April Patch Tuesday brings a high count of resolved CVEs, but a low number of high-priority risks. Microsoft has resolved 121 new unique CVEs this month, 11 of which are rated critical and one of which is known to be exploited. This month's zero-day vulnerability is in the Windows OS, making that your top priority.

In addition, Adobe has released 12 updates resolving 54 CVEs. Adobe ColdFusion was rated highest (Priority 1) and resolves 15 CVEs. Adobe Commerce and Experience Manager Forms were rated Priority 2 and resolved five CVEs and two CVEs respectively. The rest of the Adobe lineup was Priority 3.

Update your browsers! Google Chrome updated this Patch Tuesday resolving two additional CVEs. On April 1, both Mozilla Firefox and Google Chrome updated. Mozilla Firefox resolved eight CVEs, and Chrome resolved thirteen CVEs. Microsoft Edge (Chromium) updated on April 3 in response to the April 1 Chrome update, which means we will have an additional Edge update coming later this week.

Oracle is due to release its quarterly Critical Patch Update (CPU) on April 15, so keep an eye out for Oracle updates, including Java. The Java release will kick off the domino effect of alternative Java frameworks getting updates through the end of April and into early May.

Microsoft exploited vulnerabilities

Microsoft resolved an Elevation of Privilege vulnerability in the Windows Common Log File System Driver (CVE-2025-29824) that could allow an attacker to gain SYSTEM privileges on the affected system. The vulnerability affects all Windows OS versions and is confirmed to be exploited in the wild. Microsoft rates its severity as Important, and it has a CVSS 3.1 score of 7.8. Because it is being actively exploited, risk-based prioritization warrants treating this vulnerability as Critical.

Third-party vulnerabilities

  • Adobe released updates for most of the Creative Suite including After Effects, Animate, Bridge, Illustrator, Media Encoder, Photoshop and Premiere Pro.
  • Google Chrome released an update resolving two CVEs. Expect an Edge update to be released later this week.
  • Oracle’s quarterly CPU is scheduled for April 15, 2025. Expect updates for a number of Oracle products, but this release will also kick off the domino effect on all Java frameworks like Red Hat OpenJDK, Amazon Corretto, Azul Zulu, Eclipse Adoptium, AdoptOpenJDK and others.

Ivanti security advisory

Ivanti has released one update for April Patch Tuesday resolving a total of six CVEs. The affected products include Ivanti EPM 2022 and EPM 2024. For more details you can view the updates and information provided in the April Security Update on the Ivanti blog.

April update priorities

  • The Windows OS is your top priority this month, with the only zero-day exploit reported (CVE-2025-29824).
  • Update all of your browsers! Last week Mozilla, Chrome and Edge received updates, and an additional Chrome update was released on Patch Tuesday. If you have not already, you should consider moving browser updates to a weekly cadence to reduce exposure time, as Chrome and Edge will receive weekly updates, and Firefox typically has two to three updates per month.
  • Expect Oracle updates on April 15 and additional updates for Java frameworks over the next few weeks.