Back to Blog
Detection and Response

Patch Tuesday - April 2025

Adam Barnett
Adam Barnett
|Last updated on May 26, 2025|1 min read
LinkedInFacebookX
Patch Tuesday - April 2025

Microsoft is addressing 121 vulnerabilities this April 2025 Patch Tuesday, which is more than twice as many as last month. Microsoft has evidence of in-the-wild exploitation for just one of the vulnerabilities published today, which is already reflected in CISA KEV. Once again, Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication, so that’s now a seven month unbroken streak. Today also sees the publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month, and are not included in the total.

CLFS: zero-day EoP

The Windows Common Log File System (CLFS) Driver is firmly back on our radar today with CVE-2025-29824, a zero-day local elevation of privilege vulnerability. First, the good news: the Acknowledgements section credits the Microsoft Threat Intelligence Center, so the exploit was successfully reproduced by Microsoft; the less-good news is that someone other than Microsoft was first to discover the exploit, because otherwise Microsoft wouldn’t be listing CVE-2025-29824 as exploited in the wild.

The advisory does not specify what privilege level is achieved upon successful exploitation, but it’ll be SYSTEM, because that’s the prize for all the other CLFS elevation of privilege zero-day vulnerabilities. As usual, some form of less-privileged local access is a pre-requisite, but attack complexity is low, so this is the sort of vulnerability which goes into any standard break-and-enter toolkit. Given the long history of similar vulnerabilities, it would be more surprising if exploit code wasn’t publicly available in the not-too-distant future.

Although December 2024 Patch Tuesday seems as though it must have been a very long time ago, any standard calendar will tell us that only 119 days have elapsed since the last zero-day CLFS local elevation of privilege. Rapid7 discussed the history of CLFS zero-day elevation of privilege vulnerabilities at the time. All versions of Windows receive a patch, except for the venerable LTSC Windows 10 1507, which is listed on the advisory as vulnerable, but left out in the cold with no update; the FAQ says to check back later. Windows 10 LTSC 1507 is scheduled for end of servicing on 2025-10-14, so the clock is ticking regardless.

LDAP Server: critical RCE

Although it has been many months since we’ve seen a critical zero-day vulnerability from Microsoft, there is no shortage of critical remote code execution (RCE) vulnerabilities published today. Defenders responsible for an LDAP server — which means almost any organization with a non-trivial Microsoft footprint — should add patching for CVE-2025-26663 to their to-do list. With no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker. Anyone wondering if today is a re-run of December 2024 Patch Tuesday can take some small solace in the fact that the worst of the trio of LDAP critical RCEs published at the end of last year was likely easier to exploit than today’s example, since today’s CVE-2025-26663 requires that an attacker win a race condition. Despite that, Microsoft still expects that exploitation is more likely.

LDAP Client: critical RCE

If you breathe a sigh of relief when you see LDAP server critical RCE vulnerabilities like CVE-2025-26663, because you’re certain that you don’t have any Windows LDAP servers in your estate, how about LDAP clients? CVE-2025-26670 describes a critical RCE in the LDAP client, although the FAQ confusingly states that exploitation would require an attacker to “send specially crafted requests to a vulnerable LDAP server”; this seems like it might be a data entry error on the advisory FAQ, so keep an eye out for an update to that section of the advisory. Assuming the rest of the advisory is all present and correct, exploitation requires that the attacker win a race condition, which keeps the attack complexity higher than it otherwise would be. While we wait for clarification, it’s still a critical RCE which Microsoft rates as “exploitation more likely”. On that basis, patching is always recommended.

RDS: critical RCEs

The prolific Windows vulnerability pioneers at Kunlun Lab are credited with a pair of critical RCE vulnerabilities in Windows Remote Desktop Services. Although both CVE-2025-27480 and CVE-2025-27482 share a CVSSv3 base score of 8.1, Microsoft has ranked them both as critical using its own proprietary severity ranking scale. Both vulnerabilities require that an attacker win a race condition. If you’ve ever read Microsoft’s guide to deploying the Remote Desktop Gateway role, you probably have some systems to patch.

Hyper-V: critical RCE

Some Microsoft security advisory FAQs provide a satisfying level of detail, whereas others raise more questions than they answer. CVE-2025-27491 is a Hyper-V critical RCE which falls into the second category, since it states that an attacker must be authenticated — no need for elevated privileges — but also that the attacker must send the user a malicious site and convince them to open it, and it’s not at all clear why authentication would be required in that case. Also unusual: the remediation table on the advisory lists several 32-bit versions of Windows as receiving patches, although Hyper-V requires a 64-bit processor and a 64-bit host OS.

Microsoft lifecycle update

In Microsoft product lifecycle news, Dynamics GP 2015 moves past the end of extended support today. The next batch of significant lifecycle status changes are due in July 2025, when SQL Server 2012 ESU program draws to a close.

Summary charts

image.pngA bar chart showing the distribution of vulnerabilities by affected component for Microsoft Patch Tuesday April 2025.Elevated amounts of elevation of privilegeA heatmap showing the distribution of vulnerabilities by impact and affected component for Microsoft Patch Tuesday April 2025.

Summary tables

Apps vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2025-29805Outlook for Android Information Disclosure VulnerabilityNoNo7.5

Azure vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2025-27489Azure Local Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-26628Azure Local Cluster Information Disclosure VulnerabilityNoNo7.3
CVE-2025-25002Azure Local Cluster Information Disclosure VulnerabilityNoNo6.8

Browser vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2025-25000Microsoft Edge (Chromium-based) Remote Code Execution VulnerabilityNoNo8.8
CVE-2025-29815Microsoft Edge (Chromium-based) Remote Code Execution VulnerabilityNoNo7.6
CVE-2025-29796Microsoft Edge for iOS Spoofing VulnerabilityNoNo4.7
CVE-2025-25001Microsoft Edge for iOS Spoofing VulnerabilityNoNo4.3
CVE-2025-3074Chromium: CVE-2025-3074 Inappropriate implementation in DownloadsNoNoN/A
CVE-2025-3073Chromium: CVE-2025-3073 Inappropriate implementation in AutofillNoNoN/A
CVE-2025-3072Chromium: CVE-2025-3072 Inappropriate implementation in Custom TabsNoNoN/A
CVE-2025-3071Chromium: CVE-2025-3071 Inappropriate implementation in NavigationsNoNoN/A
CVE-2025-3070Chromium: CVE-2025-3070 Insufficient validation of untrusted input in ExtensionsNoNoN/A
CVE-2025-3069Chromium: CVE-2025-3069 Inappropriate implementation in ExtensionsNoNoN/A
CVE-2025-3068Chromium: CVE-2025-3068 Inappropriate implementation in IntentsNoNoN/A
CVE-2025-3067Chromium: CVE-2025-3067 Inappropriate implementation in Custom TabsNoNoN/A
CVE-2025-3066Chromium: CVE-2025-3066 Use after free in NavigationsNoNoN/A

Developer Tools vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2025-26682ASP.NET Core and Visual Studio Denial of Service VulnerabilityNoNo7.5
CVE-2025-29802Visual Studio Elevation of Privilege VulnerabilityNoNo7.3
CVE-2025-29804Visual Studio Elevation of Privilege VulnerabilityNoNo7.3
CVE-2025-20570Visual Studio Code Elevation of Privilege VulnerabilityNoNo6.8

Developer Tools SQL Server vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2025-29803Visual Studio Tools for Applications and SQL Server Management Studio Elevation of Privilege VulnerabilityNoNo7.3

Microsoft Dynamics vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2025-29821Microsoft Dynamics Business Central Information Disclosure VulnerabilityNoNo5.5

Microsoft Office vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2025-29794Microsoft SharePoint Remote Code Execution VulnerabilityNoNo8.8
CVE-2025-27747Microsoft Word Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-29820Microsoft Word Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-29822Microsoft OneNote Security Feature Bypass VulnerabilityNoNo7.8
CVE-2025-27745Microsoft Office Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-27748Microsoft Office Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-27749Microsoft Office Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-27746Microsoft Office Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-26642Microsoft Office Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-27744Microsoft Office Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-27752Microsoft Excel Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-29791Microsoft Excel Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-27751Microsoft Excel Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-27750Microsoft Excel Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-29823Microsoft Excel Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-29800Microsoft AutoUpdate (MAU) Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-29801Microsoft AutoUpdate (MAU) Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-29816Microsoft Word Security Feature Bypass VulnerabilityNoNo7.5
CVE-2025-29792Microsoft Office Elevation of Privilege VulnerabilityNoNo7.3
CVE-2025-29793Microsoft SharePoint Remote Code Execution VulnerabilityNoNo7.2

System Center vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2025-27743Microsoft System Center Elevation of Privilege VulnerabilityNoNo7.8

Windows vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2025-26678Windows Defender Application Control Security Feature Bypass VulnerabilityNoNo8.4
CVE-2025-27482Windows Remote Desktop Services Remote Code Execution VulnerabilityNoNo8.1
CVE-2025-26639Windows USB Print Driver Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-26675Windows Subsystem for Linux Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-27729Windows Shell Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-29811Windows Mobile Broadband Driver Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-26666Windows Media Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-26674Windows Media Remote Code Execution VulnerabilityNoNo7.8
CVE-2025-27728Windows Kernel-Mode Driver Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-27739Windows Kernel Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-27476Windows Digital Media Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-27467Windows Digital Media Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-27730Windows Digital Media Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-24058Windows DWM Core Library Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-27490Windows Bluetooth Service Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-27731Microsoft OpenSSH for Windows Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-24074Microsoft DWM Core Library Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-24073Microsoft DWM Core Library Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-24060Microsoft DWM Core Library Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-24062Microsoft DWM Core Library Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-29812DirectX Graphics Kernel Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-29809Windows Kerberos Security Feature Bypass VulnerabilityNoNo7.1
CVE-2025-27491Windows Hyper-V Remote Code Execution VulnerabilityNoNo7.1
CVE-2025-27475Windows Update Stack Elevation of Privilege VulnerabilityNoNo7
CVE-2025-26649Windows Secure Channel Elevation of Privilege VulnerabilityNoNo7
CVE-2025-27492Windows Secure Channel Elevation of Privilege VulnerabilityNoNo7
CVE-2025-26640Windows Digital Media Elevation of Privilege VulnerabilityNoNo7
CVE-2025-26681Win32k Elevation of Privilege VulnerabilityNoNo6.7
CVE-2025-26651Windows Local Session Manager (LSM) Denial of Service VulnerabilityNoNo6.5
CVE-2025-26635Windows Hello Security Feature Bypass VulnerabilityNoNo6.5
CVE-2025-27735Windows Virtualization-Based Security (VBS) Security Feature Bypass VulnerabilityNoNo6
CVE-2025-27736Windows Power Dependency Coordinator Information Disclosure VulnerabilityNoNo5.5
CVE-2025-29808Windows Cryptographic Services Information Disclosure VulnerabilityNoNo5.5
CVE-2025-26644Windows Hello Spoofing VulnerabilityNoNo5.1

Windows Azure vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2025-29819Windows Admin Center in Azure Portal Information Disclosure VulnerabilityNoNo6.2

Windows ESU vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2025-27477Windows Telephony Service Remote Code Execution VulnerabilityNoNo8.8
CVE-2025-21205Windows Telephony Service Remote Code Execution VulnerabilityNoNo8.8
CVE-2025-21221Windows Telephony Service Remote Code Execution VulnerabilityNoNo8.8
CVE-2025-21222Windows Telephony Service Remote Code Execution VulnerabilityNoNo8.8
CVE-2025-27481Windows Telephony Service Remote Code Execution VulnerabilityNoNo8.8
CVE-2025-26669Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityNoNo8.8
CVE-2025-27740Active Directory Certificate Services Elevation of Privilege VulnerabilityNoNo8.8
CVE-2025-27737Windows Security Zone Mapping Security Feature Bypass VulnerabilityNoNo8.6
CVE-2025-27480Windows Remote Desktop Services Remote Code Execution VulnerabilityNoNo8.1
CVE-2025-26671Windows Remote Desktop Services Remote Code Execution VulnerabilityNoNo8.1
CVE-2025-26663Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution VulnerabilityNoNo8.1
CVE-2025-26647Windows Kerberos Elevation of Privilege VulnerabilityNoNo8.1
CVE-2025-26670Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution VulnerabilityNoNo8.1
CVE-2025-27487Remote Desktop Client Remote Code Execution VulnerabilityNoNo8
CVE-2025-21204Windows Process Activation Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-26648Windows Kernel Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-27727Windows Installer Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-29824Windows Common Log File System Driver Elevation of Privilege VulnerabilityYesNo7.8
CVE-2025-26679RPC Endpoint Mapper Service Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-27741NTFS Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-27483NTFS Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-27733NTFS Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-26688Microsoft Virtual Hard Disk Elevation of Privilege VulnerabilityNoNo7.8
CVE-2025-27484Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege VulnerabilityNoNo7.5
CVE-2025-26686Windows TCP/IP Remote Code Execution VulnerabilityNoNo7.5
CVE-2025-26680Windows Standards-Based Storage Management Service Denial of Service VulnerabilityNoNo7.5
CVE-2025-27470Windows Standards-Based Storage Management Service Denial of Service VulnerabilityNoNo7.5
CVE-2025-21174Windows Standards-Based Storage Management Service Denial of Service VulnerabilityNoNo7.5
CVE-2025-26652Windows Standards-Based Storage Management Service Denial of Service VulnerabilityNoNo7.5
CVE-2025-27485Windows Standards-Based Storage Management Service Denial of Service VulnerabilityNoNo7.5
CVE-2025-27486Windows Standards-Based Storage Management Service Denial of Service VulnerabilityNoNo7.5
CVE-2025-26668Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo7.5
CVE-2025-26673Windows Lightweight Directory Access Protocol (LDAP) Denial of Service VulnerabilityNoNo7.5
CVE-2025-27469Windows Lightweight Directory Access Protocol (LDAP) Denial of Service VulnerabilityNoNo7.5
CVE-2025-26641Microsoft Message Queuing (MSMQ) Denial of Service VulnerabilityNoNo7.5
CVE-2025-27479Kerberos Key Distribution Proxy Service Denial of Service VulnerabilityNoNo7.5
CVE-2025-27473HTTP.sys Denial of Service VulnerabilityNoNo7.5
CVE-2025-29810Active Directory Domain Services Elevation of Privilege VulnerabilityNoNo7.5
CVE-2025-26665Windows upnphost.dll Elevation of Privilege VulnerabilityNoNo7
CVE-2025-27478Windows Local Security Authority (LSA) Elevation of Privilege VulnerabilityNoNo7
CVE-2025-21191Windows Local Security Authority (LSA) Elevation of Privilege VulnerabilityNoNo7
CVE-2025-27732Windows Graphics Component Elevation of Privilege VulnerabilityNoNo7
CVE-2025-26637BitLocker Security Feature Bypass VulnerabilityNoNo6.8
CVE-2025-26664Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityNoNo6.5
CVE-2025-26667Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityNoNo6.5
CVE-2025-27474Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityNoNo6.5
CVE-2025-21203Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityNoNo6.5
CVE-2025-26672Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityNoNo6.5
CVE-2025-26676Windows Routing and Remote Access Service (RRAS) Information Disclosure VulnerabilityNoNo6.5
CVE-2025-27738Windows Resilient File System (ReFS) Information Disclosure VulnerabilityNoNo6.5
CVE-2025-21197Windows NTFS Information Disclosure VulnerabilityNoNo6.5
CVE-2025-27471Microsoft Streaming Service Denial of Service VulnerabilityNoNo5.9
CVE-2025-27742NTFS Information Disclosure VulnerabilityNoNo5.5
CVE-2025-27472Windows Mark of the Web Security Feature Bypass VulnerabilityNoNo5.4

Windows ESU Microsoft Office vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2025-26687Win32k Elevation of Privilege VulnerabilityNoNo7.5

NEVER MISS AN EMERGING THREAT

Be the first to learn about the latest vulnerabilities and cybersecurity news.

Subscribe Now

Article Tags

Author

Adam Barnett
Adam Barnett
Authors's Posts

Related blog posts