Patch Tuesday: April 2025

Patch Tuesday has struck again, with Microsoft bringing over double the amount of fixes than last month. April 2025's patch Tuesday has addressed 126 security vulnerabilities, including an actively  exploited zero-day vulnerability in the WCLFS and 11 Critical CVEs.

You can find a full list of security updates here.

Key Updates for February 2025

• 126 Vulnerabilities Patched
• 1 Actively Exploited Zero Day Vulnerability in the Windows Common Log File System
  
• 11 critical vulnerabilities.

Zero Day Vulnerabilities 

CVE-2025-29824 – Windows Common Log File System Driver Elevation of Privilege Vulnerability

• CVSS Score: 7.8

• Severity: High

• Description: A use-after-free vulnerability in the Windows Common Log File System (CLFS) Driver allows a local attacker with limited privileges to execute arbitrary code with SYSTEM-level permissions.

• Exploitation Status: Actively exploited in the wild.

Use RoboShadow to check your organisations OS status.

Critical Vulnerability Summary

This April, Microsoft released fixes for 11 Critical Vulnerabilities.

CVE-2025-26663 – Windows LDAP Use-After-Free Remote Code Execution Vulnerability

• CVSS Score: 8.1
• Description: A use-after-free vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) allows an unauthorized attacker to execute code over a network.

CVE-2025-26670 – Windows LDAP Use-After-Free Remote Code Execution Vulnerability

• CVSS Score: 8.1
• Description: A use-after-free vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) allows an unauthorized attacker to execute code over a network.

CVE-2025-27480 – Remote Desktop Gateway Service Use-After-Free Remote Code Execution Vulnerability

• CVSS Score: 8.1
• Description: A use-after-free vulnerability in the Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network.

CVE-2025-27482 – Remote Desktop Gateway Service Improper Memory Locking Remote Code Execution Vulnerability

• CVSS Score: 8.1
• Description: Sensitive data storage in improperly locked memory in the Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network.

CVE-2025-27745 – Microsoft Office Use-After-Free Local Code Execution Vulnerability

• CVSS Score: 7.8
• Description: A use-after-free vulnerability in Microsoft Office allows an unauthorized attacker to execute code locally.

CVE-2025-27749 – Microsoft Office Use-After-Free Local Code Execution Vulnerability

• CVSS Score: 7.8
• Description: A use-after-free vulnerability in Microsoft Office allows an unauthorized attacker to execute code locally.

CVE-2025-27752 – Microsoft Office Excel Heap-Based Buffer Overflow Local Code Execution Vulnerability

• CVSS Score: 7.8
• Description: A heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

CVE-2025-29791 – Microsoft Office Type Confusion Local Code Execution Vulnerability

• CVSS Score: 7.8
• Description: Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

CVE-2025-26686 – Windows TCP/IP Improper Memory Locking Remote Code Execution Vulnerability

• CVSS Score: 7.5
• Description: Sensitive data storage in improperly locked memory in Windows TCP/IP allows an unauthorized attacker to execute code over a network.

CVE-2025-27491 – Windows Hyper-V Use-After-Free Remote Code Execution Vulnerability

• CVSS Score: 7.1
• Description: A use-after-free vulnerability in Windows Hyper-V allows an authorized attacker to execute code over a network.

CVE-2025-27748 – Microsoft Office Use-After-Free Local Code Execution Vulnerability

• CVSS Score: Not Specified
• Description: A use-after-free vulnerability in Microsoft Office allows an unauthorized attacker to execute code locally.

Actions to Take:

• Prioritize Immediate Patching of Critical Vulnerabilities
  Among the critical vulnerabilities, CVE-2025-29824—a Windows Common Log File System Driver Elevation of Privilege Vulnerability—is actively being exploited in the wild. This flaw allows attackers to gain SYSTEM-level privileges, posing a significant risk. Ensure that all systems, especially those running Windows Server and Windows 11, are updated promptly. Note that patches for Windows 10 are pending; monitor Microsoft's updates to apply them as soon as they become available.
  
  
• Update and Test Incident Response Plans
• Given the active exploitation of vulnerabilities like CVE-2025-29824, it's crucial to have a robust incident response plan in place. Regularly update and test this plan to ensure your team can respond swiftly and effectively to security incidents. Conducting tabletop exercises can help identify gaps and improve coordination during actual events.
  
  
• Restrict Network Exposure of Critical Services
• Vulnerabilities such as CVE-2025-27480 and CVE-2025-27482 affect Windows Remote Desktop Services. To mitigate risks, limit the exposure of Remote Desktop Protocol (RDP) services to the internet. Implementing Virtual Private Networks (VPNs) and enforcing strict access controls can reduce the attack surface and prevent unauthorized access.

Did you know? You can use the RoboShadow platform to scan for vulnerabilities, check your Windows Updates and also patch any outstanding software updates using Cyber Heal.

If you have any questions about Patch Tuesday, or feedback on this blog please
reach out to us: hello@roboshadow.com 

Thanks for reading!