Industrial-strength April Patch Tuesday covers 135 CVEs

Microsoft on Tuesday released 135 patches affecting 19 product families. Ten of the addressed issues, all remote code execution issues, are considered by Microsoft to be of Critical severity, and 18 have a CVSS base score of 8.0 or higher. One, an Important-severity elevation of privilege issue touching the Windows Common Log File system driver, is known to be under active exploit in the wild.  

At patch time, 11 additional CVEs are more likely to be exploited in the next 30 days by the company’s estimation. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in a table below.  

In addition to these patches, sixteen Important-severity Adobe Reader issues affecting ColdFusion are covered in the release. Those are listed in Appendix D below. In a departure from usual procedure, we are including all Edge CVEs in our numbers this month where possible, though those patches were for the most part made available separately from today’s release. 

We are as always including at the end of this post additional appendices listing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base score, and by product family; an appendix covering the advisory-style updates; and a breakout of the patches affecting the various Windows Server platforms still in support.  

By the numbers 

• Total CVEs: 135
• Publicly disclosed: 0
• Exploit detected: 1
• Severity
  • Critical: 10
  • Important: 114
  • Low: 2
  • High / Medium / Low: 9 (Edge-related CVEs issued by Chromium; see Appendix C)
• Impact
  • Elevation of Privilege: 48
  • Remote Code Execution: 33
  • Information Disclosure: 18
  • Denial of Service: 14
  • Security Feature Bypass: 9
  • Spoofing: 4
  • Unknown: 9 (Edge-related CVEs issued by Chromium; see Appendix C)
• CVSS score 9.0 or greater: 0
• CVSS base score 8.0 or greater: 18

Figure 1: Elevation of privilege accounts for over a third of all April patches, but all the Critical-severity items are remote code execution. (Please note that nine of the Edge updates covered in this issue are not released with full impact information and follow a different severity schema, and thus do not appear in this chart; please see Appendix C) 

Products 

• Windows: 89
• 365: 15
• Office: 15
• Edge: 13
• SharePoint: 6
• Visual Studio: 5
• Azure: 4
• Excel: 3
• Microsoft AutoUpdate (MAU) for Mac: 2
• Word: 2
• Access: 1
• ASP.NET: 1
• Dynamics 365: 1
• OneNote: 1
• Outlook for Android: 1
• Power Automate for Desktop: 1
• SQL Server: 1
• System Center: 1
• Visual Studio Tools for Applications (VSTA): 1

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. It should be noted that CVE names in April don’t always reflect affected product families closely. In particular, some CVEs names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa.

Figure 2: Nineteen product families are affected by April’s patches; as noted above, nine of the Edge updates covered in this issue are not released with full impact information and follow a different severity schema, and thus appear here as “unknown” in impact; please see Appendix C 

Notable April updates 

In addition to the issues discussed above, a variety of specific items merit attention.  

CVE-2025-26642, CVE-2025-27745, CVE-2025-27747, CVE-2025-27748, CVE-2025-27749, CVE-2025-27750, CVE-2025-27751, CVE-2025-2772, CVE-2025-29791, CVE-2025-29816, CVE-2025-29820, CVE-2025-29822 (12 CVEs) – assorted Office issues 

Office takes a heavy patch load this month, and the news is particularly not good for users of Office LTSC for Mac 2021 and 2024. All twelve CVEs listed above are applicable to those versions, but the update isn’t ready yet; affected parties are advised to monitor those CVEs for update availability. Worse, five of the twelve (CVE-2025-27745, CVE-2025-27748, CVE-2025-27749, CVE-2025-27752, CVE-2025-29791) include the Preview Pane as a vector, raising four of them from Important to Critical severity.  

CVE-2025-26647 — Windows Kerberos Elevation of Privilege Vulnerability 

An Important-severity elevation of privilege issue, this one appears to hinge on the attacker’s ability to compromise a trusted CA (Certificate Authority). If the attacker can do so and then issue a certificate with a specific Subject Key Identifier (SKI) value, they could then use that certificate to connect to the system, ultimately assuming the identity of any account. This one comes with recommended mitigations, including updating of all Windows machines and domain controllers to the patch released today, monitoring audit events to spot any machine or device that escapes that update, and enabling Enforcement Mode once your environment no longer uses certificates issued by authorities not in the NTAuth store. CA compromise is of course a longstanding problem in the ecosystem; with this CVE marked by Microsoft as more likely to be exploited within the next 30 days, it’s worth prioritizing in your estate. 

CVE-2025-27743 — Microsoft System Center Elevation of Privilege Vulnerability 

An Important-severity elevation-of-privilege issue, this CVE touches a constellation of System Center products (Operations Manager, Service Manager, Orchestrator, Data Protection Manager, Virtual Machine Manager) and affects customers who re-use existing System Center .exe installer files to deploy new instances in their environments. The problem stems from an untrusted search path in System Center, which an attacker could, with authorized access and some facility with DLL hijacking, use to elevate their privileges. Microsoft advises affected users to delete their existing installer setup files (.exe) and then download the latest version of their System Center product (.ZIP). 

CVE-2025-29809 — Windows Kerberos Security Feature Bypass Vulnerability 

Another issue potentially requiring extra care from administrators, this Important-severity security feature bypass requires rollback of a previous policy. To quote Microsoft’s guidance, “The policy described in Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates has been updated to account for the latest changes. If you deployed this policy, then you’ll need to redeploy using the updated policy.” 

Also, for any readers who missed the announcement, contrary to previous plans Microsoft is not deprecating driver update synchronization via WSUS (Windows Server Update Services) just yet. Those still relying on the service to do that work (particularly for “disconnected” devices) have a reprieve for now, but should continue planning to move to the cloud-based services Microsoft now prioritizes. 

Figure 3: As remote code execution did last month, elevation of privilege issues passed the 100-CVE mark with this month’s Patch Tuesday release 

Sophos protections 

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number. 

Appendix A: Vulnerability Impact and Severity 

This is a list of April patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.  

Elevation of Privilege (48 CVEs) 

Remote Code Execution (33 CVEs) 

Information Disclosure (18 CVEs) 

Denial of Service (14 CVEs) 

Security Feature Bypass (9 CVEs) 

Spoofing (4 CVE) 

Appendix B: Exploitability and CVSS 

This is a list of the April CVEs judged by Microsoft to be either under exploitation in the wild or more likely to be exploited in the wild within the first 30 days post-release. The list is further arranged by CVE.  

This is a list of April’s CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema. 

Appendix C: Products Affected 

This is a list of April’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. Issues affecting Windows Server are further sorted in Appendix E.  

Windows (89 CVEs) 

365 (15 CVEs) 

Office (15 CVEs) 

Edge (13 CVEs) 

SharePoint (6 CVEs) 

Visual Studio (5 CVEs) 

Azure (4 CVEs) 

Excel (3 CVEs) 

Microsoft AutoUpdater for Mac (2 CVEs) 

Word (2 CVEs) 

Access (1 CVE) 

ASP.NET (1 CVE) 

Dynamics 365 (1 CVE) 

OneNote (1 CVE) 

Outlook for Android (1 CVE) 

Power Automate Desktop (1 CVE) 

SQL Server (1 CVE) 

System Center (1 CVE) 

VSTA (1 CVE) 

Appendix D: Advisories and Other Products 

There are 16 Adobe advisories in this month’s release. 

Appendix E: Affected Windows Server versions 

This is a table of the CVEs in the April release affecting nine Windows Server versions, 2008 through 2025. The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). Critical-severity issues are marked in red; an “x” indicates that the CVE does not apply to that version. Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft. Please note that CVE-2025-27475 is a client-only Windows issue and thus appears in this chart, but with no server versions marked.