Report Name: Microsoft Patch Tuesday, April 2025
Generated: 2025-04-09 10:53:29

Product Name	Prevalence	U	C	H	M	L	A	Comment
Active Directory	0.9			2			2	Active Directory is a directory service developed by Microsoft for Windows domain networks
Microsoft Message Queuing	0.9				1		1	Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95
Windows Kernel	0.9			9	23		32	Windows Kernel
Windows LDAP	0.9			1			1	Windows LDAP (Lightweight Directory Access Protocol) is an open and cross platform protocol used for directory services authentication
Windows TCP/IP	0.9			1			1	Windows component
Windows Win32k	0.9			1	1		2	The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management.
.NET Core	0.8				1		1	.NET Core
BitLocker	0.8				1		1	A full volume encryption feature included with Microsoft Windows versions starting with Windows Vista
Chromium	0.8	1	1	7	11	1	21	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
DirectX Graphics Kernel	0.8				1		1	DirectX Graphics Kernel
Microsoft AutoUpdate	0.8			1	1		2	Microsoft AutoUpdate (MAU) is a utility designed to keep Microsoft applications up-to-date on macOS.
Microsoft Edge	0.8				1		1	Web browser
Microsoft Local Security Authority Server	0.8				2		2	LSASS, the Windows Local Security Authority Server process, handles Windows security mechanisms
Microsoft Office	0.8			14	4		18	Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer
Microsoft Streaming Service	0.8				1		1	Windows component
OpenSSH	0.8				1		1	OpenSSH is a suite of secure networking utilities based on the Secure Shell protocol, which provides a secure channel over an unsecured network in a client–server architecture
Windows Admin Center	0.8				1		1	Windows component
Windows Bluetooth	0.8				1		1	Windows component
Windows Common Log File System Driver	0.8		1				1	Common Log File System is a general-purpose logging subsystem that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs
Windows Cryptographic	0.8				1		1	Windows component
Windows DWM Core Library	0.8				5		5	Windows component
Windows Defender Application Control	0.8			1			1	Windows component
Windows Graphics Component	0.8				1		1	Windows component
Windows HTTP.sys	0.8				1		1	Windows component
Windows Hello	0.8				2		2	Windows component
Windows Installer	0.8				1		1	Windows component
Windows Kerberos	0.8				3		3	Windows component
Windows Kernel-Mode Driver	0.8				1		1	Windows component
Windows Lightweight Directory Access Protocol (LDAP)	0.8			1	2		3	Windows component
Windows Local Session Manager (LSM)	0.8				1		1	Windows component
Windows Mark of the Web	0.8				1		1	Windows component
Windows Media	0.8			2			2	Windows component
Windows NTFS	0.8				5		5	The default file system of the Windows NT family
Windows Remote Desktop Client	0.8			1			1	Remote Desktop Protocol Client
Windows Remote Desktop Services	0.8			3			3	Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection
Windows Resilient File System (ReFS)	0.8				1		1	Windows component
Windows Secure Channel	0.8				2		2	Windows component
Windows Shell	0.8			1			1	Windows component
Windows Subsystem for Linux	0.8				1		1	Windows component
Windows Update	0.8				2		2	Windows Update is a service that automates downloading and installing Windows software updates over the Internet
Kubernetes	0.7		4	1			5	Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management
RPC Endpoint Mapper Service	0.7				1		1	RPC Endpoint Mapper Service
Windows Hyper-V	0.6				1		1	Hardware virtualization component of the client editions of Windows NT
Microsoft Partner Center	0.5			1			1	Microsoft Partner Center is a powerful, all-in-one platform that Microsoft provides for managing your partnership with them.
Microsoft System Center	0.5				1		1	Microsoft System Center is a suite of software products designed to simplify the deployment, configuration and management of IT infrastructure and virtualized software-defined data centers (SDDCs).
Microsoft Virtual Hard Disk	0.5				1		1	The Virtual Hard Disk (VHD) format is a publicly-available image format specification that allows encapsulation of the hard disk into an individual file.
Outlook for Android	0.5				1		1	Outlook for Android
SQL Server Management Studio	0.5				1		1	SQL Server Management Studio
Azure	0.4				5		5	Azure
Dynamics Business Central	0.4				1		1	Dynamics Business Central
Visual Studio	0.3				3		3	Integrated development environment
Microsoft Dataverse	0.2				2		2	Microsoft Dataverse

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0		5	32	3		40
Authentication Bypass	0.98			5	5		10
Command Injection	0.97				1		1
Security Feature Bypass	0.9	1		6	18		25
Elevation of Privilege	0.85		1	2	35		38
Information Disclosure	0.83			1	12		13
Cross Site Scripting	0.8				1		1
Denial of Service	0.7				14		14
Memory Corruption	0.5			1	5		6
Spoofing	0.4				4		4
Unknown Vulnerability Type	0					1	1

Source	U	C	H	M	L	A
MS PT Extended	1	5	9	16	1	32
Qualys		1	11	7		19
Tenable		1	8	3		12
Rapid7		1	4	1		6
ZDI		1	4	1		6

Urgent (1)

1. Security Feature Bypass - Chromium (CVE-2025-2783) - Urgent [913]

Description: Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)

MS PT Extended: CVE-2025-2783 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

Critical (6)

2. Remote Code Execution - Kubernetes (CVE-2025-1974) - Critical [735]

Description: A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

MS PT Extended: CVE-2025-1974 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

3. Elevation of Privilege - Windows Common Log File System Driver (CVE-2025-29824) - Critical [716]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability. Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

Qualys: CVE-2025-29824: Windows Common Log File System Driver Elevation of Privilege Vulnerability The Common Log File System (CLFS) is a general-purpose logging service used by software clients running in user or kernel mode. CLFS can be used for data management, database systems, messaging, Online Transactional Processing (OLTP), and other transactional systems. The use after free flaw in the Windows Common Log File System Driver could allow an authenticated attacker to elevate privileges locally. Upon successful exploitation, an attacker may gain SYSTEM privileges. CISA added the CVE-2025-29824 to its Known Exploited Vulnerabilities Catalog, acknowledging its active exploitation. CISA urges users to patch the vulnerability before April 29, 2025.

Tenable: Microsoft’s April 2025 Patch Tuesday Addresses 121 CVEs (CVE-2025-29824)

Tenable: CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability

Tenable: CVE-2025-29824 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. It was exploited in the wild as a zero-day. Microsoft identified this vulnerability in ransomware deployed by the PipeMagic malware via the group tracked as Storm-2460.

Rapid7: The Windows Common Log File System (CLFS) Driver is firmly back on our radar today with CVE-2025-29824, a zero-day local elevation of privilege vulnerability. First, the good news: the Acknowledgements section credits the Microsoft Threat Intelligence Center, so the exploit was successfully reproduced by Microsoft; the less-good news is that someone other than Microsoft was first to discover the exploit, because otherwise Microsoft wouldn’t be listing CVE-2025-29824 as exploited in the wild. The advisory does not specify what privilege level is achieved upon successful exploitation, but it’ll be SYSTEM, because that’s the prize for all the other CLFS elevation of privilege zero-day vulnerabilities. As usual, some form of less-privileged local access is a pre-requisite, but attack complexity is low, so this is the sort of vulnerability which goes into any standard break-and-enter toolkit. Given the long history of similar vulnerabilities, it would be more surprising if exploit code wasn’t publicly available in the not-too-distant future. Although December 2024 Patch Tuesday seems as though it must have been a very long time ago, any standard calendar will tell us that only 119 days have elapsed since the last zero-day CLFS local elevation of privilege. Rapid7 discussed the history of CLFS zero-day elevation of privilege vulnerabilities at the time. All versions of Windows receive a patch, except for the venerable LTSC Windows 10 1507, which is listed on the advisory as vulnerable, but left out in the cold with no update; the FAQ says to check back later. Windows 10 LTSC 1507 is scheduled for end of servicing on 2025-10-14, so the clock is ticking regardless.

ZDI: CVE-2025-29824 - Windows Common Log File System Driver Elevation of Privilege Vulnerability. This privilege escalation bug is listed as under active attack and allows a threat actor to execute their code with SYSTEM privileges. These types of bugs are often paired with code execution bugs to take over a system. Microsoft gives no indication of how widespread these attacks are. Regardless, test and deploy this update quickly.

4. Remote Code Execution - Kubernetes (CVE-2025-1098) - Critical [652]

Description: {'ms_cve_data_all': 'Kubernetes: Vulnerability in Kubernetes NGINX Ingress Controller. Ingress Controllers play a critical role within Kubernetes clusters by enabling the functionality of Ingress resources.\nAzure Kubernetes Service (AKS) is aware of several security vulnerabilities affecting the Kubernetes ingress-nginx controller, including CVE-2025-1098, CVE-2025-1974, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.\nCustomers running this controller on their AKS clusters are advised to update to the latest patched versions (v1.11.5 and v1.12.1) to mitigate potential risks.\n', 'nvd_cve_data_all': 'A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2025-1098 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

5. Remote Code Execution - Kubernetes (CVE-2025-24514) - Critical [652]

Description: {'ms_cve_data_all': 'Kubernetes: Vulnerability in Kubernetes NGINX Ingress Controller. Ingress Controllers play a critical role within Kubernetes clusters by enabling the functionality of Ingress resources.\nAzure Kubernetes Service (AKS) is aware of several security vulnerabilities affecting the Kubernetes ingress-nginx controller, including CVE-2025-1098, CVE-2025-1974, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.\nCustomers running this controller on their AKS clusters are advised to update to the latest patched versions (v1.11.5 and v1.12.1) to mitigate potential risks.\n', 'nvd_cve_data_all': 'A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2025-24514 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

6. Remote Code Execution - Chromium (CVE-2025-24201) - Critical [645]

Description: Chromium: CVE-2025-24201 Out of bounds write in GPU on Mac. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware of reports that an exploit for CVE-2025-24201 exists in the wild.

MS PT Extended: CVE-2025-24201 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

7. Remote Code Execution - Kubernetes (CVE-2025-1097) - Critical [640]

Description: {'ms_cve_data_all': 'Kubernetes: Vulnerability in Kubernetes NGINX Ingress Controller. Ingress Controllers play a critical role within Kubernetes clusters by enabling the functionality of Ingress resources.\nAzure Kubernetes Service (AKS) is aware of several security vulnerabilities affecting the Kubernetes ingress-nginx controller, including CVE-2025-1098, CVE-2025-1974, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.\nCustomers running this controller on their AKS clusters are advised to update to the latest patched versions (v1.11.5 and v1.12.1) to mitigate potential risks.\n', 'nvd_cve_data_all': 'A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2025-1097 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

High (47)

8. Security Feature Bypass - Kubernetes (CVE-2025-24513) - High [551]

Description: {'ms_cve_data_all': 'Kubernetes: Vulnerability in Kubernetes NGINX Ingress Controller. Ingress Controllers play a critical role within Kubernetes clusters by enabling the functionality of Ingress resources.\nAzure Kubernetes Service (AKS) is aware of several security vulnerabilities affecting the Kubernetes ingress-nginx controller, including CVE-2025-1098, CVE-2025-1974, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.\nCustomers running this controller on their AKS clusters are advised to update to the latest patched versions (v1.11.5 and v1.12.1) to mitigate potential risks.\n', 'nvd_cve_data_all': 'A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2025-24513 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

9. Remote Code Execution - Chromium (CVE-2025-29806) - High [511]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.

MS PT Extended: CVE-2025-29806 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

10. Security Feature Bypass - Microsoft Partner Center (CVE-2025-29814) - High [479]

Description: Improper authorization in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.

MS PT Extended: CVE-2025-29814 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

11. Elevation of Privilege - Windows Win32k (CVE-2025-26681) - High [466]

Description: Win32k Elevation of Privilege Vulnerability. Use after free in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.

12. Remote Code Execution - Chromium (CVE-2025-25000) - High [466]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.

MS PT Extended: CVE-2025-25000 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

13. Remote Code Execution - Windows Kernel (CVE-2025-21205) - High [435]

Description: Windows Telephony Service Remote Code Execution Vulnerability. Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network.

14. Remote Code Execution - Windows Kernel (CVE-2025-21221) - High [435]

Description: Windows Telephony Service Remote Code Execution Vulnerability. Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network.

15. Remote Code Execution - Windows Kernel (CVE-2025-21222) - High [435]

Description: Windows Telephony Service Remote Code Execution Vulnerability. Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network.

16. Remote Code Execution - Windows Kernel (CVE-2025-27477) - High [435]

Description: Windows Telephony Service Remote Code Execution Vulnerability. Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network.

17. Remote Code Execution - Windows Kernel (CVE-2025-27481) - High [435]

Description: Windows Telephony Service Remote Code Execution Vulnerability. Stack-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network.

18. Authentication Bypass - Active Directory (CVE-2025-27740) - High [432]

Description: Weak authentication in Windows Active Directory Certificate Services allows an authorized attacker to elevate privileges over a network.

Tenable: CVE-2025-27740 | Active Directory Certificate Services Elevation of Privilege Vulnerability

Tenable: CVE-2025-27740 is an EoP vulnerability affecting Active Directory Certificate Services. It was assigned a CVSSv3 score of 8.8 and is rated as important. According to Microsoft, successful exploitation would allow an attacker to gain domain administrator privileges by manipulating computer accounts. This vulnerability is assessed as “Exploitation Less Likely.”

19. Remote Code Execution - Chromium (CVE-2025-29815) - High [430]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. Use after free in Microsoft Edge (Chromium-based) allows an authorized attacker to execute code over a network.

MS PT Extended: CVE-2025-29815 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

20. Memory Corruption - Chromium (CVE-2025-2476) - High [425]

Description: Chromium: CVE-2025-2476 Use after free in Lens. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-2476 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

21. Security Feature Bypass - Chromium (CVE-2025-3068) - High [425]

Description: Inappropriate implementation in Intents in Google Chrome on Android prior to 135.0.7049.52 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2025-3068 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

22. Security Feature Bypass - Chromium (CVE-2025-3069) - High [425]

Description: Inappropriate implementation in Extensions in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2025-3069 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

23. Remote Code Execution - Windows Kernel (CVE-2025-26668) - High [423]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability. Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.

24. Remote Code Execution - Windows LDAP (CVE-2025-26670) - High [423]

Description: Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability. Use after free in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to execute code over a network.

Qualys: CVE-2025-26663 and CVE-2025-26670: Windows Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability An LDAP client is a software application or tool that uses the Lightweight Directory Access Protocol (LDAP) to interact with a directory service, enabling tasks like searching, retrieving, and managing information stored in a hierarchical structure. The use after free flaw in Lightweight Directory Access Protocol could allow an unauthenticated attacker to achieve remote code execution. An unauthenticated attacker may exploit the vulnerabilities by sending specially crafted requests to a vulnerable LDAP server.

Tenable: CVE-2025-26663 and CVE-2025-26670 | Multiple Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerabilities

Tenable: CVE-2025-26663 and CVE-2025-26670 are critical RCE vulnerabilities affecting Windows Lightweight Directory Access Protocol (LDAP) and LDAP Client respectively. These vulnerabilities were assigned a CVSSv3 score of 8.1, rated as critical and assessed as “Exploitation More Likely" according to Microsoft. Successful exploitation of either requires winning a race condition via a specially crafted request resulting in a use after free. If successful, the attacker could achieve RCE on an affected host.

Rapid7: If you breathe a sigh of relief when you see LDAP server critical RCE vulnerabilities like CVE-2025-26663, because you’re certain that you don’t have any Windows LDAP servers in your estate, how about LDAP clients? CVE-2025-26670 describes a critical RCE in the LDAP client, although the FAQ confusingly states that exploitation would require an attacker to “send specially crafted requests to a vulnerable LDAP server”; this seems like it might be a data entry error on the advisory FAQ, so keep an eye out for an update to that section of the advisory. Assuming the rest of the advisory is all present and correct, exploitation requires that the attacker win a race condition, which keeps the attack complexity higher than it otherwise would be. While we wait for clarification, it’s still a critical RCE which Microsoft rates as “exploitation more likely”. On that basis, patching is always recommended.

ZDI: CVE-2025-26663/CVE-2025-26670 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. These bugs allow a remote, unauthenticated attacker to execute their code on affected systems just by sending a specially crafted LDAP message. They would need to win a race condition, but we’ve seen plenty of exploits work around this requirement. Since just about everything can host an LDAP service, there’s a plethora of targets out there. And since no user interaction is involved, these bugs are wormable. LDAP really shouldn’t be allowed through your network perimeter, but don’t rely on that alone. Test and deploy these updates quickly – unless you’re running Windows 10. Those patches aren’t available yet.

25. Remote Code Execution - Windows TCP/IP (CVE-2025-26686) - High [423]

Description: Windows TCP/IP Remote Code Execution Vulnerability. Sensitive data storage in improperly locked memory in Windows TCP/IP allows an unauthorized attacker to execute code over a network.

Qualys: CVE-2025-26686: Windows TCP/IP Remote Code Execution Vulnerability TCP/IP stands for Transmission Control Protocol/Internet Protocol and is a suite of communication protocols used to interconnect network devices on the Internet. TCP/IP is also used as a communications protocol in a private computer network — an intranet or extranet. An attacker must win a race condition to exploit the vulnerability. Sensitive data storage in improperly locked memory in Windows TCP/IP allows an unauthorized attacker to execute code over a network.

26. Authentication Bypass - Active Directory (CVE-2025-29810) - High [420]

Description: Improper access control in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.

27. Remote Code Execution - Microsoft Office (CVE-2025-29794) - High [419]

Description: Microsoft SharePoint Remote Code Execution Vulnerability. Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Qualys: Other Microsoft Vulnerability Highlights  CVE-2025-27727 is an elevation of privilege vulnerability in Windows Installer. An attacker may exploit the vulnerability to gain SYSTEM privileges. CVE-2025-29792 is an elevation of privilege vulnerability in Microsoft Office. Upon successful exploitation, an attacker could gain SYSTEM privileges. CVE-2025-29793 is a remote code execution vulnerability in Microsoft SharePoint. An authenticated attacker with Site Owner permissions may exploit the vulnerability to execute code remotely in the context of SharePoint Server. CVE-2025-29794 is a remote code execution vulnerability in Microsoft SharePoint. An authenticated attacker with Site Owner permissions may exploit the vulnerability to execute code remotely in the context of SharePoint Server. CVE-2025-29809 is a security feature bypass vulnerability in Windows Kerberos. An attacker who successfully exploited this vulnerability could bypass the Windows Defender Credential Guard feature to leak Kerberos’s credentials. CVE-2025-27472 is a security feature bypass vulnerability in Windows Mark of the Web. Protection mechanism failure in Windows Mark of the Web (MOTW) could allow an unauthenticated attacker to bypass a security feature over a network. CVE-2025-29812 is an elevation of privilege vulnerability in the DirectX Graphics Kernel. An attacker may exploit the vulnerability to gain SYSTEM privileges.

Tenable: CVE-2025-29793 and CVE-2025-29794 | Microsoft SharePoint Remote Code Execution Vulnerability

Tenable: CVE-2025-29793 and CVE-2025-29794 are RCE vulnerabilities affecting Microsoft SharePoint Server. The most severe of these vulnerabilities was assigned a CVSSv3 score of 8.8 and both were rated as important. Successful exploitation would grant an attacker the ability to execute arbitrary code. According to Microsoft, an attacker would need to be authenticated in order to exploit this vulnerability.

28. Security Feature Bypass - Windows Kernel (CVE-2025-27737) - High [417]

Description: Windows Security Zone Mapping Security Feature Bypass Vulnerability. Improper input validation in Windows Security Zone Mapping allows an unauthorized attacker to bypass a security feature locally.

29. Elevation of Privilege - Chromium (CVE-2025-3067) - High [416]

Description: Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted app. (Chromium security severity: Medium)

MS PT Extended: CVE-2025-3067 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

30. Remote Code Execution - Microsoft Office (CVE-2025-26642) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability. Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally.

31. Remote Code Execution - Microsoft Office (CVE-2025-27745) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability. Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Qualys: CVE-2025-27745, CVE-2025-27748, and CVE-2025-27749: Microsoft Office Remote Code Execution Vulnerability The use after free flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.

32. Remote Code Execution - Microsoft Office (CVE-2025-27746) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability. Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

33. Remote Code Execution - Microsoft Office (CVE-2025-27747) - High [407]

Description: Microsoft Word Remote Code Execution Vulnerability. Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

34. Remote Code Execution - Microsoft Office (CVE-2025-27748) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability. Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Qualys: CVE-2025-27745, CVE-2025-27748, and CVE-2025-27749: Microsoft Office Remote Code Execution Vulnerability The use after free flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.

35. Remote Code Execution - Microsoft Office (CVE-2025-27749) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability. Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Qualys: CVE-2025-27745, CVE-2025-27748, and CVE-2025-27749: Microsoft Office Remote Code Execution Vulnerability The use after free flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.

36. Remote Code Execution - Microsoft Office (CVE-2025-27750) - High [407]

Description: Microsoft Excel Remote Code Execution Vulnerability. Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

37. Remote Code Execution - Microsoft Office (CVE-2025-27751) - High [407]

Description: Microsoft Excel Remote Code Execution Vulnerability. Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

38. Remote Code Execution - Microsoft Office (CVE-2025-27752) - High [407]

Description: Microsoft Excel Remote Code Execution Vulnerability. Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Qualys: CVE-2025-27752: Microsoft Excel Remote Code Execution Vulnerability The heap-based buffer overflow flaw in Microsoft Office Excel could allow an unauthenticated attacker to achieve remote code execution. 

39. Remote Code Execution - Microsoft Office (CVE-2025-29791) - High [407]

Description: Microsoft Excel Remote Code Execution Vulnerability. Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

Qualys: CVE-2025-29791: Microsoft Excel Remote Code Execution Vulnerability The type confusion in Microsoft Office Excel could allow an unauthenticated attacker to achieve remote code execution.

40. Remote Code Execution - Microsoft Office (CVE-2025-29820) - High [407]

Description: Microsoft Word Remote Code Execution Vulnerability. Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

41. Remote Code Execution - Microsoft Office (CVE-2025-29823) - High [407]

Description: Microsoft Excel Remote Code Execution Vulnerability. Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

42. Remote Code Execution - Windows Lightweight Directory Access Protocol (LDAP) (CVE-2025-26663) - High [407]

Description: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. Use after free in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to execute code over a network.

Qualys: CVE-2025-26663 and CVE-2025-26670: Windows Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability An LDAP client is a software application or tool that uses the Lightweight Directory Access Protocol (LDAP) to interact with a directory service, enabling tasks like searching, retrieving, and managing information stored in a hierarchical structure. The use after free flaw in Lightweight Directory Access Protocol could allow an unauthenticated attacker to achieve remote code execution. An unauthenticated attacker may exploit the vulnerabilities by sending specially crafted requests to a vulnerable LDAP server.

Tenable: CVE-2025-26663 and CVE-2025-26670 | Multiple Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerabilities

Tenable: CVE-2025-26663 and CVE-2025-26670 are critical RCE vulnerabilities affecting Windows Lightweight Directory Access Protocol (LDAP) and LDAP Client respectively. These vulnerabilities were assigned a CVSSv3 score of 8.1, rated as critical and assessed as “Exploitation More Likely" according to Microsoft. Successful exploitation of either requires winning a race condition via a specially crafted request resulting in a use after free. If successful, the attacker could achieve RCE on an affected host.

Rapid7: Although it has been many months since we’ve seen a critical zero-day vulnerability from Microsoft, there is no shortage of critical remote code execution (RCE) vulnerabilities published today. Defenders responsible for an LDAP server — which means almost any organization with a non-trivial Microsoft footprint — should add patching for CVE-2025-26663 to their to-do list. With no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker. Anyone wondering if today is a re-run of December 2024 Patch Tuesday can take some small solace in the fact that the worst of the trio of LDAP critical RCEs published at the end of last year was likely easier to exploit than today’s example, since today’s CVE-2025-26663 requires that an attacker win a race condition. Despite that, Microsoft still expects that exploitation is more likely.

Rapid7: If you breathe a sigh of relief when you see LDAP server critical RCE vulnerabilities like CVE-2025-26663, because you’re certain that you don’t have any Windows LDAP servers in your estate, how about LDAP clients? CVE-2025-26670 describes a critical RCE in the LDAP client, although the FAQ confusingly states that exploitation would require an attacker to “send specially crafted requests to a vulnerable LDAP server”; this seems like it might be a data entry error on the advisory FAQ, so keep an eye out for an update to that section of the advisory. Assuming the rest of the advisory is all present and correct, exploitation requires that the attacker win a race condition, which keeps the attack complexity higher than it otherwise would be. While we wait for clarification, it’s still a critical RCE which Microsoft rates as “exploitation more likely”. On that basis, patching is always recommended.

ZDI: CVE-2025-26663/CVE-2025-26670 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. These bugs allow a remote, unauthenticated attacker to execute their code on affected systems just by sending a specially crafted LDAP message. They would need to win a race condition, but we’ve seen plenty of exploits work around this requirement. Since just about everything can host an LDAP service, there’s a plethora of targets out there. And since no user interaction is involved, these bugs are wormable. LDAP really shouldn’t be allowed through your network perimeter, but don’t rely on that alone. Test and deploy these updates quickly – unless you’re running Windows 10. Those patches aren’t available yet.

43. Remote Code Execution - Windows Media (CVE-2025-26666) - High [407]

Description: Windows Media Remote Code Execution Vulnerability. Heap-based buffer overflow in Windows Media allows an authorized attacker to execute code locally.

44. Remote Code Execution - Windows Media (CVE-2025-26674) - High [407]

Description: Windows Media Remote Code Execution Vulnerability. Heap-based buffer overflow in Windows Media allows an authorized attacker to execute code locally.

45. Remote Code Execution - Windows Remote Desktop Client (CVE-2025-27487) - High [407]

Description: Remote Desktop Client Remote Code Execution Vulnerability. Heap-based buffer overflow in Remote Desktop Client allows an authorized attacker to execute code over a network.

Tenable: Microsoft also patched an RCE vulnerability in Remote Desktop Client (CVE-2025-27487).

46. Remote Code Execution - Windows Remote Desktop Services (CVE-2025-26671) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability. Use after free in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network.

Tenable: CVE-2025-26671, CVE-2025-27482 and CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Tenable: CVE-2025-26671, CVE-2025-27480 and CVE-2025-27482 are RCE vulnerabilities in Windows Remote Desktop Gateway Service. Each was assigned a CVSSv3 score of 8.1 and two were rated as critical, with CVE-2025-26671 having a rating of Important. To exploit these flaws, an attacker must be able to win a race condition. Despite this requirement, Microsoft assessed CVE-2025-27482 and CVE-2025-27480 as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

47. Remote Code Execution - Windows Remote Desktop Services (CVE-2025-27480) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability. Use after free in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network.

Qualys: CVE-2025-27480: Windows Remote Desktop Services Remote Code Execution Vulnerability The use after free flaw in Remote Desktop Gateway Service could allow an unauthenticated attacker to execute code remotely. An attacker could successfully exploit this vulnerability by connecting to a system with the Remote Desktop Gateway role, triggering the race condition to create a use-after-free scenario, and then execute arbitrary code.

Tenable: CVE-2025-26671, CVE-2025-27482 and CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Tenable: CVE-2025-26671, CVE-2025-27480 and CVE-2025-27482 are RCE vulnerabilities in Windows Remote Desktop Gateway Service. Each was assigned a CVSSv3 score of 8.1 and two were rated as critical, with CVE-2025-26671 having a rating of Important. To exploit these flaws, an attacker must be able to win a race condition. Despite this requirement, Microsoft assessed CVE-2025-27482 and CVE-2025-27480 as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

Rapid7: The prolific Windows vulnerability pioneers at Kunlun Lab are credited with a pair of critical RCE vulnerabilities in Windows Remote Desktop Services. Although both CVE-2025-27480 and CVE-2025-27482 share a CVSSv3 base score of 8.1, Microsoft has ranked them both as critical using its own proprietary severity ranking scale. Both vulnerabilities require that an attacker win a race condition. If you’ve ever read Microsoft’s guide to deploying the Remote Desktop Gateway role, you probably have some systems to patch.

ZDI: CVE-2025-27480/CVE-2025-27482 - Windows Remote Desktop Services Remote Code Execution Vulnerability. Here are some more Critical-rated bugs that don’t rely on user interaction. An attacker just needs to connect to an affected system with the Remote Desktop Gateway role to trigger another race condition, resulting in code execution. RDS is popular for remote management, so it is often reachable from the Internet. If you must leave it open to the world, consider IP restricting it to known users, then test and deploy these patches.

48. Remote Code Execution - Windows Remote Desktop Services (CVE-2025-27482) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability. Sensitive data storage in improperly locked memory in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network.

Qualys: CVE-2025-27482: Windows Remote Desktop Services Remote Code Execution Vulnerability In Remote Desktop Gateway Service, sensitive data storage in improperly locked memory can allow an unauthenticated attacker to execute remote code.

Tenable: CVE-2025-26671, CVE-2025-27482 and CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Tenable: CVE-2025-26671, CVE-2025-27480 and CVE-2025-27482 are RCE vulnerabilities in Windows Remote Desktop Gateway Service. Each was assigned a CVSSv3 score of 8.1 and two were rated as critical, with CVE-2025-26671 having a rating of Important. To exploit these flaws, an attacker must be able to win a race condition. Despite this requirement, Microsoft assessed CVE-2025-27482 and CVE-2025-27480 as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

Rapid7: The prolific Windows vulnerability pioneers at Kunlun Lab are credited with a pair of critical RCE vulnerabilities in Windows Remote Desktop Services. Although both CVE-2025-27480 and CVE-2025-27482 share a CVSSv3 base score of 8.1, Microsoft has ranked them both as critical using its own proprietary severity ranking scale. Both vulnerabilities require that an attacker win a race condition. If you’ve ever read Microsoft’s guide to deploying the Remote Desktop Gateway role, you probably have some systems to patch.

ZDI: CVE-2025-27480/CVE-2025-27482 - Windows Remote Desktop Services Remote Code Execution Vulnerability. Here are some more Critical-rated bugs that don’t rely on user interaction. An attacker just needs to connect to an affected system with the Remote Desktop Gateway role to trigger another race condition, resulting in code execution. RDS is popular for remote management, so it is often reachable from the Internet. If you must leave it open to the world, consider IP restricting it to known users, then test and deploy these patches.

49. Remote Code Execution - Windows Shell (CVE-2025-27729) - High [407]

Description: Windows Shell Remote Code Execution Vulnerability. Use after free in Windows Shell allows an unauthorized attacker to execute code locally.

50. Information Disclosure - Windows Kernel (CVE-2025-26669) - High [405]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability. Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

51. Security Feature Bypass - Windows Kernel (CVE-2025-29811) - High [405]

Description: Improper input validation in Windows Mobile Broadband allows an authorized attacker to elevate privileges locally.

52. Authentication Bypass - Microsoft AutoUpdate (CVE-2025-29801) - High [403]

Description: Incorrect default permissions in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally.

53. Authentication Bypass - Microsoft Office (CVE-2025-27744) - High [403]

Description: Improper access control in Microsoft Office allows an authorized attacker to elevate privileges locally.

54. Authentication Bypass - Windows Defender Application Control (CVE-2025-26678) - High [403]

Description: Improper access control in Windows Defender Application Control (WDAC) allows an unauthorized attacker to bypass a security feature locally.

Medium (98)

55. Elevation of Privilege - Windows Kernel (CVE-2025-26639) - Medium [397]

Description: Windows USB Print Driver Elevation of Privilege Vulnerability. Integer overflow or wraparound in Windows USB Print Driver allows an authorized attacker to elevate privileges locally.

56. Elevation of Privilege - Windows Kernel (CVE-2025-26648) - Medium [397]

Description: Windows Kernel Elevation of Privilege Vulnerability. Sensitive data storage in improperly locked memory in Windows Kernel allows an authorized attacker to elevate privileges locally.

57. Elevation of Privilege - Windows Kernel (CVE-2025-27467) - Medium [397]

Description: Windows Digital Media Elevation of Privilege Vulnerability. Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.

58. Elevation of Privilege - Windows Kernel (CVE-2025-27476) - Medium [397]

Description: Windows Digital Media Elevation of Privilege Vulnerability. Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.

59. Elevation of Privilege - Windows Kernel (CVE-2025-27484) - Medium [397]

Description: Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability. Sensitive data storage in improperly locked memory in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges over a network.

60. Elevation of Privilege - Windows Kernel (CVE-2025-27730) - Medium [397]

Description: Windows Digital Media Elevation of Privilege Vulnerability. Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.

61. Elevation of Privilege - Windows Kernel (CVE-2025-27739) - Medium [397]

Description: Windows Kernel Elevation of Privilege Vulnerability. Untrusted pointer dereference in Windows Kernel allows an authorized attacker to elevate privileges locally.

62. Elevation of Privilege - Windows Win32k (CVE-2025-26687) - Medium [397]

Description: Win32k Elevation of Privilege Vulnerability. Use after free in Windows Win32K - GRFX allows an unauthorized attacker to elevate privileges over a network.

63. Remote Code Execution - Microsoft Office (CVE-2025-29793) - Medium [395]

Description: Microsoft SharePoint Remote Code Execution Vulnerability. Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Qualys: Other Microsoft Vulnerability Highlights  CVE-2025-27727 is an elevation of privilege vulnerability in Windows Installer. An attacker may exploit the vulnerability to gain SYSTEM privileges. CVE-2025-29792 is an elevation of privilege vulnerability in Microsoft Office. Upon successful exploitation, an attacker could gain SYSTEM privileges. CVE-2025-29793 is a remote code execution vulnerability in Microsoft SharePoint. An authenticated attacker with Site Owner permissions may exploit the vulnerability to execute code remotely in the context of SharePoint Server. CVE-2025-29794 is a remote code execution vulnerability in Microsoft SharePoint. An authenticated attacker with Site Owner permissions may exploit the vulnerability to execute code remotely in the context of SharePoint Server. CVE-2025-29809 is a security feature bypass vulnerability in Windows Kerberos. An attacker who successfully exploited this vulnerability could bypass the Windows Defender Credential Guard feature to leak Kerberos’s credentials. CVE-2025-27472 is a security feature bypass vulnerability in Windows Mark of the Web. Protection mechanism failure in Windows Mark of the Web (MOTW) could allow an unauthenticated attacker to bypass a security feature over a network. CVE-2025-29812 is an elevation of privilege vulnerability in the DirectX Graphics Kernel. An attacker may exploit the vulnerability to gain SYSTEM privileges.

Tenable: CVE-2025-29793 and CVE-2025-29794 | Microsoft SharePoint Remote Code Execution Vulnerability

Tenable: CVE-2025-29793 and CVE-2025-29794 are RCE vulnerabilities affecting Microsoft SharePoint Server. The most severe of these vulnerabilities was assigned a CVSSv3 score of 8.8 and both were rated as important. Successful exploitation would grant an attacker the ability to execute arbitrary code. According to Microsoft, an attacker would need to be authenticated in order to exploit this vulnerability.

64. Elevation of Privilege - Chromium (CVE-2025-29795) - Medium [392]

Description: Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability. Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based) allows an authorized attacker to elevate privileges locally.

MS PT Extended: CVE-2025-29795 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

65. Authentication Bypass - Windows Hello (CVE-2025-26635) - Medium [391]

Description: Weak authentication in Windows Hello allows an authorized attacker to bypass a security feature over a network.

66. Authentication Bypass - Windows NTFS (CVE-2025-21197) - Medium [391]

Description: Improper access control in Windows NTFS allows an authorized attacker to disclose file path information under a folder where the attacker doesn't have permission to list content.

67. Authentication Bypass - Windows Resilient File System (ReFS) (CVE-2025-27738) - Medium [391]

Description: Improper access control in Windows Resilient File System (ReFS) allows an authorized attacker to disclose information over a network.

68. Remote Code Execution - Microsoft Dataverse (CVE-2025-29807) - Medium [390]

Description: Microsoft Dataverse Remote Code Execution Vulnerability. Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network.

MS PT Extended: CVE-2025-29807 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

69. Security Feature Bypass - Chromium (CVE-2025-3070) - Medium [389]

Description: Chromium: CVE-2025-3070 Insufficient validation of untrusted input in Extensions. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-3070 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

70. Security Feature Bypass - Microsoft Office (CVE-2025-29816) - Medium [389]

Description: Microsoft Word Security Feature Bypass Vulnerability. Improper input validation in Microsoft Office Word allows an unauthorized attacker to bypass a security feature over a network.

71. Security Feature Bypass - Microsoft Office (CVE-2025-29822) - Medium [389]

Description: Microsoft OneNote Security Feature Bypass Vulnerability. Incomplete list of disallowed inputs in Microsoft Office OneNote allows an unauthorized attacker to bypass a security feature locally.

72. Security Feature Bypass - OpenSSH (CVE-2025-27731) - Medium [389]

Description: Improper input validation in OpenSSH for Windows allows an authorized attacker to elevate privileges locally.

73. Security Feature Bypass - Windows DWM Core Library (CVE-2025-24058) - Medium [389]

Description: Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

74. Security Feature Bypass - Windows DWM Core Library (CVE-2025-24060) - Medium [389]

Description: Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

75. Security Feature Bypass - Windows DWM Core Library (CVE-2025-24062) - Medium [389]

Description: Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

76. Security Feature Bypass - Windows DWM Core Library (CVE-2025-24073) - Medium [389]

Description: Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

77. Security Feature Bypass - Windows DWM Core Library (CVE-2025-24074) - Medium [389]

Description: Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

78. Security Feature Bypass - Windows Kerberos (CVE-2025-26647) - Medium [389]

Description: Improper input validation in Windows Kerberos allows an unauthorized attacker to elevate privileges over a network.

79. Elevation of Privilege - Microsoft Dataverse (CVE-2025-24053) - Medium [385]

Description: Microsoft Dataverse Elevation of Privilege Vulnerability. Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network.

MS PT Extended: CVE-2025-24053 was published before April 2025 Patch Tuesday from 2025-03-12 to 2025-04-07

80. Elevation of Privilege - Windows Kernel (CVE-2025-26640) - Medium [385]

Description: Windows Digital Media Elevation of Privilege Vulnerability. Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.

81. Elevation of Privilege - Windows Kernel (CVE-2025-26665) - Medium [385]

Description: Windows upnphost.dll Elevation of Privilege Vulnerability. Sensitive data storage in improperly locked memory in Windows upnphost.dll allows an authorized attacker to elevate privileges locally.

82. Security Feature Bypass - Windows Kernel (CVE-2025-27735) - Medium [382]

Description: Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability. Insufficient verification of data authenticity in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally.

83. Information Disclosure - Windows Kernel (CVE-2025-21203) - Medium [381]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability. Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

84. Information Disclosure - Windows Kernel (CVE-2025-26664) - Medium [381]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability. Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

85. Information Disclosure - Windows Kernel (CVE-2025-26667) - Medium [381]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability. Exposure of sensitive information to an unauthorized actor in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

86. Information Disclosure - Windows Kernel (CVE-2025-26672) - Medium [381]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability. Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

87. Information Disclosure - Windows Kernel (CVE-2025-26676) - Medium [381]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability. Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

88. Information Disclosure - Windows Kernel (CVE-2025-27474) - Medium [381]

Description: Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability. Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

89. Elevation of Privilege - DirectX Graphics Kernel (CVE-2025-29812) - Medium [380]

Description: DirectX Graphics Kernel Elevation of Privilege Vulnerability. Untrusted pointer dereference in Windows Kernel Memory allows an authorized attacker to elevate privileges locally.

Qualys: Other Microsoft Vulnerability Highlights  CVE-2025-27727 is an elevation of privilege vulnerability in Windows Installer. An attacker may exploit the vulnerability to gain SYSTEM privileges. CVE-2025-29792 is an elevation of privilege vulnerability in Microsoft Office. Upon successful exploitation, an attacker could gain SYSTEM privileges. CVE-2025-29793 is a remote code execution vulnerability in Microsoft SharePoint. An authenticated attacker with Site Owner permissions may exploit the vulnerability to execute code remotely in the context of SharePoint Server. CVE-2025-29794 is a remote code execution vulnerability in Microsoft SharePoint. An authenticated attacker with Site Owner permissions may exploit the vulnerability to execute code remotely in the context of SharePoint Server. CVE-2025-29809 is a security feature bypass vulnerability in Windows Kerberos. An attacker who successfully exploited this vulnerability could bypass the Windows Defender Credential Guard feature to leak Kerberos’s credentials. CVE-2025-27472 is a security feature bypass vulnerability in Windows Mark of the Web. Protection mechanism failure in Windows Mark of the Web (MOTW) could allow an unauthenticated attacker to bypass a security feature over a network. CVE-2025-29812 is an elevation of privilege vulnerability in the DirectX Graphics Kernel. An attacker may exploit the vulnerability to gain SYSTEM privileges.

90. Elevation of Privilege - Microsoft AutoUpdate (CVE-2025-29800) - Medium [380]

Description: Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability. Improper privilege management in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally.

91. Elevation of Privilege - Windows Bluetooth (CVE-2025-27490) - Medium [380]

Description: Windows Bluetooth Service Elevation of Privilege Vulnerability. Heap-based buffer overflow in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.

92. Elevation of Privilege - Windows Installer (CVE-2025-27727) - Medium [380]

Description: Windows Installer Elevation of Privilege Vulnerability. Improper link resolution before file access ('link following') in Windows Installer allows an authorized attacker to elevate privileges locally.

Qualys: Other Microsoft Vulnerability Highlights  CVE-2025-27727 is an elevation of privilege vulnerability in Windows Installer. An attacker may exploit the vulnerability to gain SYSTEM privileges. CVE-2025-29792 is an elevation of privilege vulnerability in Microsoft Office. Upon successful exploitation, an attacker could gain SYSTEM privileges. CVE-2025-29793 is a remote code execution vulnerability in Microsoft SharePoint. An authenticated attacker with Site Owner permissions may exploit the vulnerability to execute code remotely in the context of SharePoint Server. CVE-2025-29794 is a remote code execution vulnerability in Microsoft SharePoint. An authenticated attacker with Site Owner permissions may exploit the vulnerability to execute code remotely in the context of SharePoint Server. CVE-2025-29809 is a security feature bypass vulnerability in Windows Kerberos. An attacker who successfully exploited this vulnerability could bypass the Windows Defender Credential Guard feature to leak Kerberos’s credentials. CVE-2025-27472 is a security feature bypass vulnerability in Windows Mark of the Web. Protection mechanism failure in Windows Mark of the Web (MOTW) could allow an unauthenticated attacker to bypass a security feature over a network. CVE-2025-29812 is an elevation of privilege vulnerability in the DirectX Graphics Kernel. An attacker may exploit the vulnerability to gain SYSTEM privileges.

93. Elevation of Privilege - Windows Kernel-Mode Driver (CVE-2025-27728) - Medium [380]

Description: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability. Out-of-bounds read in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.

94. Elevation of Privilege - Windows NTFS (CVE-2025-27483) - Medium [380]

Description: NTFS Elevation of Privilege Vulnerability. Out-of-bounds read in Windows NTFS allows an unauthorized attacker to elevate privileges locally.

95. Elevation of Privilege - Windows NTFS (CVE-2025-27733) - Medium [380]

Description: NTFS Elevation of Privilege Vulnerability. Out-of-bounds read in Windows NTFS allows an unauthorized attacker to elevate privileges locally.

96. Elevation of Privilege - Windows NTFS (CVE-2025-27741) - Medium [380]

Description: NTFS Elevation of Privilege Vulnerability. Out-of-bounds read in Windows NTFS allows an unauthorized attacker to elevate privileges locally.

97. Elevation of Privilege - Windows Subsystem for Linux (CVE-2025-26675) - Medium [380]

Description: Windows Subsystem for Linux Elevation of Privilege Vulnerability. Out-of-bounds read in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally.

98. Elevation of Privilege - Windows Update (CVE-2025-21204) - Medium [380]

Description: Windows Process Activation Elevation of Privilege Vulnerability. Improper link resolution before file access ('link following') in Windows Update Stack allows an authorized attacker to elevate privileges locally.

99. Security Feature Bypass - BitLocker (CVE-2025-26637) - Medium [377]

Description: BitLocker Security Feature Bypass Vulnerability. Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

100. Security Feature Bypass - Windows Kerberos (CVE-2025-29809) - Medium [377]

Description: Windows Kerberos Security Feature Bypass Vulnerability. Insecure storage of sensitive information in Windows Kerberos allows an authorized attacker to bypass a security feature locally.

Qualys: Other Microsoft Vulnerability Highlights  CVE-2025-27727 is an elevation of privilege vulnerability in Windows Installer. An attacker may exploit the vulnerability to gain SYSTEM privileges. CVE-2025-29792 is an elevation of privilege vulnerability in Microsoft Office. Upon successful exploitation, an attacker could gain SYSTEM privileges. CVE-2025-29793 is a remote code execution vulnerability in Microsoft SharePoint. An authenticated attacker with Site Owner permissions may exploit the vulnerability to execute code remotely in the context of SharePoint Server. CVE-2025-29794 is a remote code execution vulnerability in Microsoft SharePoint. An authenticated attacker with Site Owner permissions may exploit the vulnerability to execute code remotely in the context of SharePoint Server. CVE-2025-29809 is a security feature bypass vulnerability in Windows Kerberos. An attacker who successfully exploited this vulnerability could bypass the Windows Defender Credential Guard feature to leak Kerberos’s credentials. CVE-2025-27472 is a security feature bypass vulnerability in Windows Mark of the Web. Protection mechanism failure in Windows Mark of the Web (MOTW) could allow an unauthenticated attacker to bypass a security feature over a network. CVE-2025-29812 is an elevation of privilege vulnerability in the DirectX Graphics Kernel. An attacker may exploit the vulnerability to gain SYSTEM privileges.

ZDI: CVE-2025-29809 - Windows Kerberos Security Feature Bypass Vulnerability. There are several security feature bypass (SFB) bugs in this release, but this one stands out above the others. A local attacker could abuse this vulnerability to leak Kerberos credentials. And you may need to take actions beyond just patching. If you rely on Virtualization-Based Security (VBS), you’ll need to read this document and then redeploy with the updated policy.

101. Denial of Service - Microsoft Message Queuing (CVE-2025-26641) - Medium [370]

Description: Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability. Uncontrolled resource consumption in Windows Cryptographic Services allows an unauthorized attacker to deny service over a network.

102. Denial of Service - Windows Kernel (CVE-2025-21174) - Medium [370]

Description: Windows Standards-Based Storage Management Service Denial of Service Vulnerability. Uncontrolled resource consumption in Windows Standards-Based Storage Management Service allows an unauthorized attacker to deny service over a network.

103. Denial of Service - Windows Kernel (CVE-2025-26652) - Medium [370]

Description: Windows Standards-Based Storage Management Service Denial of Service Vulnerability. Uncontrolled resource consumption in Windows Standards-Based Storage Management Service allows an unauthorized attacker to deny service over a network.