April 2025 Patch Tuesday: One Zero-Day and 11 Critical Vulnerabilities Among 121 CVEs

Microsoft has addressed 121 vulnerabilities in its April 2025 security update release. This month's patches include fixes for one actively exploited zero-day vulnerability and 11 Critical vulnerabilities, along with 109 additional vulnerabilities of varying severity levels.

April 2025 Risk Analysis

This month’s leading risk types by exploitation technique are elevation of privilege with 49 patches (40%) and remote code execution (RCE) with 31 (26%).

Figure 1. Breakdown of April 2025 Patch Tuesday exploitation techniques
Continuing last month’s trends, Microsoft Windows received the most patches this month with 90, followed by ESU (55) and Microsoft Office (21).
Figure 2. Breakdown of product families affected by April 2025 Patch Tuesday

Actively Exploited Zero-Day Vulnerability in Windows Common Log File System

CVE-2025-29824 is an Important elevation of privilege vulnerability affecting Windows Common Log File System and has a CVSS score of 7.8. This could allow a remote attacker to run arbitrary code on a victim machine after tricking a victim into either opening a malicious file from an email or message, or navigating to an adversary-owned website. While a proof-of-concept for this vulnerability has not been disclosed, Microsoft confirmed it has been actively exploited in the wild.

Table 1. Zero-day in Windows Common Log File System
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Important | 7.8 | CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |

Critical Vulnerabilities in Windows Remote Desktop Services

CVE-2025-27480 and CVE-2025-27482 are Critical RCE vulnerabilities affecting the Microsoft Windows Remote Desktop Services, and both have a CVSS score of 8.1. These vulnerabilities allow attackers to remotely run malicious code without authentication by connecting to systems running the Remote Desktop Gateway role. While exploitation requires the adversary to win a race condition, no user interaction is needed, increasing the risk. Both vulnerabilities affect memory handling in the Remote Desktop Gateway Service.

Table 2. Critical vulnerabilities in Windows Remote Desktop Services
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 8.1 | CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2025-27482 | Windows Remote Desktop Services Remote Code Execution Vulnerability |

Critical Vulnerabilities in Windows Lightweight Directory Access Protocol

CVE-2025-26670 and CVE-2025-26663 are Critical RCE vulnerabilities affecting Windows Lightweight Directory Access Protocol (LDAP), and both have a CVSS score of 8.1. These issues allow attackers to remotely run malicious code without authentication by sending specially crafted network requests. While exploitation requires the adversary to win a race condition, no user interaction is needed, increasing the risk. 

Table 3. Critical vulnerabilities in Windows Lightweight Directory Access Protocol
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 8.1 | CVE-2025-26670 | Windows Lightweight Directory Access Protocol Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2025-26663 | Windows Lightweight Directory Access Protocol Remote Code Execution Vulnerability |

Critical Vulnerabilities in Microsoft Office Products

CVE-2025-27745, CVE-2025-27748, CVE-2025-27749, CVE-2025-27752, and CVE-2025-29791 are Critical RCE vulnerabilities affecting Microsoft Office, and all have a CVSS score of 7.8. Three of these affect Microsoft Office through use-after-free vulnerabilities, while the Excel vulnerabilities involve heap-based buffer overflow and type confusion issues. All five vulnerabilities require an attacker to convince a victim to open a specially crafted file, with the Preview Pane serving as an additional attack vector. The Preview Pane has appeared as an attack vector in many earlier vulnerabilities (April 2023, July 2023, December 2023, October 2024, January 2025, February 2025). Updates for Microsoft Office LTSC for Mac 2021 and 2024 are pending release.

Table 4. Critical vulnerabilities in Microsoft Office
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 7.8 | CVE-2025-27745 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2025-27748 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2025-27749 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2025-27752 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2025-29791 | Microsoft Office Remote Code Execution Vulnerability |

Critical Vulnerability in Windows TCP/IP Implementation 

CVE-2025-26686 is a Critical RCE vulnerability affecting Windows TCP/IP implementation and has a CVSS score of 7.5. This vulnerability involves memory management issues that could allow an attacker to run malicious code on affected systems. Exploitation requires a user to start a network connection first, after which the attacker could send a specially crafted network response. Exploitation requires precise timing and advance preparation of the target environment, making successful attacks less likely. 

Table 5. Critical vulnerability in Windows TCP/IP
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 7.5 | CVE-2025-26686 | Windows TCP/IP Remote Code Execution Vulnerability |

Critical Vulnerability in Windows Hyper-V

CVE-2025-27491 is a Critical RCE vulnerability affecting Windows Hyper-V and has a CVSS score of 7.1. This use-after-free vulnerability allows an authenticated attacker with guest privileges to execute arbitrary code over a network by convincing a victim to open a malicious site. A use-after-free vulnerability occurs when programs access already-freed memory, potentially enabling code execution. Exploitation requires winning a race condition, making this less likely to be exploited in the wild. The vulnerability has not been publicly disclosed or exploited. 

Table 6. Critical vulnerability in Windows Hyper-V
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 7.1 | CVE-2025-27491 | Windows Hyper-V Remote Code Execution Vulnerability |

Security Mitigations for Windows Kerberos, Windows NTFS, and Windows Resilient File System 

CVE-2025-26647 is an Important elevation of privilege vulnerability affecting Windows Kerberos and has a CVSS score of 8.1. This vulnerability allows network-based privilege escalation through improper input validation. Microsoft recommends a three-step approach: First, update all Windows computers and domain controllers with patches released on or after April 8, 2025; second, monitor audit events visible in Audit mode to identify non-updated devices; and finally, enable Enforcement mode once the environment no longer uses certificates issued by authorities not in the NTAuth store. For more information, review https://support.microsoft.com/help/5057784.
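
The gate between the second and third steps can be scripted. The following is an added example, not Microsoft's or CrowdStrike's tooling: it takes audit-mode records exported from domain controllers and reports what still blocks Enforcement mode. The record fields, host and CA names, and the seven-day quiet window are assumptions made for the example; the real event IDs and fields are documented in the Microsoft article linked above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory and audit export; every name and field here is hypothetical.
ALL_DCS = {"DC01", "DC02", "DC03"}
UPDATED_DCS = {"DC01", "DC02"}  # DCs carrying an update released on or after April 8, 2025
AUDIT_RECORDS = [  # one row per audited logon whose certificate was issued by a CA outside NTAuth
    {"time": "2025-04-09T14:30:00", "dc": "DC02", "device": "OLD-VPN", "issuer": "CN=Retired CA"},
    {"time": "2025-04-10T08:12:00", "dc": "DC01", "device": "PRINT-SRV01", "issuer": "CN=Legacy Issuing CA"},
    {"time": "2025-04-21T02:40:00", "dc": "DC02", "device": "PRINT-SRV01", "issuer": "CN=Legacy Issuing CA"},
    {"time": "2025-04-22T09:05:00", "dc": "DC01", "device": "KIOSK-07", "issuer": "CN=Lab Test CA"},
]

def enforcement_readiness(records, all_dcs, updated_dcs, now, quiet_days=7):
    """Return what still blocks Enforcement mode, following the three steps above."""
    # Step 1: every DC must carry the update. This example assumes a DC without it
    # produces no audit data, so its silence is not evidence of a clean environment.
    missing = sorted(all_dcs - updated_dcs)
    # Step 2: group audit hits inside the quiet window by issuing CA.
    cutoff = now - timedelta(days=quiet_days)
    by_issuer = defaultdict(set)
    for rec in records:
        if datetime.fromisoformat(rec["time"]) >= cutoff:
            by_issuer[rec["issuer"]].add(rec["device"])
    # Step 3: enforce only with full update coverage and no recent audit hits.
    return {
        "ready": not missing and not by_issuer,
        "dcs_missing_update": missing,
        "issuers_in_use": {ca: sorted(devs) for ca, devs in sorted(by_issuer.items())},
    }

def report(result):
    """Render the readiness result as lines an operator can act on."""
    lines = ["Enforcement mode: " + ("READY" if result["ready"] else "BLOCKED")]
    for dc in result["dcs_missing_update"]:
        lines.append(f"  update missing on {dc}")
    for ca, devs in result["issuers_in_use"].items():
        lines.append(f"  {ca} still used by: {', '.join(devs)}")
    return lines

if __name__ == "__main__":
    now = datetime(2025, 4, 24)  # constructed "current" date for the sample data
    print("\n".join(report(enforcement_readiness(AUDIT_RECORDS, ALL_DCS, UPDATED_DCS, now))))
```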

CVE-2025-21197 and CVE-2025-27738 are Important information disclosure vulnerabilities in Windows NTFS and Resilient File System (ReFS), respectively, and both have a CVSS score of 6.5. Microsoft has implemented a fix that's disabled by default to prevent application compatibility issues. Administrators can enable the protection through a registry key detailed in Microsoft's support documentation. For more information, review https://support.microsoft.com/help/5058189.

Table 7. Important vulnerabilities in Windows Kerberos, Windows NTFS, and Windows Resilient File System (ReFS)
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Important | 8.1 | CVE-2025-26647 | Windows Kerberos Elevation of Privilege Vulnerability |
| Important | 6.5 | CVE-2025-21197 | Windows NTFS Information Disclosure Vulnerability |
| Important | 6.5 | CVE-2025-27738 | Windows Resilient File System (ReFS) Information Disclosure Vulnerability |

Patch Tuesday Dashboard in the Falcon Platform

For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture.

Later this year, Microsoft plans to discontinue support for Microsoft Windows 10 (October 2025). As part of a robust cybersecurity strategy, CrowdStrike encourages organizations to ensure their planning takes this upcoming date into consideration. End of support implies that in the near term, these systems will likely receive no further security updates. Organizations should be planning for and upgrading their systems to newer and supported OS versions to continue receiving critical security updates for issues like those mentioned above.

The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
