Tenable Blog Microsoft's April 2025 Patch Tuesday Addresses 121 CVEs (CVE-2025-29824)

11Critical110Important0Moderate0LowMicrosoft addresses 121 CVEs including one zero-day which was exploited in the wild.Microsoft patched 121 CVEs in its April 2025 Patch Tuesday release, with 11 rated critical and 110 rated as important.This month's update includes patches for:ASP.NET CoreActive Directory Domain ServicesAzure LocalAzure Local ClusterAzure Portal Windows Admin CenterDynamics Business CentralMicrosoft AutoUpdate (MAU)Microsoft Edge (Chromium-based)Microsoft Edge for iOSMicrosoft OfficeMicrosoft Office ExcelMicrosoft Office OneNoteMicrosoft Office SharePointMicrosoft Office WordMicrosoft Streaming ServiceMicrosoft Virtual Hard DriveOpenSSH for WindowsOutlook for AndroidPower AutomateRPC Endpoint Mapper ServiceRemote Desktop ClientRemote Desktop Gateway ServiceSystem CenterVisual StudioVisual Studio CodeVisual Studio Tools for Applications and SQL Server Management StudioWindows Active Directory Certificate ServicesWindows BitLockerWindows Bluetooth ServiceWindows Common Log File System DriverWindows Cryptographic ServicesWindows DWM Core LibraryWindows Defender Application Control (WDAC)Windows Digital MediaWindows HTTP.sysWindows HelloWindows Hyper-VWindows InstallerWindows KerberosWindows KernelWindows Kernel MemoryWindows Kernel-Mode DriversWindows LDAP - Lightweight Directory Access ProtocolWindows Local Security Authority (LSA)Windows Local Session Manager (LSM)Windows Mark of the Web (MOTW)Windows MediaWindows Mobile BroadbandWindows NTFSWindows Power Dependency CoordinatorWindows Remote Desktop ServicesWindows Resilient File System (ReFS)Windows Routing and Remote Access Service (RRAS)Windows Secure ChannelWindows Security Zone MappingWindows ShellWindows Standards-Based Storage Management ServiceWindows Subsystem for LinuxWindows TCP/IPWindows Telephony ServiceWindows USB Print DriverWindows Universal Plug and Play (UPnP) Device HostWindows Update StackWindows Virtualization-Based Security (VBS) EnclaveWindows Win32K - GRFXWindows upnphost.dllElevation of privilege (EoP) vulnerabilities accounted for 40.5% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 25.6%.ImportantCVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege VulnerabilityCVE-2025-29824 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. It was exploited in the wild as a zero-day. Microsoft identified this vulnerability in ransomware deployed by the PipeMagic malware via the group tracked as Storm-2460.This is the second EoP vulnerability in the Windows CLFS driver patched in 2025. In 2024, there were eight CLFS vulnerabilities patched, including one zero-day vulnerability in the CLFS driver that was exploited (CVE-2024-49138) and patched in the December 2024 Patch Tuesday release. Microsoft has patched an average of 10 vulnerabilities per year in the CLFS driver since 2022. Windows CLFS continues to be a popular attack vector for ransomware.CriticalCVE-2025-26671, CVE-2025-27482 and CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution VulnerabilityCVE-2025-26671, CVE-2025-27480 and CVE-2025-27482 are RCE vulnerabilities in Windows Remote Desktop Gateway Service. Each was assigned a CVSSv3 score of 8.1 and two were rated as critical, with CVE-2025-26671 having a rating of Important. To exploit these flaws, an attacker must be able to win a race condition. Despite this requirement, Microsoft assessed CVE-2025-27482 and CVE-2025-27480 as "Exploitation More Likely" according to Microsoft's Exploitability Index.Microsoft also patched an RCE vulnerability in Remote Desktop Client (CVE-2025-27487).CriticalCVE-2025-26663 and CVE-2025-26670 | Multiple Lightweight Directory Access Protocol (LDAP) Remote Code Execution VulnerabilitiesCVE-2025-26663 and CVE-2025-26670 are critical RCE vulnerabilities affecting Windows Lightweight Directory Access Protocol (LDAP) and LDAP Client respectively. These vulnerabilities were assigned a CVSSv3 score of 8.1, rated as critical and assessed as "Exploitation More Likely" according to Microsoft. Successful exploitation of either requires winning a race condition via a specially crafted request resulting in a use after free. If successful, the attacker could achieve RCE on an affected host.Microsoft also patched CVE-2025-26673 and CVE-2025-27469, two denial of service (DoS) vulnerabilities in LDAP. These were assessed as Important and "Exploitation Less Likely."ImportantCVE-2025-27740 | Active Directory Certificate Services Elevation of Privilege VulnerabilityCVE-2025-27740 is an EoP vulnerability affecting Active Directory Certificate Services. It was assigned a CVSSv3 score of 8.8 and is rated as important. According to Microsoft, successful exploitation would allow an attacker to gain domain administrator privileges by manipulating computer accounts. This vulnerability is assessed as "Exploitation Less Likely."A publicly disclosed zero-day vulnerability in Active Directory Certificate Services was also patched in November, 2024 (CVE-2024-49019). Active Directory remains a popular target for attackers.ImportantCVE-2025-29793 and CVE-2025-29794 | Microsoft SharePoint Remote Code Execution VulnerabilityCVE-2025-29793 and CVE-2025-29794 are RCE vulnerabilities affecting Microsoft SharePoint Server. The most severe of these vulnerabilities was assigned a CVSSv3 score of 8.8 and both were rated as important. Successful exploitation would grant an attacker the ability to execute arbitrary code. According to Microsoft, an attacker would need to be authenticated in order to exploit this vulnerability.Microsoft has patched four vulnerabilities in SharePoint already this year, including three RCE vulnerabilities, and 20 vulnerabilities impacting SharePoint in 2024.Tenable SolutionsA list of all the plugins released for Microsoft's April 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationMicrosoft's April 2025 Security UpdatesTenable plugins for Microsoft April 2025 Patch Tuesday Security UpdatesJoin Tenable's Security Response Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.