Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws

Today is Microsoft's March 2025 Patch Tuesday, which includes security updates for 57 flaws, including six actively exploited zero-day vulnerabilities.

This Patch Tuesday also fixes six "Critical" vulnerabilities, all remote code execution vulnerabilities.

The number of bugs in each vulnerability category is listed below:

The above numbers do not include Mariner flaws and 10 Microsoft Edge vulnerabilities fixed earlier this month.

To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5053598 & KB5053602 cumulative updates and the Windows 10 KB5053606 update.

This month's Patch Tuesday fixes six actively exploited zero-days and one that was publicly exposed, for a total of seven zero-days.

Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.

A few of the actively exploited zero days are related to Windows NTFS bugs that involve mounting VHD drives.

The actively exploited zero-day vulnerability in today's updates are:

CVE-2025-24983 - Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability

Microsoft says this vulnerability will allow local attackers to gain SYSTEM privileges on the device after winning a race condition.

Microsoft has not shared how the flaw was exploited in attacks. However, as it was discovered by Filip Jurčacko with ESET, we will likely learn more in a future report.

BleepingComputer contacted ESET for more information about this flaw.

CVE-2025-24984 - Windows NTFS Information Disclosure Vulnerability

Microsoft says that this flaw can be exploited by attackers who have physical access to the device and insert a malicious USB drive.

Exploiting the flaw allows the attackers to read portions of heap memory and steal information.

Microsoft says that this vulnerability was disclosed anonymously.

CVE-2025-24985 - Windows Fast FAT File System Driver Remote Code Execution Vulnerability

Microsoft says that this remote code execution vulnerability is caused by an integer overflow or wraparound in Windows Fast FAT Driver that, when exploited, allows an attacker to execute code.

"An attacker can trick a local user on a vulnerable system into mounting a specially crafted VHD that would then trigger the vulnerability," explains Microsoft.

While Microsoft has not shared details about how it was exploited but malicious VHD images were previously distributed in phishing attacks and through pirated software sites.

Microsoft says that this vulnerability was disclosed anonymously.

CVE-2025-24991 - Windows NTFS Information Disclosure Vulnerability

Microsoft says that attackers can exploit this flaw to read small portions heap memory and steal information.

Attackers can exploit the flaw by tricking a user into mounting a malicious VHD file.

Microsoft says that this vulnerability was disclosed anonymously.

CVE-2025-24993 - Windows NTFS Remote Code Execution Vulnerability

Microsoft says that this remote code execution vulnerability is caused by a heap-based buffer overflow bug in Windows NTFS that allows an attacker to execute code.

"An attacker can trick a local user on a vulnerable system into mounting a specially crafted VHD that would then trigger the vulnerability," explains Microsoft

Microsoft says that this vulnerability was disclosed anonymously.

CVE-2025-26633 - Microsoft Management Console Security Feature Bypass Vulnerability

While Microsoft has not shared any details about this flaw, based on its description, it may involve a bug that allows malicious Microsoft Management Console (.msc) files to bypass Windows security features and execute code.

"In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the vulnerability," explains Microsoft.

"In any case an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker's site or send a malicious attachment."

Microsoft says Aliakbar Zahravi from Trend Micro discovered this flaw. BleepingComputer contacted Trend Micro to learn more about how this flaw was exploited.

The publicly disclosed zero-day is:

CVE-2025-26630 - Microsoft Access Remote Code Execution Vulnerability

Microsoft says this remote code execution flaw is caused by a use after free memory bug in Microsoft Office Access.

To exploit the flaw, a user must be tricked into opening a specially crafted Access file. This can be done through phishing or social engineering attacks.

However, the flaw cannot be exploited through the preview pane.

Microsoft says the flaw was discovered by Unpatched.ai.

Other vendors who released updates or advisories in March 2025 include:

Below is the complete list of resolved vulnerabilities in the March 2025 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.

Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws

Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws

Windows 11 KB5053598 & KB5053602 cumulative updates released

Windows 10 KB5053606 update fixes broken SSH connections

Windows 10 KB5051974 update force installs new Microsoft Outlook app