Breaking Down the Latest March 2025 Patch Tuesday Report

Microsoft has released its March 2025 Patch Tuesday security updates, addressing 57-67 vulnerabilities across Windows, Office, Exchange Server, Azure, Dynamics, and other products. This month's release includes fixes for seven zero-day vulnerabilities, with six of them actively exploited in the wild.

The seven zero-days include critical flaws in the Windows Win32 Kernel Subsystem, Windows NTFS, Windows Fast FAT File System Driver, Microsoft Access, and Microsoft Management Console. One of the most notable exploited vulnerabilities is CVE-2025-26633, a security feature bypass in Microsoft Management Console.

Other critical flaws include remote code execution bugs in Windows Remote Desktop Services (CVE-2025-24035 and CVE-2025-24045), Windows Domain Name Service (CVE-2025-24064), Windows Subsystem for Linux (WSL2) Kernel (CVE-2025-24084), Microsoft Office (CVE-2025-24057), and Remote Desktop Client (CVE-2025-26645).

In total, Microsoft has addressed six critical vulnerabilities and around 50 important ones. The most common types of vulnerabilities patched this month are remote code execution (23 bugs), elevation of privilege (23 bugs), along with spoofing (3 bugs), information disclosure (4 bugs), denial of service (1 bug), and security feature bypass (3 bugs).

Key products receiving security updates include Windows, Office, Exchange Server, Azure, Dynamics 365, .NET Framework, Windows Hyper-V, and Microsoft Edge. Administrators should prioritize testing and deploying patches for the actively exploited zero-days and remote code execution flaws.

Key Highlights - Patch Tuesday March 2025

In March's Patch Tuesday, Microsoft addressed 57-67 vulnerabilities, including seven zero-day vulnerabilities with six being actively exploited in the wild. This update included patches across categories like elevation of privilege, remote code execution, information disclosure, spoofing, denial of service, and security feature bypass.

Key highlights are:

This March Patch Tuesday highlights Microsoft's ongoing commitment to securing its wide range of products against ever-evolving cybersecurity threats. Apply these updates to close vulnerabilities before threats exploit them.

Zero-day Vulnerabilities Patched in March 2025

In March 2025, Microsoft addressed seven zero-day vulnerabilities, with six of them actively being exploited in the wild. These vulnerabilities were particularly significant as they had been disclosed or exploited before patches were available, posing immediate risks to affected systems.

CVE-2025-24983: Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability

The use after free vulnerability in Windows Win32 Kernel Subsystem may allow an authorized attacker to elevate privileges locally. An attacker may exploit the vulnerability to gain SYSTEM privileges. The vulnerability requires the attacker to win a race condition, which slightly increases the attack complexity.

This is a significant vulnerability because it affects a core component within the Windows operating system. The Win32 Kernel Subsystem bridges standard Windows applications using the Win32 API and the underlying Windows kernel.

CISA has added CVE-2025-24983 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

CVE-2025-24984: Windows NTFS Information Disclosure Vulnerability

This vulnerability in Windows NTFS (New Technology File System) may allow an attacker to potentially read portions of heap memory. What makes this vulnerability unique is that an attacker must have physical access to the target computer to plug in a malicious USB drive.

While the CVSS score is relatively low due to the physical access requirement, this vulnerability has been actively exploited in the wild, indicating its practical usefulness to attackers.

CISA added CVE-2025-24984 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

CVE-2025-24985: Windows Fast FAT File System Driver Remote Code Execution Vulnerability

The integer overflow or wraparound flaw in Windows Fast FAT Driver may allow an unauthorized attacker to execute code. Exploitation requires tricking a local user on a vulnerable system into mounting a specially crafted VHD (Virtual Hard Disk) to trigger the vulnerability.

This is the first vulnerability in the Windows Fast FAT File System to be reported since 2022 and the first to be exploited in the wild.

CISA has added CVE-2025-24985 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

CVE-2025-24991: Windows NTFS Information Disclosure Vulnerability

Vulnerability type: Information Disclosure Affected product: Windows NTFS CVSS v3 base score: 5.5 Severity rating: Important

Inserting sensitive information into a log file in Windows NTFS may allow an authorized attacker to disclose information locally. An attacker may exploit the vulnerability to read portions of heap memory potentially. Exploitation requires tricking a local user into mounting a specially crafted VHD.

CISA has added CVE-2025-24991 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

CVE-2025-24993: Windows NTFS Remote Code Execution Vulnerability

The heap-based buffer overflow vulnerability in Windows NTFS may allow an authorized attacker to execute code locally. Similar to the other NTFS vulnerabilities, an attacker may trick a local user on a vulnerable system into mounting a specially crafted VHD to trigger the vulnerability.

CISA has added CVE-2025-24993 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

CVE-2025-26630: Microsoft Access Remote Code Execution Vulnerability

The use after free flaw in Microsoft Office Access allows an unauthorized attacker to execute code locally. An attacker must trick a user into running a malicious file to successfully exploit the vulnerability.

This is the fourth zero-day to be publicly disclosed and attributed to Unpatched.ai, with three others disclosed in Microsoft's January 2025 Patch Tuesday release.

CVE-2025-26633: Microsoft Management Console Security Feature Bypass Vulnerability

Improper neutralization flaw in Microsoft Management Console may allow an unauthorized attacker to bypass a security feature. An attacker could exploit this vulnerability by convincing a potential target with either standard user or admin privileges to open a malicious file.

This is the second zero-day in the Microsoft Management Console to be exploited in the wild since CVE-2024-43572, a remote code execution vulnerability patched in October 2024.

CISA has added CVE-2025-26633 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

Critical Vulnerabilities Patched in March 2025

Microsoft's March 2025 security updates addressed six vulnerabilities rated as Critical severity. These vulnerabilities represent significant risks that could be leveraged by malicious actors in attacks. Promptly patching critical issues should be a top priority for security teams.

CVE-2025-24035 & CVE-2025-24045: Windows Remote Desktop Services Remote Code Execution Vulnerability

These remote code execution vulnerabilities exist in Windows Remote Desktop Services (RDS), a Microsoft feature that allows users to remotely access and use Windows applications and desktops from various devices over a network connection.

The sensitive data storage in improperly locked memory flaw in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network. An attacker must win a race condition to exploit the vulnerability, which slightly increases the attack complexity.

Despite this requirement, Microsoft assessed both flaws as "Exploitation More Likely" according to Microsoft's Exploitability Index, highlighting the potential risk. For CVE-2025-24035, the attacker specifically needs to target a system with the Remote Desktop Gateway role.

CVE-2025-24057: Microsoft Office Remote Code Execution Vulnerability

The heap-based buffer overflow flaw in Microsoft Office may allow an unauthorized attacker to execute code remotely. This vulnerability requires an attacker to trick the victim into opening a specially crafted file.

While the CVSS score is under 8, Microsoft rated this as Critical severity due to the widespread use of Office products and the relatively simple social engineering required to exploit it. Organizations are advised to remind their employees of best practices regarding phishing attacks and to avoid opening unusual files.

CVE-2025-24064: Windows Domain Name Service Remote Code Execution Vulnerability

The use after free flaw in the DNS Server may allow an unauthorized attacker to execute code over a network. An attacker must win a race condition to exploit the vulnerability, which requires them to interleave their malicious DNS update message with a legitimate one.

The relative importance of DNS servers to an organization's infrastructure necessitates that this vulnerability be patched quickly, as information held on the DNS server can be used by an adversary to gain critical information about the layout of an organization's internal infrastructure.

CVE-2025-24084: Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability

The untrusted pointer dereference in Windows Subsystem for Linux may allow an unauthorized attacker to execute code locally. What makes this vulnerability particularly concerning is that Microsoft identified multiple attack vectors, including email.

In the worst-case scenario, simply receiving a malicious email would be enough to trigger the vulnerability without any user interaction. Alternatively, an attacker could exploit this by convincing a user to click a link to a malicious website or open a malicious instant message. The multiple attack vectors increase the risk of successful exploitation.

CVE-2025-26645: Remote Desktop Client Remote Code Execution Vulnerability

Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network. An attacker who controls a malicious RDP server could trigger remote code execution on the client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.

This vulnerability has significant implications for lateral movement within networks, as attackers could use it to expand their footprint after gaining initial access to one system. Organizations should ensure that users only connect to trusted and verified RDP servers.

Table of Critical Vulnerabilities

Vulnerabilities by Category

In total, 57 vulnerabilities were addressed in March's Patch Tuesday. Remote Code Execution and Elevation of Privilege flaws top the list with 23 patches each, followed by 4 Information Disclosure, 3 Spoofing, 3 Security Feature Bypass, and 1 Denial of Service vulnerability.

Here is the breakdown of the categories patched this month:

1. Remote Code Execution – 23

2. Elevation of Privilege - 23

3. Information Disclosure – 4

4. Security Feature Bypass – 3

5. Spoofing – 3

6. Denial of Service – 1

The table below shows the CVE IDs mapped to these vulnerability types from Microsoft's March 2025 Patch Tuesday:

Remote code execution vulnerabilities continue to dominate this month, representing 40% of the March updates. Successful exploits of these critical bugs enable arbitrary code execution for extensive system control.

The equally prevalent category is elevation of privilege at 40%. These vulnerabilities empower threat actors to increase compromised user rights and often serve as key components in attack chains.

While less frequent, spoofing, security feature bypass, information disclosure, and denial of service flaws can provide attackers with critical footholds or contribute to broader attack campaigns. Systematically addressing all these categories of risk is essential against today's advanced, determined adversaries across enterprise attack surfaces.

List of Products Patched in March 2025 Patch Tuesday Report

Microsoft's March 2025 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

These patches address vulnerabilities across Microsoft's ecosystem, with Windows operating system components receiving the largest number of fixes. The diverse range of affected products highlights the importance of a comprehensive patching strategy for organizations using Microsoft technologies.

Summary tables

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

ESU Windows vulnerabilities

Microsoft Office vulnerabilities

Windows vulnerabilities

Bottom Line

Microsoft's March 2025 Patch Tuesday release addressed 57 total vulnerabilities, headlined by fixes for seven zero-day flaws, with six of them actively exploited in the wild:

Additionally, CVE-2025-26630 (Microsoft Access Remote Code Execution) was publicly disclosed before a patch was available.

Additional key vulnerabilities included:

In total, 23 remote code execution bugs and 23 elevation of privilege flaws were addressed this month. Information disclosure, spoofing, security feature bypass, and denial of service issues rounded out the rest.

The extensive patch load stresses the importance of continuous monitoring, vulnerability management, and updating to counter sophisticated multi-stage attacks targeting enterprise networks. Prioritizing remediation efforts by focusing on the actively exploited zero-days and critical-rated flaws is crucial to maintaining security posture.

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

You may also like these articles: