
March Patch Tuesday fixes 6 Windows zero-day exploits

All the vulnerabilities that had been actively exploited in the wild are resolved by deploying this month's Windows cumulative update.

While Microsoft corrected just 57 unique vulnerabilities this month, admins who manage Windows shouldn't relax until they apply patches for six known zero-day exploits for that OS.

While the number of vulnerabilities is not large, admins have many flaws to address in multiple Microsoft product families, including developer tools, Microsoft Office, and Azure services and tools. Of the 57 unique vulnerabilities, 51 were rated important, including all the Windows zero-days that had been exploited in the wild. One vulnerability was publicly disclosed. Microsoft also republished four older vulnerabilities.

Microsoft corrects six Windows zero-day exploits

As with most Patch Tuesdays, the Windows OS contains most of the vulnerabilities. The good news is that applying the cumulative update will correct these problems.

The first exploited zero-day is a Microsoft Management Console security feature bypass vulnerability (CVE-2025-26633) rated critical with a CVSS rating of 7.0 that affects both Windows desktop and server systems. A successful exploit requires user interaction.

"The attacker would need to take additional actions to prepare the environment for exploitation, but the vulnerability allows for a variety of different user-targeted attacks -- instant message, email, web site -- basically any way the attacker can present a user with a file to open so they can execute the vulnerability. The bar is low," said Chris Goettl, vice president of product management for security products at Ivanti.

The Windows New Technology File System (NTFS) has three exploited Windows zero-days. CVE-2025-24984 and CVE-2025-24991 are information-disclosure vulnerabilities rated important, while CVE-2025-24993 is a remote-code execution vulnerability rated critical. Another information-disclosure vulnerability (CVE-2025-24992) that also affects Windows NTFS but is not an exploited zero-day has a rating of important, an exploitability assessment of "more likely" and a CVSS score of 5.5.

Each of the NTFS vulnerabilities requires a malicious virtual hard disk (VHD) to be mounted on the target device. Once mounted, it allows the attacker to disclose sensitive kernel data or run arbitrary code in kernel context.

The next exploited zero-day (CVE-2025-24985) is rated important with a CVSS score of 7.8 and affects the Windows Fast FAT driver in all currently supported Windows desktop and server systems. Like the NTFS flaws, the attacker must convince a user to mount a malicious FAT-formatted VHD to trigger the exploit, which allows the attacker to perform a range of actions, from running arbitrary code to accessing sensitive data.

Goettl said several of the file-system-based vulnerabilities could be fashioned into a chained exploit, starting with the attacker mounting the malicious USB drive, reading system memory contents and executing code to gain total system control.

The last exploited Windows zero-day (CVE-2025-24983) is a Windows Win32 Kernel Subsystem elevation-of-privilege vulnerability rated important with a 7.0 CVSS score that affects older supported Windows desktop and server systems. Attackers must be on the network with low privileges and, if successful, can escalate their privileges to system level and gain complete control of the device.

Other security updates of note for March Patch Tuesday

The one public disclosure is a Microsoft Access remote-code execution vulnerability (CVE-2025-26630) rated important with a CVSS rating of 7.8. It requires user interaction to trigger the exploit by running a malicious file.

"The disclosure did not include code samples, but it gave enough detail that somebody could start to understand where to look, but they're going to have some leg work yet," said Goettl.

The public disclosure CVE was one of 11 vulnerabilities in Microsoft Office this month. While most have a similar CVSS rating of 7.8 and an exploitability assessment of "less likely," a Microsoft Office remote-code execution vulnerability (CVE-2025-24057) stands out for its critical max severity level.

The flaw affects both Windows and Mac versions of Microsoft Office. Microsoft said the preview pane is an attack vector, meaning users only need to preview a malicious file in Microsoft Outlook to run arbitrary code at the user's privilege level.

Microsoft only issued either coverage updates or clarifications for the four republished CVEs: Microsoft AutoUpdate elevation of privilege (CVE-2025-24036), Windows Remote Desktop Services remote-code execution (CVE-2024-49116), Windows Cryptographic Services security feature bypass (CVE-2024-30098) and Windows Credential Roaming Service elevation of privilege (CVE-2022-30170).

Windows security hardening rollout approaches final stage

Microsoft admins have one more month to address any lingering issues before more stringent authentication arrives for Windows machines.

Microsoft plans to execute the final step in a year-long phased rollout when admins apply the April Patch Tuesday security updates. Windows OS systems susceptible to two critical Kerberos Privilege Attribute Certificate (PAC) validation vulnerabilities (CVE-2024-26248 and CVE-2024-29056) will get the last fix that makes "Enforcement" mode mandatory.

This security hardening process addresses an authorization weakness in the Windows OS, forcing it to scrutinize the PAC digital signature more closely to avoid spoofing by attackers.

Microsoft introduced a "Compatibility" mode on April 9, 2024, to allow administrators to audit machines and correct compatibility issues. In January, the Patch Tuesday security update changed the PAC validation rules to "Enforced by Default" mode, which still gives admins an option to override the settings while they correct affected systems. Next month, when "Enforcement" mode becomes mandatory, incompatible systems will encounter issues ranging from an inability to access resources on the network to denial of access to data or applications.

Tom Walat is the site editor for Informa TechTarget Editorial's Windows Server site.
