The update includes critical vulnerabilities in Office, Kerberos, LDAP, Hyper-V, and TCP/IP, with a serious flaw exploited by ransomware still pending a patch
Microsoft has released a total of 125 security updates this Tuesday during the April 2025 patch day, which fix issues in multiple products, including a Zero-Day vulnerability actively being exploited that affects millions of devices running Windows 10 and currently has no definitive solution.
Of the reported vulnerabilities, 11 have been classified as critical (all related to remote code execution, RCE), while the remaining 112 are considered important. The patches affect key system components such as Kerberos, Remote Desktop, Microsoft Office, and TCP/IP, among others.
A Zero-Day vulnerability still unpatched
The most alarming case is CVE-2025-29824, a privilege escalation vulnerability in the Windows Common Log File System (CLFS), which has already been exploited in real attacks by groups like RansomEXX. This flaw allows local attackers with limited access to a system to escalate their privileges to the SYSTEM level, equivalent to full control of the system.
Microsoft has confirmed the active exploitation and warned that no patch is currently available for Windows 10 (neither for 32-bit nor 64-bit versions). Updates will be released “soon,” but the risk remains, especially in corporate environments where older system versions are still in use.
Overview of the April patch Tuesday
Below is a breakdown by type of vulnerability included in this massive update:
| Type of Vulnerability | Quantity |
|---|---|
| Privilege Escalation (EoP) | 49 |
| Security Feature Bypass | 9 |
| Remote Code Execution (RCE) | 34 |
| Information Disclosure | 17 |
| Denial of Service (DoS) | 14 |
| Spoofing | 3 |
Additionally, 22 vulnerabilities in Microsoft Edge based on Chromium have been fixed, although these are not included in the main count of the security bulletin.
Critical flaws in Office, Hyper-V, LDAP, and TCP/IP
Among the most concerning flaws fixed are several critical vulnerabilities in the Microsoft Office suite, especially in Excel and Word, which could allow code execution simply by opening a malicious file. The most notable are:
- CVE-2025-29791, CVE-2025-27749, CVE-2025-27752 (Office/Excel): allow remote code execution through specially crafted files.
- CVE-2025-27480 and CVE-2025-27482: critical flaws in Remote Desktop Gateway.
- CVE-2025-26663 and CVE-2025-26670: vulnerabilities in LDAP servers and clients.
- CVE-2025-26686: remote code execution in the TCP/IP component.
- CVE-2025-27491: critical impact on Hyper-V, Windows virtualization system.
Kerberos also under threat
One of the most sensitive vulnerabilities is CVE-2025-29809, which affects the Kerberos authentication system and allows security feature bypassing. Although classified as having “important” severity, its potential impact in corporate environments is high.
The mystery of the “inetpub” folder
A curiosity reported following the installation of the KB5055523 update for Windows 11 is the automatic creation of an empty folder named C:\inetpub, even on machines where Internet Information Services (IIS) is not installed. Although it does not pose a threat or affect system performance, it has caused confusion among IT administrators. Microsoft has yet to clarify whether this is a bug or a planned change.
Other companies also update their systems
Microsoft has not been the only vendor to release updates during April. Other companies that have also published critical patches this month include:
- Adobe
- Apple
- Google (Chrome, Android, Cloud)
- IBM
- AMD, Intel, and Qualcomm
- VMware (Broadcom), Cisco, and Fortinet
- Dell, HP, Lenovo, ASUS
- Amazon Web Services
- Synology, QNAP, and WordPress
- Salesforce, SAP, and Zoom
- Linux distributions such as Ubuntu, Red Hat, and SUSE
Conclusion: a month of high tension in cybersecurity
The mass patching of April highlights once again the complexity of maintaining secure infrastructures in the face of a growing volume of threats. The active exploitation of an unpatched vulnerability for Windows 10 and the presence of multiple critical flaws confirm the urgent need for updating strategies and network segmentation.
Experts from firms like Tenable and Action1 have warned that flaws like the CLFS vulnerability can facilitate lateral movements and persistence in compromised systems, making them particularly attractive to ransomware groups.
Companies and administrators must act quickly: install available patches, monitor systems without immediate updates, and apply mitigation measures until fixes are available.
Sources: Microsoft, The Hacker News, BleepingComputer, Segu-Info.