Actively Exploited Zero-Day Vulnerability in Windows Common Log File System
CVE-2025-27491 is a Critical RCE vulnerability affecting Windows Hyper-V and has a CVSS score of 7.1. This use-after-free vulnerability allows an authenticated attacker with guest privileges to execute arbitrary code over a network by convincing a victim to open a malicious site. A use-after-free vulnerability occurs when programs access already-freed memory, potentially enabling code execution. Exploitation requires winning a race condition, making this less likely to be exploited in the wild. The vulnerability has not been publicly disclosed or exploited. Updates for Windows 10 32-bit and x64 systems are pending release; meanwhile, users should monitor endpoints for suspicious activity or consider upgrading to Windows 11.
Severity | CVSS Score | CVE | Description |
Important | 7.8 | CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Critical Vulnerabilities in Windows Remote Desktop Services
CVE-2025-27480 and CVE-2025-27482 are Critical RCE vulnerabilities affecting Microsoft Windows Remote Desktop Services, and both have a CVSS score of 8.1. These vulnerabilities allow attackers to remotely run malicious code without authentication by connecting to systems running the Remote Desktop Gateway role. While exploitation requires the adversary to win a race condition, no user interaction is needed, increasing the risk. Both vulnerabilities affect memory handling in the Remote Desktop Gateway Service.
Severity | CVSS Score | CVE | Description |
Critical | 8.1 | CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
Critical | 8.1 | CVE-2025-27482 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
Critical Vulnerability in Windows Lightweight Directory Access Protocol
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores.
Severity | CVSS Score | CVE | Description |
Critical | 8.1 | CVE-2025-26670 | Windows Lightweight Directory Access Protocol Remote Code Execution Vulnerability |
Critical | 8.1 | CVE-2025-26663 | Windows Lightweight Directory Access Protocol Remote Code Execution Vulnerability |
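The Severity column in these tables is Microsoft's rating, while the CVSS paragraph above describes a separate 0.0 to 10.0 scale with its own qualitative bands. The following added example (not CrowdStrike's or Microsoft's code) parses a sample of rows copied from this page's tables, attaches the CVSS v3.x qualitative rating to each, and orders them for patching; the ordering policy (known exploitation first, then vendor severity, then base score) is an assumption for illustration.

```python
import re

# Rows copied from the severity tables on this page (pipe-delimited, trailing pipe).
ROWS = """\
Severity | CVSS Score | CVE | Description |
Important | 7.8 | CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Critical | 8.1 | CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
Critical | 8.1 | CVE-2025-26670 | Windows Lightweight Directory Access Protocol Remote Code Execution Vulnerability |
Critical | 7.8 | CVE-2025-27745 | Microsoft Office Remote Code Execution Vulnerability |
Critical | 7.1 | CVE-2025-27491 | Windows Hyper-V Remote Code Execution Vulnerability |
Important | 8.1 | CVE-2025-26647 | Windows Kerberos Elevation of Privilege Vulnerability |
Important | 6.5 | CVE-2025-21197 | Windows NTFS Information Disclosure Vulnerability |
"""

EXPLOITED = {"CVE-2025-29824"}  # the page reports this CVE as exploited in the wild
# CVSS v3.x qualitative severity rating scale: (lower bound, label).
BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"), (0.0, "None")]
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def cvss_rating(score):
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    return next(label for floor, label in BANDS if score >= floor)

def parse_rows(text):
    out = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not CVE_RE.fullmatch(cells[2]):
            continue  # header row, blank line or malformed row
        vendor, score, cve, desc = cells
        out.append({"cve": cve, "vendor": vendor, "score": float(score),
                    "cvss": cvss_rating(float(score)), "desc": desc,
                    "exploited": cve in EXPLOITED})
    return out

def triage(rows):
    # Assumed policy: known exploitation, then vendor Critical, then base score.
    return sorted(rows, key=lambda r: (not r["exploited"],
                                       r["vendor"] != "Critical", -r["score"]))

def vendor_critical_below_cvss_critical(rows):
    return [r["cve"] for r in rows if r["vendor"] == "Critical" and r["cvss"] != "Critical"]

if __name__ == "__main__":
    for r in triage(parse_rows(ROWS)):
        print(r["cve"], r["vendor"], r["score"], r["cvss"], "EXPLOITED" if r["exploited"] else "")
```

Every vendor-Critical row in the sample falls in the CVSS "High" band, and the one actively exploited entry is rated only Important, so sorting on either label alone would rank it below the others.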
Critical Vulnerabilities in Microsoft Office Products
CVE-2025-27745, CVE-2025-27748, CVE-2025-27749, CVE-2025-27752, and CVE-2025-29791 are Critical RCE vulnerabilities affecting Microsoft Office, and all have a CVSS score of 7.8. Three of these affect Microsoft Office through use-after-free vulnerabilities, while the Excel vulnerabilities involve heap-based buffer overflow and type confusion issues. All five vulnerabilities require an attacker to convince a victim to open a specially crafted file, with the Preview Pane serving as an additional attack vector. We have seen the Preview Pane serve as an attack vector many times in other vulnerabilities (April 2023, July 2023, December 2023, October 2024, January 2025, February 2025). Updates for Microsoft Office LTSC for Mac 2021 and 2024 are pending release.
Severity | CVSS Score | CVE | Description |
Critical | 7.8 | CVE-2025-27745 | Microsoft Office Remote Code Execution Vulnerability |
Critical | 7.8 | CVE-2025-27748 | Microsoft Office Remote Code Execution Vulnerability |
Critical | 7.8 | CVE-2025-27749 | Microsoft Office Remote Code Execution Vulnerability |
Critical | 7.8 | CVE-2025-27752 | Microsoft Office Remote Code Execution Vulnerability |
Critical | 7.8 | CVE-2025-29791 | Microsoft Office Remote Code Execution Vulnerability |
Critical Vulnerability in Windows TCP/IP Implementation
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
Severity | CVSS Score | CVE | Description |
Critical | 7.5 | CVE-2025-26686 | Windows TCP/IP Remote Code Execution Vulnerability |
Critical Vulnerability in Windows Hyper-V
CVE-2025-21197 and CVE-2025-27738 are Important information disclosure vulnerabilities in Windows NTFS and Resilient File System (ReFS), respectively, and both have a CVSS score of 6.5. Microsoft has implemented a fix that’s disabled by default to prevent application compatibility issues. Administrators can enable the protection through a registry key detailed in Microsoft’s support documentation. For more information, review https://support.microsoft.com/help/5058189.
Severity | CVSS Score | CVE | Description |
Critical | 7.1 | CVE-2025-27491 | Windows Hyper-V Remote Code Execution Vulnerability |
Security Mitigations for Windows Kerberos, Windows NTFS, and Windows Resilient File System
CVE-2025-26670 and CVE-2025-26663 are Critical RCE vulnerabilities affecting Windows Lightweight Directory Access Protocol (LDAP), and both have a CVSS score of 8.1. These issues allow attackers to remotely run malicious code without authentication by sending specially crafted network requests. While exploitation requires the adversary to win a race condition, no user interaction is needed, increasing the risk. Updates for Windows 10 are pending release; meanwhile, users should monitor endpoints for suspicious activity or consider upgrading to Windows 11.
CVE-2025-26647 is an Important elevation of privilege vulnerability affecting Windows Kerberos and has a CVSS score of 8.1. This vulnerability allows network-based privilege escalation through improper input validation. Microsoft recommends a three-step approach: First, update all Windows computers and domain controllers with patches released on or after April 8, 2025; second, monitor audit events visible in Audit mode to identify non-updated devices; and finally, enable Enforcement mode once the environment no longer uses certificates issued by authorities not in the NTAuth store. For more information, review https://support.microsoft.com/help/5057784.
Severity | CVSS Score | CVE | Description |
Important | 8.1 | CVE-2025-26647 | Windows Kerberos Elevation of Privilege Vulnerability |
Important | 6.5 | CVE-2025-21197 | Windows NTFS Information Disclosure Vulnerability |
Important | 6.5 | CVE-2025-27738 | Windows Resilient File System (ReFS) Information Disclosure Vulnerability |
Patch Tuesday Dashboard in the Falcon Platform
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
Later this year, Microsoft plans to discontinue support for Microsoft Windows 10 (October 2025). As part of a robust cybersecurity strategy, CrowdStrike encourages organizations to ensure their planning takes this upcoming date into consideration. End of support implies that in the near term, these systems will likely receive no further security updates. Organizations should be planning for and upgrading their systems to newer and supported OS versions to continue receiving critical security updates for issues like those mentioned above.
CVE-2025-26686 is a Critical RCE vulnerability affecting the Windows TCP/IP implementation and has a CVSS score of 7.5. This vulnerability involves memory management issues that could allow an attacker to run malicious code on affected systems. Exploitation requires a user to start a network connection first, after which the attacker could send a specially crafted network response. Exploitation requires precise timing and advance preparation of the target environment, making successful attacks less likely. Updates for Windows 10 32-bit and x64 systems are pending release; meanwhile, users should monitor endpoints for suspicious activity or consider upgrading to Windows 11.
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
CVE-2025-29824 is an Important elevation of privilege vulnerability affecting the Windows Common Log File System and has a CVSS score of 7.8. This could allow a remote attacker to run arbitrary code on a victim machine after tricking a victim into either opening a malicious file from an email or message, or navigating to an adversary-owned website. While no proof-of-concept for this vulnerability has been disclosed, Microsoft confirmed it has been actively exploited in the wild. Updates for Windows 10 32-bit and x64 systems are pending release.
Learn More
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
About CVSS Scores
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.