Warning: Microsoft Patch Tuesday March 2025 patches 57 vulnerabilities (6 critical, 51 important), including 6 actively exploited zero-days. patch immediately!

Image
Decorative image
Veröffentlicht : 12/03/2025

Reference:
Advisory #2025-54

Version:
1.0

Affected software:
.NET
ASP.NET Core & Visual Studio
Azure Agent Installer
Azure Arc
Azure CLI
Azure PromptFlow
Kernel Streaming WOW Thunk Service Driver
Microsoft Local Security Authority Server (lsasrv)
Microsoft Management Console
Microsoft Office
Microsoft Office Access
Microsoft Office Excel
Microsoft Office Word
Microsoft Streaming Service
Microsoft Windows
Remote Desktop Client
Role: DNS Server
Visual Studio
Visual Studio Code
Windows Common Log File System Driver
Windows Cross Device Service
Windows Fast FAT Driver
Windows File Explorer
Windows Hyper-V
Windows Kernel Memory
Windows Kernel-Mode Drivers
Windows MapUrlToZone
Windows Mark of the Web (MOTW)
Windows NTFS
Windows NTLM
Windows Remote Desktop Services
Windows Routing and Remote Access Service (RRAS)
Windows Subsystem for Linux
Windows Telephony Server
Windows USB Video Driver
Windows Win32 Kernel Subsystem
Windows exFAT File System

Type:
Several types, including Remote Code Execution, Privilege Escalation and Information Disclosure.

CVE/CVSS:
Microsoft patched 57 vulnerabilities in its March 2025 Patch Tuesday release, 6 rated as critical, 51 rated important, including 6 0-day vulnerabilities that are actively exploited.

Number of CVEs by type: 
- 23 Remote Code Execution vulnerabilities
- 23 Elevation of Privilege vulnerabilities
- 4 Information Disclosure vulnerabilities
- 3 Spoofing vulnerability
- 1 Denial of Service vulnerabilities
- 3 Security Feature Bypass vulnerabilities
 

Sources

Microsoft - https://msrc.microsoft.com/update-guide/releaseNote/2025-Mar

Risks

Microsoft’s March 2025 Patch Tuesday includes 57 vulnerabilities (critical and 51 important), for a wide range of Microsoft products, impacting Microsoft Server and Workstations. This Patch Tuesday includes 6 0-day actively exploited vulnerabilities. Some other vulnerabilities are also more likely to be exploited soon, therefore urgent patching is advised.

Description

Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software.

The CCB would like to point your attention to following vulnerabilities:

CVE-2025-24983: Windows Win32 Kernel Subsystem (Actively exploited)

Elevation of Privilege. CVSS 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local authenticated attacker could elevate privileges to SYSTEM if they win a race condition. ESET Researcher that discovered the vulnerability, reports that the exploit was deployed via the PipeMagic backdoor, allowing remote access to the compromised machine and data exfiltration.

CVE-2025-24984 and CVE-2025-24991: NTFS (Actively exploited)

Information Disclosure. CVSS 4.6 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) respectively.

An attacker could exploit these vulnerabilities to read sensitive information of portions of heap memory. Exploitation happens via the use of a malicious USB drive inserted in the targeted device or by tricking the user into mounting a specially crafted VHD respectively.

CVE-2025-24985: Windows Fast FAT File System Driver and CVE-2025-24993: NTFS (Actively exploited)

Remote Code Execution. CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Both vulnerabilities allow an attacker to gain remote code execution by tricking a local user into mounting a specially crafted VHD.

CVE -2025-26633: Microsoft Management Console (Actively exploited)

Security Feature Bypass. CVSS 7.0 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker can craft a malicious file that leads to the bypass of a security feature if a local user is tricked into opening it.

CVE-2025-24035 and CVE-2025-24045: Windows Remote Desktop Services Remote Code Execution

Remote Code Execution. CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Both vulnerabilities require the attacker to win a race condition. Although the vulnerabilities are not exploited, Microsoft assesses them as critical and more likely to be exploited in the future.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via Report an incident.
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

KrebsonSecurity - https://krebsonsecurity.com/2025/03/microsoft-6-zero-days-in-march-2025-patch-tuesday/

Tenable - https://www.tenable.com/blog/microsofts-march-2025-patch-tuesday-addresses-56-cves-cve-2025-26633-cve-2025-24983

SANS Internet Storm Center - https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%3A%20March%202025/31756