Microsoft’s March 2025 Patch Tuesday Addresses Six Actively Exploited Zero-Day Vulnerabilities

Microsoft has released its monthly security updates, addressing a total of 57 vulnerabilities across its software suite. Notably, this update includes fixes for six zero-day vulnerabilities that have been actively exploited in the wild, underscoring the critical need for users and organizations to apply these patches promptly.

The March 2025 Patch Tuesday addresses a variety of vulnerabilities: 

• Elevation of Privilege (EoP): 23 vulnerabilities 
• Remote Code Execution (RCE): 23 vulnerabilities 
• Spoofing: 3 vulnerabilities 
• Information Disclosure: 4 vulnerabilities 
• Security Feature Bypass: 3 vulnerabilities 
• Denial of Service (DoS): 1 vulnerability
• Among these, six are classified as critical, primarily due to their potential for remote code execution, allowing attackers to run malicious code on unpatched systems.

Details on Actively Exploited Zero-Day Vulnerabilities

Microsoft’s March 2025 security update addresses six zero-day vulnerabilities that have been actively exploited in the wild, affecting key components within the Windows ecosystem and posing severe security risks if left unpatched.

The first of these, CVE-2025-26633, is a security feature bypass vulnerability within the Microsoft Management Console (MMC). This flaw allows an attacker to manipulate a user into opening a malicious file, potentially leading to unauthorized system actions. The exploit operates by leveraging security oversights within MMC’s handling of certain files. This is not an isolated incident for the MMC; it marks the second instance of an actively exploited zero-day vulnerability in this component, following CVE-2024-43572, which was addressed in October 2024. The recurrence of similar vulnerabilities in MMC highlights ongoing security concerns with this core Windows feature.

CVE-2025-24985 involves a remote code execution vulnerability within the Windows Fast FAT File System Driver. This flaw enables attackers to execute arbitrary code on a target system if they can convince a user to mount a specially crafted virtual hard disk (VHD). By exploiting the vulnerability, an attacker can gain full control of the system, enabling further malicious activity such as data theft or installation of malware. Notably, this is the first reported vulnerability in this component since 2022 and also the first known instance of its exploitation as a zero-day. The targeting of this subsystem highlights the increasing focus by threat actors on less monitored parts of Windows infrastructure.

The third actively exploited vulnerability, CVE-2025-24983, affects the Windows Win32 Kernel Subsystem. This elevation of privilege flaw enables an authenticated attacker to gain SYSTEM-level privileges by successfully winning a race condition. SYSTEM privileges grant attackers the highest level of access within Windows, allowing for full control of the machine. The exploit’s complexity lies in the timing precision required to manipulate system processes. This vulnerability is particularly severe, as it marks the first recorded zero-day exploit within the Win32 Kernel Subsystem, underscoring how attackers are targeting foundational elements of Windows’ architecture.

CVE-2025-24993 is a remote code execution vulnerability within the Windows New Technology File System (NTFS). It involves a heap-based buffer overflow, which can be triggered when a local user mounts a specially crafted VHD. If successfully exploited, it enables arbitrary code execution on the affected system. This vulnerability’s reliance on social engineering—enticing users to mount malicious VHDs—demonstrates the persistent risk posed by human interaction in cybersecurity breaches. The fact that it has already been exploited in the wild as a zero-day adds urgency to the need for patching.

Another NTFS vulnerability, CVE-2025-24991, facilitates information disclosure. This flaw allows an attacker to perform an out-of-bounds read, potentially exposing sensitive data. However, successful exploitation requires the victim to mount a crafted VHD, illustrating the vulnerability’s dependency on specific user actions. While its potential impact is lower than that of remote code execution, information disclosure can serve as a precursor to more severe attacks if sensitive data is compromised.

The final zero-day addressed, CVE-2025-24984, is another information disclosure vulnerability within NTFS. Unlike the previous vulnerability, this flaw enables attackers to insert sensitive information into log files. It requires physical access to the targeted machine, which somewhat limits its exploitation scope. However, in scenarios where physical access is possible, this vulnerability poses a substantial security risk by compromising data integrity and confidentiality.

Recommended Actions for Users and Administrators

Given the active exploitation of these zero-day vulnerabilities, immediate action is critical to mitigate potential risks. First and foremost, all systems should be updated with the latest security patches provided by Microsoft. Detailed information and update instructions are available on Microsoft’s official support page. Prompt patching significantly reduces exposure to these and similar threats, ensuring that systems are safeguarded against known exploits.

Organizations should prioritize the patching of critical systems, particularly those containing sensitive information or those exposed to external networks. Systems that manage core operations, data storage, or communications are especially vulnerable and should be addressed with urgency. Delays in patching such systems could result in exploitation, leading to data breaches or operational disruption.

Additionally, reviewing and strengthening security configurations is essential. This involves conducting regular security audits, ensuring configurations align with industry best practices, and adjusting settings to minimize potential attack vectors. Implementing security measures like strict user permissions, controlled access to external drives, and enhanced monitoring of system logs can significantly reduce the likelihood of successful attacks.

By adhering to these recommendations, organizations and users can reduce their exposure to ongoing threats and protect critical systems from being compromised. Vigilance and timely action remain the most effective defenses against the evolving landscape of cybersecurity threats.

Complete List of Microsoft March 2025 Security Updates