Adobe and Microsoft Address Critical Vulnerabilities in March 2025 Updates
In March 2025, Adobe took significant steps to enhance the security of its software suite, releasing seven bulletins that collectively address 37 Common Vulnerabilities and Exposures (CVEs). The updates span various products including Adobe Acrobat Reader, Illustrator, InDesign, and the Substance 3D family of applications. Notably, six of these vulnerabilities were reported through the Zero Day Initiative (ZDI) program.
The patch for Adobe Acrobat Reader is particularly crucial, as it resolves multiple Critical-rated code execution vulnerabilities. This update should be prioritized for deployment to safeguard users. Similarly, the Illustrator and InDesign patches also rectify critical code execution issues, emphasizing the need for users to open only trusted files, as an attacker would need to entice a user into opening a specially crafted document to exploit these vulnerabilities.
The updates for the Substance 3D applications are also noteworthy. The Substance 3D Sampler patch addresses seven vulnerabilities, some of which are classified as Critical. The Substance 3D Painter and Modeler patches each correct two code execution vulnerabilities, while the Substance 3D Designer patch tackles two Critical-rated code execution flaws. Fortunately, none of the vulnerabilities addressed this month are publicly known or under active attack at the time of release, with Adobe categorizing these updates as a deployment priority rating of 3.
Meanwhile, Microsoft has also been proactive in addressing security concerns, releasing a substantial update that includes 56 new CVEs across its Windows operating system, Office applications, Azure, and more. This release marks a total of 67 CVEs when factoring in third-party vulnerabilities. Among these, six are rated as Critical, while 50 are deemed Important, mirroring the volume seen in previous months but highlighting a concerning number of actively exploited bugs.
One of the most significant vulnerabilities is CVE-2025-26633, a security feature bypass in the Microsoft Management Console, discovered by researcher Aliakbar Zahravi. This flaw allows attackers to evade file reputation protections, potentially executing code in the context of the current user. Given that over 600 organizations have been impacted by these attacks, swift testing and deployment of the fix are essential.
Additionally, CVE-2025-24993 and CVE-2025-24985 are critical remote code execution vulnerabilities linked to the Windows NTFS and Fast FAT file systems. Exploitation of these vulnerabilities requires users to mount specially crafted virtual hard drives (VHDs), leading to potential system takeover if paired with privilege escalation vulnerabilities like CVE-2025-24983.
Lastly, CVE-2025-24984 and CVE-2025-24991, which involve information disclosure vulnerabilities, are also under active attack. While one requires physical access, the other necessitates mounting a specially crafted VHD. Despite the nature of these information leaks, their exploitation warrants immediate attention and prompt deployment of the corresponding patches.
In summary, both Adobe and Microsoft have issued critical updates this month, highlighting the ongoing need for vigilance in cybersecurity practices. Organizations are encouraged to prioritize these patches to mitigate risks associated with these vulnerabilities.
