Patch [FIX] Tuesday – April 2025: [Remote Desktop Roulette, CLFS Exploits, and macOS Vulns], E18
Ryan Braunstein (00:00)
All right, anyway... How do I start these things? Yeah. Happy Patch Tuesday, everyone. It's April, 2025 — we're almost halfway through the year here. You know, we're creeping up on it. It's kind of a light month for Microsoft, but we've got some juicy Apple CVEs. They've patched a lot this Tuesday.
Yeah, so we're just gonna jump right into this. Pause for music. You know, jamming out, good tunes.
Henry Smith (00:36)
Do do do do do do do do do do do...
Ryan Braunstein (00:42)
All right. Anyway, so let's just jump right into this. I'll start us off here with our usual co-hosts, Seth and Henry, that work here at Automox. They need no introduction — even though I just gave them one.
Our first CVE up this week is 2025-27480 — a Windows Remote Desktop Services Remote Code Execution vulnerability.
This one stems from a use-after-free vulnerability in the Remote Desktop Gateway. It's exploitable over the network with no login and no user interaction required.
While that sounds scary, it still takes a pretty complex method to pull off. Basically, an attacker connects to an exposed Remote Desktop Gateway and triggers a race condition to access memory that’s been freed. If they win, they can execute arbitrary code and take over the whole server — which, on a Remote Desktop Server, usually leads to lateral movement in the environment.
It really depends on how your environment is set up. If your Remote Desktop Gateway is internal-facing and you're all on-prem, this becomes a much harder vulnerability to exploit. But if it's public-facing — especially in hybrid or remote-heavy environments — there's more risk.
Again, no users, no clicks, no phishing — just pure network-based exploitation. So I'd say, look for signs of Remote Desktop Gateway exposure if you're in a remote-heavy setup. Otherwise, just good to be aware of.
Henry? Seth? Anything to add?
Seth Hoyt (03:10)
Yep, that's pretty much it.
Henry Smith (03:13)
I'm gonna wonder how many gateways are publicly exposed and sitting out there right now. Go on, Shodan it real quick.
Ryan Braunstein (03:21)
Yeah — just run it through Shodan, you know. I’ve worked at so many places that use Remote Desktop, but it’s never been public-facing. Always internal, maybe over VPN at most. So yeah, if you have a public-facing Remote Desktop Gateway... maybe re-evaluate that.
Henry Smith (03:37)
Yeah, right behind some kind of boundary.
We're thinking of you.
Ryan Braunstein (03:48)
We're thinking of you. You're in our thoughts. Maybe reevaluate how you host that — unless it's absolutely necessary. You'll be in our thoughts today.
Henry Smith (03:59)
This is not legal advice.
Ryan Braunstein (04:04)
It definitely is not. I am not qualified to give that.
Seth, you want to take us to the next one?
Seth Hoyt (04:13)
Sure. This one is CVE-2025-29824 — a Windows Common Log File System (CLFS) Driver Elevation of Privilege vulnerability.
With that mouthful out of the way, let’s call it CLFS. So, what is CLFS? It’s a core component of Windows that handles logging for the OS and its applications. It provides a reliable framework for storing important events and system data.
This vulnerability allows an attacker to gain higher privileges than they’re supposed to have. For example: a regular user becomes a system-level user.
Like the previous CVE, this also involves a use-after-free bug. So that’s two-for-two today. It uses memory after it's been freed, which can lead to bugs, unpredictable behavior, and code execution.
Why is it dangerous? You can combine it with other attacks to gain full control of a system. Especially with privilege escalation, a regular user can get kernel-level access — which is bad news for enterprise environments.
What should you do?
- Patch!
- Keep Windows updates current.
- Monitor for CVEs like this.
- Keep your endpoint protections updated.
- Enable good logging and alerting with SIEM tools.
Ryan Braunstein (06:56)
Yeah. I don’t know if you covered this — does it require an admin user or can a regular user trigger this?
Seth Hoyt (07:03)
No, this one can be triggered by a user-level account. It’s a race condition, so in theory, a non-admin can escalate to system or admin.
Also worth noting: this one has been exploited in the wild — confirmed exploit.
Ryan Braunstein (07:23)
Yeah, literally the only one on today's list that’s been exploited in the wild. Which is scarier for regular users.
That’s wild. I don’t really have much else to add.
Henry, anything to add — or want to take us to our Apple CVEs?
Henry Smith (07:55)
Yeah, not much to add. But when you said CLFS, I had a little trauma flashback — I remember seeing CLFS.SYS on a Blue Screen of Death before. There’s even an older CVE where a low-privilege user could trigger a BSOD using that driver.
Anyway, let’s change gears and talk about Apple for a second.
I read that 131 CVEs were patched this month for macOS Sequoia 15.4 — I think that’s a record. I can’t confirm, but just skimming the notes, there’s a smorgasbord of vulnerabilities: kernel, App Store, authentication services, AirDrop...
One that stood out: CVE-2025-24243 — affected the audio service.
Looks like a classic arbitrary code execution through a maliciously crafted file. Maybe something like a malicious MP3?
I’m really curious how that’s exploited — definitely reading more when info drops.
Overall, I’m impressed Apple patched so much this month. Kudos to them.
Ryan Braunstein (09:52)
Yeah.
Seth Hoyt (10:10)
Apple out there trying to save the trees.
Ryan Braunstein (10:10)
Yeah.
Henry Smith (10:13)
It’s funny because, you know — Sequoia.
Yeah... I’ll leave now.
Seth Hoyt (10:17)
I tried.
Ryan Braunstein (10:18)
Yeah.
Henry Smith (10:23)
But yeah, that’s all I’ve got.
Ryan Braunstein (10:24)
Yeah, that audio one... man, just think back to the LimeWire days — downloading MP3s that were viruses.
Now it’s even more in-depth.
Henry Smith (10:40)
So yeah, if you’re on Sequoia — definitely patch this month.
Ryan Braunstein (10:45)
Yeah, absolutely.
Kind of a light month on the Microsoft side, heavy month on the Apple side.
But good on them for getting everything patched.
Other than that — that’s gonna do it for us.
We’ll see you next month.