March 2025’s Patch Tuesday has brought a slew of important security updates from Microsoft, addressing a total of 57 vulnerabilities, including fixes for six actively exploited zero-day vulnerabilities. In what is one of the most significant updates this year, Microsoft has also addressed several critical flaws that could potentially allow attackers to execute remote code on compromised systems. Let’s break down what you need to know about this month's security fixes, which range from local privilege escalation issues to potential remote code execution vulnerabilities.
Microsoft’s Patch Tuesday update addresses a broad range of vulnerabilities, including:
23 Elevation of Privilege Vulnerabilities3 Security Feature Bypass Vulnerabilities23 Remote Code Execution Vulnerabilities4 Information Disclosure Vulnerabilities1 Denial of Service Vulnerability3 Spoofing Vulnerabilities
These flaws span multiple products, including Windows, Office applications, and various Azure services. Notably, this update includes critical fixes for zero-day vulnerabilities that have been actively exploited in real-world attacks.
Microsoft has also rolled out non-security updates for other issues related to Windows 11, Windows 10, and other services like Azure. However, the zero-day flaws are the highlight of this month’s release.
This month’s Patch Tuesday fixes six zero-day vulnerabilities that have been actively exploited in attacks. Additionally, there is one publicly disclosed zero-day vulnerability. Below are the details of these high-risk vulnerabilities:
Microsoft has acknowledged this vulnerability, which allows local attackers to gain SYSTEM privileges on a device after winning a race condition. While there’s little detail on how it was exploited, this vulnerability could significantly affect Windows-based devices, particularly in environments where attackers have local access. This flaw was discovered by Filip Jurčacko of ESET.
This vulnerability affects Windows NTFS and can be exploited by attackers who have physical access to a device and insert a malicious USB drive. Once triggered, it could allow attackers to read portions of the heap memory and steal sensitive data. This vulnerability was disclosed anonymously.
This critical vulnerability, tied to an integer overflow or wraparound in the Windows Fast FAT Driver, could allow attackers to execute code remotely. The flaw is particularly dangerous because it could be exploited when a malicious VHD (Virtual Hard Disk) is mounted. This vulnerability has been actively exploited through phishing attacks and malicious software.
Another NTFS-related vulnerability that allows attackers to exploit heap memory to retrieve sensitive data. It can be triggered when a user mounts a specially crafted VHD file. As with the other NTFS vulnerabilities, this flaw was disclosed anonymously.
A heap-based buffer overflow in Windows NTFS could enable attackers to execute arbitrary code by convincing a user to mount a malicious VHD file. The consequences of this vulnerability could be severe, enabling remote code execution on vulnerable systems.
This flaw could allow malicious files to bypass security features in Microsoft Management Console (MMC) and execute arbitrary code. The vulnerability can be exploited by sending a specially crafted file through email or instant messaging, but users must interact with the file for the exploit to succeed.
This zero-day flaw involves a “use after free” memory bug in Microsoft Access, which could allow attackers to execute arbitrary code if they trick the victim into opening a specially crafted Access file. While this vulnerability can’t be exploited through the preview pane, it remains a critical risk, especially when coupled with social engineering attacks.
What makes these vulnerabilities particularly concerning is the fact that many are actively being exploited in the wild. Exploiting vulnerabilities like CVE-2025-24983 and CVE-2025-24985 could allow an attacker to elevate privileges, access sensitive information, or execute remote code on a vulnerable system.
The NTFS-related flaws (CVE-2025-24984, CVE-2025-24991, CVE-2025-24993) are particularly worrisome because they can be triggered simply by mounting malicious virtual hard disks (VHD), which are frequently distributed through phishing emails or pirated software. These types of attacks can affect a wide range of users who may not be aware of the risks associated with opening untrusted files or mounting VHDs.
The vulnerabilities in Microsoft Office Access and Management Console also provide a path for attackers to gain access to internal systems or execute arbitrary code under certain conditions. Given the widespread use of these applications in enterprise environments, the risk is even higher.
Microsoft has been working diligently to resolve these issues as part of its monthly Patch Tuesday updates. The company regularly releases patches to address both actively exploited vulnerabilities and newly discovered issues. This timely response is critical, especially in light of the increasing number of zero-day vulnerabilities exploited by threat actors.
One notable example this month is CVE-2025-26633, a vulnerability in Microsoft Management Console. While details are scarce, it’s clear that this flaw could be used in targeted attacks, which emphasizes the importance of applying these security patches as soon as possible to protect your system.
As always, third-party security researchers play a key role in identifying and reporting vulnerabilities. For instance, Filip Jurčacko of ESET discovered the CVE-2025-24983 flaw, highlighting the ongoing importance of collaboration between vendors and security experts to keep systems safe. Microsoft also credited Aliakbar Zahravi from Trend Micro for discovering the CVE-2025-26633 vulnerability in the Microsoft Management Console.
Aside from zero-day vulnerabilities, Microsoft also issued patches for a range of other critical issues affecting various products:
Remote Desktop Services: Vulnerabilities (CVE-2025-24035, CVE-2025-24045) in this service could allow attackers to execute code remotely, making them a top priority for organizations using RDS.Windows Subsystem for Linux: CVE-2025-24084 addresses a critical remote code execution vulnerability in WSL2, which could have serious consequences if exploited.Microsoft Office: Several important updates were made to address remote code execution vulnerabilities in Office applications, including Word, Excel, and Access.
With a significant number of vulnerabilities addressed this month, including critical zero-days and remote code execution flaws, it’s crucial for all Windows users to apply the March 2025 Patch Tuesday update as soon as possible. Delaying these updates could leave systems vulnerable to exploitation, especially considering the active attacks tied to some of these flaws.
As cyber threats continue to evolve, keeping your software updated remains one of the most effective ways to ensure the security of your systems. Whether you're using Windows on your personal device or managing enterprise networks, timely patching is key to staying safe in the digital age.