Microsoft has released security fixes to address a massive set of 126 flaws affecting its software products, including one vulnerability that it said has been actively exploited in the wild.
Of the 126 vulnerabilities, 11 are rated Critical, 112 are rated Important, and two are rated Low in severity. Forty-nine of these vulnerabilities are classified as privilege escalation, 34 as remote code execution, 16 as information disclosure, and 14 as denial-of-service (DoS) bugs.
The updates are aside from the 22 flaws the company patched in its Chromium-based Edge browser since the release of last month’s Patch Tuesday update.
The vulnerability that has been flagged as under active attack is an elevation of privilege (EoP) flaw impacting the Windows Common Log File System (CLFS) Driver (CVE-2025-29824, CVSS score: 7.8) that stems from a use-after-free scenario, allowing an authorized attacker to elevate privileges locally.
CVE-2025-29824 is the sixth EoP vulnerability to be discovered in the same component that has been exploited in the wild since 2022, the others being CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252, and CVE-2024-49138 (CVSS scores: 7.8).
“From an attacker’s perspective, post-compromise activity requires obtaining requisite privileges to conduct follow-on activity on a compromised system, such as lateral movement,” Satnam Narang, senior staff research engineer at Tenable, said.
“Therefore, elevation of privilege bugs are typically popular in targeted attacks. However, elevation of privilege flaws in CLFS have become especially popular among ransomware operators over the years.”
Mike Walters, president and co-founder of Action1, said the vulnerability permits privilege escalation to the SYSTEM level, thereby giving an attacker the ability to install malicious software, modify system settings, tamper with security features, access sensitive data, and maintain persistent access.
“What makes this vulnerability particularly concerning is that Microsoft has confirmed active exploitation in the wild, yet at this time, no patch has been released for Windows 10 32-bit or 64-bit systems,” Ben McCarthy, lead cyber security engineer at Immersive, said. “The lack of a patch leaves a critical gap in defense for a wide portion of the Windows ecosystem.”
“Under certain memory manipulation conditions, a use-after-free can be triggered, which an attacker can exploit to execute code at the highest privilege level in Windows. Importantly, the attacker does not need administrative privileges to exploit the vulnerability – only local access is required.”
The active exploitation of the flaw, per Microsoft, has been linked to ransomware attacks against a small number of targets. The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fix by April 29, 2025.
Some of the other notable vulnerabilities patched by Redmond this month include a security feature bypass (SFB) flaw affecting Windows Kerberos (CVE-2025-29809), as well as remote code execution flaws in Windows Remote Desktop Services (CVE-2025-27480, CVE-2025-27482), and Windows Lightweight Directory Access Protocol (CVE-2025-26663, CVE-2025-26670)
Also of note are multiple Critical-severity remote code execution flaws in Microsoft Office and Excel (CVE-2025-29791, CVE-2025-27749, CVE-2025-27748, CVE-2025-27745, and CVE-2025-27752) that could be exploited by a bad actor using a specially crafted Excel document, resulting in full system control.
Capping off the list of Critical flaws are two remote code execution vulnerabilities impacting Windows TCP/IP (CVE-2025-26686) and Windows Hyper-V (CVE-2025-27491) that could allow an attacker to execute code over a network under certain conditions.
It’s worth noting that several of the vulnerabilities are yet to receive patches for Windows 10. Microsoft said the updates would be “released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.”
In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
