The Human Connection Blog

Patch Tuesday April 2025

BenMcCarthy
11 days ago

Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive Labs' Cyber Threat Research Team reviews these patch notes for the standout vulnerabilities you need to know about.

CVE-2025-29812 - 7.8 - DirectX Graphics Kernel Elevation of Privilege Vulnerability

A vulnerability has been identified in the Windows Kernel Memory subsystem, specifically in how DirectX components handle memory references. The flaw allows an authorized local attacker to exploit an untrusted pointer dereference, potentially escalating privilege to SYSTEM level.

While this vulnerability has not yet been publicly disclosed or exploited in the wild, Microsoft has rated it as “Exploitation More Likely,” indicating a high potential for future abuse. The nature of the bug suggests attackers could weaponize it in post-exploitation scenarios where low-privileged access has already been established.

The core issue lies in how the Windows kernel processes memory pointers without proper validation. If an attacker can trigger a kernel call that dereferences a crafted or attacker-controlled pointer, they may be able to execute code with kernel-level privileges. Because this flaw occurs in a core Windows component used for graphics handling (DirectX), it may be exploitable through user-space interactions under specific conditions.

Successful exploitation would allow an attacker to bypass standard user-level restrictions and take full control of the target system. As with other local privilege escalation vulnerabilities, this bug is particularly valuable to attackers who have already gained a foothold on a system.

At present, no updates are available for this vulnerability, and Microsoft has not indicated when a patch for affected systems will be released. In the meantime, defenders are advised to monitor systems for suspicious interactions with DirectX APIs and kernel-mode drivers.

CVE-2025-27480 & CVE-2025-27482 - 8.1 - Windows Remote Desktop Services Remote Code Execution Vulnerability

A vulnerability has been identified in the Remote Desktop Gateway (RD Gateway) service, stemming from sensitive data being stored in improperly locked memory. This flaw introduces the potential for remote code execution (RCE) by an unauthorized attacker over a network.

Despite the CVSS metric designating this as High Attack Complexity (AC:H), the vulnerability is considered more likely to be exploited because of the nature of the bug and its potential impact. Attackers are likely to invest time in exploiting vulnerabilities in remote desktop protocols because the service is remotely accessible, and several RD Gateway vulnerabilities over the past few years have seen exploitation in the wild.

The high complexity rating is attributed to the need for an attacker to successfully win a race condition, leading to a use-after-free scenario. If this condition is met, arbitrary code execution could be achieved remotely.

An attacker would target a system configured with the Remote Desktop Gateway role. By carefully timing interactions to trigger the race condition, they could gain unauthorized code execution on the affected host, posing serious risks to enterprise environments where RD Gateway is used to manage secure remote access.

Organizations using RD Gateway should prioritize applying relevant patches as soon as they are made available and monitor for unusual access patterns or memory anomalies on systems running the role.

CVE-2025-29824 - 7.8 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

A critical vulnerability has been identified in the Windows Common Log File System (CLFS) driver that allows for local privilege escalation (LPE) through a use-after-free condition. This flaw enables a locally authenticated attacker to elevate privileges to SYSTEM level, granting full control over the affected system.

What makes this vulnerability particularly concerning is that Microsoft has confirmed active exploitation in the wild, yet at this time, no patch has been released for Windows 10 32-bit or 64-bit systems. The lack of a patch leaves a critical gap in defense for a wide portion of the Windows ecosystem.

The vulnerability arises from improper memory handling in the CLFS driver (clfs.sys). Under certain memory manipulation conditions, a use-after-free can be triggered, which an attacker can exploit to execute code at the highest privilege level in Windows. Importantly, the attacker does not need administrative privileges to exploit the vulnerability — only local access is required.

This type of vulnerability is especially dangerous in post-compromise scenarios. Once an attacker has a foothold on a machine — via phishing, malware, or other vectors — they can exploit the CLFS bug to elevate privileges, maintain persistence, and move laterally across an enterprise network. It is a favored class of vulnerability in targeted attacks and ransomware operations.

In the absence of a security update, organizations should take proactive steps to mitigate risk. Security teams are advised to monitor the CLFS driver closely using EDR/XDR tools. This includes watching for processes interacting with clfs.sys, being spawned by it, or showing anomalous behavior when communicating with other drivers or memory spaces.

Until a patch is made available, visibility and endpoint behavior analysis are the most effective defenses against exploitation of this actively abused vulnerability.
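The monitoring advice above can be turned into a concrete hunt. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes Sysmon is installed and logging ImageLoaded (Event ID 7) and FileCreate (Event ID 11), and treats loading of clfsw32.dll (the user-mode CLFS client library) and creation of .blf base log files as the observable "interaction with clfs.sys". The process allowlist is a constructed starting point that must be baselined per environment, since Windows itself uses CLFS for registry transactions.

```powershell
# Added example, not from the original post. Assumes Sysmon logs Event ID 7 (ImageLoaded)
# and 11 (FileCreate). User-mode CLFS access goes through clfsw32.dll and creates .blf
# base log files, so both are used here as the observable interaction with clfs.sys.
$Allowlist = @('svchost.exe', 'lsass.exe', 'explorer.exe', 'MsMpEng.exe',
               'TrustedInstaller.exe', 'TiWorker.exe')   # constructed; baseline per host
$Since = (Get-Date).AddHours(-24)

function Get-ClfsActivity {
    # Returns one record per CLFS-related Sysmon event from a non-allowlisted process.
    param([datetime]$StartTime, [string[]]$Allow)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 7, 11
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten <Data Name="...">value</Data> elements into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $artifact = if ($e.Id -eq 7) { $d['ImageLoaded'] } else { $d['TargetFilename'] }
        if ($e.Id -eq 7  -and $artifact -notmatch '\\clfsw32\.dll$') { continue }
        if ($e.Id -eq 11 -and $artifact -notmatch '\.blf$')          { continue }

        $proc = Split-Path -Leaf $d['Image']
        if ($Allow -contains $proc) { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Process   = $d['Image']
            ProcessId = $d['ProcessId']
            User      = $d['User']          # present in newer Sysmon schemas only
            Artifact  = $artifact
        }
    }
}

Get-ClfsActivity -StartTime $Since -Allow $Allowlist |
    Sort-Object Time |
    Format-Table -AutoSize
```

Unexpected processes (e.g. something running from a user profile or %TEMP%) creating .blf files or loading clfsw32.dll are the records worth triaging; legitimate system components will dominate the output until the allowlist is tuned.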

CVE-2025-27727 - 7.8 - Windows Installer Elevation of Privilege Vulnerability

A newly disclosed vulnerability has been identified in the Windows Installer component that allows for local privilege escalation (LPE) due to improper link resolution before file access, often referred to as a 'link following' issue. This flaw could enable a locally authenticated attacker to gain SYSTEM-level privileges, granting them complete control of the affected device.

The vulnerability stems from how Windows Installer handles symbolic links (symlinks), hard links, and NTFS junctions during installation processes. If attackers can manipulate these links before the service resolves them, they can redirect privileged file operations to unintended locations. This opens the door to overwriting protected files or executing malicious payloads with elevated privileges.

At the time of writing, the vulnerability has not been publicly disclosed or exploited in the wild, but Microsoft has assessed exploitation as “more likely”. This indicates that the issue is accessible enough for attackers to weaponize in the near future, especially in targeted post-exploitation scenarios.

Compounding the risk, no security update is currently available for Windows 10 32-bit or 64-bit systems. Microsoft has acknowledged the delay and committed to releasing patches as soon as possible, with affected customers to be notified via CVE updates. In the meantime, the lack of a patch exposes systems to potential privilege escalation attacks.

Security teams should monitor endpoints for unusual use of symbolic links or installer-related file operations, especially those that touch protected directories or cross privilege boundaries. As a precaution, organizations are advised to review the usage of Windows Installer in their environments and restrict write access to locations commonly abused in LPE chains (e.g., C:\ProgramData and %TEMP%).

Until updates are available, system hardening and continuous endpoint monitoring remain key in reducing the likelihood of successful exploitation.
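The two precautions above, checking who can write to commonly abused locations and looking for reparse points already planted in them, can be audited with the following PowerShell. It is an added example, not code from the original post; it takes C:\ProgramData and %TEMP% from the text and adds C:\Windows\Temp as an assumed further user-writable location.

```powershell
# Added example, not from the original post: audit user-writable locations for ACLs that
# let broad groups create files and for existing symlinks/junctions, the two ingredients
# a link-following LPE chain relies on. C:\Windows\Temp is an assumed extra location.
$Roots       = @('C:\ProgramData', $env:TEMP, 'C:\Windows\Temp')
$BroadGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$WriteBits   = [Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'

function Get-BroadWriteAces {
    # Returns the ACEs on $Path that grant write/create rights to broad groups.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadGroups -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $WriteBits) -ne 0)
    }
}

function Get-ReparsePoints {
    # Returns symlinks and junctions under $Root with target, owner and creation time.
    # Hard links carry no reparse attribute, so they are out of scope for this check.
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Type    = $_.LinkType                 # SymbolicLink or Junction
                Target  = ($_.Target -join ';')       # string[] on PS 5.1, string on PS 7
                Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
                Created = $_.CreationTime
            }
        }
}

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Write-Host "== $root =="
    Get-BroadWriteAces -Path $root | Format-Table IdentityReference, FileSystemRights -AutoSize
    Get-ReparsePoints -Root $root  | Format-Table -AutoSize
}
```

Reparse points owned by a standard user that point into protected paths such as C:\Windows or C:\Program Files are the findings to investigate; broad write ACEs on the roots show where such links could be planted.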

CVE-2025-26663 - 8.1 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Microsoft is patching a Remote Code Execution (RCE) vulnerability affecting the LDAP service, which is most commonly found on Domain Controllers in an enterprise environment.

An unauthenticated attacker who can reach this service can achieve code execution with the privileges under which the LDAP service runs (the SYSTEM account by default) by sending a specially crafted LDAP request that triggers a use-after-free (UAF) memory corruption vulnerability. Against a Domain Controller, this results in complete control of the Windows environment within an enterprise network.

Typically, only clients and servers inside the network are expected to have access to LDAP on Domain Controllers, so an attacker would first need to gain a foothold via a phishing attack or another initial access vector before using this vulnerability. Due to the level of access it affords, this vulnerability will be of keen interest to threat actors who require the highest levels of permission to achieve an objective on target, such as ransomware groups.

Microsoft acknowledges that this vulnerability will be complicated to exploit: the attacker needs to win a race condition, and the conditions required for a successful exploit may not be routinely present or may take time to create. Defenders should nonetheless prioritize this patch given the level of access successful exploitation affords. Note that Microsoft has not yet released patches for Windows 10, so anyone running the LDAP service on Windows 10 should watch for those patches and consider mitigating the risk by limiting exposure of LDAP on that version of Windows.

CVE-2025-27745 (and various) - 7.8 - Microsoft Office Remote Code Execution Vulnerability

Microsoft is patching a number of issues across the Microsoft Office suite that could lead to Remote Code Execution (RCE). Interestingly, all of the identified CVEs appear to relate to memory corruption issues in some manner. This means an attacker would need to create a specially crafted Office document or file and deliver it to a target to open. Unlike the malicious macro payloads usually associated with phishing via Office documents, it is assessed that a user will only need to open the document for code execution to occur.

These vulnerabilities affect all versions of Office from 2016 onwards, both 32-bit and 64-bit, and patching should be prioritized by defenders where possible. Phishing remains a prominent technique for attackers to gain access to a target environment, and threat actors could look for conditions like this to exploit so that they are not relying on Office macros, which may be blocked depending on the target and environment.
