The April 2025 Security Update Review
April 08, 2025 | Dustin Childs
It’s the second Tuesday of the month, and, as expected, Microsoft and Adobe have released their latest security offerings – all tariff free. Take a break from your scheduled activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for April 2025
For April, Adobe released 12 bulletins addressing 54 CVEs in Adobe ColdFusion, After Effects, Media Encoder, Bridge, Commerce, AEM Forms, Premiere Pro, Photoshop, Animate, AEM Screens, FrameMaker, and the Adobe XMP Toolkit SDK. Adobe lists the update for ColdFusion as Priority 1 but states there are no exploits in the wild for the bugs being patched. The patch for AEM Forms is set to Priority 2. These aren’t new CVEs, just updates to dependencies. The patch for Commerce is also marked as Priority 2, although the CVEs being addressed are Important and Moderate. Still, the security bypasses shouldn’t be ignored. All of the other patches from Adobe are listed as Priority 3.
The patch for After Effects fixes seven bugs, two of which are Critical code execution flaws. The fix for Media Encoder corrects two code execution bugs. There’s just a single Critical fix in the Bridge update. That’s the same for the patches for Premiere Pro and Photoshop. The patch for Animate addresses two Critical and two Important bugs. The AEM Screens patch fixes a single cross-site scripting (XSS) bug. The update for FrameMaker fixes 10 CVEs, including several code execution bugs. Finally, the patch for the Adobe XMP Toolkit SDK fixes five different Out-of-Bounds (OOB) Read memory leaks.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.
Microsoft Patches for April 2025
This month, Microsoft released a whopping 124 new CVEs in Windows and Windows Components, Office and Office Components, Azure, .NET and Visual Studio, BitLocker, Kerberos, Windows Hello, OpenSSH, and Windows Lightweight Directory Access Protocol (LDAP). One of these bugs was reported through the Trend ZDI program. With the additional third-party CVEs being documented, it brings the combined total to 134 CVEs.
Of the patches released today, 11 are rated Critical, two are rated Low, and the rest are rated Important in severity. The April release tends to be heavier, and this level of output doesn’t disappoint. It’s a small comfort that only one of these bugs is listed as publicly known or under active attack at the time of release.
Let’s take a closer look at some of the more interesting updates for this month, starting with the vulnerability currently being exploited in the wild:
- CVE-2025-29824 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
This privilege escalation bug is listed as under active attack and allows a threat actor to execute their code with SYSTEM privileges. These types of bugs are often paired with code execution bugs to take over a system. Microsoft gives no indication of how widespread these attacks are. Regardless, test and deploy this update quickly.
- CVE-2025-26663/CVE-2025-26670 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
These bugs allow a remote, unauthenticated attacker to execute their code on affected systems just by sending a specially crafted LDAP message. They would need to win a race condition, but we’ve seen plenty of exploits work around this requirement. Since just about everything can host an LDAP service, there’s a plethora of targets out there. And since no user interaction is involved, these bugs are wormable. LDAP really shouldn’t be allowed through your network perimeter, but don’t rely on that alone. Test and deploy these updates quickly – unless you’re running Windows 10. Those patches aren’t available yet.
- CVE-2025-27480/CVE-2025-27482 - Windows Remote Desktop Services Remote Code Execution Vulnerability
Here are some more Critical-rated bugs that don’t rely on user interaction. An attacker just needs to connect to an affected system with the Remote Desktop Gateway role to trigger another race condition, resulting in code execution. RDS is popular for remote management, so it is often reachable from the Internet. If you must leave it open to the world, consider IP restricting it to known users, then test and deploy these patches.
- CVE-2025-29809 - Windows Kerberos Security Feature Bypass Vulnerability
There are several security feature bypass (SFB) bugs in this release, but this one stands out above the others. A local attacker could abuse this vulnerability to leak Kerberos credentials. And you may need to take actions beyond just patching. If you rely on Virtualization-Based Security (VBS), you’ll need to read this document and then redeploy with the updated policy.
Here’s the full list of CVEs released by Microsoft for April 2025:
CVE | Title | Severity | CVSS | Public | Exploited | Type |
CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
CVE-2025-26670 | Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2025-27752 | Microsoft Excel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2025-29791 | Microsoft Excel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2025-27745 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2025-27748 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2025-27749 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2025-27491 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.1 | No | No | RCE |
CVE-2025-26663 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2025-27482 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2025-26686 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
CVE-2025-27740 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2025-29810 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
CVE-2025-26682 | ASP.NET Core and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-25002 | Azure Local Cluster Information Disclosure Vulnerability | Important | 6.8 | No | No | Info |
CVE-2025-26628 | Azure Local Cluster Information Disclosure Vulnerability | Important | 7.3 | No | No | Info |
CVE-2025-27489 | Azure Local Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-26637 | BitLocker Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
CVE-2025-29812 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-27473 | HTTP.sys Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-27479 | Kerberos Key Distribution Proxy Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-29800 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-29801 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-24060 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-24062 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-24073 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-24074 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-29821 | Microsoft Dynamics Business Central Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-29815 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important | 7.6 | No | No | RCE |
CVE-2025-27750 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-27751 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-29823 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-26641 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-27744 | Microsoft Office Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-29792 | Microsoft Office Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
CVE-2025-26642 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-27746 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-29822 | Microsoft OneNote Security Feature Bypass Vulnerability | Important | 7.8 | No | No | SFB |
CVE-2025-27731 | Microsoft OpenSSH for Windows Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-29793 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
CVE-2025-29794 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-27471 | Microsoft Streaming Service Denial of Service Vulnerability | Important | 5.9 | No | No | DoS |
CVE-2025-27743 † | Microsoft System Center Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-26688 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-27747 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-29820 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-29816 | Microsoft Word Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
CVE-2025-27483 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-27733 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-27741 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-27742 | NTFS Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-29805 | Outlook for Android Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
CVE-2025-27487 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
CVE-2025-26679 | RPC Endpoint Mapper Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-20570 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 6.8 | No | No | EoP |
CVE-2025-29802 | Visual Studio Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
CVE-2025-29804 | Visual Studio Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
CVE-2025-29803 | Visual Studio Tools for Applications and SQL Server Management Studio Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
CVE-2025-26681 | Win32k Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP |
CVE-2025-26687 | Win32k Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
CVE-2025-29819 | Windows Admin Center in Azure Portal Information Disclosure Vulnerability | Important | 6.2 | No | No | Info |
CVE-2025-27490 | Windows Bluetooth Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-29808 | Windows Cryptographic Services Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-26678 | Windows Defender Application Control Security Feature Bypass Vulnerability | Important | 8.4 | No | No | SFB |
CVE-2025-26640 | Windows Digital Media Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-27467 | Windows Digital Media Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-27476 | Windows Digital Media Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-27730 | Windows Digital Media Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-24058 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-27732 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-26635 | Windows Hello Security Feature Bypass Vulnerability | Important | 6.5 | No | No | SFB |
CVE-2025-26644 | Windows Hello Spoofing Vulnerability | Important | 6.2 | No | No | Spoofing |
CVE-2025-27727 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-26647 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
CVE-2025-29809 † | Windows Kerberos Security Feature Bypass Vulnerability | Important | 7.1 | No | No | SFB |
CVE-2025-26648 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-27739 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-27728 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-26673 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-27469 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-21191 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-27478 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-26651 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2025-27472 | Windows Mark of the Web Security Feature Bypass Vulnerability | Important | 5.4 | No | No | SFB |
CVE-2025-26666 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-26674 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-29811 | Windows Mobile Broadband Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-21197 | Windows NTFS Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-27736 | Windows Power Dependency Coordinator Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2025-21204 | Windows Process Activation Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-26671 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
CVE-2025-27738 | Windows Resilient File System (ReFS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-21203 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-26664 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-26667 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | RCE |
CVE-2025-26669 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 8.8 | No | No | Info |
CVE-2025-26672 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-26676 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-27474 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2025-26668 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
CVE-2025-26649 | Windows Secure Channel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-27492 | Windows Secure Channel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-27737 | Windows Security Zone Mapping Security Feature Bypass Vulnerability | Important | 8.6 | No | No | SFB |
CVE-2025-27729 | Windows Shell Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2025-21174 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-26652 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-26680 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-27470 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-27485 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-27486 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2025-26675 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-21205 | Windows Telephony Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-21221 | Windows Telephony Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-21222 | Windows Telephony Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-27477 | Windows Telephony Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-27481 | Windows Telephony Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2025-27484 | Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
CVE-2025-27475 | Windows Update Stack Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-26665 | Windows upnphost.dll Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2025-26639 | Windows USB Print Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2025-27735 | Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability | Important | 6 | No | No | SFB |
CVE-2025-25001 | Microsoft Edge for iOS Spoofing Vulnerability | Low | 4.3 | No | No | Spoofing |
CVE-2025-29796 | Microsoft Edge for iOS Spoofing Vulnerability | Low | 4.7 | No | No | Spoofing |
CVE-2025-3066 * | Chromium: CVE-2025-3066 Use after free in Navigations | High | N/A | No | No | RCE |
CVE-2025-3067 * | Chromium: CVE-2025-3067 Inappropriate implementation in Custom Tabs | Medium | N/A | No | No | N/A |
CVE-2025-3068 * | Chromium: CVE-2025-3068 Inappropriate implementation in Intents | Medium | N/A | No | No | N/A |
CVE-2025-3069 * | Chromium: CVE-2025-3069 Inappropriate implementation in Extensions | Medium | N/A | No | No | N/A |
CVE-2025-3070 * | Chromium: CVE-2025-3070 Insufficient validation of untrusted input in Extensions | Medium | N/A | No | No | N/A |
CVE-2025-3071 * | Chromium: CVE-2025-3071 Inappropriate implementation in Navigations | Low | N/A | No | No | N/A |
CVE-2025-3072 * | Chromium: CVE-2025-3072 Inappropriate implementation in Custom Tabs | Low | N/A | No | No | N/A |
CVE-2025-3073 * | Chromium: CVE-2025-3073 Inappropriate implementation in Autofill | Low | N/A | No | No | N/A |
CVE-2025-3074 * | Chromium: CVE-2025-3074 Inappropriate implementation in Downloads | Low | N/A | No | No | N/A |
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
† Indicates further administrative actions are required to fully address the vulnerability.
Looking at the other Critical-rated patches, there are several impacting Office and Excel. For all of these bugs, the Preview Pane is an attack vector, but Microsoft lists that user interaction is required. I’m not sure how to reconcile that other than to think maybe a user needs to manually preview an attachment from the Preview Pane. And Mac users are out of luck because the updates for Microsoft Office LTSC for Mac 2021 and 2024 are not available yet. There’s a Critical-rated Hyper-V bug, but it relies on authentication and social engineering, so it’s unlikely to be exploited in the wild. The final Critical bug is for TCP/IP and sounds intriguing. It centers around DHCPv6. An attacker could send a crafted response to a legitimate DHCPv6 request to execute code on the target system. That would usually require a Machine-in-the-Middle (MitM) type of attack. I would love to know how a crafted response leads to code execution. Hopefully, the researcher who reported this to Microsoft will publish their findings now that the bug is patched.
Moving on to the other code execution bugs, there are additional open-and-own bugs in Office components, but these do not have a Preview Pane vector. There’s also this month’s crop of RRAS and Telephony Service bugs. These seem to be a staple of every release now. There’s a bug in the RDP client, but it requires someone to connect to a malicious server. There are two bugs in SharePoint that confuse me. Both say that “Site Owner” permissions are required for exploitation, but one lists this as Low privilege while the other lists it as High. This lack of consistency from Microsoft is frustrating. Speaking of inconsistencies, there’s another RDS Gateway bug identical to the two already documented above. However, this one is rated Important instead of Critical. Same description. Same CVSS score. Even the same researcher. ¯\_(ツ)_/¯
There are nearly 50 privilege escalation bugs in this month’s release, and most of these simply lead either to SYSTEM-level code execution or to administrative privileges if an authenticated user runs specially crafted code (or ROOT in the case of Microsoft AutoUpdate for Mac). As always, there are some notable exceptions. The bug in Azure could allow the loading of DLLs into an enclave, which could then be used for code execution within that enclave. The bugs in Visual Studio could allow an attacker to escalate to a targeted user’s level. The bugs in Digital Media could allow for escalating code to run at Medium integrity. One of the bugs in the kernel could allow for an escalation to Secure Kernel. This is a newer feature, and if I’m not mistaken, this is the first bug of its kind. The bug in Kerberos is interesting as it allows an attacker to gain additional privileges from the Key Distribution Center. However, there are quite a few extra steps involved, including having a MitM. The final EoP this month is in System Center; however, there is no patch available, as no existing System Center deployments are impacted. In the spirit of consistency, Microsoft also notes that only customers who re-use existing System Center installer files to deploy new instances in their environment are affected by this vulnerability – so maybe some versions are impacted. Instead of a patch, Microsoft recommends users delete the existing installer setup files (.exe) and then download the latest version of their System Center product. You can find the links in the bulletin.
In addition to the one SFB already discussed, there are eight additional patches for security feature bypasses. Mostly, you can tell what’s being bypassed from the title. The BitLocker bugs bypass BitLocker. The Hello bug bypasses Hello. The bug in Mark of the Web (MotW) bypasses MotW defenses. The bug in Security Zone Mapping allows content to be treated as if it were in a different zone. The bug in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally. The bugs in OneNote and Word allow for the opening of files that should otherwise be blocked. Again, Mac users will have to wait for their patches. Finally, the bug in Defender would allow applications to run that would otherwise be blocked.
Looking at the information disclosure bugs in the April release, a few of these merely result in info leaks consisting of unspecified memory contents. There are also some that lead to the disclosure of the ever-nebulous “sensitive information.” The bugs in Azure Local Cluster could allow the disclosure of device information such as a token, credentials, resource IDs, SAS tokens, user properties, and other sensitive information. The bug in Dynamics Business Central could allow an attacker to recover cleartext passwords from memory. The bug in NTFS allows an authenticated attacker to disclose file path information under a folder where the attacker doesn't have permission to list content. That is also the case for the bug in ReFS. The vulnerability in Admin Center in Azure could allow unauthorized read-only access to the local file system. The final info disclosure bug for April resides in Outlook for Android. If exploited, it could allow an attacker to read targeted e-mails.
Moving on to the 14 Denial-of-Service (DoS) bugs getting patches this month, many simply state that an attacker could deny service over a network to that component. Again, there’s no indication if that’s temporary or a permanent DoS. Does the system blue screen? Is a reboot needed? Does the service recover if the attack stops? I suppose we’ll never know.
Finally, there are three spoofing bugs receiving patches this month, and two of these are rated Low in severity. The bugs in Edge for iOS can be used to trick users into clicking something they thought was safe. One also requires that multiple instances of the browser be opened, which sounds unlikely. The Important-rated bug in Windows Hello just states that unauthorized attackers could perform spoofing locally, but Microsoft provides no details on what sort of spoofing.
No new advisories are being released this month.
Looking Ahead
The next Patch Tuesday of 2025 will be on May 13. I’ll be in Germany setting up for Pwn2Own Berlin, but I’ll return with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!