Patch Tuesday saw Microsoft push fixes for 124 new CVEs. Eleven are rated critical and one is under active exploitation: CVE-2025-29824 is a Windows Common Log File System (CLFS) Driver elevation-of-privilege bug that gives SYSTEM privileges. It is being exploited in the wild by ransomware threat actors, Redmond said.

Technology companies in the US and Spain have been targets, it added.

Worryingly, Windows 10 users don’t have a patch yet. Microsoft said: “The security update for Windows 10 for x64-based Systems and Windows 10 for 32-bit Systems are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information…” 

In a detailed and welcome breakdown of exploitation activity, Microsoft Threat Intelligence said: “It’s notable that the exploit first uses the NtQuerySystemInformation API to leak kernel addresses to user mode. 

“However, beginning in Windows 11, version 24H2, access to certain System Information Classes within NtQuerySystemInformation became available only to users with SeDebugPrivilege, which typically only admin-like users can obtain. This meant that the exploit did not work on Windows 11, version 24H2… The exploit then utilizes a memory corruption and the RtlSetAllBits API to overwrite the exploit process’s token with the value 0xFFFFFFFF, enabling all privileges for the process, which allows for process injection into SYSTEM processes,” MTI added.

It said that attacks by a threat actor it calls Storm-2460 have been seen in the US, Saudi Arabia and Venezuela, among other countries, using malware identified by Kaspersky and dubbed “PipeMagic.” MTI hasn’t identified the initial access vector. Notably, last year Kaspersky saw the malware being deployed via a "fake ChatGPT application".

Also particularly noteworthy were two critical pre-authentication RCE bugs (CVE-2025-26663 and CVE-2025-26670) affecting the Windows Lightweight Directory Access Protocol (LDAP) service. Microsoft tags both as “exploitation more likely” and notes that they let an unauthenticated attacker execute code on target systems just by sending a specially crafted LDAP message.

As the Zero Day Initiative’s Dustin Childs notes: “Since just about everything can host an LDAP service, there’s a plethora of targets out there. And since no user interaction is involved, these bugs are wormable. LDAP really shouldn’t be allowed through your network perimeter, but don’t rely on that alone. Test and deploy these updates quickly – unless you’re running Windows 10. Those patches aren’t available yet.”
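Childs' perimeter advice can also be applied as a host-level, defence-in-depth check while the patches are rolled out. The script below is an added example, not code from the article, ZDI or Microsoft: it lists every enabled inbound Windows Firewall allow rule that exposes an LDAP port (389/636, and 3268/3269 for the Global Catalog) to any remote address, and creates a replacement rule scoped to internal ranges. `$InternalRanges` is an assumed value to be replaced with your own address space; the rule name is also invented here.

```powershell
# Added example (not the article's or Microsoft's code): find inbound firewall rules
# that expose LDAP ports to any remote address, then add a rule scoped to internal ranges.
# $InternalRanges is an assumption - substitute the address space you actually use.

$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
$LdapPorts      = @('389', '636', '3268', '3269')

# Report enabled inbound allow rules whose local TCP port is an LDAP port and whose
# remote address filter is 'Any', i.e. rules that would accept LDAP from anywhere.
function Get-UnscopedLdapRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule  = $_
        $port  = $rule | Get-NetFirewallPortFilter
        $addr  = $rule | Get-NetFirewallAddressFilter
        $ports = @($port.LocalPort)   # may be a single string or an array
        $hitsLdap = $ports | Where-Object { $LdapPorts -contains $_ }
        if ($port.Protocol -eq 'TCP' -and $hitsLdap -and ($addr.RemoteAddress -contains 'Any')) {
            [pscustomobject]@{
                Name          = $rule.DisplayName
                LocalPort     = ($ports -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
    }
}

# Create an allow rule that only admits the LDAP ports from the internal ranges.
# Because the default inbound action of the Windows Firewall is Block, disabling the
# unscoped rules reported above leaves this scoped rule as the only path to LDAP.
function New-ScopedLdapAllowRule {
    New-NetFirewallRule -DisplayName 'LDAP - internal ranges only (example)' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $LdapPorts `
        -RemoteAddress $InternalRanges -Profile Domain,Private
}

# Usage: review first, then scope.
Get-UnscopedLdapRule | Format-Table -AutoSize
# Disable-NetFirewallRule -DisplayName '<name reported above>'
# New-ScopedLdapAllowRule
```

The audit deliberately matches exact port values only; a rule written as a port range (for example `380-400`) would not be flagged, so treat the report as a starting point rather than a complete inventory. This does not replace the perimeter rule Childs describes, it adds a layer behind it.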

On which note, Tyler Reguly, Associate Director, Security R&D at cybersecurity software and services provider Fortra, said: “I think the big question on everyone’s mind this month will be what happened at Microsoft? The updates were released 40 minutes later than usual. This is not a big deal; we wouldn’t even notice a delay that small from most organizations, but Microsoft isn’t most organizations, and their own punctuality made this delay obvious. Once the patches were released, they contained an FAQ note that Windows 10 security updates were not currently available and would be released as soon as possible with a revision to the CVE to notify customers. This really makes you wonder what went wrong with the Windows 10 updates…”

Reguly added: “These vulnerabilities have now been announced, malicious actors will be reverse engineering the updates to identify the vulnerabilities and how to exploit them, and Windows 10 users are left without the ability to update… if I were a CISO, I’d be paying attention to how long this delay persists and how impacted my organization is.”
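Working out “how impacted my organization is” starts with an inventory. The script below is an added example, not code from the article, Fortra or Microsoft. It classifies a list of hosts against the two facts reported above: Windows 10 has no CVE-2025-29824 fix yet, and Microsoft Threat Intelligence says the known exploit chain does not work on Windows 11 version 24H2 (build 26100) because of the SeDebugPrivilege requirement on NtQuerySystemInformation. `$Computers` is a constructed sample list, and `$PatchKb` is a placeholder because the article does not give the KB number; take it from the CVE-2025-29824 advisory.

```powershell
# Added example (not the article's or Microsoft's code): per-host exposure report for
# CVE-2025-29824. $Computers is a constructed sample; $PatchKb is a placeholder to be
# replaced with the KB number from Microsoft's advisory for the CVE.

$Computers = @('dc01', 'file01', 'ws-finance-12')   # constructed sample inventory
$PatchKb   = 'KB<placeholder-from-CVE-2025-29824-advisory>'

function Get-ClfsExposure {
    param([string[]]$ComputerName, [string]$Kb)
    foreach ($c in $ComputerName) {
        try {
            $os    = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
            $build = [int]$os.BuildNumber
            # Get-HotFix returns nothing when the update is absent (or the KB is a placeholder).
            $hasFix = [bool](Get-HotFix -Id $Kb -ComputerName $c -ErrorAction SilentlyContinue)

            # Classification uses the caption (so Server builds below 22000 are not mistaken
            # for Windows 10) plus the build number for the 24H2 boundary.
            $note = if ($os.Caption -match 'Windows 10') {
                        'Windows 10: no vendor fix yet - monitor advisory, restrict exposure'
                    } elseif ($os.Caption -match 'Windows 11' -and $build -ge 26100) {
                        'Windows 11 24H2: known exploit chain blocked per MTI - still apply patch'
                    } elseif ($hasFix) {
                        'Patched'
                    } else {
                        'Patch required'
                    }

            [pscustomobject]@{ Computer = $c; OS = $os.Caption; Build = $build
                               PatchInstalled = $hasFix; Note = $note }
        } catch {
            [pscustomobject]@{ Computer = $c; OS = $null; Build = $null
                               PatchInstalled = $null; Note = "unreachable: $($_.Exception.Message)" }
        }
    }
}

# Usage: run from an account that can query CIM and hotfix data on the target hosts.
Get-ClfsExposure -ComputerName $Computers -Kb $PatchKb | Format-Table -AutoSize
```

The 24H2 row is deliberately worded as a mitigation of the reported chain, not an all-clear: the CLFS bug itself is present until the update is installed, which is why the report still tracks `PatchInstalled` for those hosts.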

See also: Hitachi Energy wraps up 40,000-device Windows 11 migration
