Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws
Today is Microsoft’s March 2025 Patch Tuesday, which includes security updates for 57 flaws, including six actively exploited zero-day vulnerabilities.
This Patch Tuesday also fixes six “Critical” vulnerabilities, all remote code execution vulnerabilities.
The number of bugs in each vulnerability category is listed below:
- 23 Elevation of Privilege Vulnerabilities
- 3 Security Feature Bypass Vulnerabilities
- 23 Remote Code Execution Vulnerabilities
- 4 Information Disclosure Vulnerabilities
- 1 Denial of Service Vulnerabilities
- 3 Spoofing Vulnerabilities
The above numbers do not include Mariner flaws and 10 Microsoft Edge vulnerabilities fixed earlier this month.
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5053598 & KB5053602 cumulative updates and the Windows 10 KB5053606 update.
Six actively exploited zero-days
This month’s Patch Tuesday fixes six actively exploited zero-days and one that was publicly exposed, for a total of seven zero-days.
Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.
A few of the actively exploited zero days are related to Windows NTFS bugs that involve mounting VHD drives.
The actively exploited zero-day vulnerability in today’s updates are:
CVE-2025-24983 – Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
Microsoft says this vulnerability will allow local attackers to gain SYSTEM privileges on the device after winning a race condition.
Microsoft has not shared how the flaw was exploited in attacks. However, as it was discovered by Filip Jurčacko with ESET, we will likely learn more in a future report.
BleepingComputer contacted ESET for more information about this flaw.
CVE-2025-24984 – Windows NTFS Information Disclosure Vulnerability
Microsoft says that this flaw can be exploited by attackers who have physical access to the device and insert a malicious USB drive.
Exploiting the flaw allows the attackers to read portions of heap memory and steal information.
Microsoft says that this vulnerability was disclosed anonymously.
CVE-2025-24985 – Windows Fast FAT File System Driver Remote Code Execution Vulnerability
Microsoft says that this remote code execution vulnerability is caused by an integer overflow or wraparound in Windows Fast FAT Driver that, when exploited, allows an attacker to execute code.
“An attacker can trick a local user on a vulnerable system into mounting a specially crafted VHD that would then trigger the vulnerability,” explains Microsoft.
While Microsoft has not shared details about how it was exploited but malicious VHD images were previously distributed in phishing attacks and through pirated software sites.
Microsoft says that this vulnerability was disclosed anonymously.
CVE-2025-24991 – Windows NTFS Information Disclosure Vulnerability
Microsoft says that attackers can exploit this flaw to read small portions heap memory and steal information.
Attackers can exploit the flaw by tricking a user into mounting a malicious VHD file.
Microsoft says that this vulnerability was disclosed anonymously.
CVE-2025-24993 – Windows NTFS Remote Code Execution Vulnerability
Microsoft says that this remote code execution vulnerability is caused by a heap-based buffer overflow bug in Windows NTFS that allows an attacker to execute code.
“An attacker can trick a local user on a vulnerable system into mounting a specially crafted VHD that would then trigger the vulnerability,” explains Microsoft
Microsoft says that this vulnerability was disclosed anonymously.
CVE-2025-26633 – Microsoft Management Console Security Feature Bypass Vulnerability
While Microsoft has not shared any details about this flaw, based on its description, it may involve a bug that allows malicious Microsoft Management Console (.msc) files to bypass Windows security features and execute code.
“In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the vulnerability,” explains Microsoft.
“In any case an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker’s site or send a malicious attachment.”
Microsoft says Aliakbar Zahravi from Trend Micro discovered this flaw. BleepingComputer contacted Trend Micro to learn more about how this flaw was exploited.
The publicly disclosed zero-day is:
CVE-2025-26630 – Microsoft Access Remote Code Execution Vulnerability
Microsoft says this remote code execution flaw is caused by a use after free memory bug in Microsoft Office Access.
To exploit the flaw, a user must be tricked into opening a specially crafted Access file. This can be done through phishing or social engineering attacks.
However, the flaw cannot be exploited through the preview pane.
Microsoft says the flaw was discovered by Unpatched.ai.
Recent updates from other companies
Other vendors who released updates or advisories in March 2025 include:
- Broadcom fixed three zero-day flaws in VMware ESXi that were exploited in attacks.
- Cisco fixes WebEx flaw that could expose credentials, as well as critical vulnerabilities in Cisco Small Business routers.
- An unpatched Edimax IC-7100 IP camera flaw is being exploited by botnet malware to infect devices.
- Google fixed an exploited zero-day flaw in an Android’s Linux kernel driver that was used to unlock devices.
- Ivanti released security updates for Secure Access Client (SAC) and Neurons for MDM.
- Fortinet released security updates for numerous products, including FortiManager, FortiOS, FortiAnalyzer, and FortiSandbox.
- Paragon disclosed a flaw in its BioNTdrv.sys driver that was exploited by ransomware gangs in BYOVD attacks.
- SAP releases security updates for multiple products.
The March 2025 Patch Tuesday Security Updates
Below is the complete list of resolved vulnerabilities in the March 2025 Patch Tuesday updates.
To access the full description of each vulnerability and the systems it affects, you can view the full report here.
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| .NET | CVE-2025-24043 | WinDbg Remote Code Execution Vulnerability | Important |
| ASP.NET Core & Visual Studio | CVE-2025-24070 | ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability | Important |
| Azure Agent Installer | CVE-2025-21199 | Azure Agent Installer for Backup and Site Recovery Elevation of Privilege Vulnerability | Important |
| Azure Arc | CVE-2025-26627 | Azure Arc Installer Elevation of Privilege Vulnerability | Important |
| Azure CLI | CVE-2025-24049 | Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability | Important |
| Azure PromptFlow | CVE-2025-24986 | Azure Promptflow Remote Code Execution Vulnerability | Important |
| Kernel Streaming WOW Thunk Service Driver | CVE-2025-24995 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Local Security Authority Server (lsasrv) | CVE-2025-24072 | Microsoft Local Security Authority (LSA) Server Elevation of Privilege Vulnerability | Important |
| Microsoft Management Console | CVE-2025-26633 | Microsoft Management Console Security Feature Bypass Vulnerability | Important |
| Microsoft Office | CVE-2025-24083 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2025-26629 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2025-24080 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2025-24057 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office Access | CVE-2025-26630 | Microsoft Access Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-24081 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-24082 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-24075 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Word | CVE-2025-24077 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office Word | CVE-2025-24078 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office Word | CVE-2025-24079 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Streaming Service | CVE-2025-24046 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Streaming Service | CVE-2025-24067 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2025-25008 | Windows Server Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2024-9157 | Synaptics: CVE-2024-9157 Synaptics Service Binaries DLL Loading Vulnerability | Important |
| Remote Desktop Client | CVE-2025-26645 | Remote Desktop Client Remote Code Execution Vulnerability | Critical |
| Role: DNS Server | CVE-2025-24064 | Windows Domain Name Service Remote Code Execution Vulnerability | Critical |
| Role: Windows Hyper-V | CVE-2025-24048 | Windows Hyper-V Elevation of Privilege Vulnerability | Important |
| Role: Windows Hyper-V | CVE-2025-24050 | Windows Hyper-V Elevation of Privilege Vulnerability | Important |
| Visual Studio | CVE-2025-24998 | Visual Studio Elevation of Privilege Vulnerability | Important |
| Visual Studio | CVE-2025-25003 | Visual Studio Elevation of Privilege Vulnerability | Important |
| Visual Studio Code | CVE-2025-26631 | Visual Studio Code Elevation of Privilege Vulnerability | Important |
| Windows Common Log File System Driver | CVE-2025-24059 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| Windows Cross Device Service | CVE-2025-24994 | Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability | Important |
| Windows Cross Device Service | CVE-2025-24076 | Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability | Important |
| Windows exFAT File System | CVE-2025-21180 | Windows exFAT File System Remote Code Execution Vulnerability | Important |
| Windows Fast FAT Driver | CVE-2025-24985 | Windows Fast FAT File System Driver Remote Code Execution Vulnerability | Important |
| Windows File Explorer | CVE-2025-24071 | Microsoft Windows File Explorer Spoofing Vulnerability | Important |
| Windows Kernel Memory | CVE-2025-24997 | DirectX Graphics Kernel File Denial of Service Vulnerability | Important |
| Windows Kernel-Mode Drivers | CVE-2025-24066 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| Windows MapUrlToZone | CVE-2025-21247 | MapUrlToZone Security Feature Bypass Vulnerability | Important |
| Windows Mark of the Web (MOTW) | CVE-2025-24061 | Windows Mark of the Web Security Feature Bypass Vulnerability | Important |
| Windows NTFS | CVE-2025-24993 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2025-24984 | Windows NTFS Information Disclosure Vulnerability | Important |
| Windows NTFS | CVE-2025-24992 | Windows NTFS Information Disclosure Vulnerability | Important |
| Windows NTFS | CVE-2025-24991 | Windows NTFS Information Disclosure Vulnerability | Important |
| Windows NTLM | CVE-2025-24996 | NTLM Hash Disclosure Spoofing Vulnerability | Important |
| Windows NTLM | CVE-2025-24054 | NTLM Hash Disclosure Spoofing Vulnerability | Important |
| Windows Remote Desktop Services | CVE-2025-24035 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical |
| Windows Remote Desktop Services | CVE-2025-24045 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-24051 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important |
| Windows Subsystem for Linux | CVE-2025-24084 | Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability | Critical |
| Windows Telephony Server | CVE-2025-24056 | Windows Telephony Service Remote Code Execution Vulnerability | Important |
| Windows USB Video Driver | CVE-2025-24988 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important |
| Windows USB Video Driver | CVE-2025-24987 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important |
| Windows USB Video Driver | CVE-2025-24055 | Windows USB Video Class System Driver Information Disclosure Vulnerability | Important |
| Windows Win32 Kernel Subsystem | CVE-2025-24044 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important |
| Windows Win32 Kernel Subsystem | CVE-2025-24983 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important |
