Microsoft has rolled out patches for a massive 126 security flaws across its software lineup. Among these is a critical Windows vulnerability that’s already being actively exploited — yet remains unpatched on some systems, raising major cybersecurity concerns.
Out of the 126 newly addressed issues, 11 are classified as Critical, 112 as Important, and two as Low in severity. The majority of these flaws fall into the categories of privilege escalation (49 vulnerabilities), remote code execution (34), information disclosure (16), and denial-of-service (14). This update comes in addition to the 22 vulnerabilities fixed in Microsoft’s Chromium-based Edge browser since the last Patch Tuesday release.
Actively Exploited CLFS Vulnerability Draws Serious Attention
The most urgent flaw, tracked as CVE-2025-29824, is a privilege escalation bug in the Windows Common Log File System (CLFS) driver. With a CVSS score of 7.8, this vulnerability stems from a use-after-free memory error. It allows attackers with local access to elevate their privileges — without needing administrative access — to take full control of a targeted system.
This isn’t the first time the CLFS component has been exploited in the wild. Since 2022, at least five other similar privilege escalation vulnerabilities in CLFS have been actively weaponized, including CVE-2022-24521, CVE-2022-37969, and more recently, CVE-2024-49138.
“After compromising a system, attackers typically aim to gain elevated privileges for further attacks like lateral movement,” explained Satnam Narang, senior research engineer at Tenable. “That’s why these privilege escalation bugs are highly favored by ransomware groups.”
Mike Walters, president of Action1, noted that the flaw enables elevation to SYSTEM-level access — the highest user privilege in Windows. Attackers exploiting this bug can disable security features, alter system settings, and even install persistent malware.
No Patch Yet for Windows 10 Users
The most alarming part? CVE-2025-29824 remains unpatched for both 32-bit and 64-bit versions of Windows 10. Ben McCarthy, lead cybersecurity engineer at Immersive, warns that this delay leaves a significant portion of the Windows ecosystem vulnerable to real-world attacks.
“Under certain memory manipulation conditions, a use-after-free can be triggered to execute code with SYSTEM privileges. And the attacker only needs local access — not admin rights,” McCarthy said.
Microsoft has confirmed active exploitation of the flaw in targeted ransomware campaigns. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-29824 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fix by April 29, 2025 — once it’s available.
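For readers who track the KEV deadlines mentioned above, here is an added example (not from the article or from CISA) that reads a feed in the shape of CISA's published KEV JSON and reports, for the CVEs named in this article, which are catalogued, how many days remain before the federal due date, and whether CISA flags known ransomware use. The feed content below is a constructed sample: the field names follow CISA's schema, the 2025-04-29 due date is the one quoted above, and the remaining values are illustrative.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the fields used below are kept; the 2025-04-29 due date is the one quoted in the
# article, every other value here is illustrative and not copied from the catalog.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-29824", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2025-04-08", "dueDate": "2025-04-29",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-49138", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-12-10", "dueDate": "2024-12-31",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# CVEs named in the article; only those present in the feed are reported.
ARTICLE_CVES = ["CVE-2025-29824", "CVE-2025-29809", "CVE-2025-27480", "CVE-2025-26663"]


def kev_status(feed_json, cve_ids, today_iso):
    """Map each catalogued CVE to its due date, days remaining and ransomware flag.

    CVEs absent from the feed are omitted so callers can tell "not in KEV"
    from "in KEV with time left"; days_left goes negative once the due date passes.
    """
    today = date.fromisoformat(today_iso)
    entries = {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}
    status = {}
    for cve in cve_ids:
        entry = entries.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        status[cve] = {
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        }
    return status


def needs_action(status, within_days=7):
    """CVEs whose KEV deadline has passed or falls within `within_days` of today."""
    return sorted(c for c, s in status.items() if s["days_left"] <= within_days)
```

Pointing `KEV_SAMPLE` at the live feed turns this into a daily check that a patch-management team can run against its own CVE list.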
Critical Flaws Also Target Microsoft Office, Kerberos, Remote Desktop, and More
While the CLFS bug is the most urgent, several other vulnerabilities patched this month pose significant threats, including:
- CVE-2025-29809: A security feature bypass affecting Windows Kerberos
- CVE-2025-27480 & CVE-2025-27482: Remote code execution flaws in Windows Remote Desktop Services
- CVE-2025-26663 & CVE-2025-26670: RCE bugs in Windows LDAP
- CVE-2025-29791, CVE-2025-27749, CVE-2025-27748, CVE-2025-27745, CVE-2025-27752: Critical Excel and Office vulnerabilities that could allow full system compromise through specially crafted Excel files
- CVE-2025-26686 & CVE-2025-27491: Remote code execution flaws in Windows TCP/IP and Hyper-V
Each of these could allow attackers to take over systems remotely, depending on network conditions and whether user interaction is required.
Patches Still Pending for Some Systems
Microsoft acknowledged that some updates — especially for Windows 10 — are not yet available. The company said these patches will be released “as soon as possible,” with official notifications to follow through CVE updates.
While Microsoft dominates the headlines this Patch Tuesday, several other vendors have also issued critical updates over the past few weeks. These include fixes for various bugs across third-party platforms and open-source ecosystems.