April 2021 Patch Tuesday – 108 Vulnerabilities, 19 Critical, Adobe

This month’s Microsoft Patch Tuesday addresses 108 vulnerabilities, of which 19 are rated critical severity and 88 are rated high severity. Adobe released patches for its Photoshop, Digital Editions, and Bridge products.

CVE-2021-28310: Win32k Elevation of Privilege Vulnerability

Microsoft released patches addressing another 0-day vulnerability (CVE-2021-28310). CVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). There is a public exploit available which is being used in the wild. BITTER APT group is suspected of exploiting this CVE in the wild. This CVE has a temporal score of 7.2 from the vendor and should be prioritized for patching.

Microsoft Exchange Server Remote Code Execution (RCE) Vulnerabilities

Microsoft released patches to fix critical RCE vulnerabilities in MS Exchange Server: CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483. CVE-2021-28480 and CVE-2021-28481 have a critical severity score of 9.8 out of 10 and could be exploited without authentication.

Workstation Patches

Microsoft Office vulnerabilities should be prioritized for workstation-type devices.


Adobe issued patches today covering multiple vulnerabilities in Photoshop, Digital Editions, and Bridge products. Patching Adobe Photoshop for CVE-2021-28542, CVE-2021-28549 and Digital Editions for CVE-2021-21100 should be prioritized due to their critical impact.

Webinar Series: This Month in Patches

To help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is excited to announce the start of a new monthly webinar series “This Month in Patches.”

In this new monthly webinar series, which will occur on every Thursday after Patch Tuesday, Qualys Research team will discuss some of the key vulnerabilities disclosed in the past month (including Microsoft Patch Tuesday) and how to patch them.

About Patch Tuesday

Patch Tuesday QIDs are published at Security Alerts, typically late in the evening of Patch Tuesday, followed shortly after by PT dashboards.