Microsoft's April 2025 security update addresses 126 vulnerabilities, 11 of which Microsoft rates as critical. The critical issues are mostly remote code execution (RCE) bugs spread across several Microsoft products. Notably, none of the critical vulnerabilities was known to be exploited in the wild at the time of release.

Critical Vulnerabilities Overview

Among the critical vulnerabilities, several affect Windows Remote Desktop Services and Windows LDAP:

  • CVE-2025-27480 and CVE-2025-27482: RCE vulnerabilities in the Windows Remote Desktop Gateway Service, each scored 8.1 on CVSS 3.1. An attacker who wins a race condition can trigger a use-after-free and execute code on the gateway.
  • CVE-2025-26663: RCE in Windows LDAP, also scored 8.1. An attacker who sends a specially crafted LDAP request to a vulnerable server can achieve arbitrary code execution.
  • CVE-2025-26670: RCE in the Windows LDAP client, scored 8.1. Exploitation requires sending a sequence of crafted LDAP requests to the client to trigger a use-after-free condition.

Additional Vulnerabilities

Other notable vulnerabilities include:

  • CVE-2025-26686: RCE in Windows TCP/IP, scored 7.5. Exploitation involves sending the target a DHCPv6 response that carries a spoofed IPv6 address.
  • CVE-2025-27491: RCE in Windows Hyper-V, scored 7.1. Exploitation requires convincing a user to visit a malicious website.
  • CVE-2025-29791 and CVE-2025-27752: RCE in Microsoft Excel, both scored 7.8. The former is a type confusion bug and the latter a heap-based buffer overflow.
  • CVE-2025-27745, CVE-2025-27748 and CVE-2025-27749: RCE in Microsoft Office, each scored 7.8, all involving use-after-free conditions.

Important Vulnerabilities with Higher Exploitation Likelihood

Microsoft also flagged the following "important" vulnerabilities as "exploitation more likely", so they deserve the same patching priority as the critical set:

  • CVE-2025-27472: Windows Mark of the Web Security Feature Bypass
  • CVE-2025-27727: Windows Installer Elevation of Privilege
  • CVE-2025-29792: Microsoft Office Elevation of Privilege
  • CVE-2025-29793 and CVE-2025-29794: Microsoft SharePoint RCE
  • CVE-2025-29809: Windows Kerberos Security Feature Bypass
  • CVE-2025-29812: DirectX Graphics Kernel Elevation of Privilege
  • CVE-2025-29822: Microsoft OneNote Security Feature Bypass

Snort Rules for Detection

In response to these disclosures, Talos has released new Snort rules that detect exploitation attempts against some of these vulnerabilities. Cisco Secure Firewall customers should update their rulesets to stay protected, and open-source Snort users can download the latest rule pack from Snort.org.

The new Snort rules are 58316, 58317, 64432, 64746 - 64757 and 64760 - 64762; the new Snort 3 rules are 301176 - 301179.
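Once the rule pack is updated, the practical question is whether every SID from the list above is actually present and enabled in the ruleset you load. The following script is an added example, not code from Talos or from the Snort project: it expands the SID ranges quoted above into individual SIDs and audits a rules file for each one, distinguishing rules that are enabled, rules that exist but are commented out, and rules that are missing entirely. The rules text embedded in the script is a constructed placeholder used to exercise the checker, not real Talos rule content.

```python
"""Audit a Snort rules file for the SIDs named in a Talos Patch Tuesday post.

Added example, not Talos or Snort project code. The SAMPLE_RULES below are
constructed placeholders so the script runs offline; point audit_rules() at
the text of your real snort.rules / talos.rules to check a live ruleset.
"""
import re
import sys

# SID list exactly as printed in the post (Snort 2 SIDs and Snort 3 SIDs).
NEW_SIDS = "58316, 58317, 64432, 64746 - 64757, 64760 - 64762, 301176 - 301179"

# Matches the sid option inside a rule body, e.g. "sid:64746;" or "sid: 64746 ;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def expand_sids(spec: str) -> set[int]:
    """Expand a spec such as '1, 2, 5 - 7' into the set {1, 2, 5, 6, 7}."""
    sids: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, sep, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if sep else lo_i
        if hi_i < lo_i:
            raise ValueError(f"bad SID range: {part!r}")
        sids.update(range(lo_i, hi_i + 1))
    return sids


def audit_rules(rules_text: str, wanted: set[int]) -> dict[str, list[int]]:
    """Classify each wanted SID as enabled, disabled (commented out) or missing.

    A SID that appears both commented out and live counts as enabled, because
    Snort only loads the uncommented copy.
    """
    enabled: set[int] = set()
    disabled: set[int] = set()
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = SID_RE.search(stripped)
        if not m:
            continue
        sid = int(m.group(1))
        if sid not in wanted:
            continue
        if stripped.startswith("#"):
            disabled.add(sid)
        else:
            enabled.add(sid)
    disabled -= enabled
    return {
        "enabled": sorted(enabled),
        "disabled": sorted(disabled),
        "missing": sorted(wanted - enabled - disabled),
    }


# Constructed sample ruleset: placeholder rule bodies, not real Talos rules.
SAMPLE_RULES = """\
# constructed sample rules for demonstration only
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"placeholder RDG rule"; sid:64746; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"placeholder RDG rule"; sid:64747; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"placeholder LDAP rule"; sid:58316; rev:2;)
alert tcp any any -> any any (msg:"unrelated rule"; sid:1000001; rev:1;)
"""


def main(argv: list[str]) -> int:
    # Usage: python audit_sids.py [path/to/rules/file]; defaults to the sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_RULES
    report = audit_rules(text, expand_sids(NEW_SIDS))
    for state, sids in report.items():
        print(f"{state:8s} ({len(sids):2d}): {sids}")
    # Non-zero exit if anything is missing or disabled, so this can gate a deploy.
    return 1 if report["disabled"] or report["missing"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the text of the rules file your sensor actually loads (for Snort 3 that is typically the file referenced by your `ips` configuration) rather than the downloaded tarball, since a rule that sits in the pack but is not included or is commented out gives no protection.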
