ION Advisory: Microsoft’s March 2025 Patch Tuesday
Microsoft’s March Patch Tuesday update addresses 51 vulnerabilities in Microsoft products, with 6 rated Critical and 6 vulnerabilities (earlier zero-days) being exploited. Applying the patches is critical.
Active Exploitation
The following critical vulnerabilities are already being actively exploited.
- CVE-2025-24983 – Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability – An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
- CVE-2025-26633 – Microsoft Management Console Security Feature Bypass Vulnerability – In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the vulnerability.
- CVE-2025-24985 – Windows Fast FAT File System Driver Remote Code Execution Vulnerability – An attacker tricking the victim into mounting a specially crafted VHD file can run code on the vulnerable host.
- CVE-2025-24991 – Windows NTFS Information Disclosure Vulnerability – An attacker tricking the victim into mounting a specially crafted VHD file can read portions of heap memory.
- CVE-2025-24984 – Windows NTFS Information Disclosure Vulnerability – Exploitation has been detected in which an attacker, either having physical access to the target computer or convincing the user to plug in a malicious USB drive, reads portions of heap memory.
- CVE-2025-24993 – Windows NTFS Remote Code Execution Vulnerability – Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.
- CVE-2025-24989 – Microsoft Power Pages Improper Access Control Vulnerability – Microsoft Power Pages contained an improper access control vulnerability that allows an unauthorized attacker to elevate privileges over a network, potentially bypassing the user registration control. This vulnerability has been mitigated by Microsoft directly.
Critical Vulnerabilities
The following critical vulnerabilities are not yet known to be actively exploited or publicly disclosed.
- CVE-2025-24057 – Microsoft Office Remote Code Execution Vulnerability – An attacker using a specially crafted file could exploit Microsoft Office using the Preview Pane.
- CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability – An attacker could successfully exploit this vulnerability by connecting to a system with the Remote Desktop Gateway role.
- CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability – Sensitive data storage in improperly locked memory in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network.
- CVE-2025-26645 – Remote Desktop Client Remote Code Execution Vulnerability – An attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine during an RDP session when the victim connects to the attacker-controlled server.
- CVE-2025-24064 – Windows Domain Name Service Remote Code Execution Vulnerability – An attacker sending a well-timed dynamic DNS update message could execute code remotely on the target server.
- CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability – Untrusted pointer dereference in Windows Subsystem for Linux allows an unauthorized attacker to execute code locally after clicking on a malicious link.
Publicly Disclosed Vulnerabilities
- CVE-2025-26630 – Microsoft Access Remote Code Execution Vulnerability – A remote attacker could exploit the “use after free” vulnerability in Microsoft Office Access, allowing the unauthorized attacker to execute code locally; this requires tricking the user into running malicious code.
Countermeasures and Patches
- Apply patches as soon as possible, after appropriate testing.