
Exploited Windows zero-day addressed on April Patch Tuesday
Microsoft delivers fixes for 121 vulnerabilities with 11 rated critical this month. Admins will have extra mitigation work to correct three flaws.
A Windows zero-day under active exploitation should take the top of the patching priority list this month, but admins should carve out time to handle three other vulnerabilities that require manual intervention.
Microsoft delivered corrections for 121 vulnerabilities on April Patch Tuesday with 11 rated critical and the remainder with a severity level of important. Most of the vulnerabilities reside in the Windows operating system with 90, but Microsoft Office ranks second with 20 flaws requiring patches.
Microsoft corrects exploited Windows zero-day
This month's most pressing vulnerability is a Windows Common Log File System Driver elevation-of-privilege flaw, CVE-2025-29824, rated important with a CVSS rating of 7.8. It affects most Windows Server and desktop systems, but patches for Windows 10 for x64-based and 32-bit systems were not immediately available.
An attacker with local access -- either physically or via some remote access tool -- only needs a regular user account to use the exploit code.
"In this case, the attacker will gain full system privileges, so they own the box. That puts Windows as our highest-risk update this month," said Chris Goettl, vice president of product management for security products at Ivanti.
Microsoft said a ransomware group called Storm-2460 targeted organizations across the U.S., Venezuela, Spain and Saudi Arabia. Storm-2460 would infiltrate vulnerable systems, gain system-level privileges for unrestricted control of the machine and then deploy its malware.
3 vulnerabilities will require extra work
In some instances, applying the Microsoft security updates will not completely stop a threat. Administrators must take additional steps with mitigations for three vulnerabilities this month to keep their Windows systems safe.
The first is a Windows Kerberos elevation-of-privilege vulnerability, CVE-2025-26647, rated important with an 8.1 CVSS score. This flaw only affects Windows Server systems.
Until corrected in vulnerable systems, Kerberos -- the network authentication protocol in Windows -- will not properly validate input, which an attacker can exploit to escalate their privileges. The attacker only needs network access, but Microsoft rates the attack complexity as high, meaning that the threat actor must set the right conditions to trigger the exploit.
"An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server," Microsoft wrote.
Even after installing the April Patch Tuesday update, Windows domain controllers will still be vulnerable until administrators enable protections by manually changing registry settings. This is the first step in another three-phase rollout designed to help organizations avoid authentication failures and service outages by performing an audit on systems to find noncompliant certificates.
"For this one in particular, Microsoft is concerned that the fix is going to cause problems for organizations," Goettl said. "So, while they've pushed the update, it is not turned on until you choose to do so. So, there is an additional step that needs to be taken there."
In the next phase, slated to start on July 8, installing that month's security update on the domain controllers will start the Enforced by Default phase, which gives admins the option to switch a system back to Audit mode to make any adjustments. In the final phase, on Oct. 14, Microsoft will switch domain controllers to Enforcement mode and remove the ability to make further registry changes.
The second flaw requiring further mitigation work is a Windows New Technology File System (NTFS) information disclosure vulnerability, CVE-2025-21197, rated important with a CVSS score of 6.5. It affects Windows Server and desktop systems. Patches for Windows 10 systems were not immediately available.
"To mitigate against possible application compatibility risks, the fix to address this vulnerability has been released as disabled by default. However, administrators have been given the ability to enable this behavior if needed through a registry key," Microsoft wrote.
Related to this vulnerability is a Windows Resilient File System (ReFS) information disclosure flaw, CVE-2025-27738, rated important for Windows Server and desktop systems with a CVSS rating of 6.5.
Microsoft is disabling the fix for both CVE-2025-27738 and CVE-2025-21197 by default to avoid potential application compatibility issues. The company instructs customers to follow the directions at this link to manually enable the correction via a registry key. The fix will enhance access checks on NTFS and ReFS volumes to prevent unauthorized users from viewing the full file path to a resource.
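Because three of this month's fixes stay dormant until a registry value is set (the Kerberos audit switch on domain controllers, and the NTFS and ReFS access-check fixes on all systems), admins need a repeatable way to confirm the setting actually took effect on each host. The PowerShell below is an added example, not code from the article or from Microsoft: it audits and, on request, enables registry-gated mitigations from a small table. The key paths, value names and expected values in the table are placeholders, since the article does not reproduce them; replace them with the values documented in Microsoft's advisory for each CVE before use.

```powershell
# Added example (not from the article or Microsoft). Audits whether
# registry-gated fixes are enabled on this host and can enable them.
# ALL Path/Name/Expected values below are PLACEHOLDERS to be replaced
# with the values from Microsoft's advisory for the given CVE.
$Mitigations = @(
    [pscustomobject]@{
        Cve      = 'CVE-2025-26647'          # Kerberos; domain controllers only
        DcOnly   = $true
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\PLACEHOLDER-KDC-KEY'
        Name     = 'PLACEHOLDER-KERBEROS-VALUE'
        Expected = 1                          # placeholder: advisory value for Audit mode
    },
    [pscustomobject]@{
        Cve      = 'CVE-2025-21197'          # NTFS full-path disclosure
        DcOnly   = $false
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\PLACEHOLDER-NTFS-KEY'
        Name     = 'PLACEHOLDER-NTFS-VALUE'
        Expected = 1                          # placeholder: advisory value that enables the fix
    },
    [pscustomobject]@{
        Cve      = 'CVE-2025-27738'          # ReFS full-path disclosure
        DcOnly   = $false
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\PLACEHOLDER-REFS-KEY'
        Name     = 'PLACEHOLDER-REFS-VALUE'
        Expected = 1                          # placeholder: advisory value that enables the fix
    }
)

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Test-RegistryMitigation {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [pscustomobject] $Mitigation)

    if ($Mitigation.DcOnly -and -not (Test-IsDomainController)) {
        return [pscustomobject]@{ Cve = $Mitigation.Cve; Current = $null
                                  Expected = $Mitigation.Expected; State = 'NotApplicable (not a DC)' }
    }

    # A missing key or value means the fix is still in its disabled-by-default state.
    $current = $null
    $item = Get-ItemProperty -Path $Mitigation.Path -Name $Mitigation.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $current = $item.($Mitigation.Name) }

    $state = if ($null -eq $current)                    { 'NotSet (fix disabled by default)' }
             elseif ($current -eq $Mitigation.Expected) { 'Enabled' }
             else                                       { 'Set to unexpected value' }

    [pscustomobject]@{ Cve = $Mitigation.Cve; Current = $current
                       Expected = $Mitigation.Expected; State = $state }
}

function Enable-RegistryMitigation {
    # Creates the key if needed and writes the expected DWORD. Honours -WhatIf
    # so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [pscustomobject] $Mitigation)

    if ($Mitigation.DcOnly -and -not (Test-IsDomainController)) { return }

    if ($PSCmdlet.ShouldProcess("$($Mitigation.Path)\$($Mitigation.Name)",
                                "Set DWORD to $($Mitigation.Expected) for $($Mitigation.Cve)")) {
        if (-not (Test-Path -Path $Mitigation.Path)) {
            New-Item -Path $Mitigation.Path -Force | Out-Null
        }
        Set-ItemProperty -Path $Mitigation.Path -Name $Mitigation.Name `
                         -Value $Mitigation.Expected -Type DWord
    }
}

# Usage: audit first, then enable only what is still unset.
$report = $Mitigations | ForEach-Object { Test-RegistryMitigation -Mitigation $_ }
$report | Format-Table -AutoSize

$Mitigations |
    Where-Object { (Test-RegistryMitigation -Mitigation $_).State -like 'NotSet*' } |
    ForEach-Object { Enable-RegistryMitigation -Mitigation $_ -WhatIf }
```

Run the audit from an elevated prompt after the April update is installed; the `-WhatIf` on the final line previews the registry writes, and dropping it applies them. Keep the Kerberos entry at the Audit-mode value during the first phase and review the resulting audit events before July's Enforced by Default phase, so any noncompliant certificates surface before enforcement.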
Other security updates of note for April Patch Tuesday
- Two Microsoft SharePoint remote code execution vulnerabilities, CVE-2025-29793 and CVE-2025-29794, are rated important with CVSS 7.2 and 8.8 scores, respectively. Microsoft gave the flaws an exploitability assessment of "exploitation more likely." These vulnerabilities are particularly dangerous because the attack complexity is low, no user interaction is required and the threat actor only needs basic user privileges.
- Microsoft released four fixes in its developer tools ecosystem: Visual Studio (CVE-2025-29802, CVSS rating 7.3), Visual Studio (CVE-2025-29804, CVSS rating 7.3), Visual Studio Code (CVE-2025-20570, CVSS rating 6.8) and Visual Studio Tools for Applications and SQL Server Management Studio (CVE-2025-29803, CVSS rating 7.3). While they all have an exploitability assessment of "exploitation less likely," it is important for enterprises to quickly close security holes in developer tools to prevent a threat actor from accessing sensitive information or adding malicious code to a product.
- A Microsoft System Center elevation-of-privilege vulnerability, CVE-2025-27743, is rated important with a CVSS score of 7.8. Microsoft said the flaw is triggered by reusing System Center installer .exe files, and customers should delete the files and download the latest version of their System Center product as a .zip file.
Microsoft cancels plan to stop driver support in WSUS
Microsoft said it would delay its plan, previously scheduled for April 18, to end driver update synchronization to Windows Server Update Services (WSUS) servers. The company said feedback from customers with disconnected device scenarios spurred Microsoft to change its decision.
Microsoft deprecated WSUS driver synchronization, but will continue to support it. The company recommends that customers explore other options, such as Microsoft Intune and Windows Autopatch.
Tom Walat is the site editor for Informa TechTarget's SearchWindowsServer site.