFS vulnerabilities and how they seem to come in waves,\u201d Reguly noted. \u201cWhen a vulnerability in CLFS is patched, people tend to dig around and look at what\u2019s going on and come across other vulnerabilities in the process. If I was a gambler, I would bet on CLFS appearing again next month.\u201d<\/p>\n

<\/span>Remote code execution and Microsoft Office flaws are common patterns<\/span><\/h2>\n

Other notable parts of April\u2019s Patch Tuesday include a fix for CVE-2025-26663, a critical flaw that could affect organizations running Windows Lightweight Directory Access Protocol (LDAP) servers.<\/p>\n

Reguly highlighted CVE-2025-27472, a vulnerability in Mark of the Web (MOTW) that Microsoft listed as Exploitation More Likely.  \u201cIt is common to see MOTW vulnerabilities utilized by threat actors,\u201d he said. \u201cI wouldn\u2019t be surprised if this is a vulnerability that we see exploited in the future.\u201d<\/p>\n

SEE: Choose the right security applications for your business<\/a> by balancing features, data storage, and cost. <\/strong><\/p>\n

Microsoft released multiple patches for CVEs in Office (CVE-2025-29791, CVE-2025-27749, CVE-2025-27748, and CVE-2025-27745). Microsoft Office\u2019s popularity means these vulnerabilities have the potential for widespread problems, although they all require successful social engineering or remote code execution to inject a malicious file.<\/p>\n

While some of these CVEs enabled remote code execution (RCE), this month\u2019s Patch Tuesday told a different story overall.<\/p>\n