Tenable senior staff research engineer Satnam Narang said this was the biggest number of CVEs patched in a month since the company began tracking this data in 2017.
"The last time there were more than 100 CVEs patched was October 2023, when Microsoft addressed 103 CVEs. However, the previous high for total CVEs patched in a month was in July 2023, when Microsoft addressed 130 CVEs," he said.
"It's been an unusually quiet year in terms of zero-days. This time last year, there were seven zero-day vulnerabilities exploited in the wild. In 2024, we've only had two zero-days exploited and both were from February."
Narang said Microsoft had fixed a SmartScreen Prompt security feature bypass vulnerability with CVE-2024-29988, which was found by some of the same researchers who disclosed a similar flaw in February (CVE-2024-21412) that was exploited as a zero-day.
"Social engineering through direct means (email and direct messages) that requires some type of user interaction is a typical route for exploitation for this type of flaw. CVE-2024-21412 was used as part of a DarkGate campaign that leveraged fake software installers impersonating Apple’s iTunes, Notion, Nvidia and more.
"Microsoft Defender SmartScreen is supposed to provide additional protections for end users against phishing and malicious websites. However, as the name implies, these flaws bypass these security features, which leads to end users being infected with malware."
He said the April release addressed 24 vulnerabilities in Windows Secure Boot, most of which were considered "Exploitation Less Likely", according to Microsoft.
"However, the last time Microsoft patched a flaw in Windows Secure Boot (CVE-2023-24932), in May 2023, it had a notable impact, as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for US$5000. BlackLotus can bypass Secure Boot."
Narang added that while none of the Secure Boot vulnerabilities addressed in April were exploited in the wild, "they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future".
Rapid7's lead software engineer Adam Barnett pointed out that five browser vulnerabilities had been published separately and were not included in the total. "Despite the large number of vulnerabilities published today, Microsoft has ranked only three as critical," he added.
Microsoft was now including two additional data points on advisories: Common Weakness Enumeration (CWE) and Vector String Source assessments, he pointed out.
"The addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability; e.g., CVE-2024-21322 is assigned 'CWE-77: Improper Neutralisation of Special Elements used in a Command ('Command Injection')'," Barnett explained.
"By embracing CWE taxonomy, Microsoft is moving away from its own proprietary system to describe root cause. The CWE program has recently updated its guidance on mapping CVEs to a CWE Root Cause. Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle workflows and testing, as well as helping defenders understand where to direct defence-in-depth and deployment-hardening efforts for best return on investment. At the time of writing, the addition of CWE assessments does not appear to be retroactive."
He noted that several products had now moved past the end of mainstream support: Azure DevOps Server 2019, System Center 2019, and Visual Studio 2019. "Additionally, some older products move past the end of extended support, including Microsoft Deployment Agent 2013, Microsoft Diagnostics and Recovery Toolset 8.1, and Visual Studio 2013."
Mike Walters, president and co-founder of risk-based patch management software vendor Action1, said two critical vulnerabilities, CVE-2024-29053 and CVE-2024-21323, had been identified in Microsoft Defender for IoT, "underscoring significant risks to organisations’ Internet of Things security frameworks".
"Revealed on 9 April, these vulnerabilities have been critically rated for their potential impact on the confidentiality, integrity, and availability of the systems they afflict," Walters said.
"Stemming from an absolute path traversal flaw, as categorised by the Common Weakness Enumeration (CWE-36), these vulnerabilities expose a pathway for attackers to access and manipulate directories and files located beyond the web root folder."
He said exploitation of such vulnerabilities could enable an attacker to remotely execute arbitrary code, with the implications being profound, ranging from full system control, service disruptions, sensitive data leakage, to further network propagation.
"With a CVSS v3.1 score of 8.8, the severity of CVE-2024-29053 and CVE-2024-21323 is highlighted by their wide-reaching implications," Walters elaborated. "The exploitation process requires minimal complexity, indicating that attackers could leverage these vulnerabilities with basic user privileges and without any user interaction.
"The exploit code maturity for these vulnerabilities is currently 'Unproven', suggesting that, although their existence is verified, exploit code may not yet be prevalent in the wild."
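The absolute path traversal class Walters describes (CWE-36) is, at bottom, a path-handling check that an application skipped. The following is an added illustration, not code from the article or from Microsoft Defender for IoT: it contrasts the flawed join pattern, where an absolute right-hand operand silently replaces the web root, with a containment check that rejects both absolute paths and `..` escapes. The `wwwroot` directory and the request strings are constructed for the demonstration.

```python
"""Added example: rejecting absolute (CWE-36) and relative (CWE-23) path
traversal when mapping a user-supplied path under a web root."""
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import Dict, Optional


def is_absolute_any_os(requested: str) -> bool:
    """True if the string is absolute under POSIX or Windows rules."""
    return (PurePosixPath(requested).is_absolute()
            or PureWindowsPath(requested).is_absolute())


def vulnerable_join(web_root: str, requested: str) -> Path:
    """The flawed pattern: pathlib's '/' discards web_root entirely when the
    right-hand side is absolute, so '/etc/passwd' leaves the web root."""
    return Path(web_root) / requested


def resolve_under_root(web_root: str, requested: str) -> Optional[Path]:
    """Return the resolved path only if it stays inside web_root, else None."""
    root = Path(web_root).resolve()
    if is_absolute_any_os(requested):
        return None  # CWE-36: caller supplied an absolute path
    # resolve() collapses '..' components and follows symlinks, so the
    # containment test is done on the real target, not on the raw string.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        return None  # CWE-23: '..' walked out of the web root
    return candidate


def demo() -> Dict[str, bool]:
    """Create a constructed wwwroot and report which requests are accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "wwwroot")
        root.mkdir()
        (root / "index.html").write_text("<h1>constructed sample</h1>")
        requests = ["index.html", "sub/../index.html",
                    "/etc/passwd", "C:\\Windows\\win.ini", "../../etc/passwd"]
        return {r: resolve_under_root(str(root), r) is not None for r in requests}


if __name__ == "__main__":
    for req, accepted in demo().items():
        print(f"{req!r:28} -> {'served' if accepted else 'rejected'}")
```

Note that `vulnerable_join("/var/www", "/etc/passwd")` returns `/etc/passwd`, which is the whole of CWE-36; a string-prefix comparison on the unresolved path would not catch the `..` cases either, which is why the check resolves first.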
Walters also pointed to a series of critical remote code execution vulnerabilities in the Microsoft OLE DB Driver for SQL Server, an essential data access technology that facilitates rapid SQL Server data access across diverse applications.
"These vulnerabilities span several driver versions and are collectively deemed 'Important' in terms of severity," he noted.