Microsoft has launched safety fixes to deal with an enormous set of 126 flaws affecting its software program merchandise, together with one vulnerability that it stated has been actively exploited within the wild.
Of the 126 vulnerabilities, 11 are rated Vital, 112 are rated Vital, and two are rated Low in severity. Forty-nine of those vulnerabilities are categorised as privilege escalation, 34 as distant code execution, 16 as data disclosure, and 14 as denial-of-service (DoS) bugs.
The updates are other than the 22 flaws the corporate patched in its Chromium-based Edge browser for the reason that launch of final month’s Patch Tuesday update.
The vulnerability that has been flagged as below energetic assault is an elevation of privilege (EoP) flaw impacting the Home windows Frequent Log File System (CLFS) Driver (CVE-2025-29824, CVSS rating: 7.8) that stems from a use-after-free situation, permitting a licensed attacker to raise privileges regionally.
CVE-2025-29824 is the sixth EoP vulnerability to be found in the identical part that has been exploited within the wild since 2022, the others being CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252, and CVE-2024-49138 (CVSS scores: 7.8).
“From an attacker’s perspective, post-compromise exercise requires acquiring requisite privileges to conduct follow-on exercise on a compromised system, akin to lateral motion,” Satnam Narang, senior employees analysis engineer at Tenable, stated.
“Subsequently, elevation of privilege bugs are usually in style in focused assaults. Nonetheless, elevation of privilege flaws in CLFS have turn out to be particularly in style amongst ransomware operators through the years.”
Mike Walters, president and co-founder of Action1, said the vulnerability permits privilege escalation to the SYSTEM degree, thereby giving an attacker the power to put in malicious software program, modify system settings, tamper with security measures, entry delicate information, and keep persistent entry.
“What makes this vulnerability significantly regarding is that Microsoft has confirmed energetic exploitation within the wild, but at the moment, no patch has been launched for Home windows 10 32-bit or 64-bit methods,” Ben McCarthy, lead cyber safety engineer at Immersive, stated. “The shortage of a patch leaves a essential hole in protection for a large portion of the Home windows ecosystem.”
“Below sure reminiscence manipulation circumstances, a use-after-free might be triggered, which an attacker can exploit to execute code on the highest privilege degree in Home windows. Importantly, the attacker doesn’t want administrative privileges to take advantage of the vulnerability – solely native entry is required.”
The energetic exploitation of the flaw, per Microsoft, has been linked to ransomware assaults towards a small variety of targets. The event has prompted the U.S. Cybersecurity and Infrastructure Safety Company (CISA) to add it to the Identified Exploited Vulnerabilities (KEV) catalog, requiring federal companies to use the repair by April 29, 2025.
A number of the different notable vulnerabilities patched by Redmond this month embody a safety characteristic bypass (SFB) flaw affecting Home windows Kerberos (CVE-2025-29809), in addition to distant code execution flaws in Home windows Distant Desktop Providers (CVE-2025-27480, CVE-2025-27482), and Home windows Light-weight Listing Entry Protocol (CVE-2025-26663, CVE-2025-26670)
Additionally of word are a number of Vital-severity distant code execution flaws in Microsoft Workplace and Excel (CVE-2025-29791, CVE-2025-27749, CVE-2025-27748, CVE-2025-27745, and CVE-2025-27752) that could possibly be exploited by a foul actor utilizing a specifically crafted Excel doc, leading to full system management.
Capping off the checklist of Vital flaws are two distant code execution vulnerabilities impacting Home windows TCP/IP (CVE-2025-26686) and Home windows Hyper-V (CVE-2025-27491) that might permit an attacker to execute code over a community below sure circumstances.
It is price noting that a number of of the vulnerabilities are but to obtain patches for Home windows 10. Microsoft stated the updates could be “launched as quickly as attainable, and when they’re out there, clients might be notified by way of a revision to this CVE data.”
Software program Patches from Different Distributors
Along with Microsoft, safety updates have additionally been launched by different distributors over the previous few weeks to rectify a number of vulnerabilities, together with —
Source link