Microsoft has dropped another massive Patch Tuesday bombshell, fixing 126 security vulnerabilities — including one zero-day actively being used in attacks. Windows admins, brace yourselves.
It’s only April, and Microsoft has already released its second triple-digit security update of the year. This month’s patches come packed with a hefty mix of elevation-of-privilege bugs, remote code execution flaws, and a zero-day that attackers have already been exploiting. That’s not just concerning — it’s downright exhausting for IT teams scrambling to stay ahead of threats.
Zero-Day Exploit in CLFS Is Already Being Weaponized
At the top of everyone’s priority list? CVE-2025-29824. This vulnerability, scored 7.8 on the CVSS scale, affects the Windows Common Log File System (CLFS) driver. It is not an obscure technical hiccup: it is an elevation-of-privilege bug that lets an attacker who already has a foothold as an ordinary user climb all the way to SYSTEM.
Microsoft confirmed that threat group Storm-2460 has been actively exploiting this bug to escalate privileges and launch ransomware campaigns. Victims include U.S.-based IT and real estate firms, a software company in Spain, a retail business in Saudi Arabia, and financial organizations in Venezuela. So, yes, it’s global.
“CLFS is no stranger to Patch Tuesday,” said Tenable’s Satnam Narang. Since 2022, Microsoft has patched 32 CLFS bugs, six of which were already being exploited by attackers when the fix shipped. This one fits the mold: nasty, stealthy, and dangerous.
Privilege Escalation Bugs Take Center Stage
This month’s update flips the usual script. Instead of remote code execution vulnerabilities taking the lead, privilege escalation bugs dominate the count. Microsoft patched 49 of them this time — more than any other category.
Here’s a handful security folks flagged as especially worrisome:
- CVE-2025-27727: Windows Installer, rated 7.8 CVSS
- CVE-2025-29792: Microsoft Office, rated 7.3 CVSS
- CVE-2025-29812: DirectX Graphics Kernel, also rated 7.8 CVSS
None were marked “critical,” but they are still ripe for exploitation. All three have low attack complexity and need only low privileges, and the two 7.8-rated bugs need no user interaction at all. That is hacker heaven.
“Elevation-of-privilege bugs are popular in targeted attacks,” said Narang. And it’s true — once attackers gain access, these flaws help them burrow deeper into systems, turn off defenses, and spread like digital wildfire.
Remote Code Execution Still a Serious Threat
While privilege escalation may have taken the spotlight, RCE bugs are still very much in play — and potentially more dangerous.
Microsoft flagged 11 bugs this month as “exploitation more likely,” and six of them are RCEs. That includes high-impact vulnerabilities in the Windows LDAP service and in Remote Desktop Gateway.
CVE-2025-26663 stands out. An unauthenticated attacker can send crafted requests to a vulnerable LDAP server and execute arbitrary code. Microsoft describes it as a use-after-free: the server keeps using a block of memory after it has been freed, so an attacker who controls what lands in that memory can corrupt the server’s state and hijack execution. Since every domain controller runs LDAP, that is about as ugly as it gets.
Another pair of flaws, CVE-2025-27580 and CVE-2025-27582, exploit race conditions in systems running Remote Desktop Gateway. No credentials needed, no user action required: win the timing window and the attacker gets code execution on the gateway, and from there full control.
Rob Reeves from Immersive noted that the Windows 10 patches for the LDAP flaw had not been released yet, and urged admins to limit exposure of their LDAP services until the fix lands. That is not great news for anyone still running legacy systems.
Patch Gaps Leave Windows 10 Users in Limbo
And that’s where things get sketchy.
For reasons Microsoft has not explained, some Windows 10 systems, both 64-bit and 32-bit, did not get patches for a handful of these CVEs. Affected bugs include Office vulnerabilities and flaws like CVE-2025-27472 (a bypass of the “Mark of the Web” security feature). That lack of clarity leaves security teams on edge.
“For disclosed vulnerabilities, the patch delay opens the door to reverse-engineering and exploitation,” said Fortra’s Tyler Reguly. He wasn’t mincing words. CISOs should be tracking these delays closely.
Let’s be real — if you’re a CISO and your systems are still missing patches for known bugs, your phone should be blowing up.
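For admins who want to act on the two points above (limit exposure of LDAP and RD Gateway until the fix lands, and find out which hosts are still missing the April update), here is a quick check. It is an added example written for this page, not code from the article, from Microsoft or from any of the researchers quoted; it assumes the standard Windows service names for AD DS (NTDS) and RD Gateway (TSGateway), and the KB identifier in the parameter is a placeholder that you must replace with the April 2025 cumulative update KB for your exact build, taken from the Microsoft Security Update Guide.

```powershell
# Added example (not from the article): exposure and patch-state check for the
# April 2025 Patch Tuesday issues. Run in an elevated PowerShell session on the
# host you want to inspect. No changes are made; it only reports.
#
# ASSUMPTION: 'KB0000000' is a placeholder. Look up the April 2025 cumulative
# update KB for this Windows build in the Security Update Guide and pass it in.
param(
    [string[]]$AprilUpdateKBs = @('KB0000000')
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("Host: {0}  OS: {1}  build {2}" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)

# 1. Does this host run one of the network-facing roles named in the article?
#    AD DS is the LDAP server hit by CVE-2025-26663; TSGateway is RD Gateway.
#    Service names are the standard ones (assumption: unchanged on this build).
$roles = @(
    @{ Name = 'Active Directory Domain Services (LDAP server)'; Service = 'NTDS';      Ports = 389, 636 },
    @{ Name = 'Remote Desktop Gateway';                         Service = 'TSGateway'; Ports = 443 }
)
foreach ($role in $roles) {
    $svc = Get-Service -Name $role.Service -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }
    Write-Host ("Role present: {0} (service {1} is {2})" -f $role.Name, $svc.Name, $svc.Status)
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $role.Ports -contains $_.LocalPort }
    foreach ($l in $listeners) {
        # 0.0.0.0 or :: means the port answers on every interface, not just loopback,
        # so this is where a firewall rule or network ACL should be tightened.
        Write-Host ("  listening on {0}:{1}" -f $l.LocalAddress, $l.LocalPort)
    }
}

# 2. Is the April cumulative update installed? Get-HotFix reads
#    Win32_QuickFixEngineering, which lists installed KBs but can lag a pending
#    reboot, so treat a miss as "go verify", not as proof the host is unpatched.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $AprilUpdateKBs) {
    if ($installed -contains $kb) {
        Write-Host "Installed: $kb"
    } else {
        Write-Warning "Not installed: $kb (check Windows Update/WSUS and the Security Update Guide for build $($os.BuildNumber))"
    }
}

# 3. The CLFS driver carries CVE-2025-29824. Record its file version so it can be
#    compared with the fixed version Microsoft lists for this build.
$clfs = Get-Item "$env:SystemRoot\System32\drivers\clfs.sys"
Write-Host ("clfs.sys version: {0} (compare with the fixed version for build {1})" -f $clfs.VersionInfo.FileVersion, $os.BuildNumber)
```

Run it across a fleet with your usual remoting tooling and collect the warnings: a host that reports an LDAP or RD Gateway listener on a non-loopback address and a missing April KB is exactly the combination Reeves is warning about, and the Windows 10 hosts in that list are the ones the patch gap leaves exposed.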
Office Flaws, Kerberos Issues and More
Microsoft Office took a few hits this month too. Notably:
- CVE-2025-29791
- CVE-2025-27749
- CVE-2025-27748
- CVE-2025-27745
Microsoft rates all four as remote code execution flaws: a crafted Office document is enough to run attacker code with the privileges of the user who opens it.
Two other standouts involve bypassing security features outright. CVE-2025-27472 lets attackers sneak past the Mark of the Web feature, which is supposed to warn users before opening files downloaded from untrusted sources. Meanwhile, CVE-2025-29809 is a security feature bypass in Windows Kerberos, and any time an authentication system is affected, that is a big deal.
Here’s a quick look at how the April patch numbers compare:
| Month | Total CVEs | Zero-Days | Most Patched Type |
|---|---|---|---|
| January | 159 | 2 | Remote Code Execution |
| April | 126 | 1 | Privilege Escalation (49) |
It’s a shift in pattern, and not one to take lightly.
Attackers Are Watching, Even If You Aren’t
If there’s one thing security teams know, it’s that attackers love to move fast. If Microsoft’s already published details, the cat’s out of the bag. That gives hackers just enough time to start working up fresh exploits — especially with delays hitting some patches.
Seth Hoyt from Automox summed it up nicely: “An attacker with initial access — whether through phishing, malware, or stolen creds — can use this flaw to bypass normal privilege restrictions.” From there, they’re off to the races. You don’t need to be a security guru to realize: that’s a huge problem.