Privilege escalation

April Zero-Day Threats Addressed in Microsoft’s Patch Tuesday

Summary of Microsoft April Patch Tuesday

Microsoft released April 2025 Patch Tuesday, addressed 135 security vulnerabilities, including a critical zero-day vulnerability (CVE-2025-29824) already being actively exploited.

126 Microsoft CVEs addressed
9 non-Microsoft CVEs included

Microsoft April Patch Tuesday is released every month on priority basis so that organization can address the vulnerabilities as advised by security analysts

OEM	Microsoft
Severity	Critical
Date of Announcement	2025-04-08
No. of Vulnerabilities Patched	135
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

Key updates focus on core Windows components like the CLFS driver, Windows Kernel, and multiple remote code execution (RCE) vulnerabilities across many services including Remote Desktop Gateway, LDap, and TCP/IP.

The update addresses both Microsoft and non-Microsoft vulnerabilities, with a significant emphasis on fixing issues that allow attackers to elevate privileges, execute remote code, or bypass security features.

On a similar note publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month, and are not included in the total.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Microsoft Windows CLFS Driver Use-After-Free Vulnerability [zero-day vulnerability]	CVE-2025-29824	Windows	High	7.8
Remote Desktop Gateway Service RCE Vulnerability	CVE-2025-27480 CVE-2025-27482	Windows	High	8.1
LDAP Service RCE Vulnerability	CVE-2025-26663	Windows	High	8.1
LDAP Client RCE Vulnerability	CVE-2025-26670	Windows	High	8.1

Technical Summary

The April 2025 update fixes several high-severity vulnerabilities in Microsoft products, here are some vulnerabilities details:

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-29824	Windows 10/11, Windows Server	An elevation of privilege vulnerability in the Windows Kernel caused by improper object access. Attackers with local access could exploit this to gain SYSTEM privileges.	Elevation of Privilege
CVE-2025-27480 CVE-2025-27482	Windows RDS	Race condition in Remote Desktop Gateway; triggers use-after-free allowing code execution	Remote Code Execution
CVE-2025-26663	Windows LDAP	Crafted LDAP call causes use-after-free, leading to arbitrary code execution	Remote Code Execution
CVE-2025-26670	Windows TCP/IP	Memory mismanagement during DHCPv6 handling, complex exploit chain.	Remote Code Execution

Source: Microsoft & NVD

In addition to the actively exploited vulnerabilities, several other Vulnerabilities were also addressed:

CVE-2025-27745, CVE-2025-27748, CVE-2025-27749 – Office Use-After-Free RCE Vulnerability

These vulnerabilities allow attackers to execute arbitrary code remotely by exploiting use-after-free conditions when opening malicious Office files, potentially leading to system compromise.

CVE-2025-27752 – Excel Heap Overflow RCE Vulnerability

An attacker could bypass security features via improper neutralization in the Microsoft Management Console, leading to remote code execution and potential full system compromise.

CVE-2025-29791 – Excel Type Confusion RCE Vulnerability

This vulnerability allows local attackers to exploit improper logging in NTFS, potentially granting unauthorized access to sensitive memory areas, which could lead to arbitrary code execution.

CVE-2025-26686 – Windows TCP/IP RCE Vulnerability

Memory mismanagement during DHCPv6 handling could allow remote attackers to execute arbitrary code, requiring a complex exploit chain to be effective.

CVE-2025-27491 – Windows Hyper-V RCE Vulnerability

This vulnerability can be exploited by guest users through social engineering, enabling remote code execution on the host system, with a high complexity for successful exploitation.

Remediation:

Apply Patches Promptly: Install the April 2025 security updates immediately to mitigate risks.

General Recommendations:

Prioritize Zero-Day & Critical Vulnerabilities: Focus on patching actively exploited vulnerabilities, especially those affecting Windows CLFS, RDS, LDAP, Excel, and SharePoint-related CVEs.
Secure File System Access: Implement security controls to prevent unauthorized access to NTFS and FAT file systems, particularly against USB-based attack vectors.
Educate Employees: Train users in phishing risks to reduce the chances of executing malicious Microsoft Access files.
Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity.

“Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold,” the company said in a blog post.

Conclusion:

The April 2025 Patch Tuesday release underscores the critical need for timely patching of Microsoft systems to protect against actively exploited vulnerabilities, including a zero-day privilege escalation flaw.

Microsoft has addressed multiple high-severity vulnerabilities, many of which could result in remote code execution, unauthorized system access, or privilege escalation.

IT teams and users are urged to promptly install the security updates and implement recommended security controls to mitigate these risks. As these vulnerabilities are actively exploited, immediate action is crucial to safeguarding systems from potential compromise.

References:

https://msrc.microsoft.com/update-guide/releaseNote/2025-Apr

PoC Released for High-Severity Linux Kernel UVC Driver Vulnerability

OEM	Linux
Severity	HIGH
CVSS	7.8
CVEs	CVE-2024-53104
Actively Exploited	Yes
Publicly POC Available	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

CVE-2024-53104 is a high-severity out-of-bounds write vulnerability in the Linux kernel’s USB Video Class (UVC) driver, leading to privilege escalation. The issue affects Linux kernel versions 2.6.26 and later. The vulnerability has gained renewed attention as a proof-of-concept (PoC) exploit has now been publicly released, increasing the risk of exploitation. A patch has been released to address this vulnerability, but unpatched systems remain at high risk.

Vulnerability Name	CVE ID	Product Affected	Severity
out-of-bounds write vulnerability	CVE-2024-53104	Linux Kernel	High

Technical Summary

The vulnerability exists in the uvc_parse_format function of the UVC driver (uvc_driver.c). It arises due to improper parsing of UVC_VS_UNDEFINED frames, leading to incorrect buffer allocation and out-of-bounds writes.

An attacker could exploit this flaw by inserting a malicious USB device or manipulating video streams, potentially leading to memory corruption, privilege escalation, or arbitrary code execution.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-53104	Linux Kernel (2.6.26 and later)	Incorrect parsing of `UVC_VS_UNDEFINED` frames in `uvc_parse_format`, leading to miscalculated buffer sizes and memory corruption.	Privilege escalation, system instability, arbitrary code execution

Remediation:

Apply Security Patches: Ensure that the latest security patches provided by the Linux distribution maintainers are promptly applied to mitigate vulnerability.

Recommendations

Implement USB Device Control Policies: Organizations should establish and enforce USB device control policies to prevent unauthorized usage and ensure only approved devices can be connected.
Deploy Log Monitoring and Analysis Tools: Implement security monitoring tools to continuously monitor logs for potential security incidents, such as exploitation attempts or suspicious activity.

Conclusion:

CVE-2024-53104 is a major vulnerability that poses a substantial risk to Linux systems since it allows for privilege escalation and arbitrary code execution. Users and administrators are strongly urged to apply the latest security patches to mitigate the risk of exploitation. Additionally, implementing a multi-layered security approach can further enhance system protection.

The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) list, emphasizing the need for immediate remediation.

CISA has ordered federal agencies to secure their systems within three weeks against a high-severity Linux kernel flaw actively exploited in attacks.

References:

https://cybersecuritynews.com/poc-exploit-linux-kernel-write-vulnerability/
https://hackyboiz.github.io/2025/03/08/j0ker/2025-03-08/
https://lore.kernel.org/linux-cve-announce/2024120232-CVE-2024-53104-d781@gregkh/T/

Critical VMware Vulnerabilities Exploited in the Wild – Patch Immediately

Broadcom released a security alert on Tuesday morning to warn VMware customers about three zero-days that have been exploited in the wild.

Zero-Day Vulnerability in Windows (CVE-2024-49138): PoC Released, Exploited in the Wild

Summary

OEM	Microsoft
Severity	Critical
CVSS Score	7.8
CVE	CVE-2024-49138
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0
Publicly POC Available	Yes

Overview

The vulnerability CVE-2024-49138, affecting the Windows Common Log File System (CLFS) driver, enables attackers to gain SYSTEM privileges via a heap-based buffer overflow. Security researcher MrAle_98 published a proof-of-concept (PoC) exploit, increasing its potential misuse.

Vulnerability Name	CVE ID	Product Affected	Severity
CLFS Privilege Escalation	CVE-2024-49138	Microsoft Windows	High

Technical Summary

CVE-2024-49138 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) driver, allowing attackers to escalate privileges to SYSTEM level. It affects a wide range of Windows systems, including the latest versions, such as Windows 11 23H2. Initially discovered by CrowdStrike’s Advanced Research Team, Microsoft confirmed active exploitation prior to its December 2024 patch release. Security researcher MrAle_98 published a proof-of-concept exploit on GitHub, increasing the likelihood of threat actor replication and exploitation.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-49138	Windows 10, Windows 11, Windows Server 2008–2025	Heap buffer overflow in CLFS driver enabling SYSTEM access. Exploited in the wild and PoC publicly released.	Enables attackers to elevate their privileges to SYSTEM level, granting them complete control over an affected device.

Remediations

Update Systems: Apply Microsoft’s December 2024 patches without delay.
Monitor Systems: Be alert for unusual privilege escalations or indicators of compromise.
Limit Access: Implement robust access controls and harden systems.

Conclusion:

The public release of a proof-of-concept exploit heightens risks, making immediate patching essential. Organizations must prioritize updates, monitor for exploitation, and implement strict access controls.

References

https://securityonline.info/zero-day-vulnerability-in-windows-exploited-cve-2024-49138-poc-code-released/
https://github.com/MrAle98/CVE-2024-49138-POC?tab=readme-ov-file
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49138
https://intruceptlabs.com/2024/12/microsoft-december-2024-patch-tuesday-critical-fixes-for-zero-day-and-remote-code-execution/