April 2025: [Remote Desktop Roulette, CLFS Exploits, and macOS Vulns]

Episode 18 | Published April 12, 2025 | 12 minute watch

Summary

In the April 2025 edition of Patch [FIX] Tuesday, the crew walks through the month's patch highlights. Ryan kicks things off with a critical RDP Gateway vulnerability that requires no user interaction—just network access and bad intentions. Seth breaks down a kernel-level CLFS elevation-of-privilege exploit that has already been seen in the wild, while Henry shifts gears to Apple's massive 130+ CVE patch dump for macOS Sequoia. From use-after-free bugs to sneaky audio file attacks, this episode covers the month's biggest risks.

TL;DR: Patch your systems, secure your gateways, and maybe don’t trust that sketchy MP3.

Transcript

Ryan Braunstein:
All right, anyway, how do I start these things? Yeah. Happy Patch Tuesday, everyone. It's April 2025. We're almost halfway through the year. It's kind of a light month for Microsoft, but we’ve got some juicy Apple CVEs. They’ve patched a lot this Tuesday. So we're just gonna jump right into this. Pause for music... jamming out, good tunes.

Ryan Braunstein:
Alright. Anyway, let’s just jump right into this. I’ll start us off here with our usual co-hosts, Seth and Henry, who work here at Automox. They need no introduction—even though I just gave them one.

Our first CVE up this week is CVE-2025-27480, and that's a Windows Remote Desktop Services Remote Code Execution vulnerability. This one stems from a use-after-free vulnerability in the Remote Desktop Gateway. It's exploitable over the network with no login or user interaction required. And while that sounds scary, it still takes a pretty complex method to get it going.

Basically, an attacker connects to an exposed Remote Desktop Gateway and triggers a race condition to get access to memory that's already been freed. If they win that race, they can execute arbitrary code and take over the whole server. In a Remote Desktop Server, that can lead to lateral movement throughout the environment. Whether or not this is a big concern really depends on your setup.

If your Remote Desktop Gateway is internal-facing and your users are all on-prem, this becomes a lot harder to exploit. But if you do have people accessing the Gateway externally, that's when it becomes a bit more of a concern. Still not easy to pull off, but worth looking into. No phishing, no user clicks—just pure network-based exploitation. So I’d say look for signs of exposure in hybrid or remote-heavy environments. Otherwise, good to know about.

Henry, Seth—anything to add?

Seth Hoyt:
Yep, that’s pretty much it.

Henry Smith:
I’m just wondering how many gateways are publicly exposed and sitting out there right now. Quick Shodan search?

Ryan Braunstein:
Yeah, just running it through Shodan. I've worked at so many places that use Remote Desktop, but it’s never been in a public-facing way. It’s always been internal, over VPN at most. If you’ve got a public-facing Remote Desktop Gateway, maybe reevaluate how you're hosting that—unless it's absolutely necessary. You’re in our thoughts today.

Henry Smith:
Right behind some kind of boundary. We’re thinking of you.

Ryan Braunstein:
You’ll be in our thoughts today.

Henry Smith:
This is not legal advice.

Ryan Braunstein:
It definitely is not. I am not qualified to give that. Seth, want to take us to the next one?

Seth Hoyt:
Sure. This one is CVE-2025-29824. This is a Windows Common Log File System Driver Elevation of Privilege vulnerability. We shorten that to CLFS. So what is CLFS? It’s a core component of Windows that handles logging of operations and events for the OS and its applications. It provides a reliable logging framework.

This particular vulnerability allows an attacker to gain higher permissions than they’re supposed to have—like a regular user becoming a system-level user. Again, this one is another use-after-free bug, just like Ryan's. Two for two on those today.

Use-after-free means using memory after it’s been freed, which can lead to unpredictable behavior and potential code execution. It’s dangerous because you can combine this with other attacks to gain full control over a system.

If someone exploits this, they could elevate privileges from a normal user to full system or kernel-level access. Obviously that’s dangerous in enterprise environments—think lateral movement, full compromise, etc. This one's been exploited in the wild, too.

Best action? Patch it. Keep your Windows updates current, monitor CVEs, and keep your endpoint protection and antivirus up to date. Use your SIEM for logging and alerting.

Ryan Braunstein:
Does it require admin rights or can a regular user trigger it?

Seth Hoyt:
Nope, a regular user can do it. It’s another race condition, and yeah, it’s been confirmed as exploited in the wild.

Ryan Braunstein:
That’s wild. I think it’s the only one on today’s list that’s been confirmed as exploited. That makes it scarier for regular users.

Henry, anything to add? Or want to take us to our closing CVEs?

Henry Smith:
Nothing major to add, except that when you said CLFS, I had a little flashback. I remember seeing "CLFS.SYS" on a blue screen of death before. Sure enough, there was an older CVE where a low-privilege user could trigger a BSOD using that driver.

Let’s shift gears a bit and talk about Apple. I read somewhere that they patched 131 CVEs this month for Sequoia 15. I think that’s a record. I can’t confirm it for sure, but just skimming the release notes—there’s a ton in there. Everything from the kernel to the App Store. I saw some related to authentication services, AirDrop...

One that stood out was CVE-2025-24243, which affected the audio component. It’s an arbitrary code execution vulnerability via a maliciously crafted file. I’m guessing maybe a malicious MP3? That’s just weird. I’m curious to see how that actually works once more info comes out. But major kudos to Apple for getting so many CVEs patched.

Seth Hoyt:
Apple out here trying to save the trees.

Ryan Braunstein:
Yeah.

Henry Smith:
It’s funny—because Sequoia... and yeah, I’ll see myself out.

Seth Hoyt:
I tried.

Ryan Braunstein:
Yeah.

Henry Smith:
That’s all I’ve got.

Ryan Braunstein:
That audio one… man, that brings me back to the LimeWire days. Downloading MP3s that were basically viruses. Now it’s a bit more sophisticated.

Henry Smith:
Yeah, if you’re on Sequoia, definitely patch this month.

Ryan Braunstein:
Absolutely. Again, light month for Microsoft, heavy month for Apple. But good on them for getting it all patched. That’s going to do it for us—see you next month.