The April 2025 Security Update Review
Microsoft and Adobe released their April security updates. Microsoft fixed 124 CVEs (including 11 Critical vulnerabilities) covering privilege escalation, remote code execution and more; Adobe released 12 bulletins fixing 54 CVEs (including several Critical vulnerabilities) in products such as Cold Fusion and Photoshop. 2025-4-8 18:14:25 Author: www.thezdi.com

It’s the second Tuesday of the month, and, as expected, Microsoft and Adobe have released their latest security offerings – all tariff free. Take a break from your scheduled activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for April 2025

For April, Adobe released 12 bulletins addressing 54 CVEs in Adobe Cold Fusion, After Effects, Media Encoder, Bridge, Commerce, AEM Forms, Premiere Pro, Photoshop, Animate, AEM Screens, FrameMaker, and the Adobe XMP Toolkit SDK. Adobe lists the update for Cold Fusion as Priority 1 but states there are no exploits in the wild for the bugs being patched. The patch for AEM Forms is set to Priority 2. These aren’t new CVEs; just updates to dependencies. The patch for Commerce is also marked as Priority 2, although the CVEs being addressed are Important and Moderate. Still, the security bypasses shouldn’t be ignored. All of the other patches from Adobe are listed as Priority 3.

The patch for After Effects fixes seven bugs, two of which are Critical code execution flaws. The fix for Media Encoder corrects two code execution bugs. There’s just a single Critical fix in the Bridge update. That’s the same for the patches for Premiere Pro and Photoshop. The patch for Animate addresses two Critical and two Important bugs. The AEM Screens patch fixes a single cross-site scripting (XSS) bug. The update for FrameMaker fixes 10 CVEs, including several code execution bugs. Finally, the patch for the Adobe XMP Toolkit SDK fixes five different Out-of-Bounds (OOB) Read memory leaks.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. 

Microsoft Patches for April 2025

This month, Microsoft released a whopping 124 new CVEs in Windows and Windows Components, Office and Office Components, Azure, .NET and Visual Studio, BitLocker, Kerberos, Windows Hello, OpenSSH, and Windows Lightweight Directory Access Protocol (LDAP). One of these bugs was reported through the Trend ZDI program. With the additional third-party CVEs being documented, it brings the combined total to 134 CVEs.

Of the patches released today, 11 are rated Critical, two are rated Low, and the rest are rated Important in severity. The April release tends to be heavier, and this level of output doesn’t disappoint. It’s a small comfort that only one of these bugs is listed as publicly known or under active attack at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with the vulnerability currently being exploited in the wild:

- CVE-2025-29824 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
  This privilege escalation bug is listed as under active attack and allows a threat actor to execute their code with SYSTEM privileges. These types of bugs are often paired with code execution bugs to take over a system. Microsoft gives no indication of how widespread these attacks are. Regardless, test and deploy this update quickly.

- CVE-2025-26663/CVE-2025-26670 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
  These bugs allow a remote, unauthenticated attacker to execute their code on affected systems just by sending a specially crafted LDAP message. They would need to win a race condition, but we’ve seen plenty of exploits work around this requirement. Since just about everything can host an LDAP service, there’s a plethora of targets out there. And since no user interaction is involved, these bugs are wormable. LDAP really shouldn’t be allowed through your network perimeter, but don’t rely on that alone. Test and deploy these updates quickly – unless you’re running Windows 10. Those patches aren’t available yet.

- CVE-2025-27480/CVE-2025-27482 - Windows Remote Desktop Services Remote Code Execution Vulnerability
  Here are some more Critical-rated bugs that don’t rely on user interaction. An attacker just needs to connect to an affected system with the Remote Desktop Gateway role to trigger another race condition, resulting in code execution. RDS is popular for remote management, so it is often reachable from the Internet. If you must leave it open to the world, consider IP restricting it to known users, then test and deploy these patches.

- CVE-2025-29809 - Windows Kerberos Security Feature Bypass Vulnerability
  There are several security feature bypass (SFB) bugs in this release, but this one stands out above the others. A local attacker could abuse this vulnerability to leak Kerberos credentials. And you may need to take actions beyond just patching. If you rely on Virtualization-Based Security (VBS), you’ll need to read this document and then redeploy with the updated policy.
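The two mitigations recommended above for the LDAP and RD Gateway bugs (keep LDAP off the perimeter; restrict RD Gateway to known addresses) are easy to state and easy to get wrong, so here is an added example, written for this review and not taken from the ZDI post or from Microsoft: a PowerShell audit-and-restrict script for a Windows host. It assumes the standard ports (LDAP 389/636 and Global Catalog 3268/3269; RD Gateway TCP 443 and UDP 3391), assumes the RD Gateway role installs its firewall rules under the display group "Remote Desktop Gateway", and uses RFC 5737 documentation ranges as a constructed placeholder for your real management ranges.

```powershell
# Added example (not from the ZDI post): audit a Windows host for LDAP and
# RD Gateway listeners and scope the RD Gateway inbound rules to known ranges.
# The allow-list is a constructed placeholder: replace it with your own ranges.
$KnownManagementRanges = @('203.0.113.0/24', '198.51.100.10')   # RFC 5737 placeholders

# Assumed standard ports: LDAP/LDAPS and Global Catalog; RD Gateway HTTPS and UDP transport.
$LdapPorts      = 389, 636, 3268, 3269
$GatewayTcpPort = 443
$GatewayUdpPort = 3391

function Get-ExposedListener {
    param([int[]]$Ports)
    # List TCP listeners on the given ports. A LocalAddress of 0.0.0.0 or :: means
    # "all interfaces", which is what you least want on a perimeter-facing host.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        Select-Object LocalAddress, LocalPort,
            @{ Name = 'Process'; Expression = {
                (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
}

Write-Host '== LDAP listeners (should not be reachable through the perimeter) =='
Get-ExposedListener -Ports $LdapPorts | Format-Table -AutoSize

Write-Host '== RD Gateway listeners =='
Get-ExposedListener -Ports $GatewayTcpPort | Format-Table -AutoSize
Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object LocalPort -eq $GatewayUdpPort |
    Format-Table LocalAddress, LocalPort -AutoSize

# Restrict RD Gateway to the known ranges. A scoped allow rule on its own changes
# nothing if a broader allow rule still exists, so disable the role's built-in
# rules first (display group name is an assumption; check Get-NetFirewallRule).
$builtIn = Get-NetFirewallRule -DisplayGroup 'Remote Desktop Gateway' -ErrorAction SilentlyContinue
if ($builtIn) { $builtIn | Disable-NetFirewallRule }

$specs = @(
    @{ Proto = 'TCP'; Port = $GatewayTcpPort },
    @{ Proto = 'UDP'; Port = $GatewayUdpPort }
)
foreach ($spec in $specs) {
    $name = "RD Gateway $($spec.Proto) $($spec.Port) - known ranges only"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow -Profile Any `
            -Protocol $spec.Proto -LocalPort $spec.Port -RemoteAddress $KnownManagementRanges |
            Out-Null
    }
}

# Confirm the scoped rules carry the intended remote-address filter.
Get-NetFirewallRule -DisplayName 'RD Gateway * - known ranges only' |
    Get-NetFirewallAddressFilter |
    Format-Table RemoteAddress -AutoSize
```

Run it from an elevated PowerShell session on the gateway host. Because Windows Firewall blocks inbound traffic by default, disabling the broad allow rules and adding the scoped ones is what produces the restriction; the final query is there so you can verify the rules actually carry the address filter rather than trusting that the commands succeeded. None of this replaces the patches; it narrows who can reach the vulnerable service while you test and deploy them.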

Here’s the full list of CVEs released by Microsoft for April 2025:

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.

Looking at the other Critical-rated patches, there are several impacting Office and Excel. For all of these bugs, the Preview Pane is an attack vector, but Microsoft lists that user interaction is required. I’m not sure how to reconcile that other than to think maybe a user needs to manually preview an attachment from the Preview Pane. And Mac users are out of luck because the updates for Microsoft Office LTSC for Mac 2021 and 2024 are not available yet. There’s a Critical-rated Hyper-V bug, but it relies on authentication and social engineering, so it’s unlikely to be exploited in the wild. The final Critical bug is for TCP/IP and sounds intriguing. It centers around DHCPv6. An attacker could send a crafted response to a legitimate DHCPv6 request to execute code on the target system. That would usually require a Machine-in-the-Middle (MitM) type of attack. I would love to know how a crafted response leads to code execution. Hopefully, the researcher who reported this to Microsoft will publish their findings now that the bug is patched.

Moving on to the other code execution bugs, there are additional open-and-own bugs in Office components, but these do not have a Preview Pane vector. There’s also this month’s crop of RRAS and Telephony Service bugs. These seem to be a staple of every release now. There’s a bug in the RDP client, but it requires someone to connect to a malicious server. There are two bugs in SharePoint that confuse me. Both say that “Site Owner” permissions are required for exploitation, but one lists this as Low privilege while the other lists it as High. This lack of consistency from Microsoft is frustrating. Speaking of inconsistencies, there’s another RDS Gateway bug identical to the two already documented above. However, this one is rated Important instead of Critical. Same description. Same CVSS score. Even the same researcher. ¯\_(ツ)_/¯

There are nearly 50 privilege escalation bugs in this month’s release, and most of these simply either lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code (or ROOT in the case of Microsoft AutoUpdate for Mac). As always, there are some notable exceptions. The bug in Azure could allow the loading of DLLs into an enclave, which could then be used for code execution within that enclave. The bugs in Visual Studio could allow an attacker to escalate to a targeted user’s level. The bugs in Digital Media could allow for escalating code to run at Medium integrity. One of the bugs in the kernel could allow for an escalation to Secure Kernel. This is a newer feature, and if I’m not mistaken, this is the first bug of its kind. The bug in Kerberos is interesting as it allows an attacker to gain additional privileges from the Key Distribution Center. However, there are quite a few extra steps involved, including having a MitM. The final EoP this month is in System Center; however, there is no patch available, as no existing System Center deployments are impacted. In the spirit of consistency, Microsoft also notes that only customers who re-use existing System Center installer files to deploy new instances in their environment are affected by this vulnerability – so maybe some versions are impacted. Instead of a patch, Microsoft recommends users delete the existing installer setup files (.exe) and then download the latest version of their System Center product. You can find the links in the bulletin.

In addition to the one SFB already discussed, there are eight additional patches for security feature bypasses. Mostly, you can tell what’s being bypassed in the title. The BitLocker bugs bypass BitLocker. The Hello bug bypasses Hello. The bug in Mark of the Web (MotW) bypasses MotW defenses. The bug in Security Zone Mapping allows content to be treated as if it were in a different zone. The bug in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally. The bugs in OneNote and Word allow for the opening of files that should otherwise be blocked. Again, Mac users will have to wait for their patches. Finally, the bug in Defender would allow applications to run that would otherwise be blocked.

Looking at the information disclosure bugs in the April release, a few of these merely result in info leaks consisting of unspecified memory contents. There are also some that lead to the disclosure of the ever-nebulous “sensitive information.” The bugs in Azure Local Cluster could allow the disclosure of device information such as a token, credentials, resource IDs, SAS tokens, user properties, and other sensitive information. The bug in Dynamics Business Central could allow an attacker to recover cleartext passwords from memory. The bug in NTFS allows an authenticated attacker to disclose file path information under a folder where the attacker doesn't have permission to list content. That is also the case for the bug in ReFS. The vulnerability in Admin Center in Azure could allow unauthorized read-only access to the local file system. The final info disclosure bug for April resides in Outlook for Android. If exploited, it could allow an attacker to read targeted e-mails.

Moving on to the 14 Denial-of-Service (DoS) bugs getting patches this month, many simply state that an attacker could deny service over a network to that component. Again, there’s no indication if that’s temporary or a permanent DoS. Does the system blue screen? Is a reboot needed? Does the service recover if the attack stops? I suppose we’ll never know.

Finally, there are three spoofing bugs receiving patches this month, and two of these are rated Low in severity. The bugs in Edge for iOS can be used to trick users into clicking something they thought was safe. One also requires that multiple instances of the browser be opened, which sounds unlikely. The Important-rated bug in Windows Hello just states unauthorized attackers could perform spoofing locally, but Microsoft provides no details on what sort of spoofing.

No new advisories are being released this month.

Looking Ahead

The next Patch Tuesday of 2025 will be on May 13. I’ll be in Germany setting up for Pwn2Own Berlin, but I’ll return with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!


Source: https://www.thezdi.com/blog/2025/4/8/the-april-2025-security-update-review