Microsoft’s April 2025 bumper Patch Tuesday corrects 124 bugs
Microsoft’s mighty bundle of 124 April fixes for Common Vulnerabilities and Exposures (CVEs) in its codebase consists of 11 which are rated “critical” and two rated “low”, with the remainder rated “important” in severity.
Dustin Childs of the Zero Day Initiative noted that “only one of these bugs is listed as publicly known or under active attack at the time of release”, but that this may be of little consolation.
In a blog post, Childs said of the vulnerability being listed by Microsoft as under active attack: “This privilege escalation bug [CVE-2025-29824] … allows a threat actor to execute their code with System privileges. These types of bugs are often paired with code execution bugs to take over a system. Microsoft gives no indication of how widespread these attacks are.”
Two of the other bugs Childs picked out – CVE-2025-26663 and CVE-2025-26670 – “allow a remote, unauthenticated attacker to execute their code on affected systems just by sending a specially crafted LDAP [Lightweight Directory Access Protocol] message”. He added: “Since almost everything can host an LDAP service, there’s a plethora of targets out there. And since no user interaction is involved, these bugs are wormable.” Wormable means no human interaction is required for the cyber attack to spread.
Of the current crop of Microsoft vulnerabilities being disclosed, Adam Barnett, lead software engineer at Rapid7, said: “The Windows Common Log File System (CLFS) Driver is firmly back on our radar today with CVE-2025-29824, a zero-day local elevation of privilege vulnerability.”
This is the vulnerability that Childs put primary focus on in his post.
Barnett said: “First, the good news: the Acknowledgements section credits the Microsoft Threat Intelligence Center, so the exploit was successfully reproduced by Microsoft; the less-good news is that somebody other than Microsoft was first to discover the exploit, because otherwise Microsoft wouldn’t be listing CVE-2025-29824 as exploited in the wild. The advisory doesn’t specify what privilege level is achieved upon successful exploitation, but it’ll be System, because that’s the prize for all the other CLFS [Common Log File System] elevation of privilege zero-day vulnerabilities.
“Defenders responsible for an LDAP server – which means almost any organisation with a non-trivial Microsoft footprint – should add patching for CVE-2025-26663 to their to-do list. With no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker.”
He added this further note of caution: “If you breathe a sigh of relief when you see LDAP server critical RCE vulnerabilities like CVE-2025-26663, because you’re certain that you don’t have any Windows LDAP servers in your estate, how about LDAP clients? CVE-2025-26670 describes a critical RCE [Remote Code Execution] in the LDAP client, although the FAQ confusingly states that exploitation would require an attacker to ‘send specially crafted requests to a vulnerable LDAP server’; this looks like it might be a data entry error on the advisory FAQ, so keep an eye out for an update to that section of the advisory.”
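The analysts quoted above rank the release by two signals that severity ratings alone do not capture: whether a bug is already exploited in the wild, and whether it is reachable over the network with no authentication and no user interaction (the "wormable" profile). The script below is an added example, not code from the article, Microsoft, ZDI or Rapid7, that applies that reasoning to a small constructed release record. The CVE ids, product names and the critical rating of the two LDAP bugs come from the article; the CVSS vectors, the other severities, the exploited/disclosed flags and the placeholder ids (`CVE-2025-XXXXX`, `CVE-2025-YYYYY`) are assumptions made for illustration and would be replaced with the real advisory data.

```python
"""Prioritise a Patch Tuesday release: exploited-in-the-wild first, then
critical bugs with the wormable CVSS profile (AV:N, PR:N, UI:N), then the
remaining critical or publicly disclosed bugs, then everything else.

Added example, not code from the article or the vendors it quotes. CVE ids,
products and the critical rating of the LDAP bugs come from the article; the
CVSS vectors, other severities, flags and placeholder ids are constructed.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Low": 2}


@dataclass(frozen=True)
class CveRecord:
    cve: str
    product: str
    severity: str           # "Critical" | "Important" | "Low"
    cvss_vector: str        # CVSS v3.x vector string
    exploited: bool         # listed as exploited in the wild at release
    publicly_disclosed: bool


def parse_vector(vector: str) -> dict:
    """Turn 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/...' into {'AV': 'N', 'AC': 'L', ...}."""
    head, *metrics = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    return dict(m.split(":", 1) for m in metrics)


def is_wormable(rec: CveRecord) -> bool:
    """Network attack vector, no privileges required, no user interaction."""
    m = parse_vector(rec.cvss_vector)
    return m.get("AV") == "N" and m.get("PR") == "N" and m.get("UI") == "N"


def priority(rec: CveRecord) -> tuple:
    """Return (tier, reason); a lower tier means patch sooner."""
    if rec.exploited:
        return 1, "exploited in the wild"
    if rec.severity == "Critical" and is_wormable(rec):
        return 2, "critical, unauthenticated, no user interaction (wormable)"
    if rec.severity == "Critical" or rec.publicly_disclosed:
        return 3, "critical or publicly disclosed"
    return 4, "routine"


def ranked(records) -> list:
    """CVE ids ordered by tier, then vendor severity, then id."""
    key = lambda r: (priority(r)[0], SEVERITY_RANK[r.severity], r.cve)
    return [r.cve for r in sorted(records, key=key)]


def report(records) -> list:
    """Rows of (tier, cve, product, reason) in patch order."""
    by_id = {r.cve: r for r in records}
    rows = []
    for cve in ranked(records):
        rec = by_id[cve]
        tier, reason = priority(rec)
        rows.append((tier, cve, rec.product, reason))
    return rows


# Constructed release data; only the ids, products and the LDAP bugs'
# critical rating are taken from the article, everything else is assumed.
APRIL_2025 = [
    CveRecord("CVE-2025-29824", "Windows Common Log File System Driver",
              "Important", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              exploited=True, publicly_disclosed=False),
    CveRecord("CVE-2025-26663", "Windows LDAP (server)",
              "Critical", "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              exploited=False, publicly_disclosed=False),
    # The LDAP client ships with every Windows host, so this record applies
    # even to an estate with no LDAP servers at all.
    CveRecord("CVE-2025-26670", "Windows LDAP (client)",
              "Critical", "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              exploited=False, publicly_disclosed=False),
    CveRecord("CVE-2025-XXXXX", "placeholder: critical bug needing a click",
              "Critical", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              exploited=False, publicly_disclosed=False),
    CveRecord("CVE-2025-YYYYY", "placeholder: important bug",
              "Important", "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
              exploited=False, publicly_disclosed=False),
]


if __name__ == "__main__":
    for tier, cve, product, reason in report(APRIL_2025):
        print(f"P{tier}  {cve}  {product}: {reason}")
```

Note that the CLFS bug lands at the top of the list despite an "Important" rating, because the exploited flag outranks severity, and that the LDAP client bug is tiered identically to the server bug; a real run would feed the records from the vendor's advisory export rather than the constructed list above.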
The full list of CVEs released by Microsoft for April 2025 can be found here.
The CVEs include, according to Childs’ enumeration, Windows and Windows Components, Office and Office Components, Azure, .NET and Visual Studio, BitLocker, Kerberos, Windows Hello, OpenSSH, and Windows Lightweight Directory Access Protocol.