Ethical Hacking News
Microsoft has released critical security patches to address multiple vulnerabilities in its Windows operating systems and software, including a local elevation of privilege bug in the CLFS driver and an LDAP server remote code execution bug. The company urges users to apply the updates as soon as possible to minimize potential risks associated with exploitation.
Microsoft released updates to address at least 121 security flaws in its Windows operating systems and software.The latest edition of Patch Tuesday includes fixes for eleven critical security flaws, including CVE-2025-29824 and CVE-2025-26663.A critical flaw is a local elevation of privilege bug in the Windows Common Log File System (CLFS) driver that requires no privileges for exploitation.The Windows Remote Desktop services (RDP) are also included in the updates, with some flaws earning a "critical" rating.Non-critical vulnerabilities were also fixed this month, including those in web browsers such as Google Chrome and Mozilla Firefox.It is advisable for individuals and organizations with Windows operating systems and software to keep their systems updated to mitigate risks associated with critical security flaws.
In a regular update, known as Patch Tuesday, technology giant Microsoft released updates to address multiple critical security flaws in its Windows operating systems and software. This latest edition of Patch Tuesday includes fixes for at least 121 security holes, with eleven of those flaws earning the company's most-dire "critical" rating.
The critical flaw that is already being exploited in the wild is CVE-2025-29824, a local elevation of privilege bug in the Windows Common Log File System (CLFS) driver. Microsoft rates it as "important," but security experts have advised treating it as critical due to its potential impact. Chris Goettl from Ivanti noted that this CLFS component of Windows has seen 32 vulnerabilities patched since 2022, with six of them being exploited in the wild.
Another critical flaw is CVE-2025-26663, an LDAP (Lightweight Directory Access Protocol) server remote code execution bug that requires no privileges for exploitation. Rapid7's Adam Barnett warned that any organization with a non-trivial Microsoft footprint should add patching for this critical flaw to their to-do list, as successful exploitation would be an attractive shortcut for attackers.
The Windows Remote Desktop services (RDP), including CVE-2025-26671, CVE-2025-27480 and CVE-2025-27482, are also included in the updates. However, only two of these flaws – CVE-2025-26671 and CVE-2025-27480 – earned the "critical" rating from Microsoft.
Apart from critical flaws, numerous non-critical vulnerabilities were fixed this month, including those in web browsers such as Google Chrome and Mozilla Firefox. Adobe also released 12 updates resolving 54 security holes across a range of products, while Apple users may need to patch their devices due to issues in at least one zero-day flaw.
In light of the critical security flaws addressed by Microsoft this week, it is advisable for individuals and organizations with Windows operating systems and software to keep their systems updated. Furthermore, backing up data and devices prior to updating reduces the risk associated with software updates gone awry.
For more granular details on today's Patch Tuesday, check out the SANS Internet Storm Center's roundup or Microsoft's update guide for April 2025.
Related Information:
https://www.ethicalhackingnews.com/articles/Patch-Tuesday-April-2025-Microsoft-Addresses-Multiple-Critical-Security-Flaws-ehn.shtml
https://krebsonsecurity.com/2025/04/patch-tuesday-april-2025-edition/
Published: Tue Apr 8 23:25:14 2025 by llama3.2 3B Q4_K_M