Microsoft Releases April 2025 Security Updates

Scheduled updates for Microsoft products, including security updates for 126 vulnerabilities, of which one is reported as exploited.

Threat ID:: CC-4642
Threat Severity:: Medium
Published:: 9 April 2025 12:09 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Scheduled updates for Microsoft products, including security updates for 126 vulnerabilities, of which one is reported as exploited.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

The following platforms are also known to be affected:

Active Directory Domain Services
ASP.NET Core
Dynamics Business Central
Microsoft AutoUpdate (MAU)
Microsoft Office
Microsoft Office Excel
Microsoft Office OneNote
Microsoft Office SharePoint
Microsoft Office Word
Microsoft Streaming Service
Microsoft Virtual Hard Drive
OpenSSH for Windows
Remote Desktop Client
Remote Desktop Gateway Service
RPC Endpoint Mapper Service
Servicing Stack Updates
System Center
Visual Studio
Visual Studio Code
Visual Studio Tools for Applications and SQL Server Management Studio
Windows Active Directory Certificate Services
Windows BitLocker
Windows Bluetooth Service
Windows Cryptographic Services
Windows Defender Application Control (WDAC)
Windows Digital Media
Windows DWM Core Library
Windows Hello
Windows HTTP.sys
Windows Hyper-V
Windows Installer
Windows Kerberos
Windows Kernel
Windows Kernel Memory
Windows Kernel-Mode Drivers
Windows LDAP - Lightweight Directory Access Protocol
Windows Local Security Authority (LSA)
Windows Local Session Manager (LSM)
Windows Mark of the Web (MOTW)
Windows Media
Windows Mobile Broadband
Windows NTFS
Windows Power Dependency Coordinator
Windows Remote Desktop Services
Windows Resilient File System (ReFS)
Windows Routing and Remote Access Service (RRAS)
Windows Secure Channel
Windows Security Zone Mapping
Windows Shell
Windows Standards-Based Storage Management Service
Windows Subsystem for Linux
Windows TCP/IP
Windows Telephony Service
Windows Universal Plug and Play (UPnP) Device Host
Windows Update Stack
Windows upnphost.dll
Windows USB Print Driver
Windows Virtualization-Based Security (VBS) Enclave
Windows Win32K - GRFX

Threat details

Windows 10 Approaching End-of-Support

Microsoft has announced plans to discontinue support for Windows 10 after 14 October 2025, after which no security updates will be received. The NHS England National CSOC strongly encourages organisations to ensure they implement a plan to upgrade to a supported platform before this date to continue receiving security updates.

CVE-2025-29824 Under Active Exploitation

Microsoft has reported that CVE-2025-29824 (Windows Common Log File System Driver Elevation of Privilege Vulnerability) is under active exploitation by ransomware operations. The NHS England National CSOC assesses further exploitation as likely.

Introduction

Microsoft has released security updates to address 126 vulnerabilities in Microsoft products. Five vulnerabilities are highlighted below, of which one is exploited and four are considered critical.

Vulnerability details

CVE-2025-29824 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2025-2982 is a 'use-after-free' vulnerability in the Windows Common Log File System driver with a CVSSv3 score of 7.8. Successful exploitation could allow an attacker to escalate privileges and gain SYSTEM privileges. Microsoft reports that this vulnerability is under exploitation.

CVE-2025-27480 - Windows Remote Desktop Services Remote Code Execution Vulnerability

CVE-2025-27480 is a 'use-after-free' vulnerability in Windows Remote Desktop Services with a CVSSv3 score of 8.1. Successful exploitation could allow an unauthorised remote attacker to execute arbitrary code.

CVE-2025-27482 - Windows Remote Desktop Services Remote Code Execution Vulnerability

CVE-2025-27482 is a 'sensitive data storage in improperly locked memory' vulnerability in Windows Remote Desktop Services with a CVSSv3 score of 8.1. Successful exploitation could allow an unauthorised remote attacker to execute arbitrary code.

CVE-2025-26670 - Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability

CVE-2025-26670 is a 'use-after-free' vulnerability in Windows LDAP with a CVSSv3 score of 8.1. Successful exploitation could allow an unauthorised remote attacker to execute arbitrary code.

CVE-2025-26663 - Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability

CVE-2025-26663 is a 'use-after-free' vulnerability in Windows LDAP with a CVSSv3 score of 8.1. Successful exploitation could allow an unauthorised remote attacker to execute arbitrary code.

Remediation advice

Affected organisations are encouraged to review Microsoft's April 2025 Security Updates and apply the relevant updates as soon as practicable.

Definitive source of threat updates

CVE Vulnerabilities

Status Published

CVE-2025-29824

Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

Status Published

CVE-2025-27480

Use after free in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network.

Status Published

CVE-2025-27482

Sensitive data storage in improperly locked memory in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network.

Status Published

CVE-2025-26670

Use after free in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to execute code over a network.

Status Published

CVE-2025-26663

Use after free in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to execute code over a network.

Last edited: 9 April 2025 12:10 pm