Microsoft patches 57 vulnerabilities, including 6 zero-days


Microsoft patched 57 vulnerabilities affecting its foundational systems and core products, including six actively exploited zero-day vulnerabilities, the company said in its latest security update Tuesday. Four of the six zero-days, which were all added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, are high-severity on the CVSS scale. 

The software defects impact fundamental drivers, kernels and dozens of products, including Microsoft Office, Windows components and multiple remote desktop services. More than three-quarters of the vulnerabilities covered in the update are high-severity flaws on the CVSS scale.

“This is now the sixth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication,” Adam Barnett, lead software engineer at Rapid7, said in an email.

Four of the zero-day vulnerabilities affect core Windows file system components. These include CVE-2025-24985, a combination of integer overflow and heap-based buffer overflow defects in the Windows Fast FAT File System Driver, and a trio of zero-days affecting Windows NTFS (New Technology File System): remote code execution vulnerability CVE-2025-24984, heap-based buffer overflow flaw CVE-2025-24993 and out-of-bounds read defect CVE-2025-24991. 

“These vulnerabilities exist in fundamental operating system drivers critical to Windows operations, making them a global security risk,” Mike Walters, president and co-founder of Action1, said in an email. 

“Since these vulnerabilities allow attackers to bypass application-level security entirely, gaining kernel-level or direct memory access, they pose severe and long-term operational risks,” he said. “Their active exploitation suggests that advanced persistent threat groups and cybercriminal organizations are already leveraging them.”

Threat groups are likely privately sharing a proof of concept for CVE-2025-24984, an actively exploited vulnerability, which has a CVSS score of 4.6, according to Action1.

The remaining zero-days in Microsoft’s security update include high-severity vulnerabilities CVE-2025-26633, an improper neutralization flaw in Microsoft Management Console, and CVE-2025-24983 in Windows Win32 Kernel Subsystem.

Filip Jurčacko, a researcher at ESET who discovered the zero-day exploit cataloged as CVE-2025-24983, said the use-after-free vulnerability is related to improper memory usage during software operation. Attackers can exploit the flaw for privilege escalation on previously compromised machines and run malicious code, Jurčacko said in an email.

The vendor’s monthly release of patches addresses 10 vulnerabilities that Microsoft designates as “more likely” to be exploited. This batch of more concerning flaws includes a pair of software defects that could allow remote code execution in Windows Remote Desktop Services — CVE-2025-24035 and CVE-2025-24045, both classified as sensitive data storage in improperly locked memory.

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.


