Patch Tuesday Fixes An Exploited Bug, But Not For Windows 10


Patch Tuesday has arrived, and Microsoft has revealed one flaw in its products under active exploitation and 11 critical issues in its code to fix.

Redmond delivered fixes for more than 120 flaws this month; none are rated with a CVSS severity score of 9 or higher.

The one that deserves most attention is CVE-2025-29824, an elevation of privilege (EoP) hole in the Windows Common Log File System Driver, because it is already being exploited.

In a separate note, Microsoft explained the vulnerability is being exploited by a crew it has designated as Storm-2460, which uses the bug to deliver ransomware it's dubbed PipeMagic. Victims have been found in the US, Spain, Venezuela, and Saudi Arabia.

The 7.8-rated flaw allows an attacker to elevate privileges up to system level thanks to a use-after-free flaw in the aforementioned driver. The issue affects all versions of Windows Server up to 2025 and Windows 10 and 11. Windows Server and Windows 11 have been patched, but Windows 10 awaits a fix.

"The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information," Redmond wrote, regarding patches for Windows 10.

This appears to be a common problem this month, with many of the patches excluding Windows 10 for the moment. We've asked Microsoft for clarification on release dates and what the issue is. Windows 10 is approaching end of life but it's not there yet.

All of the critical flaws allow remote code execution (RCE). Three affect Office, and two each target Excel, LDAP, and Remote Desktop. A summary, courtesy of Trend Micro's Zero Day Initiative, for the most serious holes in this month's patch batch is below in table form.

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2025-26670 | Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2025-27752 | Microsoft Excel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2025-29791 | Microsoft Excel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2025-27745 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2025-27748 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2025-27749 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2025-27491 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.1 | No | No | RCE |
| CVE-2025-26663 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2025-27482 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2025-26686 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2025-29809 | Windows Kerberos Security Feature Bypass Vulnerability (NB: Further administrative actions are required to fully address the vulnerability) | Important | 7.1 | No | No | SFB |

Regarding CVE-2025-29809, ZDI's Dustin Childs noted in his full summary of Patch Tuesday that extra steps are needed to patch up the bug: "There are several security feature bypass (SFB) bugs in this release, but this one stands out above the others. A local attacker could abuse this vulnerability to leak Kerberos credentials. And you may need to take actions beyond just patching. If you rely on virtualization-based security, you'll need to read this document and then redeploy with the updated policy."

As for CVE-2025-26663 and CVE-2025-26670, the RCE in Windows LDAP, Childs noted this is a wormable bug, and requires a race condition to exploit. "LDAP really shouldn't be allowed through your network perimeter, but don't rely on that alone," he wrote. "Test and deploy these updates quickly – unless you're running Windows 10. Those patches aren't available yet."

The RDP RCE, CVE-2025-27480 and CVE-2025-27482, also seems wormable, and as remote desktop is often exposed to the public internet, patch this one ASAP or lock down the service to trusted networks or IP addresses.

Adobe, AMD issues

Adobe released 50-plus fixes this month, covering Cold Fusion, After Effects, Media Encoder, Bridge, Commerce, AEM Forms, Premiere Pro, Photoshop, Animate, AEM Screens, FrameMaker, and the Adobe XMP Toolkit SDK.

Adobe classed the bugs it fixed in Cold Fusion as both critical and important, and urged users to make them their top priority despite finding no evidence of active exploitation.

Finally, AMD updated some of its earlier advisories: uninitialized GPU register access (CVE-2024-21969), SMM vulnerabilities (CVE-2024-0179, CVE-2024-21925), a SEV confidential computing vulnerability (CVE-2024-56161), that CPU microcode signature verification vulnerability (CVE-2024-36347), and GPU memory leaks (CVE-2023-4969). Then there are various Ryzen AI software vulnerabilities (CVE-2025-0014, CVE-2024-36337, CVE-2024-36328, CVE-2024-36336) from earlier this month.

The updated advisories essentially contain further mitigations and information for those with affected products.
