Microsoft Addresses 130 Vulnerabilities with Latest Patch Tuesday Updates
For the first time this year, Microsoft’s Patch Tuesday on April 8, 2025, did not bundle its updates with fixes for any actively exploited security vulnerabilities. However, the tech giant did acknowledge that one of the flaws addressed had been publicly disclosed prior to the update. This release includes critical security patches aimed at safeguarding systems across various platforms.
Scope of the Patches
This month’s updates target a total of 130 vulnerabilities. Among these, 10 have been classified as critical, and the rest are labeled as important based on severity assessments. Notably, these patches also cover 10 vulnerabilities outside of Microsoft’s direct domain, affecting components like Visual Studio, AMD hardware, and the Chromium-based version of the Edge browser.
Breakdown of Vulnerabilities
Of the 130 vulnerabilities fixed, 53 pertain to privilege escalation issues. Additionally, there are 42 vulnerabilities classified as remote code execution (RCE), 17 related to information disclosure, and 8 identified as bypassing security features. These updates come after Microsoft addressed two flaws in its Edge browser last month.
One significant vulnerability, which has been publicly recognized, is an information disclosure flaw in Microsoft SQL Server (CVE-2025-49719). This vulnerability has a severity score of 7.5 on the Common Vulnerability Scoring System (CVSS) and can potentially allow unauthorized attackers to exploit uninitialized memory, leading to the exposure of sensitive data.
Risks Associated with SQL Server Flaw
In a statement, Adam Barnett, a Lead Software Engineer at Rapid7, commented on the implications of this vulnerability. He pointed out that while an attacker may not retrieve valuable information, the exploit could potentially yield cryptographic keys or other sensitive materials if executed correctly.
Mike Walters, President and Co-founder of Action1, explained that the flaw likely stems from poor input validation in SQL Server’s memory management, which could lead to leakage of sensitive data, including credentials. This vulnerability impacts both SQL Server and applications utilizing OLE DB drivers.
High-Risk Remote Code Execution Vulnerability
Another critical highlight from the patches is a remote code execution vulnerability impacting Windows’ SPNEGO Extended Negotiation (CVE-2025-47981). This flaw carries a staggering CVSS score of 9.8, indicating its severity. Microsoft has warned that an attacker could exploit it by sending a maliciously crafted message to a server, potentially leading to remote code execution.
An anonymous researcher and Yuki Chen have been credited with identifying and addressing this severe flaw. Microsoft clarifies that the vulnerability chiefly affects Windows client machines running version 1607 or later, primarily due to a specific Group Policy Object (GPO) setting.
Concerns Over ‘Wormable’ Vulnerabilities
Experts are particularly alarmed by the potential for this vulnerability to be ‘wormable,’ meaning it could facilitate self-propagating malware, akin to the notorious WannaCry incident. Benjamin Harris, CEO of watchTowr, emphasized the need for organizations to act swiftly by patching their systems to prevent possible exploitation.
Additional Noteworthy Vulnerabilities
Among other critical vulnerabilities addressed, there are remote code execution flaws in the Windows KDC Proxy Service (CVE-2025-49735, CVSS score: 8.1) and Windows Hyper-V (CVE-2025-48822, CVSS score: 8.6). Furthermore, several vulnerabilities were identified within Microsoft Office products (CVE-2025-49695, CVE-2025-496966, and CVE-2025-49697) with CVSS scores ranging from 8.4 to 8.5.
Ben McCarthy, a Lead Cyber Security Engineer, highlighted that the KDC Proxy Service flaw is particularly notable due to its potential for remote compromise without requiring prior authentication.
Importance of Patching Security Feature Bypass Issues
The recent update also addresses five security feature bypass vulnerabilities in BitLocker (CVE-2025-48001 through CVE-2025-48818), each rated at a CVSS score of 6.8. These vulnerabilities allow an attacker with physical access to a device to potentially access encrypted data, posing a substantial risk, especially for organizations dealing with sensitive information.
Jacob Ashdown, a Cyber Security Engineer at Immersive, noted the serious implications if these vulnerabilities are exploited. Attackers could access sensitive files or credentials, disrupting business operations and compromising system integrity.
Upcoming Changes in Support
It is essential to recognize that July 8, 2025, will mark the end of support for SQL Server 2012, signaling that no further security patches will be issued for this version as part of the Extended Security Update (ESU) program, further emphasizing the importance of timely updates and system upgrades.
Updates from Other Vendors
Along with Microsoft, several other vendors have recently released updates to address multiple vulnerabilities across their platforms. Notable names include Adobe, AMD, Cisco, Citrix, and various Linux distributions. Each of these patches is crucial in maintaining the security posture of their corresponding systems and applications.
By keeping systems up to date and addressing vulnerabilities promptly, organizations can mitigate risks and maintain a robust security environment against emerging threats.
