Microsoft fixes actively exploited Windows CLFS zero-day (CVE-2025-29824)

April 2025 Patch Tuesday has arrived, bringing with it a comprehensive suite of fixes addressing over 120 vulnerabilities, including a critical zero-day vulnerability (CVE-2025-29824) currently under active exploitation.

CVE-2025-29824

CVE-2025-29824 is a use-after-free vulnerability in the Windows Common Log File System (CLFS) driver. It is a local elevation of privilege flaw: an attacker who already has code execution on a Windows machine can use it to gain SYSTEM privileges, which is why it shows up late in an intrusion rather than as the initial entry point. According to Satnam Narang, a senior staff research engineer at Tenable, CLFS has been a recurring focus during Patch Tuesday, with Microsoft having patched 32 CLFS vulnerabilities since 2022, averaging about ten each year. Notably, six of these have been exploited in the wild, with the last zero-day patched in December 2024 (CVE-2024-49138).

While the extent of the attacks leveraging this vulnerability remains unclear, the Microsoft Threat Intelligence Center has been credited with its discovery, underscoring the urgency for organizations to prioritize this patch. The vulnerability impacts a range of Windows Server and Windows versions, with security updates rolled out for most systems. However, Microsoft has indicated that updates for Windows 10 (both x64 and 32-bit systems) are not yet available but will be released as soon as possible.

In the interim, Ben McCarthy, lead cyber security engineer at Immersive Labs, advises organizations to take proactive measures to mitigate risks. “Security teams should closely monitor the CLFS driver using EDR/XDR tools, keeping an eye on processes interacting with clfs.sys and looking for any anomalous behavior,” he stated.
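As an added example (not part of the article and not code from Immersive Labs), the following PowerShell snapshot script turns the monitoring advice above into something a responder can run on a host today. It rests on two assumptions the page does not state: user-mode programs reach clfs.sys through the documented CLFS API DLL clfsw32.dll, and CLFS exploits need a base log file (.blf) they can write, so fresh .blf files under user-writable paths are worth a look. The $allowedImages allowlist is hypothetical and must be tuned to your environment.

```powershell
# Added example, not from the original article. Point-in-time triage for the
# CLFS monitoring advice above. Run elevated: modules of protected processes
# cannot be enumerated otherwise.
#
# Assumptions (not stated on the page):
#   - user-mode CLFS clients load clfsw32.dll (the CLFS API DLL)
#   - $allowedImages is a hypothetical allowlist of binaries expected to use CLFS
#   - $userWritable lists locations where an unprivileged exploit could drop a .blf

$allowedImages = @('C:\Windows\System32\svchost.exe')   # hypothetical; tune per host
$lookbackHours = 24
$userWritable  = @("$env:ProgramData", 'C:\Users')

function Get-ClfsClients {
    # Every process that currently has clfsw32.dll mapped, with an allowlist verdict.
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }   # access denied on protected processes
        if ($mods | Where-Object { $_.ModuleName -ieq 'clfsw32.dll' }) {
            [pscustomobject]@{
                Pid   = $p.Id
                Name  = $p.ProcessName
                Path  = $p.Path
                Allow = ($allowedImages -contains $p.Path)
            }
        }
    }
}

function Get-RecentBlfFiles {
    # .blf base log files created recently under user-writable paths.
    $since = (Get-Date).AddHours(-$lookbackHours)
    Get-ChildItem -Path $userWritable -Recurse -Filter *.blf -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        Select-Object FullName, CreationTime, Length
}

$clients = @(Get-ClfsClients)
$suspect = @($clients | Where-Object { -not $_.Allow })
$blf     = @(Get-RecentBlfFiles)

"Processes with clfsw32.dll loaded: $($clients.Count); not on allowlist: $($suspect.Count)"
$suspect | Format-Table -AutoSize
"Recent .blf files under user-writable paths (last $lookbackHours h): $($blf.Count)"
$blf | Format-Table -AutoSize
```

This is a snapshot, not a detection: a process that loaded clfsw32.dll, exploited the driver and exited leaves nothing for it to find. Continuous coverage comes from EDR or Sysmon telemetry (image-load events for clfsw32.dll and file-create events for .blf files outside expected paths), and legitimate Windows components do use CLFS, so treat hits as leads to triage rather than verdicts.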

Other vulnerabilities of note

In addition to CVE-2025-29824, Microsoft has addressed a range of vulnerabilities leading to elevation of privilege (EOP) and remote code execution (RCE). Among the critical RCE flaws are CVE-2025-26663 and CVE-2025-26670, both of which are unauthenticated use-after-free vulnerabilities in the Windows Lightweight Directory Access Protocol (LDAP). Exploitation of these flaws requires an attacker to win a race condition, triggered by specially crafted requests sent in sequence to a vulnerable LDAP server.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, highlights the widespread implications of these vulnerabilities. “Since nearly everything can host an LDAP service, there are numerous potential targets. Moreover, as no user interaction is required, these vulnerabilities are particularly dangerous,” he noted. He further emphasized the importance of quickly testing and deploying updates, especially since patches for Windows 10 are still pending.

Additionally, two RCE vulnerabilities in Windows Remote Desktop Services (RDP)—CVE-2025-27480 and CVE-2025-27482—can also be exploited without user interaction. However, an unauthorized attacker must first be able to connect to a system with the Remote Desktop Gateway role, then win a race condition that produces an exploitable use-after-free. Until patched, organizations should restrict RDP and RD Gateway access to trusted IP addresses or make these services unreachable from the internet.
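The exposure-reduction advice above, as an added PowerShell example that is not part of the article: narrow the inbound Windows Firewall allow rules on the gateway host to a trusted address list. The $trusted ranges are hypothetical placeholders; the port assumptions (RD Gateway on TCP 443 and UDP 3391, plain RDP on TCP/UDP 3389) come from the RD Gateway documentation, not from this page.

```powershell
# Added example, not from the original article. Scope inbound RD Gateway / RDP
# firewall rules to a trusted address list. Run elevated on the gateway host.
#
# Assumptions (not stated on the page):
#   - $trusted is a hypothetical allowlist; replace with your VPN / jump-host ranges
#   - RD Gateway listens on TCP 443 (HTTPS) and UDP 3391; plain RDP on TCP/UDP 3389
# Windows Firewall's default inbound action is Block, so narrowing the existing
# Allow rules' RemoteAddress is enough; no extra Block rule is needed.

$trusted = @('10.20.0.0/16', '192.0.2.10')   # hypothetical (192.0.2.0/24 is the RFC 5737 doc range)
$ports = @(
    @{ Protocol = 'TCP'; LocalPort = '443'  },
    @{ Protocol = 'UDP'; LocalPort = '3391' },
    @{ Protocol = 'TCP'; LocalPort = '3389' },
    @{ Protocol = 'UDP'; LocalPort = '3389' }
)

foreach ($p in $ports) {
    # Port filters carry the port; the associated rule carries direction/action/scope.
    $rules = Get-NetFirewallPortFilter -Protocol $p.Protocol |
        Where-Object { $_.LocalPort -eq $p.LocalPort } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    foreach ($r in $rules) {
        Write-Host "Scoping '$($r.DisplayName)' ($($p.Protocol)/$($p.LocalPort)) to $($trusted -join ', ')"
        $r | Set-NetFirewallRule -RemoteAddress $trusted
    }
}

# Verify: every enabled inbound Allow rule on those ports should now show the trusted scope.
$watched = @('443', '3391', '3389')
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    if ($pf.LocalPort | Where-Object { $_ -in $watched }) {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Port   = ($pf.LocalPort -join ',')
            Remote = ($af.RemoteAddress -join ',')
        }
    }
} | Format-Table -AutoSize
```

Note that scoping every allow rule on TCP 443 also scopes any other HTTPS listener on the same host; if your build names the RD Gateway rules distinctly, filter on that display group instead of the bare port. The change is a stopgap for the window before the update is deployed, not a substitute for it.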

Among the vulnerabilities deemed “more likely” to be exploited are:

  • CVE-2025-27472, which allows attackers to bypass Windows Mark of the Web (MotW) defenses
  • CVE-2025-27727, an EOP flaw in the Windows Installer
  • CVE-2025-29809, a vulnerability that could enable authorized attackers to bypass Windows Defender Credential Guard and leak Kerberos authentication credentials

It is important to note that none of these vulnerabilities have been patched in Windows 10 for x64-based systems and Windows 10 for 32-bit systems, but updates are forthcoming.

In a related development, Microsoft had initially planned to discontinue support for driver update synchronization to Windows Server Update Services (WSUS) servers but has since reversed this decision. For now, “WSUS will continue to synchronize driver updates from the Windows Update service and import them from the Microsoft Update Catalog,” the company confirmed, while urging organizations to explore alternative in-support technologies for enhanced security and productivity.
