March 2025 Patch Tuesday Fixes Six Actively Exploited Zero-Days

Microsoft has released its March 2025 Patch Tuesday updates, addressing 57 vulnerabilities, including six actively exploited zero-days and one publicly disclosed flaw. Among these, six are classified as "Critical" and primarily involve remote code execution (RCE)vulnerabilities.

Vulnerability Breakdown:

• 23 Elevation of Privilege (EoP) Vulnerabilities
• 3 Security Feature Bypass Vulnerabilities
• 23 Remote Code Execution (RCE) Vulnerabilities
• 4 Information Disclosure Vulnerabilities
• 1 Denial of Service (DoS) Vulnerability
• 3 Spoofing Vulnerabilities

Actively Exploited Zero-Days:

Microsoft has patched six zero-day vulnerabilities that were actively exploited in the wild. These include:

1. CVE-2025-24983 - Windows Win32Kernel Subsystem Elevation of Privilege

• Allow local attackers to gain SYSTEM privileges by exploiting race conditions within the Win32 Kernel Subsystem.
• This vulnerability is particularly dangerous as attackers who already have limited access to a system can elevate their privileges to execute arbitrary code with full administrative control.
• Attackers may chain this exploit with other vulnerabilities to gain persistent access to compromised environments.

2. CVE-2025-24984 - Windows NTFS Information Disclosure

• Attackers with physical access to a system can exploit this vulnerability by inserting a malicious USB drive.
• This flaw allows unauthorized access to heap memory, potentially exposing sensitive data such as passwords or encryption keys.
• This vulnerability could be used in targeted attacks where an adversary gains brief access to a machine in an unsecured environment.

3. CVE-2025-24985 - Windows Fast FAT File System Driver RCE

• Caused by an integer overflow or wraparound within the Windows Fast FAT File     System Driver.
• An attacker can craft a malicious VHD (Virtual Hard Disk) file that, when mounted by a user, triggers the vulnerability and allows remote code execution.
• This method has been observed in phishing attacks, where malicious VHD images were disguised as legitimate downloads.

4. CVE-2025-24991 - Windows NTFS Information Disclosure

• Attackers can exploit this flaw by reading small portions of heap memory, potentially leaking sensitive system information.
• The attack vector involves tricking users into mounting a malicious VHD file, which triggers the disclosure of restricted memory content.
• This vulnerability could be leveraged in conjunction with other exploits to gather intelligence on targeted systems.

5. CVE-2025-24993 - Windows NTFS Remote Code Execution

• This RCE vulnerability is caused by a heap-based buffer overflow in Windows NTFS.
• Attackers can exploit this flaw by convincing users to mount a specially crafted VHD file, leading to arbitrary code execution.
• This type of attack has been linked to malware campaigns that distribute compromised VHD files via torrent sites and phishing emails.

6. CVE-2025-26633 - Microsoft Management Console Security Feature Bypass

• This vulnerability likely involves malicious Microsoft Management Console (.msc) files bypassing built-in Windows security mechanisms.
• Attackers can use social engineering tactics to trick users into opening a crafted .msc file, leading to code execution.
• A common attack scenario involves phishing emails containing deceptive links or malicious attachments.

Publicly Disclosed Zero-Day:

CVE-2025-26630 - Microsoft Access Remote Code Execution

• Exploited via specially crafted Microsoft Access files that abuse a use-after-free memory corruption bug.
• Attackers can deliver these malicious Access files via phishing emails or deceptive  links.
• Microsoft confirmed that this vulnerability cannot be exploited through the preview pane, requiring user interaction.

Mitigation and Recommendations:

• Apply patches immediately to prevent exploitation.
• Limit  USB access on corporate endpoints to mitigate physical attacks.
• Educate users about phishing and social engineering risks.
• Implement security monitoring for suspicious VHD file mount activity.
• Use EDR/XDR solutions to detect privilege escalation attempts.

Conclusion:

With multiple actively exploited vulnerabilities, including those related to NTFS and VHD-based attacks, it is critical to apply these patches immediately. Organizations should strengthen endpoint security policies and educate users to reduce the risk of exploitation.

For a full list of updates and additional details, refer to Microsoft's official Patch Tuesday release.