Microsoft has released its April security update, a massive package addressing 126 security vulnerabilities across its product line. The update is a critical one for IT administrators, as it includes a patch for a zero-day vulnerability that is already being actively exploited by attackers in the wild to launch ransomware campaigns. This marks the second time this year that Microsoft’s monthly update has exceeded one hundred fixes.
A Zero-Day Exploit Puts Systems at Immediate Risk
The most urgent vulnerability for IT teams to address is CVE-2025-29824. This flaw exists in the Windows Common Log File System (CLFS) Driver and carries a CVSS score of 7.8. Attackers are using this bug to gain full system-level control from a regular user account.
Microsoft has confirmed that a threat group known as Storm-2460 is actively weaponizing this exploit. The attacks have been global, targeting organizations in the United States, Spain, Saudi Arabia, and Venezuela. This isn’t a theoretical threat; it’s a clear and present danger to unpatched systems.
The CLFS driver has become a frequent target for attackers. According to security firm Tenable, this is the 32nd CLFS bug patched since 2022, and the sixth one that was already being exploited before a fix was available.
Privilege Escalation Flaws Dominate this Month’s Patches
In a notable shift from the usual pattern, privilege escalation vulnerabilities were the most common type of flaw fixed this month, with 49 patches in this category. While most were not rated “critical,” they provide a crucial pathway for attackers who have already gained initial access to a network.
Security experts have highlighted several of these bugs as particularly concerning due to their low complexity and lack of required user interaction. These include:
- CVE-2025-27727: A vulnerability in Windows Installer with a 7.8 CVSS score.
- CVE-2025-29812: A flaw in the DirectX Graphics Kernel, also rated 7.8 CVSS.
- CVE-2025-29792: A bug affecting Microsoft Office, rated 7.3 CVSS.
Once inside a system, attackers use these types of flaws to move deeper, disable security software, and deploy malware like ransomware across the network.
Critical Remote Code Execution Bugs Still Lurk
Despite the focus on privilege escalation, dangerous Remote Code Execution (RCE) bugs remain a significant threat. These flaws can allow an attacker to run their own code on a target machine from afar, often without any action from the user.
One of the most severe is CVE-2025-26663, a flaw in LDAP servers. An unauthenticated attacker can send a specially crafted request and execute code on the server.
Two other RCE flaws, CVE-2025-27580 and CVE-2025-27582, impact systems that use Remote Desktop Gateway. These bugs do not require credentials and can give an attacker full control over a vulnerable system.
Patch Gaps and Other Notable Flaws
Adding to the pressure on IT teams, Microsoft has not yet released patches for some of these vulnerabilities on certain Windows 10 systems. This delay, which Microsoft has not yet explained, leaves these systems exposed to known threats, including a flaw that bypasses the “Mark of the Web” security feature (CVE-2025-27472).
This month’s update also addressed several bugs in Microsoft Office and a security feature bypass in Windows Kerberos, the core authentication system. Any flaw affecting authentication is considered a high-priority issue. The trend this month shows a clear shift in the types of vulnerabilities being patched.
| Month | Total CVEs | Zero-Days | Most Patched Type |
|---|---|---|---|
| January | 159 | 2 | Remote Code Execution |
| April | 126 | 1 | Privilege Escalation (49) |
Security professionals urge administrators to patch all systems immediately, especially given the active exploitation of the CLFS zero-day. The delay in patches for some systems means that monitoring and defense-in-depth strategies are more important than ever.
