Last updated at Tue, 11 Mar 2025 20:16:15 GMT

Microsoft is addressing 57 vulnerabilities this March 2025 Patch Tuesday, which is a similar volume to last month. However, Microsoft has evidence of in-the-wild exploitation for as many as six of the vulnerabilities published today, and CISA KEV already lists all of them. Microsoft is also aware of public disclosure for one other vulnerability. This is now the sixth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also sees the publication of six critical remote code execution (RCE) vulnerabilities. Ten browser vulnerabilities have already been published separately this month, and are not included in the total.

Win32 kernel subsystem: zero-day EoP

Older Windows products receive a patch today for CVE-2025-24983, which is an elevation of privilege vulnerability in the Win32 kernel subsystem. Microsoft is aware of exploitation in the wild. Since no user interaction is required, and successful exploitation leads to SYSTEM privileges, this isn’t one to ignore, even if the attacker must win a race condition, which does raise the bar for entry somewhat. Windows 11 and Server 2019 onwards are not listed as receiving patches, so are presumably not vulnerable. It’s not clear why newer Windows products dodged this particular bullet; the Win32 subsystem is still presumably alive and well, since there is no apparent mention of its demise on the Windows client OS deprecated features list.

NTFS USB attack: zero-day information disclosure

Defense-in-depth practitioners have been limiting and monitoring access to USB ports for years now, and today brings further evidence for the value of locking things down, in the form of CVE-2025-24984, an information disclosure vulnerability in NTFS. Microsoft has evidence of exploitation in the wild, and functional exploit code. This vulnerability has a thus-far-unique combination of attributes: the attack vector is physical — the advisory describes a malicious USB drive as the delivery mechanism — and the weakness is CWE-532: Insertion of Sensitive Information into Log File. The advisory doesn’t quite join the dots, but successful exploitation appears to mean that portions of heap memory could be improperly dumped into a log file, which could then be combed through by an attacker hungry for privileged information. A relatively low CVSSv3 base score of 4.6 reflects the practical difficulties of real-world exploitation, but a motivated attacker can sometimes achieve extraordinary results starting from the smallest of toeholds, and Microsoft does rate this vulnerability as important on its own proprietary severity ranking scale.

NTFS VHD attack: zero-day information disclosure

If you like NTFS zero-day vulnerabilities, then today’s your lucky day! CVE-2025-24991 describes an out-of-bounds read in NTFS leading to information disclosure, specifically disclosure of small portions of heap memory. An attacker would need to trick a user into mounting a malicious VHD (Virtual Hard Disk), and that alone would be enough to trigger the vulnerability. The advisory does not explain how the attacker would exfiltrate the data, but clearly it’s practically possible, since Microsoft claims evidence of exploitation in the wild.

NTFS VHD attack: zero-day code execution

If you like NTFS zero-day vulnerabilities, but find information disclosure a bit pedestrian, then CVE-2025-24993 might be just what you’re after: exploitation requires that the user mount a malicious VHD, which then leads to a heap-based buffer overflow, and the potential for local code execution. As is standard for a certain type of code execution vulnerability, the advisory somewhat awkwardly clarifies that the word “remote” in the title refers to the location of the attacker, and that the attack itself is carried out locally. The advisory doesn’t specify the context of code execution, but it’s a safe assumption that the end goal here is SYSTEM, since the attacker (or a user they have tricked) must already be executing code in that user’s context to trigger the vulnerability. The CVSSv3 base score of 7.8 reflects the potentially valuable reward for exploitation and low attack complexity, but is held back by the requirement for user interaction.

Fast FAT VHD attack: zero-day code execution

The Windows Fast FAT file system driver is the site of CVE-2025-24985, which Microsoft describes as a code execution vulnerability. Exploitation requires that the user mount a malicious VHD, leading to integer overflow or wraparound. Microsoft claims to have confirmed evidence of exploitation in the wild. The acknowledgments sections for CVE-2025-24984, CVE-2025-24991, CVE-2025-24993, and CVE-2025-24985 all credit an anonymous reporter. More than likely this is the same entity in each case, given the similarities between the four vulnerabilities.

Microsoft Management Console: zero-day security feature bypass

It’s been a few months since we saw a zero-day vulnerability in the Microsoft Management Console, but today brings us CVE-2025-26633, a security feature bypass for which Microsoft is aware of exploitation in the wild, as well as functional exploit code floating around somewhere out there on the internet. Successful exploitation leads to an outcome which isn’t specified by the advisory, but since the Microsoft Management Console has a feature set which includes the creation, hosting, and distribution of custom tools for the administrative management of both hardware and software for any supported version of Windows, it’s easy enough to see why an attacker might be interested. The advisory does mention that both preparation of the target environment and subsequent user interaction are required for successful exploitation: the user would need to open a malicious file.

Microsoft Access: zero-day code execution

CVE-2025-26630 describes a remote-but-actually-local code execution vulnerability in Microsoft Access. Exploitation requires that the user open a malicious file. Microsoft is aware of public disclosure, but considers exploitation less likely. The weakness is our old friend CWE-416: Use After Free. Beyond that, the advisory is short on detail, but does claim that the Preview Pane is not an attack vector, so that’s a silver lining for this particular cloud. Going by the acknowledgements section of the advisory, it seems likely that relative newcomer Unpatched.ai intends to continue to shake things up, since they were also credited with a trio of zero-day Access vulnerabilities published back in January.

WSL magic email attack: critical RCE

The Windows Subsystem for Linux (WSL2) kernel receives a patch today for an arbitrary code execution vulnerability. Microsoft doesn’t claim evidence of public disclosure or in-the-wild exploitation for CVE-2025-24084, but does rank it as critical using its own proprietary severity ranking scale, which goes beyond what the already-significant CVSSv3 base score of 8.4 would suggest. The advisory describes multiple possible attack vectors, but in the worst case, there is no requirement for user interaction, since simply receiving a malicious email would be enough to trigger the vulnerability. The advisory does not clarify the context of code execution, but the magic email attack vector is alarming. Patch accordingly.

Malicious RDP server: critical RCE

How much do you trust the RDP server you’re about to connect to? An attacker in control of a malicious RDP server simply has to wait for a client vulnerable to CVE-2025-26645 to connect in order to achieve remote code execution on the client. Microsoft has assigned a CVSSv3 base score of 8.8 and a severity ranking of critical. While none of us should be connecting to RDP servers we’re not familiar with, an attacker might well see CVE-2025-26645 as a great opportunity for lateral movement and footprint expansion through the network.

Microsoft lifecycle update

In Microsoft product lifecycle news, SQL Server 2019 moved from mainstream support to extended support on 2025-02-28. Looking ahead, Visual Studio App Center will be retired on 2025-03-31, and Dynamics GP 2015 moves past the end of extended support on 2025-04-08.

Summary charts

A bar chart showing the distribution of vulnerabilities by affected component for Microsoft Patch Tuesday March 2025.
A heatmap showing the distribution of vulnerabilities by impact and affected component for Microsoft Patch Tuesday March 2025.

Summary tables

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-24049 | Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability | No | No | 8.4 |
| CVE-2025-26627 | Azure Arc Installer Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2025-21199 | Azure Agent Installer for Backup and Site Recovery Elevation of Privilege Vulnerability | No | No | 6.7 |
| CVE-2025-24986 | Azure Promptflow Remote Code Execution Vulnerability | No | No | 6.5 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-26643 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 5.4 |
| CVE-2025-1923 | Chromium: CVE-2025-1923 Inappropriate Implementation in Permission Prompts | No | No | N/A |
| CVE-2025-1922 | Chromium: CVE-2025-1922 Inappropriate Implementation in Selection | No | No | N/A |
| CVE-2025-1921 | Chromium: CVE-2025-1921 Inappropriate Implementation in Media Stream | No | No | N/A |
| CVE-2025-1919 | Chromium: CVE-2025-1919 Out of bounds read in Media | No | No | N/A |
| CVE-2025-1918 | Chromium: CVE-2025-1918 Out of bounds read in PDFium | No | No | N/A |
| CVE-2025-1917 | Chromium: CVE-2025-1917 Inappropriate Implementation in Browser UI | No | No | N/A |
| CVE-2025-1916 | Chromium: CVE-2025-1916 Use after free in Profiles | No | No | N/A |
| CVE-2025-1915 | Chromium: CVE-2025-1915 Improper Limitation of a Pathname to a Restricted Directory in DevTools | No | No | N/A |
| CVE-2025-1914 | Chromium: CVE-2025-1914 Out of bounds read in V8 | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-24043 | WinDbg Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2025-24998 | Visual Studio Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-25003 | Visual Studio Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-26631 | Visual Studio Code Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-24070 | ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability | No | No | 7 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-24056 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-24051 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-26645 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-24035 | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2025-24045 | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2025-24064 | Windows Domain Name Service Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2025-21180 | Windows exFAT File System Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24044 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24993 | Windows NTFS Remote Code Execution Vulnerability | Yes | No | 7.8 |
| CVE-2025-24985 | Windows Fast FAT File System Driver Remote Code Execution Vulnerability | Yes | No | 7.8 |
| CVE-2025-24059 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24072 | Microsoft Local Security Authority (LSA) Server Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24071 | Microsoft Windows File Explorer Spoofing Vulnerability | No | No | 7.5 |
| CVE-2025-24983 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Yes | No | 7 |
| CVE-2025-26633 | Microsoft Management Console Security Feature Bypass Vulnerability | Yes | No | 7 |
| CVE-2025-24987 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | No | No | 6.6 |
| CVE-2025-24988 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | No | No | 6.6 |
| CVE-2025-24996 | NTLM Hash Disclosure Spoofing Vulnerability | No | No | 6.5 |
| CVE-2025-24054 | NTLM Hash Disclosure Spoofing Vulnerability | No | No | 6.5 |
| CVE-2025-24991 | Windows NTFS Information Disclosure Vulnerability | Yes | No | 5.5 |
| CVE-2025-24992 | Windows NTFS Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2025-24984 | Windows NTFS Information Disclosure Vulnerability | Yes | No | 4.6 |
| CVE-2025-24055 | Windows USB Video Class System Driver Information Disclosure Vulnerability | No | No | 4.3 |
| CVE-2025-21247 | MapUrlToZone Security Feature Bypass Vulnerability | No | No | 4.3 |
| CVE-2024-9157 | Synaptics: CVE-2024-9157 Synaptics Service Binaries DLL Loading Vulnerability | No | No | N/A |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-24077 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24079 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24057 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24080 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24083 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-26629 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24081 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24082 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24075 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-26630 | Microsoft Access Remote Code Execution Vulnerability | No | Yes | 7.8 |
| CVE-2025-24078 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-24084 | Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability | No | No | 8.4 |
| CVE-2025-24061 | Windows Mark of the Web Security Feature Bypass Vulnerability | No | No | 7.8 |
| CVE-2025-24048 | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24050 | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24995 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24046 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24066 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24067 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24076 | Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-24994 | Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-25008 | Windows Server Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2025-24997 | DirectX Graphics Kernel File Denial of Service Vulnerability | No | No | 4.4 |
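The summary tables above are the raw material for patch prioritisation, and the headline figures in the introduction (six exploited, one publicly disclosed) can be cross-checked against them. The following Python is an added example, not code from the original post or its author: it parses rows in the flattened form the tables were published in (CVE id, title, Exploited?, Publicly disclosed?, CVSSv3 base score), skips header rows, handles the N/A scores carried by the Chromium entries, counts exploited and disclosed entries, and ranks everything so that in-the-wild exploited items come first, then publicly disclosed ones, then the rest by CVSS. The embedded sample rows are a subset copied from this post's tables; the function and class names are the example's own.

```python
"""Triage helper for Patch Tuesday summary-table rows (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: a subset of rows copied from the summary tables in this post,
# in the flattened "CVE title ... Exploited? Disclosed? score" layout.
SAMPLE_ROWS = """\
CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-24056 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-26645 Remote Desktop Client Remote Code Execution Vulnerability No No 8.8
CVE-2025-24993 Windows NTFS Remote Code Execution Vulnerability Yes No 7.8
CVE-2025-24985 Windows Fast FAT File System Driver Remote Code Execution Vulnerability Yes No 7.8
CVE-2025-24983 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability Yes No 7
CVE-2025-26633 Microsoft Management Console Security Feature Bypass Vulnerability Yes No 7
CVE-2025-24991 Windows NTFS Information Disclosure Vulnerability Yes No 5.5
CVE-2025-24984 Windows NTFS Information Disclosure Vulnerability Yes No 4.6
CVE-2025-26630 Microsoft Access Remote Code Execution Vulnerability No Yes 7.8
CVE-2025-1923 Chromium: CVE-2025-1923 Inappropriate Implementation in Permission Prompts No No N/A
"""

# The title may itself contain a CVE id (Chromium rows), so the row is anchored
# on the leading id and the three trailing columns, with a lazy match in between.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<title>.+?)\s+"
    r"(?P<exploited>Yes|No)\s+(?P<disclosed>Yes|No)\s+"
    r"(?P<score>\d+(?:\.\d+)?|N/A)$"
)


@dataclass(frozen=True)
class Entry:
    cve: str
    title: str
    exploited: bool
    disclosed: bool
    score: Optional[float]  # None where the table shows N/A


def parse_rows(text: str) -> List[Entry]:
    """Turn flattened table text into Entry objects; header/blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("CVE Title"):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        score = None if m["score"] == "N/A" else float(m["score"])
        entries.append(Entry(m["cve"], m["title"],
                             m["exploited"] == "Yes", m["disclosed"] == "Yes", score))
    return entries


def summarize(entries: List[Entry]) -> dict:
    """Counts to compare against the post's headline figures."""
    return {
        "total": len(entries),
        "exploited": sum(e.exploited for e in entries),
        "disclosed": sum(e.disclosed for e in entries),
        "unscored": sum(e.score is None for e in entries),
    }


def prioritize(entries: List[Entry]) -> List[Entry]:
    """Exploited first, then publicly disclosed, then CVSS descending; N/A last."""
    def key(e: Entry):
        score = e.score if e.score is not None else -1.0
        return (not e.exploited, not e.disclosed, -score)
    return sorted(entries, key=key)  # stable sort keeps table order on ties


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    print(summarize(parsed))
    for e in prioritize(parsed):
        flag = "EXPLOITED" if e.exploited else ("DISCLOSED" if e.disclosed else "")
        print(f"{e.cve:<16} {str(e.score):<5} {flag:<10} {e.title}")
```

Pasting all of a month's rows into SAMPLE_ROWS (or reading them from a file) gives a ranked worklist; the parser raises on any row it cannot read rather than silently dropping it, so a table that has been mangled in copying is caught before it feeds a patch schedule.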