Microsoft fixes 134 vulnerabilities, including 1 zero-day

Microsoft CEO Satya Nadella. Image: Microsoft News

Microsoft’s Patch Tuesday security update for April addressed 134 vulnerabilities, one of which is an actively exploited zero-day.

Windows 10 security patches were not available when the Windows 11 patches were released. The Windows 10 patches have since arrived, but the delay was unusual.

Tyler Reguly, Associate Director of Security R&D at global cybersecurity software and services provider Falm, suggested in an email to TechPublic that the two separate releases and a 40-minute delay in the Windows 11 update could point to something unusual behind the scenes.

CVE-2025-29824 has been detected in the wild

The zero-day vulnerability was CVE-2025-29824, an elevation of privilege flaw in the Windows Common Log File System (CLFS) driver.

“This vulnerability is significant because it affects a core component of Windows, affecting a wide range of environments, including business systems and critical infrastructure,” Mike Walters, president and co-founder of patch automation company Action1, wrote in an email. “If exploited, it allows privilege escalation to SYSTEM level, the highest privilege on a Windows system.”

Elevation of privilege attacks require the threat actor to first have a foothold in the system.

“Elevation of privilege flaws in CLFS have become particularly popular with ransomware operators over the years,” said Satnam Narang, Tenable’s senior staff research engineer, in an email.

“What makes this vulnerability special is that Microsoft has confirmed active exploitation in the wild, but at this point no patch has been released for Windows 10 32-bit or 64-bit systems,” added Ben McCarthy, lead cyber security engineer at a security training company. “The lack of a patch leaves a critical gap in the defense of a broad part of the Windows ecosystem.”

The delayed rollout of the Windows 10 patches, paired with a 40-minute delay in the Windows 11 update, adds emphasis to concerns about internal disruptions or challenges at Microsoft. While the cause of the delay remains unclear, security researchers noted the timing, especially given the active exploitation of CVE-2025-29824.

CVE-2025-29824 has been exploited against “a small number of targets” in “organizations in the information technology (IT) and real estate sectors in the United States, the financial sector in Venezuela, a Spanish software company and the retail sector in Saudi Arabia,” Microsoft revealed.

“I recently discussed CLFS vulnerabilities and how they seem to come in waves,” Reguly noted. “When a vulnerability in CLFS is patched, people tend to dig around and look at what’s going on and come across other vulnerabilities in the process. If I were a gambler, I would bet on CLFS appearing again next month.”

Remote code execution and Microsoft Office flaws are common patterns

Other notable parts of April’s Patch Tuesday include a fix for CVE-2025-26663, a critical flaw that could affect organizations running Windows Lightweight Directory Access Protocol (LDAP) servers.

Reguly highlighted CVE-2025-27472, a vulnerability in Mark of the Web (MotW), which Microsoft listed as Exploitation More Likely. “It is common to see MotW vulnerabilities used by threat actors,” he said. “I would not be surprised if this is a vulnerability that we see exploited in the future.”

Microsoft released several patches for CVEs in Office (CVE-2025-29791, CVE-2025-27749, CVE-2025-27748 and CVE-2025-27745). Microsoft Office’s popularity means that these vulnerabilities have the potential to cause widespread problems, although they all require successful social engineering or remote code execution to inject a malicious file.

While some of these CVEs enabled remote code execution (RCE), this month’s Patch Tuesday told a different story overall.

“For the first time since August 2024, Patch Tuesday vulnerabilities skewed more toward elevation of privilege bugs, which accounted for over 40% (49) of all patched vulnerabilities,” Narang said. “We typically see remote code execution (RCE) flaws dominate Patch Tuesday releases, but only a quarter of flaws (31) were RCEs this month.”

Reguly noted that Office, browsers and MotW have often appeared in Patch Tuesday updates recently.

“If I were an infosec buyer, think CISO, I would look at the trends in Microsoft vulnerabilities, recurring and often exploited technologies such as Office, Edge, CLFS and MotW, and I would ask my suppliers how they help me defend against these types of vulnerabilities,” he said.

Apple releases major security update

As KrebsOnSecurity pointed out, Apple users should not forget security fixes.

Apple released a major security update on March 31 and addressed some actively exploited vulnerabilities. Generally, Patch Tuesday is a good time for organizations to push updates to business-owned devices.

Consider backing up devices before updating in case something breaks in the newly installed software.
