April 2025 Patch Tuesday overview
Microsoft addressed 121 vulnerabilities—significantly more than last month—including 11 rated as critical. However, only one zero-day was fixed, a notable drop.
In this Vulnerability Digest, we cover both Microsoft vulnerabilities, including third-party updates from web browsers, WinRAR, Apple, Linux Bootloaders, Splunk. Next.js, VMware Tools, NGINX Ingress, Veeam, Cisco, Apache Tomcat, and Fortinet.
EXPLORE VULNERABILITY DIGEST BLOG POST WATCH VULNERABILITY DIGEST WEBINAR RECORDING
Next Patch Tuesday webinar – May 14
Don’t miss the next “Vulnerability Digest from Action1” webinar on May 14 at 11 AM EDT / 5 PM CEST to be among the first to get all the updates and strategies to protect your systems from potential cyber threats and ensure the smooth functioning of your servers and workstations.
Recent Updates
March 2025
Microsoft has released 57 security updates, six critical and six zero-days. Also inside: updates from web browsers, Android, VMware, Cisco, Paragon Partition Manager, Parallels Desktop, MongoDB, Ivanti, Citrix, Microsoft Bing & Power Pages, Juniper Networks, OpenSSH, Fortinet, and Progress Software LoadMaster.
February 2025
56 vulnerabilities from Microsoft, two zero-days, and two proof of concepts. Also inside: updates from web browsers,
WordPress, Ivanti, Cloudflare, Cisco, Apple, Android, 7-Zip, Cacti, Rsync, and SimpleHelp.
January 2025
Microsoft has addressed 159 vulnerabilities, three zero-days, ten critical. Also inside: third-party updates from web browsers, WordPress, Ivanti, Palo Alto, Apache, Adobe, Sophos, Fortinet, and Apple.
December 2024
Fixes for 70 vulnerabilities from Microsoft, 16 critical, only one zero-day. Third-party vulnerabilities include updates from web browsers, Mitel MiCollab, Cisco, Veeam, Zabbix, WordPress, 7-Zip, Linux, Citrix, Apple, Palo Alto Networks, VMware, and Ivanti.
November 2024
Microsoft patched 88 vulnerabilities, two zero-days, one with a proof of concept. Also inside: third-party updates from web browsers, Apple, Cisco, Android, WordPress, GitLab, IBM, NVIDIA, VMware, Atlassian, Samsung, Kubernetes, and GitHub.
October 2024
118 patched vulnerabilities from Microsoft, two zero-days, both with proof of concept. Also inside: third-party updates from Mozilla Firefox, Apple, Zimbra, NVIDIA, Cisco, ESET, GitLab, VMware, Adobe, and Ivanti.
September 2024
Microsoft has addressed 79 vulnerabilities, including four zero-days. Also inside: updates for web browsers, Veeam, GitHub, Fortra FileCatalyst, Adobe, Ivanti, and Industrial Control Systems.
August 2024
Fixes for 87 vulnerabilities were announced, including six zero-days, Also inside: vulnerabilities uncovered in Windows Kernel and Windows SmartScreen and third-party updates from web browsers, Progress Software WhatsUp Gold, Mailcow and Roundcube, Android, VMware ESXi, Zoho, etc.
July 2024
Microsoft addressed a record 142 vulnerabilities for the year, two are zero-days and five are critical. Third-party vulnerabilities include Google Chrome, Android, OpenSSH, Splunk, CocoaPods for Swift, Cisco, Juniper, GitLab, FileCatalyst, Siemens, MOVEit Transfer, and VMware.
June 2024
Microsoft patched 51 vulnerabilities, one critical, no zero-days. Third-party vulnerabilities covered: Google Chrome, Mozilla Firefox, PHP, Azure, Check Point, GitHub, Rockwell, Veeam, Fluent Bit, and QNAP.
May 2024
61 vulnerabilities addressed by Microsoft, two zero-days, one of which has a proof of concept (PoC) available. Also inside: issues found in Intel, AMD Processors, Aruba, WordPress, Artificial Intelligence, Cisco, Ivanti, Putty, Palo Alto, and LG WebOS, web browsers, etc.
April 2024
Fixes for 151 vulnerabilities were announced, no zero-days, three critical. Also inside: issues found in HTTP 2.0, Flowmon, Ivanti, Linux, Splunk, Anyscale Ray AI, Apple, GLPI, Fortinet, Atlassian, Fortra, Cisco, Kubernetes, web browsers, etc.
March 2024
Microsoft has fixed a total of 60 vulnerabilities, no zero-days, two critical. Also inside: issues found in Jet Brains Team City, Zeek, VMware, Apple, Smart Toys, ConnectWise ScreenConnect, Joomla, SolarWinds, ESET, Linux, and Node.js., web browsers, etc.
February 2024
Microsoft has addressed a total of 73 vulnerabilities, two zero-days, five critical. Also inside: issues found in GitLab, Jenkins, Android, Vinchin Backup & Recovery, ModSecurity, WhatsApp, Apple, JetBrains, Cisco, VMware, Linux, Fortinet, Ivanti, web browsers, etc.
January 2024
Microsoft has addressed a total of 48 vulnerabilities, two critical vulnerabilities. Also inside: issues found in Google Chrome, Google Web Toolkit, Mozilla Firefox, Apache solutions, Barracuda, ESG, Apple, Linux, ESET, Ivanti, OpenSSH, Perforce Helix Core Server, and Dell.
December 2023
Microsoft patched 34 vulnerabilities, no zero-days, and four critical. Also inside: issues found in Chrome, Firefox, WordPress, Web Password Managers, Atlassian, Cisco, Bluetooth, VMware, Zyxel, Apple, Qlik Sense, ownCloud, CrushFTP, FortiSIEM, AMD, and Intel.
November 2023
Microsoft patched 63 vulnerabilities, three zero-days, and three critical. Also inside: issues found in Google Chrome, Mozilla, Firefox, Veeam ONE, Apache ActiveMQ, Atlassian, Kubernetes ingress-nginx, Cisco, Citrix, VMware, SolarWinds, Oracle, Exim, and SysAid.
October 2023
Microsoft released patches for 103 vulnerabilities, including three zero-days, 16 considered critical. Also inside: issues found in Google Chrome, Firefox, Apple, Linux, Atlassian, Progress Software WS_FTP, Jet Brains Team City, Exim, Cisco, Nagios, and Kubernetes.
September 2023
Microsoft has addressed 61 vulnerabilities, including two zero-days and five critical. Also inside: issues found in Android, Google Chrome, Firefox, Ivanti, SCADA, Citrix, Splunk, Notepad++, Juniper, Apple, Skype, WinRAR, Intel, AMD, and Siemens.
August 2023
Microsoft has addressed 74 vulnerabilities, including one zero-day and six critical. Also inside: issues found in Azure, Chrome, Firefox, Ivanti, Canon, Ubuntu Linux, AMD, MikroTik, Atlassian, Apple, and Adobe ColdFusion.
July 2023
Microsoft has resolved a record-breaking number of 142 vulnerabilities, including six zero-days and 9 critical. You will find inside: issues found in MOVEit, Firefox, Android, Cisco, Microsoft Teams, Linux, ChatGPT, FortiGate, VMware and Apple.
June 2023
Microsoft has resolved 86 vulnerabilities, fixes for new and existing issues. Also: updates for Windows Protected Process Light, Google Chrome, Firefox, Gitlab, Mikrotik RouterOS, Mobile Devices Fingerprint, Barracuda Email Gateway, Libre Office, Linux, and Apple.
May 2023
This Patch Tuesday, Microsoft has resolved 39 vulnerabilities, two zero-days and six critical vulnerabilities. In this issue you’ll also find updates about fixes for Google Chrome, Mozilla Firefox, Apache, Service Location Protocol, VMware, Apple, Intel and Linux.
April 2023
In this Patch Tuesday release, Microsoft has addressed a total of 102 vulnerabilities, two zero-days and seven critical. In this issue you’ll also find updates about fixes for Microsoft Snipping Tool, Google Chrome, Firefox, Android, Bing, IEEE 802.11 Wi-Fi protocol, and Apple.
March 2023
This Patch Tuesday, Microsoft fixed a total of 74 vulnerabilities, nine critical fixes, and two zero-days. Explore this issue also for updates about fixes for Microsoft Office and Intel Processors in Windows OS fixes, TPM 2.0, Google Chrome, Jenkins, Veeam and Android.
February 2023
The February Patch Tuesday brought 75 fixed vulnerabilities, six critical updates and three zero-day vulnerabilities. Zoom in for details about fixes for Google Chrome, Mozilla Firefox, OpenSSL, Jira, Oracle and Apple.
January 2023
The first Patch Tuesday of 2023 brings us 98 fixed vulnerabilities from Microsoft, 11 critical fixes, and one zero-day. In this issue, you’ll also find updates about fixes for Google Chrome, Mozilla Firefox, Citrix, Linux, WordPress, Foxit Reader, and VMware.
December 2022
December Patch Tuesday brings us 52 fixes from Microsoft. There are seven critical updates, including one zero-day. In this issue, you’ll also find updates about fixes for Internet Explorer, Google Chrome, Mozilla Firefox, Avast, Foxit Reader, VLC Media Player and Zoom.
November 2022
68 vulnerabilities were fixed by Microsoft in November, ten critical updates and six fixed zero-days. In this issue, you’ll also find updates about fixes for Google Chrome, Mozilla Firefox, Oracle, Zoom and Cisco.
Frequently asked questions
What is Patch Tuesday?
Patch Tuesday is a scheduled release day for software patches, primarily used by Microsoft, to fix security vulnerabilities, bugs, and performance issues in its software products like Windows, Office, and Azure. It occurs monthly and aims to standardize the process of delivering security updates to ensure devices remain protected. Coordinating updates in this way allows organizations to prepare in advance, reducing downtime and allowing IT teams to plan maintenance schedules around expected changes. The approach helps maintain a safer software ecosystem, reducing the chances of cyberattacks exploiting known vulnerabilities. Over time, Patch Tuesday has become a widely recognized term across the tech industry, highlighting the importance of regular and predictable software maintenance.
When is Patch Tuesday?
Patch Tuesday happens on the second Tuesday of each month. Microsoft established this monthly schedule to provide a regular cadence for updating its software products. This predictable timing allows IT departments and end-users to prepare for and implement updates with minimal disruption, making it easier to incorporate patches into maintenance plans. By aligning security updates to a set day, Microsoft helps prevent vulnerabilities from remaining unpatched for extended periods. This cycle, often supplemented by additional security advisories, helps secure systems promptly against emerging cyber threats, making Patch Tuesday a crucial date in cybersecurity.
What kind of information is released during Patch Tuesday?
During Patch Tuesday, Microsoft publishes security bulletins detailing the vulnerabilities addressed, their severity levels, and the specific products affected. This information includes patch descriptions, known issues, and any required steps for implementing updates. Each update is rated based on the risk level (e.g., “Critical” or “Important”), allowing IT administrators to prioritize patches accordingly. Sometimes, other technical details like CVE (Common Vulnerabilities and Exposures) IDs, workarounds, and deployment recommendations are provided to help organizations apply updates efficiently. These bulletins are valuable resources for administrators aiming to maintain secure IT infrastructures and protect against potential attacks.
Who started Patch Tuesday?
Microsoft pioneered Patch Tuesday in 2003 as part of its Trustworthy Computing initiative, introduced by Bill Gates. This initiative focused on improving the reliability, security, and privacy of Microsoft products amid increasing concerns over software vulnerabilities and cyber threats. The goal of Patch Tuesday was to bring consistency to security update rollouts, making it easier for organizations to manage patches and proactively secure systems. By consolidating patches to a monthly schedule, Microsoft helped IT departments better prepare and respond to vulnerabilities, establishing a model that other companies have since adopted.
When did Patch Tuesday become popular?
Patch Tuesday gained popularity shortly after its launch in 2003 as it addressed growing concerns around cybersecurity in the early 2000s. With frequent threats like viruses and worms affecting software products, businesses and end-users alike welcomed the structured approach. The concept quickly became ingrained in IT culture as it simplified patch management and provided a predictable schedule for crucial security updates. Over time, the increasing frequency of cyberattacks and reliance on Microsoft software solidified Patch Tuesday’s importance, making it a standard practice not only for Microsoft but also a model followed by other companies like Adobe and Oracle.
