Microsoft March 2025 Patch Tuesday Fixes 7 Zero-Days, 57 Flaws

Microsoft’s March 2025 Patch Tuesday includes security updates for a total of 57 vulnerabilities, with a focus on six actively exploited zero-day vulnerabilities. This month’s updates also address three critical remote code execution (RCE) vulnerabilities, alongside a range of other flaws across various Microsoft products.


Breakdown of Vulnerabilities

The updates cover the following vulnerability categories:

  • 23 Elevation of Privilege Vulnerabilities
  • 3 Security Feature Bypass Vulnerabilities
  • 23 Remote Code Execution Vulnerabilities
  • 4 Information Disclosure Vulnerabilities
  • 1 Denial of Service Vulnerability
  • 3 Spoofing Vulnerabilities

Note that the numbers above do not include Mariner flaws or the 10 Microsoft Edge vulnerabilities, which were fixed earlier in the month.

To learn more about the non-security updates, including the Windows 11 KB5053598 & KB5053602 cumulative updates, visit the detailed articles released today.


Six Actively Exploited Zero-Days

This Patch Tuesday addresses six actively exploited zero-days and one publicly disclosed flaw, totaling seven zero-days for the month of March. These zero-days are vulnerabilities that have been actively targeted or publicly exposed without a fix at the time of disclosure.

A few of these zero-days are related to Windows NTFS bugs that involve the mounting of VHD (Virtual Hard Disk) drives. Below are the details of the actively exploited zero-days:

CVE-2025-24983: Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability

  • Impact: This flaw allows local attackers to gain SYSTEM privileges on the affected device by exploiting a race condition.
  • Exploitation: Microsoft has not yet shared specifics on how the vulnerability was exploited. Filip Jurčacko from ESET discovered the flaw. More details are expected in the future.

CVE-2025-24984: Windows NTFS Information Disclosure Vulnerability

  • Impact: Attackers with physical access to the device can exploit this flaw by inserting a malicious USB drive, which enables the attacker to read portions of heap memory, potentially stealing sensitive information.
  • Exploitation: This vulnerability was disclosed anonymously.

CVE-2025-24985: Windows Fast FAT File System Driver Remote Code Execution Vulnerability

  • Impact: This RCE vulnerability, caused by an integer overflow or wraparound, allows attackers to execute arbitrary code when a specially crafted VHD is mounted on the system.
  • Exploitation: Malicious VHD files have been distributed in phishing attacks and on pirated software sites. This flaw was also disclosed anonymously.

CVE-2025-24991: Windows NTFS Information Disclosure Vulnerability

  • Impact: Similar to CVE-2025-24984, this vulnerability allows attackers to read portions of heap memory and steal sensitive information by exploiting the mounting of a malicious VHD.
  • Exploitation: This vulnerability was disclosed anonymously.

CVE-2025-24993: Windows NTFS Remote Code Execution Vulnerability

  • Impact: This RCE vulnerability, caused by a heap-based buffer overflow, allows attackers to execute arbitrary code when mounting a malicious VHD.
  • Exploitation: This flaw was also disclosed anonymously.

CVE-2025-26633: Microsoft Management Console Security Feature Bypass Vulnerability

  • Impact: This flaw could allow malicious .msc files to bypass Windows security features and execute code. Attackers would need to convince the user to open a specially crafted file, such as through phishing emails or malicious links.
  • Exploitation: Discovered by Aliakbar Zahravi from Trend Micro, this vulnerability is significant but depends on user interaction.

Publicly Disclosed Zero-Day

CVE-2025-26630: Microsoft Access Remote Code Execution Vulnerability

  • Impact: This RCE vulnerability in Microsoft Access is caused by a use-after-free memory bug. Attackers can exploit this flaw by tricking users into opening a specially crafted Access file, typically through phishing or social engineering tactics.
  • Exploitation: This flaw cannot be exploited via the preview pane, and Microsoft has not revealed the source of disclosure.

Recommendations for Users and Administrators

It is strongly recommended that users and administrators apply the March 2025 Patch Tuesday updates immediately to mitigate the risk of exploitation, especially regarding the actively exploited zero-day vulnerabilities. Prioritizing the critical vulnerabilities, particularly those related to remote code execution and elevation of privilege, will help secure systems from immediate threats.
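
While patches roll out, a mail or download gateway can hold the file types this article names as delivery vehicles (VHD images, .msc console files, Access databases). The Python below is an added example, not code from Microsoft or from this article's author: it identifies those types by content, so renamed or zipped files are still caught, and it goes slightly beyond the text by also recognising the related VHDX format. The function names, the 64 MiB member cap, whole-file reads into memory and the sample inputs are assumptions made for illustration.

```python
import io
import zipfile

VHDX_SIG = b"vhdxfile"         # VHDX file identifier at offset 0
VHD_COOKIE = b"conectix"       # first 8 bytes of the 512-byte VHD footer
DB_SIGS = (b"Standard Jet DB", b"Standard ACE DB")  # .mdb / .accdb, offset 4
MSC_ROOT = "<MMC_ConsoleFile"  # root element of an MMC console (.msc) file
EXTS = {"vhd": (".vhd",), "vhdx": (".vhdx",), "msc": (".msc",),
        "access": (".mdb", ".accdb", ".mde", ".accde")}
MAX_MEMBER = 64 * 1024 * 1024  # assumed cap on archive members read into memory

def classify(data):
    """Identify a file of interest from content alone; None otherwise."""
    if data[:8] == VHDX_SIG:
        return "vhdx"
    # Fixed VHDs keep the footer only in the last 512 bytes; dynamic and
    # differencing VHDs also carry a copy of it at offset 0.
    if VHD_COOKIE in (data[:8], data[-512:-504]):
        return "vhd"
    if data[4:19] in DB_SIGS:
        return "access"
    head = data[:4096]
    enc = "utf-16" if head[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return "msc" if MSC_ROOT in head.decode(enc, errors="ignore") else None

def triage(name, data, depth=0):
    """Return (path, kind, disguised) findings, descending into ZIP archives."""
    kind = classify(data)
    if kind:  # disguised = content type does not match the file extension
        return [(name, kind, not name.lower().endswith(EXTS[kind]))]
    findings = []
    if depth < 2 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}!{info.filename}"
                if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                    findings.append((path, "uninspectable", False))  # fail closed
                else:
                    findings += triage(path, zf.read(info), depth + 1)
    return findings

def demo():  # constructed samples, not real disk images or console files
    fake_vhd = b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.img", VHDX_SIG + b"\x00" * 56)
    msc = b'<?xml version="1.0"?><MMC_ConsoleFile ConsoleVersion="3.0">'
    return (triage("invoice.pdf", fake_vhd) + triage("tools.zip", buf.getvalue())
            + triage("report.msc", msc))
```

Encrypted or oversized archive members are reported as "uninspectable" rather than passed, since password-protected archives cannot be checked by content.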

For more information, users can consult Microsoft’s security release documentation or reach out to their IT security teams for assistance with applying the patches.


How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact

