Microsoft has released security fixes to address a massive set of 126 flaws affecting its software products, including one vulnerability that it said has been actively exploited in the wild.
Of the 126 vulnerabilities, 11 are rated Critical, 112 are rated Important, and two are rated Low in severity. Forty-nine of these vulnerabilities are classified as privilege escalation, 34 as remote code execution, 16 as information disclosure, and 14 as denial-of-service (DoS) bugs.
The updates are aside from the 22 flaws the company patched in its Chromium-based Edge browser since the release of last month’s Patch Tuesday update.
The vulnerability that has been flagged as under active attack is an elevation of privilege (EoP) flaw impacting the Windows Common Log File System (CLFS) Driver (CVE-2025-29824, CVSS score: 7.8) that stems from a use-after-free scenario, allowing an authorized attacker to elevate privileges locally.
CVE-2025-29824 is the sixth EoP vulnerability to be discovered in the same component that has been exploited in the wild since 2022, the others being CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252, and CVE-2024-49138 (CVSS scores: 7.8).
“From an attacker’s perspective, post-compromise activity requires obtaining requisite privileges to conduct follow-on activity on a compromised system, such as lateral movement,” Satnam Narang, senior staff research engineer at Tenable, said.
“Therefore, elevation of privilege bugs are typically popular
Source: The Hacker News