Today, as part of the March 2025 Patch Tuesday, Microsoft has released a significant security update addressing 57 vulnerabilities, including 6 actively exploited Zero-Day flaws. Additionally, the update fixes 3 critical vulnerabilities that allowed remote code execution, one of the most dangerous types of cyberattacks.
Vulnerability Breakdown by Category
Here’s a quick overview of the issues by category:
- 23 privilege escalation vulnerabilities
- 3 security feature bypass vulnerabilities
- 23 remote code execution vulnerabilities
- 4 information disclosure vulnerabilities
- 1 denial-of-service vulnerability
- 3 spoofing vulnerabilities
It's important to note that these numbers do not include issues related to Mariner or the 10 Microsoft Edge vulnerabilities fixed earlier this month.
Six Actively Exploited Zero-Day Vulnerabilities
This month’s update addresses six Zero-Day vulnerabilities that cybercriminals were actively exploiting, plus one additional flaw that was publicly disclosed before a fix was available — making a total of seven Zero-Day vulnerabilities patched in this release.
If you're unfamiliar with the term, a Zero-Day vulnerability is a security flaw that attackers discover before the software developer has a chance to release a fix, leaving systems exposed to potential attacks.
Some of these vulnerabilities are linked to issues within the Windows NTFS file system, particularly those involving the mounting of VHD (Virtual Hard Disk) files.
1. CVE-2025-24983 – Privilege Escalation in Windows Win32 Kernel Subsystem
This vulnerability allows attackers with local access to escalate their privileges to SYSTEM-level control — essentially giving them full control over the compromised device.
While Microsoft hasn’t disclosed the exact method of exploitation, the flaw was discovered by Filip Jurčacko from the security firm ESET, so further details may emerge soon.
2. CVE-2025-24984 – Information Disclosure in Windows NTFS
This flaw can be exploited if an attacker gains physical access to a device and inserts a malicious USB drive. By doing so, they can access parts of the system's memory and extract sensitive information. This vulnerability was reported anonymously.
3. CVE-2025-24985 – Remote Code Execution in Windows Fast FAT Driver
This vulnerability stems from an integer overflow error in the Fast FAT file system driver, which could allow attackers to execute malicious code on the affected system. To exploit this flaw, attackers may trick users into mounting a specially crafted VHD file. This tactic has previously been seen in phishing campaigns and on sites distributing pirated software. This vulnerability was also reported anonymously.
4. CVE-2025-24991 – Information Disclosure in Windows NTFS
This flaw allows attackers to access small portions of the system’s memory to steal sensitive information. Attackers exploit this by convincing users to mount a malicious VHD file, a format commonly used for virtual disk images in Windows. Although this vulnerability may seem minor, any data leak can provide attackers with valuable information for more sophisticated attacks. This flaw was reported anonymously.
5. CVE-2025-24993 – Remote Code Execution in Windows NTFS
This is one of the most serious vulnerabilities addressed this month. It’s caused by a buffer overflow error in the NTFS file system, which can allow attackers to execute malicious code. To exploit this flaw, attackers typically trick victims into mounting a specially crafted VHD file. This method is commonly used in phishing attacks or disguised as legitimate software downloads.
6. CVE-2025-26633 – Security Feature Bypass in Microsoft Management Console
While Microsoft hasn’t shared detailed information on this vulnerability, it’s believed that attackers can bypass security features by manipulating .msc files (used in the Microsoft Management Console).
In this case, an attacker could send a malicious file via email or instant message, hoping to convince the victim to open it. The attacker cannot force the victim to open the file, but they may use social engineering tactics to trick them into doing so — for example, by disguising the file as an important document. This vulnerability was discovered by Aliakbar Zahravi from Trend Micro, so further insights may follow soon.
One Publicly Disclosed Zero-Day Vulnerability
Among the patched issues this month, one vulnerability had already been made public before Microsoft could release a fix:
CVE-2025-26630 – Remote Code Execution in Microsoft Access
This vulnerability affects Microsoft Office Access and is related to improper memory handling. In simple terms, this flaw allows attackers to execute code on the system if they manage to trick the victim into opening a specially crafted Access file.
Attackers often exploit this type of vulnerability through phishing or social engineering tactics, convincing victims to download and open malicious files.
The good news is that this vulnerability cannot be exploited via the preview pane, which slightly reduces the risk. However, remaining vigilant is crucial. Microsoft has not yet disclosed who reported this flaw.
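Several of the flaws above depend on a user opening a delivered file: a VHD image, an .msc console file or an Access database. The following Python is an added example, not code from Microsoft or from this article; it screens mail attachments by content as well as by extension, and its function names, extension list and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY_EXT = {".vhd": "vhd", ".vhdx": "vhdx", ".msc": "msc", ".accdb": "access", ".mdb": "access"}

def sniff(data: bytes):
    """Identify a risky container from its content (None if no match), ignoring the name."""
    if data[:8] == b"vhdxfile":                      # VHDX file type identifier
        return "vhdx"
    # Dynamic VHDs begin with a copy of the footer; fixed VHDs only end with it.
    if data[:8] == b"conectix" or data[-512:][:8] == b"conectix":
        return "vhd"
    if data[4:19] in (b"Standard Jet DB", b"Standard ACE DB"):  # Access .mdb/.accdb
        return "access"
    if b"<MMC_ConsoleFile" in data[:4096]:           # XML root of an .msc file
        return "msc"
    return None

def triage(raw_message: bytes) -> list:
    """Return one finding per attachment whose name or content looks risky."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        by_name = next((kind for ext, kind in RISKY_EXT.items()
                        if name.lower().endswith(ext)), None)
        by_content = sniff(data)
        if by_name or by_content:
            findings.append({"file": name, "by_name": by_name, "by_content": by_content,
                             # Content is a risky type but the name claims otherwise.
                             "disguised": by_content is not None and by_content != by_name})
    return findings

def build_sample() -> bytes:
    """Constructed message: VHDX header named .pdf, an .msc, and a benign PDF."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    m.add_attachment(b"vhdxfile" + b"\0" * 64, maintype="application",
                     subtype="octet-stream", filename="invoice.pdf")
    m.add_attachment(b'<?xml version="1.0"?><MMC_ConsoleFile ConsoleVersion="3.0">',
                     maintype="application", subtype="octet-stream", filename="report.msc")
    m.add_attachment(b"%PDF-1.7 benign", maintype="application", subtype="pdf", filename="ok.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Only top-level attachments are inspected; files inside archives or forwarded messages would need unpacking first.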
March 2025 Patch Tuesday Security Updates
In addition to the previously mentioned Zero-Day vulnerability, Microsoft has addressed several other critical issues in its latest update package. Below is the complete list of vulnerabilities resolved this month:
Product/Service | CVE ID | Vulnerability Title | Severity |
---|---|---|---|
.NET | CVE-2025-24043 | Remote Code Execution Vulnerability in WinDbg | Important |
ASP.NET Core and Visual Studio | CVE-2025-24070 | Privilege Escalation Vulnerability in ASP.NET Core and Visual Studio | Important |
Azure Agent Installer | CVE-2025-21199 | Privilege Escalation Vulnerability in Azure Agent Installer | Important |
Azure Arc Installer | CVE-2025-26627 | Privilege Escalation Vulnerability in Azure Arc Installer | Important |
Azure CLI | CVE-2025-24049 | Privilege Escalation Vulnerability in Azure CLI | Important |
Azure Promptflow | CVE-2025-24986 | Remote Code Execution Vulnerability in Azure Promptflow | Important |
Kernel WOW Thunk Service | CVE-2025-24995 | Privilege Escalation Vulnerability in Kernel WOW Thunk Driver | Important |
Microsoft LSA Server | CVE-2025-24072 | Privilege Escalation Vulnerability in Microsoft LSA Server | Important |
Microsoft Management Console (MMC) | CVE-2025-26633 | Security Feature Bypass Vulnerability in MMC | Important |
Microsoft Office | CVE-2025-24083 | Remote Code Execution Vulnerability in Microsoft Office | Important |
Microsoft Office | CVE-2025-26629 | Remote Code Execution Vulnerability in Microsoft Office | Important |
Microsoft Office | CVE-2025-24080 | Remote Code Execution Vulnerability in Microsoft Office | Important |
Microsoft Office | CVE-2025-24057 | Remote Code Execution Vulnerability in Microsoft Office | Critical |
Microsoft Access | CVE-2025-26630 | Remote Code Execution Vulnerability in Microsoft Access | Important |
Microsoft Excel | CVE-2025-24081 | Remote Code Execution Vulnerability in Microsoft Excel | Important |
Microsoft Excel | CVE-2025-24082 | Remote Code Execution Vulnerability in Microsoft Excel | Important |
Microsoft Excel | CVE-2025-24075 | Remote Code Execution Vulnerability in Microsoft Excel | Important |
Microsoft Word | CVE-2025-24077 | Remote Code Execution Vulnerability in Microsoft Word | Important |
Microsoft Word | CVE-2025-24078 | Remote Code Execution Vulnerability in Microsoft Word | Important |
Microsoft Word | CVE-2025-24079 | Remote Code Execution Vulnerability in Microsoft Word | Important |
Kernel Streaming Service | CVE-2025-24046 | Privilege Escalation Vulnerability in Kernel Streaming Service Driver | Important |
Kernel Streaming Service | CVE-2025-24067 | Privilege Escalation Vulnerability in Kernel Streaming Service Driver | Important |
Microsoft Windows Server | CVE-2025-25008 | Privilege Escalation Vulnerability in Windows Server | Important |
Windows Remote Desktop Client | CVE-2025-26645 | Remote Code Execution Vulnerability in Windows Remote Desktop Client | Critical |
Windows DNS Server | CVE-2025-24064 | Remote Code Execution Vulnerability in Windows DNS Service | Critical |
Windows Hyper-V | CVE-2025-24048 | Privilege Escalation Vulnerability in Windows Hyper-V | Important |
Visual Studio | CVE-2025-24998 | Privilege Escalation Vulnerability in Visual Studio | Important |
Windows NTFS | CVE-2025-24993 | Remote Code Execution Vulnerability in Windows NTFS | Important |
Windows NTFS | CVE-2025-24984 | Information Disclosure Vulnerability in Windows NTFS | Important |
Windows Remote Desktop Services | CVE-2025-24035 | Remote Code Execution Vulnerability in Windows Remote Desktop Services | Critical |
Windows Win32 Kernel Subsystem | CVE-2025-24983 | Privilege Escalation Vulnerability in Windows Win32 Kernel Subsystem | Important |
Conclusion
The March 2025 Patch Tuesday stands out for addressing 7 Zero-Day vulnerabilities, 6 of them actively exploited, among the 57 security flaws fixed across various Microsoft products.
These updates are crucial for protecting your systems from potential cyber threats. Whether you manage a business network or are a home user, installing these security patches should be a top priority to safeguard your data and ensure system stability. Don’t delay — update your devices today to stay secure!