March Patch Tuesday brings 57 fixes, multiple zero-days

March Patch Tuesday brings 57 fixes, multiple zero-days

The third Patch Tuesday of 2025 brings fixes for 57 flaws and a hefty number of zero-days

Microsoft has dropped a grand total of 57 fixes to mark the third Patch Tuesday update of 2025 – rising to closer to 70 when third-party vulns are taken into account – including six zero-days and six critical flaws needing urgent attention.

The zero-days comprise a security feature bypass in Microsoft Management Console, two remote code execution (RCE) issues in Windows Fast FAT File System Driver and Windows NTFS, two information disclosure vulnerabilities in Windows NTFS, and a privilege escalation flaw in Windows Win32 Kernel Subsystem.

All are listed as exploited by Microsoft, but have not yet been made public, and all are considered to be important in their severity, carrying CVSS scores that range from 4.6 to 7.8.

A seventh vulnerability, an RCE issue in Windows Access, has been listed as public but does not appear to be actively exploited at the time of writing.

The six critical vulnerabilities, carrying CVSS scores of 7.8 through 8.8, are all RCE flaws. Two of them affect Windows Remote Desktop Services, and the four others relate to Microsoft Office, Windows Domain Name Service, Remote Desktop Client, and Windows Subsystem for Linux Kernel.

“All six of the vulnerabilities that Microsoft has labelled as exploit detected are resolved with the monthly cumulative update,” said Tyler Reguly, Fortra associate director of security research and development.

“This means a single update to roll out to fix all of these at once. Thankfully, none of them require post-patch configuration steps. The same is true for five of the six critical severity vulnerabilities. A lot of our important fixes come from the same patch.

“The remaining critical vulnerability, CVE-2025-24057, and the publicly disclosed vulnerability, CVE-2025-26630, both require Office updates. For those running click-to-run, there’s not a lot to do, but for those running Office 2016, there are two patches to install, one for Office and one for Access,” he added.

Reguly said that fortunately, this limited the amount of patching needed to resolve the attention-grabbing flaws. “However,” he said, “they are big ticket items and with headlines likely to state, Microsoft Patches Six 0-Day Vulnerabilities, admins will likely have a lot of questions to answer about the state of their patching.”

Big ticket items: big impacts

Assessing these big ticket items in a little more depth, Immersive senior director of threat research, Kev Breen said the NTFS and FAT RCE flaws probably warrant the greatest attention. These flaws form part of a chain with the two NTFS information disclosure vulnerabilities.

“These four CVEs are all related to a remote code execution vulnerability that is associated with mounting Virtual Hard Disk (VHD) files. These are tracked separately as CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, and CVE-2025-24993, so when it comes to patch management ensure all four are covered.

Breen explained that the exploit chain relies on the attacker convincing a user to open or mount a virtual hard disk (VHD) file. These are typically used to store operating systems for virtual machines and while more usually associated with VMs, there have been cases down through the years where such files have been used to smuggle malware payloads onto target systems.

“Depending on the configuration of Windows systems, simply double-clicking on a VHD file could be enough to mount the container and, therefore, execute any payloads contained within the malicious file,” said Breen. “Organisations should check their security tools for any VHD files being sent via email or downloaded from the internet and look to add security rules or blocks for these file types where they are not required.”

Meanwhile, Alex Vovk, CEO and co-founder of Action1, considered some of the implications of the Windows Win32 Kernel EoP flaw, tracked as CVE-2025-24984.

“CVE-2025-24983 provides a direct path from low privileges to SYSTEM access, making it an attractive target for attackers with initial access via phishing, malware, compromised credentials, or insider threats,” said Vovk.

“Although classified as high complexity, well-resourced attackers – including state-sponsored groups and cyber criminal organisations – have historically overcome such constraints through automation and repeated attempts. Race-condition vulnerabilities in kernel subsystems have proven to be reliably exploitable, given sufficient attacker persistence and environment predictability.

“Organisations heavily dependent on Windows infrastructure – including enterprises, governments, and critical infrastructure sectors – are at risk. Kernel-level privilege escalation vulnerabilities remain highly valuable to attackers, as they serve as a key pivot point in advanced cyber attacks, enabling deeper network infiltration and persistent access,” said Vovk.

Read more about Patch Tuesday

• February 2025: Microsoft is correcting 57 vulnerabilities in its February Patch Tuesday, two of which are being actively exploited in the wild, and three of which are critical.
• January 2025: The largest Patch Tuesday of the 2020s so far brings fixes for more than 150 CVEs ranging widely in their scope and severity – including eight zero-day flaws.
• December 2024: Microsoft has fixed over 70 CVEs in its final Patch Tuesday update of the year, and defenders should prioritise a zero-day in the Common Log File System Driver, and another impactful flaw in the Lightweight Directory Access Protocol.
• November 2024: High-profile vulns in NTLM, Windows Task Scheduler, Active Directory Certificate Services and Microsoft Exchange Server should be prioritised from November’s Patch Tuesday update.
• October 2024: Stand-out vulnerabilities in Microsoft’s latest Patch Tuesday drop include problems in Microsoft Management Console and the Windows MSHTML Platform.
• September 2024: Four critical remote code execution bugs in Windows and three critical elevated privileges vulnerabilities will keep admins busy.
• August 2024: Microsoft patches six actively exploited zero-days among over 100 issues during its regular monthly update.
• July 2024: Microsoft has fixed almost 140 vulnerabilities in its latest monthly update, with a Hyper-V zero-day singled out for urgent attention.
• June 2024: An RCE vulnerability in a Microsoft messaging feature and a third-party flaw in a DNS authentication protocol are the most pressing issues to address in Microsoft’s latest Patch Tuesday update.
• May 2024: A critical SharePoint vulnerability warrants attention this month, but it is another flaw that seems to be linked to the infamous Qakbot malware that is drawing attention.
• April 2024: Support for the Windows Server 2008 OS ended in 2020, but four years on and there's a live exploit of a security flaw that impacts all Windows users.
• March 2024: Two critical vulnerabilities in Windows Hyper-V stand out on an otherwise unremarkable Patch Tuesday.

Originally published at ECT News