Microsoft fixes 134 vulnerabilities including 1 zero-day

Microsoft CEO Satya Nadella. Image: Microsoft News

Microsoft’s Patch Tuesday security update for April fixed 134 vulnerabilities, one of which was being actively exploited.

The security patches for Windows 10 were not available when the Windows 11 patches were released. The Windows 10 patches have since arrived, but the delay was unusual.

Tyler Reguly, co-director of security R&D at global cybersecurity software and services supplier Fortra, suggested in an email to TechRepublic that the two separate releases and a 40-minute delay in the Windows 11 update could indicate something unusual behind the scenes.


CVE-2025-29824 was detected in the wild

The zero-day vulnerability was CVE-2025-29824, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver.

“This vulnerability is significant because it affects a core component of Windows, affecting a wide range of environments, including business systems and critical infrastructure,” wrote Mike Walters, president and co-founder of patch automation company Action. “If exploited, it allows the privilege at the system level – the highest privilege on a Windows system.”

Elevation of privilege attacks require the threat actor to first have a foothold in the system.

Tenable research engineer Satnam Narang said in an email: “Increasing privileges in CLFS has become especially popular with ransomware operators.”

“What makes this vulnerability in particular is that Microsoft has confirmed active exploitation in nature, but at the moment no patch has been released for Windows 10 32-bit or 64-bit systems,” added Ben McCarthy, headline security engineer at the security training company Immersive. “The lack of a patch leaves a critical defense in defense for a wide part of the Windows ecosystem.”

The delayed rollout of the Windows 10 patches, coupled with a 40-minute delay in the Windows 11 update, adds further weight to concerns about internal disruptions or challenges at Microsoft. Although the reason for the delay remains unclear, security researchers are taking note of the timing, especially given the active exploitation of CVE-2025-29824.

CVE-2025-29824 was exploited against “a small number of targets” in “organizations in the Information Technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software business and the retail sector in Saudi Arabia,” Microsoft has announced.

“I recently discussed the vulnerabilities of CLFS and what they looked like in waves,” Reguly noted. “If a vulnerability is patched into CLFS, people tend to dig around and look at what’s going on and encounter other vulnerabilities in the process. If I was a gambler, I would bet that CLFS will reappear next month.”

Remote code execution and Microsoft Office flaws are common patterns

Other notable parts of April’s Patch Tuesday include a fix for CVE-2025-26663, a critical flaw that may affect organizations running Windows Lightweight Directory Access Protocol (LDAP) servers.

Reguly highlighted CVE-2025-27472, a vulnerability in Mark of the Web (MOTW) that Microsoft rates as exploitation more likely. “It is common to see MOTW pleasures used by threat actors,” he said. “I wouldn’t be surprised if it was a vulnerability we exploited in the future.”


Microsoft has released several patches for CVEs in Office (CVE-2025-29791, CVE-2025-27749, CVE-2025-27748, and CVE-2025-27745). The popularity of Microsoft Office means that these vulnerabilities have the potential for widespread problems, although they all require successful social engineering or remote code execution to inject a malicious file.

While some of these CVEs made remote code execution (RCE) possible, this month’s Patch Tuesday told another story.

“For the first time since August 2024, Patch on Tuesday created vulnerabilities more for raising privileges, which accounted for more than 40% (49) of all vulnerabilities,” Narang said. “We usually see that the execution of distance code execution (RCE) dominates the patch Tuesday releases, but only a quarter of errors (31) was RCE this month.”

Reguly noted that Office, browsers and MOTW have appeared regularly in Patch Tuesday updates.

“If I were an infosec buyer, CISO thinks, I would look at the trends in Microsoft scams – repetitive and commonly exploited technologies such as Office, Edge, CLFS and MOTW – and I would ask my sellers how they proactively help me defend against these kinds of vulnerabilities,” he said.

Apple releases large security update

As KrebsOnSecurity noted, Apple users should not forget about security patches.

Apple released a major security update on March 31, which addressed some actively exploited vulnerabilities. Generally, Patch Tuesday is a good time for organizations to push updates to devices owned by the company.

Consider backing up devices before updating in case something breaks in the newly installed software.
