By – Satnam Narang, sr. staff research engineer at Tenable

“Microsoft patched over 100 CVEs for the second time this year. For the first time since August 2024, Patch Tuesday vulnerabilities skewed more towards elevation of privilege bugs, which accounted for over 40% (49) of all patched vulnerabilities. We typically see remote code execution (RCE) flaws dominate Patch Tuesday releases, but only a quarter of flaws (31) were RCEs this month.
“CVE-2025-29824, an elevation of privilege bug in Windows Common Log File System (CLFS) Driver, was the lone zero-day vulnerability exploited in the wild this month. CLFS is no stranger to Patch Tuesday – since 2022, Microsoft has patched 32 CLFS vulnerabilities, averaging 10 each year, with six exploited in the wild. The last CLFS zero-day flaw exploited in the wild was patched in December 2024 (CVE-2024-49138).
“From an attacker’s perspective, post-compromise activity requires obtaining requisite privileges to conduct follow-on activity on a compromised system, such as lateral movement. Therefore, elevation of privilege bugs are typically popular in targeted attacks. However, elevation of privilege flaws in CLFS have become especially popular among ransomware operators over the years.
“While RCE flaws consistently top overall Patch Tuesday figures, the data is reversed for zero-day exploitation. For the past two years, elevation of privilege flaws have led the pack and, so far in 2025, account for over half of all zero-days exploited.
“Microsoft also patched three RCE vulnerabilities in Windows Remote Desktop Services (RDP), including CVE-2025-26671, CVE-2025-27480 and CVE-2025-27482. The latter two are rated critical and the former is rated important. Exploiting all three vulnerabilities requires an attacker to win a race condition. Despite this limitation, Microsoft curiously marked the two critical flaws as “Exploitation More Likely.””
