Bad luck, Windows 10 users. No fix yet for ransomware-exploited bug
- Reference: 1744155807
- News link: https://www.theregister.co.uk/2025/04/08/patch_tuesday_microsoft/
Redmond [1]delivered fixes for more than 120 flaws this month; none are rated with a CVSS severity score of nine or higher.
The one that deserves most attention is [2]CVE-2025-29824 , an elevation of privilege (EoP) hole in the Windows Common Log File System Driver, because it is already being exploited.
In a separate note, Microsoft [4]explained the vulnerability is being exploited by a crew it has designated as Storm-2460, which uses the bug to deliver ransomware it’s dubbed PipeMagic. Victims have been found in the US, Spain, Venezuela, and Saudi Arabia.
The 7.8-rated flaw allows an attacker to elevate privileges up to system level thanks to a use-after-free bug in the aforementioned driver. The issue affects all versions of Windows Server up to 2025, plus Windows 10 and 11. Windows Server and Windows 11 have been patched, but Windows 10 still awaits a fix.
"The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information," Redmond wrote, regarding patches for Windows 10.
This appears to be a common problem this month, with many of the patches excluding Windows 10 for the moment. We've asked Microsoft for clarification on release dates and what the issue is. Windows 10 is approaching end of life but it's not there yet.
All of the critical flaws allow remote code execution (RCE). Three impact Office, and two each target Excel, LDAP, and Remote Desktop. A summary, courtesy of Trend Micro's Zero Day Initiative, of the most serious holes in this month's patch batch is below in table form.
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|-----|-------|----------|------|--------|-----------|------|
| [11]CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| [12]CVE-2025-26670 | Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| [13]CVE-2025-27752 | Microsoft Excel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| [14]CVE-2025-29791 | Microsoft Excel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| [15]CVE-2025-27745 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| [16]CVE-2025-27748 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| [17]CVE-2025-27749 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| [18]CVE-2025-27491 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.1 | No | No | RCE |
| [19]CVE-2025-26663 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| [20]CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| [21]CVE-2025-27482 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| [22]CVE-2025-26686 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| [23]CVE-2025-29809 | Windows Kerberos Security Feature Bypass Vulnerability (NB: Further administrative actions are required to fully address the vulnerability) | Important | 7.1 | No | No | SFB |
Regarding CVE-2025-29809, ZDI's Dustin Childs noted in his [24]full summary of Patch Tuesday that extra steps are needed to patch up the bug: "There are several security feature bypass (SFB) bugs in this release, but this one stands out above the others. A local attacker could abuse this vulnerability to leak Kerberos credentials. And you may need to take actions beyond just patching. If you rely on virtualization-based security, you’ll need to read [25]this document and then redeploy with the updated policy."
As for CVE-2025-26663 and CVE-2025-26670, the RCEs in Windows LDAP, Childs noted these are wormable bugs that require winning a race condition to exploit. "LDAP really shouldn't be allowed through your network perimeter, but don't rely on that alone," he wrote. "Test and deploy these updates quickly – unless you're running Windows 10. Those patches aren't available yet."
The RDP RCEs, CVE-2025-27480 and CVE-2025-27482, also look wormable, and as Remote Desktop is often exposed to the public internet, patch these ASAP or lock down the service to trusted networks or IP addresses.
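Two of the follow-up actions above can be checked from an elevated PowerShell prompt: whether a host actually runs virtualization-based security (in which case the CVE-2025-29809 policy redeploy applies) and whether the built-in Remote Desktop firewall rules still accept connections from any address. This is an added example, not code from The Register, Microsoft or ZDI; the trusted network ranges are placeholders to replace with your own.

```powershell
# Added example. Assumes an elevated session on Windows 10/11 or Server with the
# NetSecurity module (standard on these systems). Nothing here changes policy
# unless the Set-NetFirewallRule line is run without -WhatIf.

# 1. CVE-2025-29809: only hosts relying on VBS need the updated policy redeployed,
#    so record whether VBS is running before working through Microsoft's guidance.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
# SecurityServicesRunning lists active services: 1 = Credential Guard, 2 = HVCI
$credGuard  = ($dg.SecurityServicesRunning -contains 1)
Write-Host ("VBS running: {0}; Credential Guard running: {1}" -f $vbsRunning, $credGuard)
if ($vbsRunning) {
    Write-Host "This host relies on VBS: the CVE-2025-29809 fix needs the VBS policy redeploy, not just the update."
}

# 2. CVE-2025-27480 / CVE-2025-27482: find inbound RDP rules open to 'Any' remote
#    address and scope them to trusted ranges (placeholder values, constructed here).
$trusted = @('10.0.0.0/8', '192.168.1.0/24')
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True
foreach ($rule in $rdpRules) {
    $filter = $rule | Get-NetFirewallAddressFilter
    if ($filter.RemoteAddress -contains 'Any') {
        Write-Host ("Rule '{0}' accepts RDP from any address; restricting to {1}" -f $rule.DisplayName, ($trusted -join ', '))
        # Remove -WhatIf once the trusted list is correct for this host.
        Set-NetFirewallRule -Name $rule.Name -RemoteAddress $trusted -WhatIf
    } else {
        Write-Host ("Rule '{0}' already scoped to: {1}" -f $rule.DisplayName, ($filter.RemoteAddress -join ', '))
    }
}
```

Scoping the Windows firewall rule is a stopgap for hosts the patch has not reached yet (Windows 10, per the article); it does not replace the update, and perimeter filtering of RDP and LDAP should be applied independently.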
Adobe, AMD issues
Adobe released 50-plus fixes this month, covering [27]Cold Fusion, [28]After Effects, [29]Media Encoder, [30]Bridge, [31]Commerce, [32]AEM Forms, [33]Premiere Pro, [34]Photoshop, [35]Animate, [36]AEM Screens, [37]FrameMaker, and the Adobe [38]XMP Toolkit SDK.
Adobe ranked the bugs it fixed in Cold Fusion as both critical and important, and urged users to make them their top priority despite finding no evidence of active exploitation.
Finally, AMD updated some of its earlier advisories: uninitialized GPU register access ([39]CVE-2024-21969), SMM vulnerabilities ([40]CVE-2024-0179, CVE-2024-21925), a SEV confidential computing vulnerability ([41]CVE-2024-56161), that CPU microcode signature verification vulnerability ([42]CVE-2024-36347), and GPU memory leaks ([43]CVE-2023-4969). Then there are various Ryzen AI software vulnerabilities ([44]CVE-2025-0014, CVE-2024-36337, CVE-2024-36328, CVE-2024-36336) from earlier this month.
The updated advisories basically contain additional mitigations and information, for those with affected products. ®
[1] https://msrc.microsoft.com/update-guide/releaseNote/2025-Apr
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824
[4] https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/
[7] https://www.theregister.com/2025/04/02/apple_patch_bundle/
[8] https://www.theregister.com/2025/04/08/microsoft_wsus_extended_support/
[9] https://www.theregister.com/2025/03/28/microsoft_windows_11_roadmap/
[10] https://www.theregister.com/2025/04/08/boeing_787_radio_software_patch/
[11] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824
[12] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26670
[13] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27752
[14] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29791
[15] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27745
[16] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27748
[17] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27749
[18] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27491
[19] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26663
[20] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27480
[21] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27482
[22] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26686
[23] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29809
[24] https://www.zerodayinitiative.com/blog/2025/4/8/the-april-2025-security-update-review
[25] https://support.microsoft.com/en-us/topic/guidance-for-blocking-rollback-of-virtualization-based-security-vbs-related-security-updates-b2e7ebf4-f64d-4884-a390-38d63171b8d3
[27] https://helpx.adobe.com/security/products/coldfusion/apsb25-15.html
[28] https://helpx.adobe.com/security/products/after_effects/apsb25-23.html
[29] https://helpx.adobe.com/security/products/media-encoder/apsb25-24.html
[30] https://helpx.adobe.com/security/products/bridge/apsb25-25.html
[31] https://helpx.adobe.com/security/products/magento/apsb25-26.html
[32] https://helpx.adobe.com/security/products/aem-forms/apsb25-27.html
[33] https://helpx.adobe.com/security/products/premiere_pro/apsb25-28.html
[34] https://helpx.adobe.com/security/products/photoshop/apsb25-30.html
[35] https://helpx.adobe.com/security/products/animate/apsb25-31.html
[36] https://helpx.adobe.com/security/products/aem-screens/apsb25-32.html
[37] https://helpx.adobe.com/security/products/framemaker/apsb25-33.html
[38] https://helpx.adobe.com/security/products/xmpcore/apsb25-34.html
[39] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6013.html
[40] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7027.html
[41] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html
[42] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html
[43] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6010.html
[44] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7037.html
Windows came out how many decades ago and the stumblebums at Microsoft still can't get the code right? Do they even bother to read, review and disseminate the thousands of CVEs to the coders? Don't they know how to check for vulnerabilities?
Oh well...
Wow, with six months to go us stick-in-the-mud Win 10 users are already being treated as second class users and forgotten.
I think it's time to investigate Linux Mint more seriously now; I was planning to do so in the summer but events have overtaken me, and the last of my faith/trust is ebbing away.
To put it simply so the backstabbers at MS can understand: No, I am not forking out for new hardware when my I7/16GB RAM machine with two SSDs and stuff is still perfectly good for my needs. Unlike you lot I am not made of money. My time with Windows - going back to Windows 3, and DOS before that - was (mostly) fun, but it's now over and I have a new challenge to face, that of Linux. Oh well, life goes on...
Re: Oh well...
The most recent installations I've done of Linux have been far easier than Windows installation. Everything Just Works™. If you don't have any Windows-specific software you need to run I can see no reason not to switch.
Of course there is a fix!
In fact, I fixed it myself over 15 years ago.
Relax
What could possibly go worng?
It used to be that I'd look at all the Microsoft CVEs and get worried.
But I found out how to "Don't worry, be happy." Switch to linux.
https://music.youtube.com/watch?v=d-diB65scQU