Microsoft has released its monthly security update for April 2025, which includes 126 vulnerabilities affecting a range of products, including 11 that Microsoft has marked as “critical”.
# Vulnerability: Microsoft April 2025 Cumulative Security Updates Summary
## CVE Details
- **CVE ID:** Multiple (See Affected Systems section for specific IDs)
- **CVSS Score:** Varied (Critical: 7.1 to 8.1; scores for the Important-rated CVEs are not listed in the summary)
- **CWE:** Use-After-Free (UAF), Type Confusion, Heap Overflow (weakness classes implied by the RCE descriptions)
## Affected Systems
- **Products:** Windows Remote Desktop Services (Gateway Role), Windows Lightweight Directory Access Protocol (LDAP), Windows TCP/IP, Windows Hyper-V, Microsoft Excel, Microsoft Office, Windows Mark of the Web Security Feature, Windows Installer, SharePoint, Kerberos Security Feature, DirectX Graphics Kernel, OneNote.
- **Versions:** Specific vulnerable versions are not detailed in the summary, but are addressed by the April 2025 Microsoft Security Updates.
- **Configurations:** Specific Windows components (e.g., systems running the Remote Desktop Gateway role).
## Vulnerability Description
Microsoft disclosed 126 vulnerabilities in its April 2025 security updates, including 11 rated as "Critical" RCE flaws. Several of the critical vulnerabilities are memory-corruption bugs:
* **CVE-2025-27480 & CVE-2025-27482 (RD Gateway):** Triggering a race condition to create a Use-After-Free (UAF) scenario.
* **CVE-2025-26663 (Windows LDAP):** Triggering a UAF via a specially crafted LDAP call.
* **CVE-2025-26670 (LDAP Client):** Requires winning a race condition to cause a UAF via sequential crafted LDAP requests.
* **CVE-2025-26686 (Windows TCP/IP):** Improperly locked memory allowing RCE over the network via a response to a crafted DHCPv6 request after a user initiates a connection.
* **CVE-2025-29791 (Excel):** Type confusion when opening a malicious document.
* **CVE-2025-27752 (Excel):** Heap overflow allowing local code execution.
* **CVE-2025-27745, CVE-2025-27748, CVE-2025-27749 (Office):** Triggering a UAF scenario.
## Exploitation
- **Status:** None of the 126 disclosed vulnerabilities have been observed by Microsoft to be **exploited in the wild**.
- **Complexity:** Varies. The RCEs affecting the RD Gateway and LDAP components (CVE-2025-26670, CVE-2025-26663) are rated "High" attack complexity, although Microsoft assesses exploitation as "More likely." TCP/IP (CVE-2025-26686) and Hyper-V (CVE-2025-27491) are rated "Less likely."
- **Attack Vector:** Network (RD Gateway, LDAP, TCP/IP), Local (Excel/Office Heap Overflow), or requires prerequisites (Hyper-V guest privileges).
## Impact
- **Confidentiality:** High (For RCE vulnerabilities).
- **Integrity:** High (For RCE vulnerabilities).
- **Availability:** High (For RCE vulnerabilities).
## Remediation
### Patches
Microsoft has released updates addressing all disclosed vulnerabilities in the April 2025 security update cycle. Users should apply the relevant patches for all affected products.
### Workarounds
No workarounds were detailed in the summary for these CVEs, so patching is the only mitigation available and should be applied promptly.
## Detection
- **Indicators of Compromise:** Not explicitly listed. Successful exploitation would most likely manifest as unexpected process execution, or as a crash or other abnormal behavior of the affected component (e.g., the LDAP service on a domain controller, or the RD Gateway service).
- **Detection Methods and Tools:** Talos has released new Snort rule sets:
* **Snort (Legacy/SID):** 58316, 58317, 64432, 64746 - 64757, 64760 - 64762.
* **Snort 3:** 301176 - 301179.
* Cisco Secure Firewall customers should update their SRU (Security Update Release).
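The Remediation and Detection sections above describe what to check (patch state, role exposure, and crashes of the affected components) without giving a procedure. The following PowerShell triage script is an added example written for this page; it is not code from Talos or Microsoft. It assumes the standard Windows service names (`TSGateway` for RD Gateway, `NTDS` for AD DS/LDAP, `vmms` for Hyper-V), the standard Service Control Manager event IDs 7031/7034 and Application Error event ID 1000, and that `lsass.exe` hosts LDAP on a domain controller. The KB identifier is a placeholder, because the summary does not list the April 2025 KB numbers; take them from the Microsoft Security Update Guide for your OS build. The lookback window is arbitrary.

```powershell
# Added example (not from the Talos post or Microsoft): defender-side triage
# for the April 2025 update cycle. All service/process names and event IDs
# are assumptions stated in the lead-in; the KB number is a placeholder.

# --- 1. Exposure: which of the affected server roles does this host run? ---
function Get-AffectedRoleExposure {
    $exposure = [ordered]@{}
    # TSGateway only exists when the Remote Desktop Gateway role is installed.
    $exposure['RD Gateway']   = [bool](Get-Service -Name 'TSGateway' -ErrorAction SilentlyContinue)
    # NTDS is present on domain controllers, i.e. hosts exposing the LDAP server.
    $exposure['LDAP (AD DS)'] = [bool](Get-Service -Name 'NTDS' -ErrorAction SilentlyContinue)
    # vmms is the Hyper-V Virtual Machine Management service.
    $exposure['Hyper-V']      = [bool](Get-Service -Name 'vmms' -ErrorAction SilentlyContinue)
    return $exposure
}

# --- 2. Patch state: is the April 2025 cumulative update installed? ---
function Test-AprilUpdateInstalled {
    param(
        # PLACEHOLDER: replace with the KB IDs the Security Update Guide lists
        # for this OS build in the April 2025 cycle.
        [string[]]$RequiredKB = @('KBXXXXXXX')
    )
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = @($RequiredKB | Where-Object { $_ -notin $installed })
    [pscustomobject]@{
        Installed = @($RequiredKB | Where-Object { $_ -in $installed })
        Missing   = $missing
        Compliant = ($missing.Count -eq 0)
    }
}

# --- 3. Detection: unexpected terminations of the exposed components ---
# Memory-corruption bugs that fail to exploit cleanly tend to crash the
# target, so service/process crashes are the cheapest signal to hunt for.
function Get-AffectedComponentCrashes {
    param([int]$LookbackDays = 14)
    $since = (Get-Date).AddDays(-$LookbackDays)

    # Service Control Manager 7031/7034: service terminated unexpectedly.
    $scm = Get-WinEvent -FilterHashtable @{
                LogName = 'System'; ProviderName = 'Service Control Manager'
                Id = 7031, 7034; StartTime = $since } -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -match 'Remote Desktop Gateway|Active Directory Domain Services|Hyper-V' }

    # Application Error 1000: application crash. lsass.exe hosts LDAP on a DC;
    # EXCEL.EXE covers the Excel type-confusion and heap-overflow cases.
    $app = Get-WinEvent -FilterHashtable @{
                LogName = 'Application'; ProviderName = 'Application Error'
                Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -match 'lsass\.exe|EXCEL\.EXE' }

    @($scm) + @($app) | Sort-Object TimeCreated | Select-Object TimeCreated, Id, ProviderName, Message
}

# Usage (run elevated so the System log and Get-HotFix are readable):
Get-AffectedRoleExposure
Test-AprilUpdateInstalled -RequiredKB @('KBXXXXXXX')   # fill in the real KB(s)
Get-AffectedComponentCrashes -LookbackDays 14
```

Exposure and patch state together tell you which hosts to prioritize: a domain controller or RD Gateway that is missing the update is both network-reachable and unpatched against the "More likely" LDAP and RD Gateway RCEs. The crash query is a coarse signal, not proof of exploitation; a hit should be correlated with the Snort alerts listed above and with process-creation telemetry from the same window.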
## References
- Microsoft Security Update Guide (April 2025)
- Snort.org