March Patch Tuesday fixes 6 Windows zero-day exploits

In the latest round of security updates from Microsoft, a total of 57 unique vulnerabilities have been addressed. However, system administrators managing Windows environments are advised to remain vigilant, particularly due to the presence of six known zero-day exploits that require immediate attention. While the overall number of vulnerabilities may seem manageable, the breadth of issues spans various Microsoft product families, including developer tools, Microsoft Office, and Azure services.

Microsoft corrects six Windows zero-day exploits

As is customary with Patch Tuesdays, the Windows operating system accounts for the majority of the vulnerabilities identified this month. Fortunately, applying the cumulative update will rectify these issues. Among the critical vulnerabilities is a security feature bypass in the Microsoft Management Console (CVE-2025-26633), which has a CVSS rating of 7.0 and affects both Windows desktop and server systems. Exploitation requires user interaction: the attacker must entice the user into opening a malicious file, typically delivered through an instant message, an email, or a website.

Chris Goettl, vice president of product management for security products at Ivanti, noted, “The attacker would need to take additional actions to prepare the environment for exploitation, but the vulnerability allows for a variety of different user-targeted attacks. The bar is low.”

Three additional zero-day vulnerabilities have been identified within the Windows New Technology File System (NTFS). The vulnerabilities CVE-2025-24984 and CVE-2025-24991 are classified as information disclosure vulnerabilities, while CVE-2025-24993 is a critical remote-code execution vulnerability. Another information-disclosure vulnerability, CVE-2025-24992, also impacts Windows NTFS but is not currently exploited as a zero-day. This vulnerability has a “more likely” exploitability assessment and a CVSS score of 5.5.

Each NTFS exploit requires a malicious virtual hard disk (VHD) to be mounted on the target device, enabling attackers to disclose sensitive kernel data or execute arbitrary code in the kernel context. The next zero-day vulnerability, CVE-2025-24985, affects the Windows Fast FAT driver across all supported Windows desktop and server systems, carrying a CVSS score of 7.8. Similar to the NTFS flaws, this vulnerability requires user interaction to mount a malicious FAT-formatted VHD, which can lead to a range of malicious actions, from executing arbitrary code to accessing sensitive data.

Goettl highlighted that several of these file-system-based vulnerabilities could potentially be combined into a chained exploit, starting with the mounting of a malicious USB drive, which could then lead to reading system memory contents and executing code to gain total control of the system.

The final exploited zero-day vulnerability, CVE-2025-24983, is an elevation-of-privilege vulnerability affecting the Windows Win32 Kernel Subsystem. Rated important with a CVSS score of 7.0, this flaw impacts older supported Windows desktop and server systems. Attackers with low privileges on the network can exploit this vulnerability to escalate their privileges to system level, thereby gaining complete control over the device.

Other security updates of note for March Patch Tuesday

Among the vulnerabilities disclosed this month, one notable public disclosure is a remote-code execution vulnerability in Microsoft Access (CVE-2025-26630), rated important with a CVSS score of 7.8. This vulnerability also requires user interaction to trigger the exploit by executing a malicious file. Goettl remarked, “The disclosure did not include code samples, but it provided enough detail for someone to begin understanding where to look, although they will still need to do some leg work.”

This public disclosure is part of a broader set of 11 vulnerabilities affecting Microsoft Office this month. Most of these vulnerabilities share a similar CVSS rating of 7.8 and are assessed as “less likely” to be exploited. However, one remote-code execution vulnerability (CVE-2025-24057) stands out due to its critical severity level, impacting both Windows and Mac versions of Microsoft Office. Microsoft has indicated that the preview pane in Outlook serves as an attack vector, meaning users only need to preview a malicious file to execute arbitrary code at their privilege level.

Additionally, Microsoft has republished four older vulnerabilities with either coverage updates or clarifications, including:

  • Microsoft AutoUpdate elevation of privilege (CVE-2025-24036)
  • Windows Remote Desktop Services remote-code execution (CVE-2024-49116)
  • Windows Cryptographic Services security feature bypass (CVE-2024-30098)
  • Windows Credential Roaming Service elevation of privilege (CVE-2022-30170)

Windows security hardening rollout approaches final stage

As Microsoft prepares to implement more stringent authentication measures for Windows machines, administrators have one final month to address any outstanding vulnerabilities. The upcoming April Patch Tuesday security updates will mark the culmination of a year-long phased rollout, introducing mandatory “Enforcement” mode for systems affected by two critical Kerberos Privilege Attribute Certificate (PAC) validation vulnerabilities (CVE-2024-26248 and CVE-2024-29056).

This security hardening initiative aims to rectify an authorization weakness within the Windows operating system, compelling it to scrutinize PAC digital signatures more rigorously to prevent potential spoofing by attackers. Microsoft previously introduced a “Compatibility” mode on April 9, 2024, allowing administrators to audit machines and resolve compatibility issues. In January, the Patch Tuesday security update moved PAC validation to “Enforced by Default” mode, while still allowing admins to override the setting in order to fix affected systems. However, with the transition to mandatory “Enforcement” mode next month, that override goes away, and incompatible systems may face significant challenges, including restricted access to network resources and denial of access to data or applications.
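Administrators who want to know where each domain controller stands in this rollout before April can audit the PAC validation setting rather than wait for authentication failures. The following PowerShell script is an added example written for this article; it is not Microsoft's code and the article does not name any registry location. The registry path (`HKLM:\SYSTEM\CurrentControlSet\Services\Kdc`), the value names `PacSignatureValidationLevel` and `CrossDomainFilteringLevel`, and the numeric meanings assigned to them are assumptions that should be checked against Microsoft's KB article for CVE-2024-26248 and CVE-2024-29056 before the script is relied on. A machine that still carries an explicit “Compatibility” value is one that the April update will break if the underlying compatibility problem has not been fixed.

```powershell
# Added example (not from the article): report which Kerberos PAC validation mode a
# domain controller is running ahead of the mandatory "Enforcement" switch in April.
#
# ASSUMPTION: registry path, value names and the value-to-mode mapping below are taken
# from the author's recollection of Microsoft's KB article for CVE-2024-26248 /
# CVE-2024-29056. Verify them against that article; they are not stated in the news piece.

$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

# Setting name -> (assumed) documented values and the mode each one selects.
$Settings = @{
    'PacSignatureValidationLevel' = @{ 2 = 'Compatibility'; 3 = 'Enforcement' }
    'CrossDomainFilteringLevel'   = @{ 4 = 'Compatibility'; 5 = 'Enforcement' }
}

function Get-PacValidationPosture {
    [CmdletBinding()]
    param(
        # Registry key holding the KDC settings (assumed location, see header comment).
        [string]$Path = $KdcKey
    )

    foreach ($name in $Settings.Keys) {
        $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue

        if ($null -eq $item) {
            # No explicit value: the installed update's default applies. Per the article,
            # that has been "Enforced by Default" since the January update.
            $value = $null
            $mode  = 'Not set (update default applies)'
            $risk  = 'Info'
        }
        else {
            $value = [int]$item.$name
            $mode  = $Settings[$name][$value]
            if (-not $mode) { $mode = 'Unrecognised value' }

            # An explicit Compatibility override is exactly what April's mandatory
            # Enforcement removes, so it is the finding an admin needs to act on now.
            $risk = if ($mode -eq 'Compatibility') { 'Action required before April' } else { 'OK' }
        }

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Setting    = $name
            Value      = $value
            Mode       = $mode
            Assessment = $risk
        }
    }
}

# Run locally on a domain controller; use Invoke-Command to fan out to all DCs.
Get-PacValidationPosture | Format-Table -AutoSize
```

Because the script only reads the registry, it is safe to run across every domain controller with `Invoke-Command`, and the `Assessment` column gives a single list of hosts that still depend on the override the April update withdraws.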

Tom Walat is the site editor for Informa TechTarget Editorial’s Windows Server site.
