Microsoft Patch Tuesday addresses six actively exploited zero-days

As part of its monthly Patch Tuesday event, Microsoft has fixed 57 vulnerabilities. Among them are six actively exploited zero-day vulnerabilities affecting the Microsoft Management Console, Windows NTFS, the Fast FAT File System Driver, and the Win32 Kernel Subsystem, plus several critical vulnerabilities that could allow remote code execution (RCE).

Microsoft advised that the following six vulnerabilities have been actively exploited as zero-days:

• CVE-2025-26633 — An improper neutralization flaw in Microsoft Management Console could allow an unauthorized threat actor to bypass a security feature locally by sending the targeted user a specially crafted file or website that is designed to exploit the vulnerability.
• CVE-2025-24993 — A heap-based buffer overflow issue in Windows NTFS that could allow an unauthorized threat actor to execute code locally.
• CVE-2025-24991 — An out-of-bounds read bug in Windows NTFS that could allow an authorized threat actor to disclose information locally by tricking a local user on a vulnerable system into mounting a specially crafted VHD.
• CVE-2025-24985 — An integer overflow or wraparound vulnerability in Windows Fast FAT Driver that could allow an unauthorized threat actor to execute code locally by tricking a local user on a vulnerable system into mounting a specially crafted VHD.
• CVE-2025-24984 — An insertion of sensitive information into log file flaw in Windows NTFS that could allow an unauthorized threat actor with physical access to disclose inserting a malicious USB drive to potentially read portions of heap memory.
• CVE-2025-24983 — A use after free issue in Windows Win32 Kernel Subsystem that could allow an authorized attacker to elevate privileges locally after winning a race condition to gain SYSTEM privileges.

Among the critical vulnerabilities patched on Tuesday is CVE-2025-26645, a path traversal in Remote Desktop Client that could allow an unauthorized threat actor to execute code over a network.

Microsoft is advising users to download and install the latest security patches as soon as possible.

Source: SecurityWeek

Analysis

It’s alarming that six zero-day vulnerabilities have been addressed in March’s Patch Tuesday event. The presence of multiple zero-day patches in a single update may indicate increased threat actor activity or could be the result of improved detection and reporting mechanisms.

Fortunately, there are some mitigating factors, such as the vulnerabilities requiring user interaction, local/physical access, and the winning of a race condition to be exploited, which slightly reduces the risk the zero-day vulnerabilities pose.

Microsoft’s policy not to publicly release additional details and indicators of compromise (IoC) associated with the vulnerabilities hinders network defenders from understanding the full nature of the potential threat of the vulnerabilities.

Regardless, the presence of multiple zero-days highlights the importance of promptly applying security updates to protect systems against actively exploited vulnerabilities.

Mitigation

Field Effect’s team of Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in Microsoft Products. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities. Field Effect MDR users were automatically notified if a vulnerable version of Windows was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect encourages users of the affected Windows versions to update to the latest version as soon as possible, in accordance with Microsoft’s advisory.

Related Articles

• Microsoft fixes 63 vulnerabilities on Patch Tuesday, including two that were actively exploited
• Microsoft improves transparency, addresses critical vulnerabilities
• Microsoft investigates potential new Windows zero-day vulnerability