{"id":1055,"date":"2025-04-10T01:42:02","date_gmt":"2025-04-10T01:42:02","guid":{"rendered":"https:\/\/www.batteryone.co\/blog\/?p=1055"},"modified":"2025-04-10T01:42:02","modified_gmt":"2025-04-10T01:42:02","slug":"microsofts-april-security-update-fixes-124-vulnerabilities-including-a-dangerous-zero-day-and-wormable-ldap-bugs","status":"publish","type":"post","link":"https:\/\/www.batteryone.co\/blog\/archives\/1055","title":{"rendered":"Microsoft\u2019s April Security Update Fixes 124 Vulnerabilities \u2014 Including a Dangerous Zero-Day and Wormable LDAP Bugs"},"content":{"rendered":"\n<p>Microsoft has released its April patch bundle, addressing a massive&nbsp;<strong>124 Common Vulnerabilities and Exposures (CVEs)<\/strong>&nbsp;across its software stack. Among these,&nbsp;<strong>11 are rated critical<\/strong>,&nbsp;<strong>two are low severity<\/strong>, and the remainder are considered important. While the volume alone makes this update noteworthy, it\u2019s the nature of a few key vulnerabilities that warrants special attention.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/07\/winupdatedate-768x508.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Security researchers are particularly concerned about&nbsp;<strong>CVE-2025-29824<\/strong>, a&nbsp;<strong>privilege escalation flaw<\/strong>&nbsp;in the&nbsp;<strong>Windows Common Log File System (CLFS)<\/strong>&nbsp;driver that has been confirmed as actively exploited in the wild. The vulnerability allows attackers to execute code with&nbsp;<strong>System-level privileges<\/strong>, giving them near-complete control over a compromised machine. 
Dustin Childs of the Zero Day Initiative highlighted the issue in a recent blog post, noting that while this is the only known in-the-wild exploit in the April release, it\u2019s nonetheless a serious threat.<\/p>\n\n\n\n<p>\u201cThese types of bugs are often paired with code execution exploits to take over a system,\u201d Childs wrote, emphasizing that Microsoft has not disclosed the extent of the active exploitation.<\/p>\n\n\n\n<p>The presence of this zero-day is particularly concerning given the track record of the CLFS driver, which has been a repeated source of critical vulnerabilities in recent years. Adam Barnett, lead software engineer at Rapid7, echoed this concern, noting that the exploit appears to have been discovered outside of Microsoft, even though the company\u2019s own threat intelligence team successfully reproduced it. The advisory does not explicitly state the privilege level achieved, but Barnett suggests it&#8217;s safe to assume&nbsp;<strong>System access<\/strong>&nbsp;\u2014 a common outcome for past CLFS-related vulnerabilities.<\/p>\n\n\n\n<p>In addition to the zero-day, two other vulnerabilities stand out for their potential scale and impact:&nbsp;<strong>CVE-2025-26663<\/strong>&nbsp;and&nbsp;<strong>CVE-2025-26670<\/strong>. Both affect Microsoft&#8217;s implementation of&nbsp;<strong>LDAP (Lightweight Directory Access Protocol)<\/strong>. According to Childs, these flaws allow an unauthenticated attacker to remotely execute code on affected systems simply by sending a specially crafted LDAP message.<\/p>\n\n\n\n<p>\u201cThese bugs are wormable,\u201d Childs warned, referring to their ability to propagate automatically without human interaction \u2014 a key feature that makes them especially dangerous in enterprise environments. 
&#8220;Since just about everything can host an LDAP service, there\u2019s a plethora of targets out there.&#8221;<\/p>\n\n\n\n<p>Barnett also flagged the implications for defenders, especially those responsible for enterprise networks running Microsoft infrastructure. \u201cDefenders responsible for an LDAP server \u2014 which means almost any organisation with a non-trivial Microsoft footprint \u2014 should add patching for CVE-2025-26663 to their to-do list,\u201d he said.<\/p>\n\n\n\n<p>Interestingly,&nbsp;<strong>CVE-2025-26670<\/strong>&nbsp;affects the LDAP&nbsp;<strong>client<\/strong>, not just the server, suggesting that even systems initiating connections to malicious LDAP servers could be at risk. However, Microsoft&#8217;s advisory has caused some confusion. The FAQ section claims exploitation requires sending specially crafted requests&nbsp;<em>to<\/em>&nbsp;a vulnerable server, which seems inconsistent with the nature of a client-side flaw. Barnett noted this inconsistency, suggesting the advisory may be updated for clarification.<\/p>\n\n\n\n<p>Beyond these headline vulnerabilities, the broader list of CVEs touches nearly every corner of Microsoft\u2019s ecosystem. 
According to Childs, the affected components include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Windows and core system components<\/li>\n\n\n\n<li>Office and Office-related components<\/li>\n\n\n\n<li>Azure services<\/li>\n\n\n\n<li>.NET and Visual Studio<\/li>\n\n\n\n<li>BitLocker<\/li>\n\n\n\n<li>Kerberos<\/li>\n\n\n\n<li>Windows Hello<\/li>\n\n\n\n<li>OpenSSH<\/li>\n\n\n\n<li>LDAP (both server and client implementations)<\/li>\n<\/ul>\n\n\n\n<p>While only one vulnerability is known to be under active exploitation, the sheer breadth of this update \u2014 combined with the wormable nature of some bugs and the presence of a privilege escalation zero-day \u2014 makes this month\u2019s patch cycle a critical one for enterprise IT teams.<\/p>\n\n\n\n<p>For organizations with Windows infrastructure, especially those running LDAP services or applications built on CLFS, immediate patching is strongly advised. The alternative could be leaving the door open to attackers already actively exploiting known holes.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft has released its April patch bundle, addressing a massive&nbsp;124 Common Vulnerabilities and Exposures (CVEs)&nbsp;across its software stack. Among these,&nbsp;11 are rated critical,&nbsp;two are low severity, and the remainder are considered important. While the volume alone makes this update noteworthy, it\u2019s the nature of a few key vulnerabilities that warrants special attention. 
Security researchers are [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,1],"tags":[42],"class_list":["post-1055","post","type-post","status-publish","format-standard","hentry","category-laptops","category-news","tag-microsoft"],"_links":{"self":[{"href":"https:\/\/www.batteryone.co\/blog\/wp-json\/wp\/v2\/posts\/1055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.batteryone.co\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.batteryone.co\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.batteryone.co\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.batteryone.co\/blog\/wp-json\/wp\/v2\/comments?post=1055"}],"version-history":[{"count":1,"href":"https:\/\/www.batteryone.co\/blog\/wp-json\/wp\/v2\/posts\/1055\/revisions"}],"predecessor-version":[{"id":1056,"href":"https:\/\/www.batteryone.co\/blog\/wp-json\/wp\/v2\/posts\/1055\/revisions\/1056"}],"wp:attachment":[{"href":"https:\/\/www.batteryone.co\/blog\/wp-json\/wp\/v2\/media?parent=1055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.batteryone.co\/blog\/wp-json\/wp\/v2\/categories?post=1055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.batteryone.co\/blog\/wp-json\/wp\/v2\/tags?post=1055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}