Source: go.theregister.com – Author: Iain Thomson
Patch Tuesday has arrived, and Microsoft has revealed one flaw in its products under active exploitation and 11 critical issues in its code to fix.
Redmond delivered fixes for more than 120 flaws this month; none are rated with a CVSS severity score of nine or higher.
The one that deserves most attention is CVE-2025-29824, an elevation of privilege (EoP) hole in the Windows Common Log File System Driver, because it is already being exploited.
In a separate note, Microsoft explained the vulnerability is being exploited by a crew it tracks as Storm-2460, which uses the PipeMagic malware to deploy the exploit and, ultimately, ransomware. Victims have been found in the US, Spain, Venezuela, and Saudi Arabia.
The 7.8-rated flaw lets a local attacker elevate privileges to SYSTEM via a use-after-free in the aforementioned driver, which is the standard final step after gaining initial code execution on a box. The issue affects all supported versions of Windows Server up to 2025 and Windows 10 and 11. Windows Server and Windows 11 have been patched, but Windows 10 awaits a fix.
“The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information,” Redmond wrote, regarding patches for Windows 10.
This appears to be a common problem this month, with many of the patches excluding Windows 10 for the moment. We’ve asked Microsoft for clarification on release dates and what the issue is. Windows 10 is approaching end of life but it’s not there yet.
All of the critical flaws allow remote code execution (RCE). Three affect Office, and Excel, LDAP, and Remote Desktop Services each account for two, with single bugs in Hyper-V and the TCP/IP stack rounding out the list. A summary, courtesy of Trend Micro's Zero Day Initiative, of the most serious holes in this month's patch batch is below in table form.
CVE | Title | Severity | CVSS | Public | Exploited | Type |
---|---|---|---|---|---|---|
CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
CVE-2025-26670 | Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2025-27752 | Microsoft Excel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2025-29791 | Microsoft Excel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2025-27745 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2025-27748 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2025-27749 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2025-27491 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.1 | No | No | RCE |
CVE-2025-26663 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2025-27482 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2025-26686 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
CVE-2025-29809 | Windows Kerberos Security Feature Bypass Vulnerability (NB: further administrative actions are required to fully address the vulnerability) | Important | 7.1 | No | No | SFB |
Regarding CVE-2025-29809, ZDI’s Dustin Childs noted in his full summary of Patch Tuesday that extra steps are needed to patch up the bug: “There are several security feature bypass (SFB) bugs in this release, but this one stands out above the others. A local attacker could abuse this vulnerability to leak Kerberos credentials. And you may need to take actions beyond just patching. If you rely on virtualization-based security, you’ll need to read this document and then redeploy with the updated policy.”
As for CVE-2025-26663 and CVE-2025-26670, the RCE holes in Windows LDAP, Childs noted they are wormable but require winning a race condition to exploit. "LDAP really shouldn't be allowed through your network perimeter, but don't rely on that alone," he wrote. "Test and deploy these updates quickly – unless you're running Windows 10. Those patches aren't available yet."
The Remote Desktop Services RCEs, CVE-2025-27480 and CVE-2025-27482, also look wormable, and as remote desktop is often exposed to the public internet, patch these ASAP or lock down the service to trusted networks or IP addresses. For Windows 10 boxes still waiting on a fix, that network restriction is the only control you have.
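One way to apply the "lock it down to trusted networks" advice on a Windows host while you wait for, or test, the patches. This is an added example, not code from the article, Microsoft or ZDI; it assumes an elevated PowerShell session, an English-locale Windows where the built-in firewall rule group is named "Remote Desktop", and placeholder trusted ranges that you replace with your own management networks:

```powershell
# Added example: scope inbound Remote Desktop to trusted networks with Windows
# Defender Firewall, then verify the result. Assumptions: run as Administrator;
# the built-in rule group is "Remote Desktop" (English locale); the trusted
# ranges below are placeholders for your own jump hosts / admin VLAN.
#Requires -RunAsAdministrator

$TrustedNets = @('10.20.0.0/16', '192.168.50.10')   # placeholder values

# The built-in inbound Remote Desktop rules cover TCP and UDP 3389 plus the
# shadow-session rule; grab them all so nothing is left open by accident.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction Stop

# Restrict every inbound RDP rule to the trusted ranges and make sure it is enabled,
# so the firewall, not just the patch, sits between port 3389 and the internet.
$rdpRules | Set-NetFirewallRule -RemoteAddress $TrustedNets -Enabled True

# Verify: each rule's address filter should now list only the trusted ranges.
foreach ($rule in $rdpRules) {
    $filter = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        RemoteAddress = ($filter.RemoteAddress -join ', ')
    }
}

# Belt and braces: a scoped rule is useless if the profile is off or allows
# inbound by default, so check the firewall profiles too.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

If you run this through a remote session over RDP itself, make sure your own source address is inside `$TrustedNets` first, or the verification step will be the last thing you see from that host. Perimeter filtering and an RD Gateway or VPN remain the better answer; host-level scoping is the compensating control for the interval before the update lands.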
Adobe, AMD issues
Adobe released 50-plus fixes this month, covering ColdFusion, After Effects, Media Encoder, Bridge, Commerce, AEM Forms, Premiere Pro, Photoshop, Animate, AEM Screens, FrameMaker, and the Adobe XMP Toolkit SDK.
Adobe rated the bugs it fixed in ColdFusion as a mix of critical and important, and urged users to make them their top priority despite finding no evidence of active exploitation.
Finally, AMD updated some of its earlier advisories: uninitialized GPU register access (CVE-2024-21969), SMM vulnerabilities (CVE-2024-0179, CVE-2024-21925), a SEV confidential computing vulnerability (CVE-2024-56161), the CPU microcode signature verification vulnerability (CVE-2024-36347), and GPU memory leaks (CVE-2023-4969). Then there are various Ryzen AI software vulnerabilities (CVE-2025-0014, CVE-2024-36337, CVE-2024-36328, CVE-2024-36336) from earlier this month.
The updated advisories mostly add mitigations and information for those with affected products. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/04/08/patch_tuesday_microsoft/