Microsoft’s mighty bundle of 124 April fixes for Common Vulnerabilities and Exposures (CVEs) in its codebase includes 11 that are rated “critical” and two rated “low”, with the rest rated “important” in severity.
Dustin Childs of the Zero Day Initiative noted that “only one of these bugs is listed as publicly known or under active attack at the time of release”, but that this will be of little comfort.
In a blog post, Childs said of the vulnerability being listed by Microsoft as under active attack: “This privilege escalation bug [CVE-2025-29824] … allows a threat actor to execute their code with System privileges. These types of bugs are often paired with code execution bugs to take over a system. Microsoft gives no indication of how widespread these attacks are.”
Two of the other bugs Childs picked out – CVE-2025-26663 and CVE-2025-26670 – “allow a remote, unauthenticated attacker to execute their code on affected systems just by sending a specially crafted LDAP [Lightweight Directory Access Protocol] message”. He added: “Since just about everything can host an LDAP service, there’s a plethora of targets out there. And since no user interaction is involved, these bugs are wormable.” Wormable means no human interaction is required for the cyber attack to spread.
Of the current crop of Microsoft vulnerabilities being disclosed, Adam Barnett, lead software engineer at Rapid7, said: “The Windows Common Log File System (CLFS) Driver is firmly back on our radar today with CVE-2025-29824, a zero-day local elevation of privilege vulnerability.”
This is the vulnerability that Childs put primary focus on in his post.
Barnett said: “First, the good news: the Acknowledgements section credits the Microsoft Threat Intelligence Center, so the exploit was successfully reproduced by Microsoft; the less-good news is that someone other than Microsoft was first to discover the exploit, because otherwise Microsoft wouldn’t be listing CVE-2025-29824 as exploited in the wild. The advisory does not specify what privilege level is achieved upon successful exploitation, but it’ll be System, because that’s the prize for all the other CLFS [Common Log File System] elevation of privilege zero-day vulnerabilities.
“Defenders responsible for an LDAP server – which means almost any organisation with a non-trivial Microsoft footprint – should add patching for CVE-2025-26663 to their to-do list. With no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker.”
He added this further note of caution: “If you breathe a sigh of relief when you see LDAP server critical RCE vulnerabilities like CVE-2025-26663, because you’re certain that you don’t have any Windows LDAP servers in your estate, how about LDAP clients? CVE-2025-26670 describes a critical RCE [Remote Code Execution] in the LDAP client, although the FAQ confusingly states that exploitation would require an attacker to ‘send specially crafted requests to a vulnerable LDAP server’; this seems like it might be a data entry error on the advisory FAQ, so keep an eye out for an update to that section of the advisory.”
The full list of CVEs released by Microsoft for April 2025 can be found here.
The CVEs encompass, according to Childs’ enumeration, Windows and Windows Components, Office and Office Components, Azure, .Net and Visual Studio, BitLocker, Kerberos, Windows Hello, OpenSSH, and Windows Lightweight Directory Access Protocol.
