Microsoft Patches 126 Flaws, Including an Actively Exploited Windows CLFS Vulnerability

April 9, 2025Ravi LakshmananEndpoint security/vulnerability

Microsoft has released security fixes to address a large set of 126 flaws affecting its software products.

Of the 126 vulnerabilities, 11 are rated Critical, 112 are rated Important, and two are rated Low in severity. 49 of these vulnerabilities are classified as privilege escalation, 34 as remote code execution, 16 as information disclosure, and 14 as denial-of-service (DoS) bugs.

The updates are in addition to the 22 flaws the company has patched in its Chromium-based Edge browser since the release of last month's Patch Tuesday update.

The vulnerability flagged as under active attack is an elevation of privilege (EoP) flaw affecting the Windows Common Log File System (CLFS) driver (CVE-2025-29824, CVSS score: 7.8).

CVE-2025-29824 is the sixth EoP vulnerability discovered in the same component that has been exploited in the wild since 2022, the others being CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252, and CVE-2024-138 (CVSS scores: 7.8).

“From an attacker’s perspective, post-competitive activities require the privileges needed to carry out subsequent activities in compromised systems such as lateral movement,” said Satnam Narang, Senior Staff Research Engineer at Tenable.

“Therefore, rising privilege bugs are generally popular in targeted attacks. However, rising privilege flaws in CLFS have been particularly popular among ransomware operators over the years.”

Mike Walters, president and co-founder of Action1, said the vulnerability allows privilege escalation to the SYSTEM level, giving an attacker the ability to install malicious software, modify system settings, tamper with security features, access sensitive data, and maintain persistent access.

“What is particularly concerning about this vulnerability is that Microsoft has confirmed aggressive exploitation in the wild, but at this time there have been no patches released for Windows 10 32-bit or 64-bit systems,” said a leading cybersecurity engineer at Immersive. “The lack of patches leaves a significant gap in defense against a wider part of the Windows ecosystem.”

“Under certain memory operating conditions, it can be disabled so that an attacker can use it to execute code at the highest privilege level in Windows. Importantly, an attacker does not need control to exploit the vulnerability.”

The active exploitation of the flaw, per Microsoft, has been linked to ransomware attacks against a small number of targets. The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fix by April 29, 2025.

Other notable vulnerabilities that Redmond patched this month include a security feature bypass (SFB) flaw affecting Windows Kerberos (CVE-2025-29809), as well as remote code execution flaws in Windows Remote Desktop Services (CVE-2025-27480, CVE-2025-27482) and the Windows Lightweight Directory Access Protocol (CVE-2025-26663, CVE-2025-26670).

Also of note are multiple critical remote code execution flaws in Microsoft Office and Excel (CVE-2025-29791, CVE-2025-27748, and CVE-2025-27752).

Capping off the list of critical flaws are two remote code execution vulnerabilities affecting Windows TCP/IP (CVE-2025-26686) and Windows Hyper-V (CVE-2025-27491) that could allow an attacker to execute code over a network under certain conditions.

It is worth noting that some of the vulnerabilities have not yet received a patch for Windows 10. Microsoft said the update will be “released as soon as possible and if available, customers will be notified by a revision of this CVE information.”

Software patches from other vendors

In addition to Microsoft, other vendors have also released security updates over the past few weeks to rectify some vulnerabilities.
