Microsoft in the present day launched updates to plug no less than 121 safety holes in its Home windows working programs and software program, together with one vulnerability that’s already being exploited within the wild. Eleven of these flaws earned Microsoft’s most-dire “vital” ranking, which means malware or malcontents might exploit them with little to no interplay from Home windows customers.
The zero-day flaw already seeing exploitation is CVE-2025-29824, a neighborhood elevation of privilege bug within the Home windows Frequent Log File System (CLFS) driver. Microsoft charges it as “necessary,” however as Chris Goettl from Ivanti factors out, risk-based prioritization warrants treating it as vital.
This CLFS element of Home windows isn’t any stranger to Patch Tuesday: In keeping with Tenable’s Satnam Narang, since 2022 Microsoft has patched 32 CLFS vulnerabilities — averaging 10 per 12 months — with six of them exploited within the wild. The final CLFS zero-day was patched in December 2024.
Narang notes that whereas flaws permitting attackers to put in arbitrary code are constantly prime general Patch Tuesday options, the information is reversed for zero-day exploitation.
“For the previous two years, elevation of privilege flaws have led the pack and, to this point in 2025, account for over half of all zero-days exploited,” Narang wrote.
Rapid7’s Adam Barnett warns that any Home windows defenders liable for an LDAP server — which suggests virtually any group with a non-trivial Microsoft footprint — ought to add patching for the vital flaw CVE-2025-26663 to their to-do checklist.
“With no privileges required, no want for consumer interplay, and code execution presumably within the context of the LDAP server itself, profitable exploitation can be a beautiful shortcut to any attacker,” Barnett stated. “Anybody questioning if in the present day is a re-run of December 2024 Patch Tuesday can take some small solace in the truth that the worst of the trio of LDAP vital RCEs printed on the finish of final 12 months was probably simpler to take advantage of than in the present day’s instance, since in the present day’s CVE-2025-26663 requires that an attacker win a race situation. Regardless of that, Microsoft nonetheless expects that exploitation is extra probably.”
Among the many vital updates Microsoft patched this month are distant code execution flaws in Home windows Distant Desktop providers (RDP), together with CVE-2025-26671, CVE-2025-27480 and CVE-2025-27482; solely the latter two are rated “vital,” and Microsoft marked each of them as “Exploitation Extra Probably.”
Maybe essentially the most widespread vulnerabilities mounted this month had been in internet browsers. Google Chrome up to date to repair 13 flaws this week, and Mozilla Firefox mounted eight bugs, with presumably extra updates coming later this week for Microsoft Edge.
Because it tends to do on Patch Tuesdays, Adobe has launched 12 updates resolving 54 safety holes throughout a variety of merchandise, together with ColdFusion, Adobe Commerce, Expertise Supervisor Varieties, After Results, Media Encoder, Bridge, Premiere Professional, Photoshop, Animate, AEM Screens, and FrameMaker.
Apple customers could have to patch as nicely. On March 31, Apple launched an enormous safety replace (greater than three gigabytes in dimension) to repair points in a variety of their merchandise, together with no less than one zero-day flaw.
And in case you missed it, on March 31, 2025 Apple launched a reasonably giant batch of safety updates for a variety of their merchandise, from macOS to the iOS working programs on iPhones and iPads.
Earlier in the present day, Microsoft included a observe saying Home windows 10 safety updates weren’t out there however can be launched as quickly as attainable. It seems from searching askwoody.com that this snafu has since been rectified. Both manner, in case you run into problems making use of any of those updates please depart a observe about it within the feedback under, as a result of the possibilities are good that another person had the identical downside.
As ever, please think about backing up your knowledge and or gadgets previous to updating, which makes it far simpler to undo a software program replace gone awry. For extra granular particulars on in the present day’s Patch Tuesday, take a look at the SANS Web Storm Middle’s roundup. Microsoft’s replace information for April 2025 is right here.
For extra particulars on Patch Tuesday, take a look at the write-ups from Action1 and Automox.
