Microsoft fixes 124 flaws, including one under active exploitation

Microsoft is experiencing a busy spring as it delivered 124 security vulnerability fixes to administrators in the latest edition of its Update Tuesday security release schedule.

The update, popularly known as “Patch Tuesday,” includes fixes for 11 vulnerabilities rated “Critical” and one that is believed to already be under active exploitation in the wild.

The exploited flaw, tracked as CVE-2025-29824, is an elevation of privilege vulnerability in the Windows Common Log File System. The vulnerability was assigned a CVSS score of 7.8, placing it on the “important” scale, but not necessarily a critical security risk.

Those ratings, however, can be deceiving. Lower-level vulnerabilities can often be chained to create full takeover scripts. Dustin Childs, senior researcher with the Trend Micro Zero Day Initiative, said that CVE-2025-29824 is likely to be one such condition.

At the time of publication, exploitation of the bug appears to be limited. That said, it is likely that the patch release will bring about additional exploits. A popular adage in the security community is that “Patch Tuesday” is followed by “Exploit Wednesday.”

“These types of bugs are often paired with code execution bugs to take over a system,” Childs explained.

Microsoft said in an April 8 blog post that the bug was used against a small number of targets, including organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. The software giant found that the exploit was deployed via PipeMagic malware by the Storm-2460 threat group to deploy ransomware.

The U.S. Cybersecurity and Infrastructure Security Agency listed CVE-2025-29824 in its known exploited vulnerabilities (KEV) catalog on April 8.

In addition to the exploited flaw, Microsoft addressed eleven flaws, including bugs in Office and Excel tracked as CVE-2025-29791, CVE-2025-27749, CVE-2025-27748, and CVE-2025-27745.

Alex Vovk, CEO and co-founder of security vendor Action1, said that chaining exploits could be a serious risk in the case of the Office flaws, as a threat actor could easily poison a file and pass it off to an end user as a run-of-the-mill attachment.

While the flaws themselves are relatively low-severity issues concerning type confusion or use-after-free errors, in combination they could become a serious issue.

“These CVEs could be combined with social engineering or other remote code execution vulnerabilities. For instance, a phishing email might be used to trick a user into opening a malicious file, which then exploits one of these flaws,” Vovk explained.

“They could also be chained with other exploits to escalate privileges or move laterally within a network.”

A group of 124 vulnerabilities is, to say the least, a hefty load even for Microsoft. This sort of pattern is not unusual, Childs explained. Often, April will see more patches released and administrators will be pressed to test and deploy patches.

“The April release tends to be heavier, and this level of output doesn’t disappoint,” the researcher said.

“It’s a small comfort that only one of these bugs is listed as publicly known or under active attack at the time of release.”

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
