Microsoft CEO Satya Nadella. Image: Microsoft News

Microsoft’s Patch Tuesday security update for April included 134 flaws, one of which is an actively exploited zero-day flaw.

The security patches for Windows 10 were unavailable when the Windows 11 patches were released. The Windows 10 patches have since arrived, but the delay was unusual.

Tyler Reguly, associate director of security R&D at global cybersecurity software and services provider Fortra, suggested in an email to TechRepublic that the two separate releases and a 40-minute delay in the Windows 11 update might point to something unusual behind the scenes.


CVE-2025-29824 has been detected in the wild

The zero-day vulnerability was CVE-2025-29824, an elevation of privilege bug in the Windows Common Log File System (CLFS) Driver.

“This vulnerability is significant because it affects a core component of Windows, impacting a wide range of environments, including enterprise systems and critical infrastructure,” Mike Walters, president and co-founder of patch automation company Action1, wrote in an email. “If exploited, it allows privilege escalation to SYSTEM level—the highest privilege on a Windows system.”

Elevation of privilege attacks require the threat actor to have a foothold in the system first.

“Elevation of privilege flaws in CLFS have become especially popular among ransomware operators over the years,” Satnam Narang, Tenable’s senior staff research engineer, said in an email.

“What makes this vulnerability particularly concerning is that Microsoft has confirmed active exploitation in the wild, yet at this time, no patch has been released for Windows 10 32-bit or 64-bit systems,” Ben McCarthy, lead cybersecurity engineer at security training company Immersive, added. “The lack of a patch leaves a critical gap in defense for a wide portion of the Windows ecosystem.”

The delayed rollout of Windows 10 patches — paired with a 40-minute delay in the Windows 11 update — adds further weight to concerns about internal disruptions or challenges at Microsoft. While the reason for the delay remains unclear, security researchers are taking note of the timing, particularly given the active exploitation of CVE-2025-29824.

CVE-2025-29824 has been exploited against “a small number of targets” in “organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,” Microsoft disclosed.

“I was recently discussing CLFS vulnerabilities and how they seem to come in waves,” Reguly noted. “When a vulnerability in CLFS is patched, people tend to dig around and look at what’s going on and come across other vulnerabilities in the process. If I was a gambler, I would bet on CLFS appearing again next month.”

Remote code execution and Microsoft Office flaws are common patterns

Other notable parts of April’s Patch Tuesday include a fix for CVE-2025-26663, a critical flaw that could affect organizations running Windows Lightweight Directory Access Protocol (LDAP) servers.

Reguly highlighted CVE-2025-27472, a vulnerability in Mark of the Web (MOTW) that Microsoft listed as Exploitation More Likely. “It is common to see MOTW vulnerabilities utilized by threat actors,” he said. “I wouldn’t be surprised if this is a vulnerability that we see exploited in the future.”


Microsoft released multiple patches for CVEs in Office (CVE-2025-29791, CVE-2025-27749, CVE-2025-27748, and CVE-2025-27745). Microsoft Office’s popularity means these vulnerabilities have the potential for widespread problems, although they all require successful social engineering or remote code execution to inject a malicious file.

While some of these CVEs enabled remote code execution (RCE), this month’s Patch Tuesday told a different story overall.

“For the first time since August 2024, Patch Tuesday vulnerabilities skewed more towards elevation of privilege bugs, which accounted for over 40% (49) of all patched vulnerabilities,” Narang said. “We typically see remote code execution (RCE) flaws dominate Patch Tuesday releases, but only a quarter of flaws (31) were RCEs this month.”

Reguly noted that Office, browsers, and MOTW have often appeared in Patch Tuesday updates lately.

“If I were an infosec buyer, think CISO, I’d be looking at the trends in Microsoft vulnerabilities – recurring and commonly exploited technologies like Office, Edge, CLFS, and MOTW – and I’d be asking my vendors how they are helping me proactively defend against these types of vulnerabilities,” he said.

Apple releases large security update

As KrebsonSecurity pointed out, Apple users shouldn’t forget about security patches.

Apple released a large security update on March 31, addressing some actively exploited vulnerabilities. In general, Patch Tuesday is a good time for organizations to push updates to company-owned devices.

Consider backing up devices before updating in case something breaks in the newly installed software.
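For administrators who want to confirm that this month’s update actually landed on a given host before moving on, the following PowerShell script is an added example (not code from the article, Microsoft, or any of the vendors quoted above). It computes the most recent Patch Tuesday date, lists hotfixes installed on or after it, and reports the version of the CLFS driver (clfs.sys), the component patched for CVE-2025-29824. It assumes an elevated PowerShell session on Windows; KB numbers are deliberately not hardcoded because they differ per Windows build.

```powershell
# Added example: verify Patch Tuesday updates landed and inspect the CLFS driver.
# Assumes Windows PowerShell 5.1 or PowerShell 7 running with administrator rights.

function Get-PatchTuesday {
    param([datetime]$Date = (Get-Date))
    # Patch Tuesday is the second Tuesday of the month.
    $first  = (Get-Date -Year $Date.Year -Month $Date.Month -Day 1).Date
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $second = $first.AddDays($offset + 7)
    if ($second -gt $Date.Date) {
        # This month's Patch Tuesday has not happened yet; use last month's.
        return Get-PatchTuesday -Date $first.AddDays(-1)
    }
    return $second
}

$patchTuesday = Get-PatchTuesday

# Hotfixes installed on or after the most recent Patch Tuesday, newest first.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn.Date -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending

# The CLFS driver is the component affected by CVE-2025-29824; its file version
# and last-write time change when the servicing stack replaces it.
$clfs = Get-Item -Path "$env:SystemRoot\System32\drivers\clfs.sys"

[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    OSVersion                = [System.Environment]::OSVersion.Version.ToString()
    PatchTuesday             = $patchTuesday.ToString('yyyy-MM-dd')
    UpdatesSincePatchTuesday = @($recent).Count
    LatestKB                 = ($recent | Select-Object -First 1).HotFixID
    ClfsFileVersion          = $clfs.VersionInfo.FileVersion
    ClfsLastWrite            = $clfs.LastWriteTime
}
```

Get-HotFix reads Win32_QuickFixEngineering, which omits some update categories, so a count of zero should be cross-checked against Windows Update history rather than treated as proof the host is unpatched.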
