Microsoft has released its April 2025 Patch Tuesday security updates, addressing a significant 121 Common Vulnerabilities and Exposures (CVEs). This marks the second time this year that the company has patched over 100 vulnerabilities in a single month. 

According to an analysis by Tenable, this month’s security bulletin shows a notable shift in the types of vulnerabilities addressed. For the first time since August 2024, elevation of privilege (EoP) bugs dominated the release, accounting for 49 of the total patched vulnerabilities – over 40%. This is a departure from the typical Patch Tuesday trend, where remote code execution (RCE) flaws usually take the lead. This month, RCE vulnerabilities comprised only 31 of the addressed issues, representing a quarter of the total.

“Microsoft patched over 100 CVEs for the second time this year. For the first time since August 2024, Patch Tuesday vulnerabilities skewed more toward elevation of privilege bugs, which accounted for over 40% (49) of all patched vulnerabilities. We typically see remote code execution (RCE) flaws dominate Patch Tuesday releases, but only a quarter of flaws (31) were RCEs this month,” said Satnam Narang, Sr. Staff research engineer at Tenable.

Notably, the April update includes a single zero-day vulnerability that has been exploited in the wild: CVE-2025-29824, an elevation of privilege bug within the Windows Common Log File System (CLFS) Driver.

Satnam Narang, senior staff research engineer at Tenable, highlighted the recurring nature of CLFS vulnerabilities: “CLFS is no stranger to Patch Tuesday – since 2022, Microsoft has patched 32 CLFS vulnerabilities, averaging 10 each year, with six exploited in the wild. The last CLFS zero-day flaw exploited in the wild was patched in December 2024 (CVE-2024-49138).”

Narang further elaborated on the significance of elevation of privilege vulnerabilities: “From an attacker’s perspective, post-compromise activity requires obtaining requisite privileges to conduct follow-on activity on a compromised system, such as lateral movement. Therefore, elevation of privilege bugs are typically popular in targeted attacks. However, elevation of privilege flaws in CLFS have become especially popular among ransomware operators over the years.”

Interestingly, while RCE flaws typically dominate the overall Patch Tuesday figures, the trend is reversed when looking at zero-day exploitation. Over the past two years, elevation of privilege flaws have been the most commonly exploited zero-day vulnerabilities, and this trend continues in 2025, with elevation of privilege flaws accounting for over half of all zero-days exploited so far.

Microsoft also addressed three RCE vulnerabilities in Windows Remote Desktop Services (RDP): CVE-2025-26671, CVE-2025-27480, and CVE-2025-27482. CVE-2025-27480 and CVE-2025-27482 are rated critical, while CVE-2025-26671 is rated important. Exploiting these vulnerabilities requires an attacker to win a race condition. Despite this limitation, Microsoft has curiously labeled the two critical flaws as “Exploitation More Likely.”