Microsoft patched 121 CVEs in its April 2025 Patch Tuesday release, with 11 rated critical and 110 rated as important. Elevation of privilege vulnerabilities accounted for 40.5% of the vulnerabilities patched this month, followed by remote code execution vulnerabilities at 25.6%. CVE-2025-29824, an elevation of privilege bug in the Windows Common Log File System (CLFS) Driver, was the lone zero-day vulnerability exploited in the wild this month. From an attacker’s perspective, elevation of privilege flaws in CLFS have become especially popular among ransomware operators over the years.
Commentary from Satnam Narang, sr. staff research engineer at Tenable, follows. Tenable has also published a full analysis of this month’s Patch Tuesday.
“Microsoft patched over 100 CVEs for the second time this year. For the first time since August 2024, Patch Tuesday vulnerabilities skewed more towards elevation of privilege bugs, which accounted for over 40% (49) of all patched vulnerabilities. We typically see remote code execution (RCE) flaws dominate Patch Tuesday releases, but only a quarter of flaws (31) were RCEs this month.
“CVE-2025-29824, an elevation of privilege bug in Windows Common Log File System (CLFS) Driver, was the lone zero-day vulnerability exploited in the wild this month. CLFS is no stranger to Patch Tuesday – since 2022, Microsoft has patched 32 CLFS vulnerabilities, averaging 10 each year, with six exploited in the wild. The last CLFS zero-day flaw exploited in the wild was patched in December 2024 (CVE-2024-49138).
“From an attacker’s perspective, post-compromise activity requires obtaining requisite privileges to conduct follow-on activity on a compromised system, such as lateral movement. Therefore, elevation of privilege bugs are typically popular in targeted attacks. However, elevation of privilege flaws in CLFS have become especially popular among ransomware operators over the years.
“While RCE flaws consistently top overall Patch Tuesday figures, the data is reversed for zero-day exploitation. For the past two years, elevation of privilege flaws have led the pack and, so far in 2025, account for over half of all zero-days exploi
“Microsoft also patched three RCE vulnerabilities in Windows Remote Desktop Services (RDP), including CVE-2025-26671, CVE-2025-27480 and CVE-2025-27482. The latter two are rated critical and the former is rated important. Exploiting all three vulnerabilities requires an attacker to win a race condition. Despite this limitation, Microsoft curiously marked the two critical flaws as “Exploitation More Likely.”” — Satnam Narang, sr. staff research engineer at Tenable