As part of its March 2025 Patch Tuesday, Microsoft has released security updates addressing a total of 57 vulnerabilities, including six that were actively being exploited before a patch was available. Additionally, one vulnerability was publicly disclosed before a fix was released, bringing the total number of zero-day flaws to seven.
For your information, Patch Tuesday is the second Tuesday of each month when Microsoft releases security updates, bug fixes, and software patches for Windows, Office, and other Microsoft products. It is a scheduled update cycle aimed at improving security and stability.
The March 2025 Patch Tuesday update addresses several security issues, including 23 elevation of privilege vulnerabilities, 3 security feature bypass vulnerabilities, 23 remote code execution vulnerabilities, 4 information disclosure vulnerabilities, 1 denial of service vulnerability, and 3 spoofing vulnerabilities. These counts do not include vulnerabilities patched in Mariner or Microsoft Edge earlier in the month.
Six of the zero-day vulnerabilities were being actively exploited. One, tracked as CVE-2025-24983, enables local attackers to gain system-level privileges by exploiting a race condition in the Windows Win32 Kernel Subsystem where multiple processes simultaneously access or modify shared resources. This flaw affects various Windows versions.
CVE-2025-24991 and CVE-2025-24984 are information disclosure vulnerabilities in Windows NTFS. They allow an attacker with physical access to a Windows device to read sensitive information from the system’s memory and access portions of heap memory (a dynamically allocated region) by inserting a malicious USB drive, potentially stealing sensitive data or credentials. The publicly disclosed zero-day vulnerability, CVE-2025-26630, is a remote code execution (RCE) flaw in Microsoft Access caused by a use-after-free memory bug.
Other zero-day vulnerabilities include CVE-2025-24985, another RCE flaw in the Windows Fast FAT File System Driver caused by an integer overflow. CVE-2025-24993 is a remote code execution vulnerability in Windows NTFS caused by a heap-based buffer overflow. These vulnerabilities can be exploited by tricking users into mounting a crafted VHD file, allowing attackers to execute their code.
Finally, CVE-2025-26633 is a security feature bypass in the Microsoft Management Console. The attacker must convince a user to interact with a malicious link or file, such as a specially crafted MMC (.msc) file. If successful, the attacker can circumvent security measures and gain unauthorized access to administrative tools and system settings.
The six critical vulnerabilities, all RCE flaws with CVSS scores ranging from 7.8 to 8.8, affect various Microsoft products. Two of these impact Windows Remote Desktop Services (CVE-2025-24045 and CVE-2025-24035), while the others relate to Microsoft Office, Windows Domain Name Service (CVE-2025-24064), Remote Desktop Client, and Windows Subsystem for Linux Kernel (CVE-2025-24084).
The NTFS and FAT RCE flaws are highlighted as particularly concerning, as they are part of an exploit chain that includes the NTFS information disclosure vulnerabilities. These vulnerabilities are related to mounting virtual hard disk (VHD) files, which could be used to deliver malware payloads.
In addition to Microsoft, other vendors have also released security updates or advisories in March 2025. These include Broadcom, Cisco, Edimax, Google, Ivanti, Fortinet, Paragon, and SAP.
Experts emphasize the importance of applying these patches promptly, particularly those addressing zero-day vulnerabilities. CVE-2025-24057 and CVE-2025-26630 require Office updates, and users of Office 2016 need to install two specific patches.
Security updates for March 2025 are now available. Details are available here: https://t.co/ItXjYLFR2w #PatchTuesday #SecurityUpdateGuide pic.twitter.com/Wx1JOTwTZ2
— Security Response (@msftsecresponse) March 11, 2025
Expert Insights on Key Vulnerabilities
Cybersecurity experts at Immersive have highlighted several vulnerabilities that warrant immediate attention:
- Windows NTFS / FAT Remote Code Execution (CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993)
These four actively exploited flaws relate to remote code execution via Virtual Hard Disk (VHD) files. While not remotely exploitable over a network, attackers can trick users into mounting malicious VHDs, potentially delivering malware. Organizations should monitor for VHD files in emails or downloads and apply security restrictions where possible. Kev Breen, Senior Director of Threat Research, Immersive.
- Microsoft Management Console Security Bypass (CVE-2025-26633)
Attackers are exploiting this flaw to bypass security restrictions via social engineering. Users may receive malicious .msc files through phishing emails or compromised websites. Security teams should monitor for .msc executions from untrusted sources to detect potential exploitation. Kev Breen, Senior Director of Threat Research, Immersive.
- Windows Remote Desktop Services RCE (CVE-2025-24035)
This critical vulnerability enables remote attackers to execute arbitrary code on systems with Remote Desktop Gateway enabled. Successful exploitation could lead to malware deployment, lateral movement, and security tool evasion. Ben Hopkins, Cybersecurity Engineer, Immersive.
- Mark of the Web (MoTW) Bypass (CVE-2025-24061)
Attackers can exploit this flaw to bypass Windows’ security warnings on downloaded files. Malicious .url files or web-based lures can trick users into executing harmful content. As similar vulnerabilities have been actively exploited in the past, this remains a high-risk issue. Ben Hopkins, Cybersecurity Engineer, Immersive.
- Win32 Kernel Subsystem Privilege Escalation (CVE-2025-24983)
A race condition vulnerability allows attackers to escalate privileges to the SYSTEM level, gaining full control over affected systems. This can enable security evasion and credential theft using tools like Mimikatz. Microsoft has confirmed in-the-wild exploitation, reinforcing the need for immediate patching. Natalie Silva, Lead Cybersecurity Engineer, Immersive.
Security experts emphasize that organizations should prioritize patching these vulnerabilities, especially those actively exploited, to reduce the risk of compromise.
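The monitoring advice above (VHD files arriving via email or downloads, .msc executions from untrusted sources, .url lures) can be sketched as a small triage pass over endpoint telemetry. This is an added example, not code from the article or from Immersive; the event field names (Host, TargetFilename, CommandLine, ZoneId), the untrusted-directory list and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions the article ties to this month's lures.
WATCHED = {".vhd": "disk image", ".vhdx": "disk image",
           ".msc": "MMC console", ".url": "internet shortcut"}
# Directories treated as untrusted delivery locations (assumption; tune per environment).
UNTRUSTED = re.compile(r"\\(downloads|temp|inetcache|content\.outlook)\\", re.I)
# Quoted or bare file paths ending in a watched extension inside a command line.
PATH_RE = re.compile(r'"([^"]+\.(?:vhdx?|msc|url))"|(\S+\.(?:vhdx?|msc|url))(?=\s|$)', re.I)

def watched_paths(event):
    """Yield candidate file paths from a file-creation or process-creation event."""
    if "TargetFilename" in event:
        yield event["TargetFilename"]
    for quoted, bare in PATH_RE.findall(event.get("CommandLine", "")):
        yield quoted or bare

def triage(events):
    """Return (host, kind, path, reason) for watched files from untrusted origins."""
    findings = []
    for ev in events:
        for path in watched_paths(ev):
            kind = WATCHED.get(PureWindowsPath(path).suffix.lower())
            if kind is None:
                continue
            reasons = []
            if UNTRUSTED.search(path):
                reasons.append("untrusted directory")
            if ev.get("ZoneId") == 3:  # Mark of the Web: ZoneId 3 is the Internet zone
                reasons.append("internet zone")
            if reasons:
                findings.append((ev["Host"], kind, path, " + ".join(reasons)))
    return findings

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"Host": "ws01", "TargetFilename": r"C:\Users\amy\Downloads\invoice.vhd", "ZoneId": 3},
    {"Host": "ws02", "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'mmc.exe "C:\Users\bob\AppData\Local\Temp\report.msc"'},
    {"Host": "ws03", "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc.exe C:\Windows\System32\services.msc"},
    {"Host": "ws04", "TargetFilename": r"C:\Users\cat\Desktop\portal.url", "ZoneId": 3},
    {"Host": "ws05", "TargetFilename": r"C:\Users\dan\Downloads\notes.txt", "ZoneId": 3},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The directory check is kept alongside the zone check because a Mark of the Web bypass such as the one described above means the zone tag cannot be relied on alone.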