Microsoft has recently addressed a significant number of vulnerabilities in its software products, totaling 126 flaws in all. Among these vulnerabilities, 11 have been classified as Critical, 112 as Important, and two as Low severity. The vulnerabilities include privilege escalation, remote code execution, information disclosure, and denial-of-service bugs.
This latest batch of patches comes in addition to the 22 flaws that have been patched in Microsoft’s Chromium-based Edge browser since the last Patch Tuesday update. One particular vulnerability within the Windows Common Log File System (CLFS) Driver, identified as CVE-2025-29824 with a CVSS score of 7.8, has been actively exploited in the wild. This elevation of privilege (EoP) flaw is a use-after-free bug that allows an attacker with local access to elevate privileges. It is the sixth EoP vulnerability in this component to be exploited in the wild since 2022.
Security experts have highlighted the significance of this vulnerability, noting that it allows attackers to escalate privileges to the SYSTEM level, granting them the ability to install malicious software, modify system settings, tamper with security features, access sensitive data, and maintain persistent access. Despite the active exploitation of this flaw, Microsoft has yet to release a patch for Windows 10 32-bit or 64-bit systems, leaving a critical gap in defense for a large portion of the Windows ecosystem.
The exploitation of this vulnerability has been linked to ransomware attacks against a small number of targets, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog. Federal agencies have been urged to apply the fix by April 29, 2025.
In addition to the CLFS vulnerability, other notable vulnerabilities patched by Microsoft this month include a security feature bypass flaw affecting Windows Kerberos, as well as remote code execution flaws in Windows Remote Desktop Services and Windows Lightweight Directory Access Protocol. Critical-severity remote code execution flaws in Microsoft Office and Excel have also been addressed, which could be exploited by bad actors using specially crafted Excel documents.
It is worth mentioning that some of the vulnerabilities are still awaiting patches for Windows 10. Microsoft has assured that the updates will be released as soon as possible, with customers being notified via a revision to the CVE information.
Furthermore, various other vendors have also released security updates to address vulnerabilities in their software products, reflecting the ongoing effort to strengthen cybersecurity across the industry. The collective response to these vulnerabilities underscores the collaborative approach taken by the cybersecurity community to safeguard systems and data from potential threats.