Microsoft’s bundle of 124 April fixes for Common Vulnerabilities and Exposures (CVEs) in its codebase contains 11 rated “critical” and two rated “low”, with the remainder rated “important” in severity.
Dustin Childs of the Zero Day Initiative noted that “only one of these bugs is listed as publicly known or under active attack at the time of release”, but that this will be of little comfort.
In a blog post, Childs said of the vulnerability listed by Microsoft as under active attack: “This privilege escalation bug [CVE-2025-29824] … allows a threat actor to execute their code with System privileges. These types of bugs are often paired with code execution bugs to take over a system. Microsoft gives no indication of how widespread these attacks are.”
Two of the other bugs Childs picked out – CVE-2025-26663 and CVE-2025-26670 – “allow a remote, unauthenticated attacker to execute their code on affected systems just by sending a specially crafted LDAP [Lightweight Directory Access Protocol] message”. He added: “Since almost everything can host an LDAP service, there’s a plethora of targets out there. And since no user interaction is involved, these bugs are wormable.” Wormable means an exploit can spread from one vulnerable host to the next without any human interaction.
Of the current crop of Microsoft vulnerabilities being disclosed, Adam Barnett, lead software engineer at Rapid7, said: “The Windows Common Log File System (CLFS) Driver is firmly back on our radar today with CVE-2025-29824, a zero-day local elevation of privilege vulnerability.”
This is the vulnerability that Childs focused on most in his post.
Barnett said: “First, the good news: the Acknowledgements section credits the Microsoft Threat Intelligence Center, so the exploit was successfully reproduced by Microsoft; the less-good news is that someone other than Microsoft was first to discover the exploit, because otherwise Microsoft wouldn’t be listing CVE-2025-29824 as exploited in the wild. The advisory doesn’t specify what privilege level is achieved upon successful exploitation, but it’ll be System, because that’s the prize for all the other CLFS [Common Log File System] elevation of privilege zero-day vulnerabilities.
“Defenders responsible for an LDAP server – which means almost any organisation with a non-trivial Microsoft footprint – should add patching for CVE-2025-26663 to their to-do list. With no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker.”
He added this further note of caution: “If you breathe a sigh of relief when you see LDAP server critical RCE vulnerabilities like CVE-2025-26663, because you’re certain that you don’t have any Windows LDAP servers in your estate, how about LDAP clients? CVE-2025-26670 describes a critical RCE [Remote Code Execution] in the LDAP client, although the FAQ confusingly states that exploitation would require an attacker to ‘send specially crafted requests to a vulnerable LDAP server’; this looks like it might be a data entry error on the advisory FAQ, so keep an eye out for an update to that section of the advisory.”
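The practical question both Childs and Barnett raise is exposure: which hosts in the estate listen for LDAP, which are LDAP clients (in practice, every domain-joined Windows machine), and whether anything has been installed since April’s Patch Tuesday. The following PowerShell triage script is an added example for this article, not code from Microsoft, ZDI or Rapid7. It assumes Windows PowerShell 5.1 or later run elevated on the host being checked, and treats 8 April 2025 (the April 2025 Patch Tuesday) as the cut-off date. It deliberately does not hardcode KB numbers or fixed file versions for CVE-2025-29824, CVE-2025-26663 or CVE-2025-26670, because the article does not state them; compare the reported values against the MSRC advisories yourself.

```powershell
# Added triage example (not from the article, ZDI or Rapid7).
# Assumptions: Windows PowerShell 5.1+, run elevated; 2025-04-08 is the
# April 2025 Patch Tuesday. KB numbers and fixed clfs.sys builds are not
# hardcoded here; read them from the MSRC advisories and compare by hand.

$patchTuesday = Get-Date '2025-04-08'

# 1. Is this host an LDAP server? Look for AD DS / AD LDS services and for
#    anything listening on the standard LDAP and Global Catalog ports.
$ldapServices = Get-Service -Name NTDS, ADWS, 'ADAM_*' -ErrorAction SilentlyContinue |
    Select-Object Name, Status

$ldapPorts = 389, 636, 3268, 3269
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ldapPorts -contains $_.LocalPort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Pid     = $_.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }

# 2. Barnett's point about CVE-2025-26670: a host with no LDAP server is still
#    an LDAP client if it is domain-joined, so record that explicitly.
$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

# 3. Report the CLFS driver version (CVE-2025-29824 lives in clfs.sys) so it
#    can be compared with the fixed build quoted in the advisory.
$clfsVersion = (Get-Item "$env:SystemRoot\System32\drivers\clfs.sys").VersionInfo.FileVersion

# 4. Hotfixes installed on or after Patch Tuesday. An empty list is a prompt
#    to check WSUS/Intune/Windows Update history, not proof the host is unpatched;
#    Get-HotFix does not see every update type.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    DomainJoined     = $domainJoined
    LdapServices     = ($ldapServices | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
    LdapListeners    = ($listeners | ForEach-Object { "$($_.Port)/$($_.Process)" }) -join ', '
    ClfsFileVersion  = $clfsVersion
    PatchesSince0408 = ($recent | ForEach-Object { $_.HotFixID }) -join ', '
} | Format-List
```

To run it across a fleet, wrap the body in a script block and use Invoke-Command -ComputerName against your server list; a host that reports DomainJoined = True with no patches since the cut-off is in scope for CVE-2025-26670 even if LdapListeners is empty, and any host with a listener on 389/636/3268/3269 is in scope for CVE-2025-26663.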
The full list of CVEs released by Microsoft for April 2025 can be found here.
The CVEs cover, according to Childs’ enumeration, Windows and Windows Components, Office and Office Components, Azure, .NET and Visual Studio, BitLocker, Kerberos, Windows Hello, OpenSSH, and Windows Lightweight Directory Access Protocol.