Microsoft's Patch Tuesday security update for April included 134 flaws, one of which is an actively exploited zero-day.
The security patches for Windows 10 were not available when the Windows 11 patches were released. Windows 10 patches have since arrived, but the delay was unusual.
Tyler Reguly, associate director of security R&D at global cybersecurity software and services provider Fortra, suggested in an email to TechRepublic that the two separate releases and a 40-minute delay in the Windows 11 update could point to something unusual behind the scenes.
CVE-2025-29824 has been detected in the wild
The zero-day vulnerability was CVE-2025-29824, an elevation of privilege bug in the Windows Common Log File System (CLFS).
“This vulnerability is significant because it affects a central Windows component, impacting a wide range of environments, including business systems and critical infrastructure,” wrote Mike Walters, president and co-founder of patch automation company Action1, in an email. “If it is exploited, it allows privilege escalation to the SYSTEM level, the highest privilege on a Windows system.”
Elevation of privilege attacks require that the threat actor first have a foothold in the system.
“Elevation of privilege flaws in CLFS have become especially popular among ransomware operators over the years,” said Satnam Narang, senior staff research engineer at Tenable, in an email.
“What makes this vulnerability particularly worrying is that Microsoft has confirmed active exploitation in the wild, but at this time, no patch has been released for 32-bit or 64-bit Windows 10 systems,” added Ben McCarthy, lead cybersecurity engineer at security training company Immersive. “The lack of a patch leaves a critical gap in defense for a large part of the Windows ecosystem.”
The delayed release of the Windows 10 patches, along with a 40-minute delay in the Windows 11 update, adds more weight to concerns about internal disruptions or challenges at Microsoft. While the reason for the delay is still unclear, security researchers are taking note of the timing, particularly given the active exploitation of CVE-2025-29824.
CVE-2025-29824 has been exploited against “a small number of targets” in “organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company and the retail sector in Saudi Arabia,” Microsoft disclosed.
“Recently I was discussing CLFS vulnerabilities and how they seem to come in waves,” said Reguly. “When a vulnerability is fixed in CLFS, people tend to dig and look at what is happening and find other vulnerabilities in the process. If I were a gambler, I would bet on CLFS again next month.”
Remote code execution and Microsoft Office flaws are common patterns
Other notable parts of April's Patch Tuesday include a fix for CVE-2025-26663, a critical flaw that could affect organizations running Windows Lightweight Directory Access Protocol (LDAP) servers.
Reguly highlighted CVE-2025-27472, a vulnerability in Mark of the Web (MotW) that Microsoft listed as Exploitation More Likely. “It is common to see MotW vulnerabilities used by threat actors,” he said. “I would not be surprised if this is a vulnerability that we see exploited in the future.”
Microsoft released multiple patches for CVEs in Office (CVE-2025-29791, CVE-2025-27749, CVE-2025-27748 and CVE-2025-27745). The popularity of Microsoft Office means that these vulnerabilities have the potential to cause widespread problems, although they all require successful social engineering or remote code execution to inject a malicious file.
While some of these CVEs enabled remote code execution (RCE), this month's Patch Tuesday told a different story overall.
“For the first time since August 2024, Patch Tuesday vulnerabilities skewed more toward elevation of privilege bugs, which accounted for more than 40% (49) of all the vulnerabilities patched,” said Narang. “In general, we see remote code execution (RCE) flaws dominate the Patch Tuesday release, but only a quarter of the flaws (31) were RCEs this month.”
Reguly said Office, browsers and MotW have often appeared in Patch Tuesday updates lately.
“If I were an infosec buyer, think CISO, I would be looking at the trends in Microsoft's vulnerabilities, recurring and commonly exploited technologies such as Office, Edge, CLFS and MotW, and I would ask my vendors how they are helping me to defend proactively against these types of vulnerabilities,” he said.
Apple releases a large security update
As KrebsOnSecurity pointed out, Apple users should not forget about security patches.
Apple released a large security update on March 31, addressing some actively exploited vulnerabilities. In general, Patch Tuesday is a good time for organizations to push updates to company-owned devices.
Consider backing up a device before updating in case something breaks in the newly installed software.