Microsoft on Tuesday shipped urgent updates for at least 120 Windows vulnerabilities, including a zero-day in the Windows Common Log File System (CLFS) marked as “actively exploited.”
The CLFS zero-day, tagged as CVE-2025-29824, allows a local attacker to gain SYSTEM privileges by exploiting a use-after-free bug, Redmond’s security response team warned.
The issue carries a CVSS severity score of 7.8/10 and requires only low-level privileges with no user interaction.
Microsoft credited its internal threat intelligence team with discovering the issue, suggesting it was being exploited by professional hacking teams. The software maker said a patch for Windows 10 is not yet available and will be shipped at a later date.
In separate documentation, Microsoft blamed a ransomware group for the attacks and said targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia.
“In addition to discovering the vulnerability, Microsoft also found that the exploit has been deployed by PipeMagic malware. Microsoft is attributing the exploitation activity to Storm-2460, which also used PipeMagic to deploy ransomware,” the company said.
Over the last few years, there have been at least 26 documented vulnerabilities in the Windows CLFS subsystem used for data and event logging and Microsoft has responded with a major new security mitigation to block these attacks.
The company’s plans include the addition of Hash-based Message Authentication Codes (HMAC) to detect unauthorized modifications to CLFS log files and cover one of the most attractive attack surfaces for APTs and ransomware attacks.
The monster Patch Tuesday rollout also includes fixes for a use-after-free memory corruption flaw in Windows Hyper-V that allows an authorized attacker to execute code over a network. The issue is rated critical and carries remote code execution risks.
Microsoft also documented a pair of critical remote code execution flaws haunting its Windows Remote Desktop Services and warned that unauthorized attackers can execute code over a network.
The Microsoft Excel spreadsheet product also received a major security makeover to cover at least three vulnerabilities that the company says introduced remote code execution risks.
The company also fixed critical issues with remote code execution paths in the Microsoft Office productivity suite.
In addition to Microsoft, Adobe also released a massive batch of security updates alongside warnings that critical-severity vulnerabilities can be exploited to remotely take control of computer systems.
The Adobe Patch Tuesday rollout covers a total of 54 documented bugs and addresses major code execution defects in enterprise-facing products like Adobe ColdFusion, Adobe FrameMaker, Adobe Photoshop and Adobe Commerce.
The company called urgent attention to a fix for the ColdFusion web development platform, warning that at least 15 documented vulnerabilities put organizations at risk to arbitrary file system read, arbitrary code execution and security feature bypasses.
Related: Microsoft Patches Another Already-Exploited Windows Zero-Day
Related: Microsoft Ships Urgent Patch for Exploited Windows CLFS Zero-Day
Related: Microsoft Tackling Windows Logfile Flaws With New Mitigation
Related: Microsoft Patches Windows Zero-Day Exploited by Russian Hackers