Source: www.infosecurity-magazine.com
System administrators have roughly double the workload of March’s Patch Tuesday this month, after Microsoft published fixes for over 130 CVEs.
However, there was only one zero-day bug announced this month, compared to seven in March.
CVE-2025-29824 is an actively exploited elevation of privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) driver that stems from a use-after-free condition. An attacker does not need administrative privileges to exploit it, only local, low-privileged access to the machine.
“The vulnerability arises from improper memory handling in the CLFS driver (clfs.sys). Under certain memory manipulation conditions, a use-after-free can be triggered, which an attacker can exploit to execute code at the highest privilege level in Windows,” explained Ben McCarthy, lead cybersecurity engineer at Immersive.
“This type of vulnerability is especially dangerous in post-compromise scenarios. Once an attacker has a foothold on a machine – via phishing, malware, or other vectors – they can exploit the CLFS bug to elevate privileges, maintain persistence, and move laterally across an enterprise network. It is a favored class of vulnerability in targeted attacks and ransomware operations.”
Updates are currently available only for Windows Server and Windows 11. Users of Windows 10 on both x64 and 32-bit systems will have to wait. This leaves a potentially “critical gap in defense” for a large number of Windows users, warned McCarthy.
“In the absence of a security update, organizations should take proactive steps to mitigate risk. Security teams are advised to monitor the CLFS driver closely using EDR/XDR tools,” he said.
“This includes watching for processes interacting with clfs.sys, being spawned by it, or showing anomalous behavior when communicating with other drivers or memory spaces. Until a patch is made available, visibility and endpoint behavior analysis are the most effective defenses against exploitation of this actively abused vulnerability.”
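McCarthy's advice is to watch processes that interact with clfs.sys. One way to turn that into detection logic, as an added example that is not code from the article or from Immersive: the script below walks ordered endpoint telemetry and flags three behaviours. It assumes that user-mode code reaches the CLFS driver through the clfsw32.dll API and through CLFS base log files (*.blf), that a short allowlist of system images (svchost.exe, lsass.exe, wininit.exe, assumed here and to be replaced by your own fleet baseline) covers legitimate CLFS users, and that a successful EoP shows up as a SYSTEM child spawned by a process that itself ran as a low-privileged user. The telemetry records and their field names are constructed for the example and do not follow any vendor's EDR schema.

```python
"""Flag endpoint processes that interact with the Windows Common Log File System.

Added example, not code from the article or from Immersive. The telemetry
records below are constructed and use a generic shape (pid, image, user,
parent_pid, action, target) rather than any vendor's EDR schema. Assumed
observables: user-mode code reaches the CLFS driver (clfs.sys) through the
clfsw32.dll API and through CLFS base log files (*.blf), and a successful
EoP typically shows up as a SYSTEM child spawned by a low-privileged parent.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

CLFS_USER_LIBRARY = "clfsw32.dll"   # user-mode CLFS API library
BASE_LOG_EXTENSION = ".blf"         # CLFS base log file extension
SYSTEM_ACCOUNT = r"nt authority\system"

# Assumed allowlist: system images expected to use CLFS legitimately.
# Tune this from a baseline of your own fleet before relying on it.
EXPECTED_CLFS_USERS = frozenset({
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\wininit.exe",
})


def _norm(path: str) -> str:
    """Lower-case a Windows path so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def _user_writable(path: str) -> bool:
    """Heuristic (assumed list): locations a non-admin user can write to."""
    p = _norm(path)
    return p.startswith(("c:\\users\\", "c:\\programdata\\")) or "\\temp\\" in p


def analyze(events: list[dict]) -> list[dict]:
    """Walk time-ordered telemetry and return findings (pid, image, severity, reason).

    Two signals mark a process as touching CLFS: loading clfsw32.dll, or
    creating a .blf file. Once marked, a SYSTEM child spawned by that process
    while the process itself is not SYSTEM is treated as an escalation chain.
    """
    findings: list[dict] = []
    touched: dict[int, tuple[str, str]] = {}   # pid -> (image, user)

    for ev in events:
        pid, image, user = ev["pid"], _norm(ev["image"]), _norm(ev["user"])
        action, target = ev["action"], _norm(ev.get("target", ""))
        trusted = image in EXPECTED_CLFS_USERS

        if action == "image_load" and PureWindowsPath(target).name == CLFS_USER_LIBRARY:
            if not trusted:
                touched[pid] = (image, user)
                findings.append(dict(pid=pid, image=ev["image"], severity="medium",
                                     reason=f"non-system process loaded {CLFS_USER_LIBRARY}"))
        elif action == "file_create" and target.endswith(BASE_LOG_EXTENSION):
            if not trusted:
                touched[pid] = (image, user)
                severity = "high" if _user_writable(target) else "medium"
                findings.append(dict(pid=pid, image=ev["image"], severity=severity,
                                     reason=f"CLFS base log created at {ev['target']}"))
        elif action == "process_create":
            parent = touched.get(ev.get("parent_pid"))
            if parent and user == SYSTEM_ACCOUNT and parent[1] != SYSTEM_ACCOUNT:
                findings.append(dict(pid=pid, image=ev["image"], severity="critical",
                                     reason=f"SYSTEM child of CLFS-touching process {parent[0]}"))
    return findings


# Constructed telemetry for one host, in time order (not real captured data).
SAMPLE_EVENTS = [
    dict(pid=812, image=r"C:\Windows\System32\svchost.exe", user=r"NT AUTHORITY\SYSTEM",
         parent_pid=640, action="image_load", target=r"C:\Windows\System32\clfsw32.dll"),
    dict(pid=4412, image=r"C:\Users\alice\AppData\Local\Temp\update.exe", user=r"CORP\alice",
         parent_pid=3020, action="image_load", target=r"C:\Windows\System32\clfsw32.dll"),
    dict(pid=4412, image=r"C:\Users\alice\AppData\Local\Temp\update.exe", user=r"CORP\alice",
         parent_pid=3020, action="file_create", target=r"C:\Users\alice\AppData\Local\Temp\log.blf"),
    dict(pid=5000, image=r"C:\Windows\System32\cmd.exe", user=r"NT AUTHORITY\SYSTEM",
         parent_pid=4412, action="process_create", target=""),
    dict(pid=6100, image=r"C:\Windows\System32\notepad.exe", user=r"CORP\bob",
         parent_pid=3020, action="file_create", target=r"C:\Users\bob\notes.txt"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']:>8}] pid={f['pid']} {f['image']}: {f['reason']}")
```

On the constructed sample, the allowlisted svchost.exe load is ignored, the Temp-resident update.exe is flagged twice (library load, then a .blf written to a user-writable directory), and the SYSTEM cmd.exe it spawns is escalated to critical. The allowlist and path heuristics are the parts that will need tuning: CLFS is used by legitimate software, so the useful signal is the chain (untrusted process touches CLFS, then gains SYSTEM), not any single event.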
EoP vulnerabilities were by far the most common type fixed this Patch Tuesday, with Microsoft issuing updates for 49 in total. Next came remote code execution (31) and information disclosure (17) CVEs.
Beyond CVSS
Tyler Reguly, associate director, security R&D, at Fortra, argued that security teams need to look beyond severity scores to prioritize patching.
“This is a month that really demonstrates that CVSS severity is not necessarily the best metric for prioritization. CVE-2025-29824 has a base score of 7.8, while another vulnerability that I would pay attention to, CVE-2025-27472, only has a base score of 5.4,” he explained.
“In the case of Microsoft, prioritization is better done utilizing the Microsoft Exploitability Index and focusing on vulnerabilities with an index of 0 (exploitation detected) or 1 (exploitation more likely).”
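Reguly's point is that the Microsoft Exploitability Index, not the CVSS base score, should drive the first sort of a Patch Tuesday list. The script below shows that ordering as an added example; it is not code from the article or from Fortra. The base scores for CVE-2025-29824 (7.8) and CVE-2025-27472 (5.4) are the ones quoted above; the index value of 0 for CVE-2025-29824 follows from its active exploitation, while the index of 1 assumed for CVE-2025-27472 and the two placeholder entries (deliberately not real CVE identifiers) are constructed for illustration.

```python
"""Rank a Patch Tuesday release by Microsoft Exploitability Index, then CVSS.

Added example, not code from the article or from Fortra. Scores for the two
CVEs named by Reguly come from the article; the Exploitability Index value
assumed for CVE-2025-27472 (1, "Exploitation More Likely") and the
placeholder entries are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Microsoft Exploitability Index: a lower value means more urgent.
EXPLOITATION_DETECTED = 0
EXPLOITATION_MORE_LIKELY = 1
EXPLOITATION_LESS_LIKELY = 2
EXPLOITATION_UNLIKELY = 3

INDEX_LABELS = {
    EXPLOITATION_DETECTED: "Exploitation Detected",
    EXPLOITATION_MORE_LIKELY: "Exploitation More Likely",
    EXPLOITATION_LESS_LIKELY: "Exploitation Less Likely",
    EXPLOITATION_UNLIKELY: "Exploitation Unlikely",
}


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    cvss: float          # CVSS base score
    exploitability: int  # Microsoft Exploitability Index


def priority_key(a: Advisory) -> tuple:
    """Exploitability Index first, then CVSS descending, then ID for a stable order."""
    return (a.exploitability, -a.cvss, a.cve)


def rank_by_exploitability(advisories, max_index: int = EXPLOITATION_MORE_LIKELY):
    """Patch-first list: keep entries with index <= max_index, most urgent first."""
    return sorted((a for a in advisories if a.exploitability <= max_index), key=priority_key)


def rank_by_cvss(advisories):
    """The naive ordering the quote argues against, kept for comparison."""
    return sorted(advisories, key=lambda a: (-a.cvss, a.cve))


# Constructed sample release. The EXAMPLE-* identifiers are placeholders, not CVEs.
SAMPLE_RELEASE = [
    Advisory("CVE-2025-29824", "Windows CLFS driver elevation of privilege",
             7.8, EXPLOITATION_DETECTED),
    Advisory("CVE-2025-27472", "second CVE named by Reguly (type not stated in the article)",
             5.4, EXPLOITATION_MORE_LIKELY),   # index value assumed
    Advisory("EXAMPLE-RCE-A", "placeholder critical RCE, exploitation unlikely",
             9.8, EXPLOITATION_UNLIKELY),
    Advisory("EXAMPLE-EOP-B", "placeholder EoP, exploitation less likely",
             7.8, EXPLOITATION_LESS_LIKELY),
]

if __name__ == "__main__":
    print("By Exploitability Index (patch these first):")
    for a in rank_by_exploitability(SAMPLE_RELEASE):
        print(f"  {a.cve}  CVSS {a.cvss:<4} {INDEX_LABELS[a.exploitability]}")
    print("By CVSS alone:")
    for a in rank_by_cvss(SAMPLE_RELEASE):
        print(f"  {a.cve}  CVSS {a.cvss:<4} {INDEX_LABELS[a.exploitability]}")
```

Sorting by CVSS alone puts the placeholder 9.8 RCE at the top and the 5.4 CVE near the bottom; sorting by Exploitability Index first surfaces the actively exploited 7.8 CLFS bug and then the 5.4 CVE, with the high-scoring but unlikely-to-be-exploited entry filtered out of the patch-first list entirely. In practice the index value for each CVE comes from the MSRC Security Update Guide rather than being typed in by hand.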
Image credit: Below the Sky / Shutterstock.com
Original Post URL: https://www.infosecurity-magazine.com/news/microsoft-fixes-130-cves-april/