In April 2025, Microsoft rolled out a hefty bundle of fixes for 124 vulnerabilities, including 11 rated critical and a couple rated low; the rest fall into the important category.
Dustin Childs from the Zero Day Initiative pointed out that, of these vulnerabilities, only one is publicly known or currently under attack. He zeroed in on a serious privilege escalation flaw, CVE-2025-29824, which allows attackers to run their code with system-level privileges. This kind of vulnerability often goes hand-in-hand with other exploits that let attackers seize control over a system. Unfortunately, Microsoft hasn’t detailed how widespread these attacks might be.
Two additional bugs Childs highlighted, CVE-2025-26663 and CVE-2025-26670, enable remote attackers to execute code on vulnerable systems through specially crafted LDAP messages. Since nearly every organization might have an LDAP service, these vulnerabilities present numerous potential targets. The kicker? They don’t need any user interaction, making them wormable—meaning they can spread on their own.
Adam Barnett, lead software engineer at Rapid7, echoed Childs’ concerns over CVE-2025-29824. While it’s good that Microsoft has confirmed they can reproduce the exploit, it’s concerning that another party found it first. The advisory doesn’t specify the exact privileges gained through this exploit, but it’s likely to be system access, which is the ultimate goal with these types of vulnerabilities.
Barnett urged organizations with LDAP servers—essentially any company with a significant Microsoft presence—to prioritize patching CVE-2025-26663. Since it requires no privileges or user interaction, it presents an enticing opportunity for attackers.
He also added a note of caution for those who believe they’re safe just because they don’t operate any Windows LDAP servers. CVE-2025-26670 is a critical remote code execution vulnerability that affects LDAP clients. The advisory’s FAQ suggests exploitation involves sending crafted requests to vulnerable LDAP servers, but that wording is confusing for a client-side flaw and is likely a miscommunication. Keep an eye out for updates on that.
For the complete list of April 2025 CVEs, Microsoft has all the details available. The vulnerabilities span a range of products, from Windows components to Office, Azure, .NET, Visual Studio, and more.