Full Report
Today is Microsoft's March 2025 Patch Tuesday, which includes security updates for 57 flaws, including six actively exploited zero-day vulnerabilities. [...]
Analysis Summary
# Vulnerability: Microsoft March 2025 Patch Tuesday Summary
## CVE Details
- CVE ID: Multiple (Focusing on 7 Zero-Days and Critical RCEs mentioned)
- CVSS Score: Not universally provided, but 6 vulnerabilities are classified as **Critical** (Remote Code Execution).
- CWE: Various (including Integer Overflow, Heap-based Buffer Overflow, etc., based on descriptions).
## Affected Systems
- Products: Windows (including Win32 Kernel, NTFS, Remote Desktop Services, WSL2, etc.)
- Versions: All affected Windows versions covered by the March 2025 updates. Specific version details are reserved for individual vendor advisories.
- Configurations: Varies by CVE; notable conditions include local user interaction, physical USB access, or mounting crafted VHD files.
## Vulnerability Description
Microsoft's March 2025 Patch Tuesday addresses 57 flaws, including 6 actively exploited Zero-Days and 1 publicly disclosed zero-day. The major themes include RCE flaws (6 rated Critical) and several NTFS/VHD manipulation vulnerabilities exploited in the wild.
**Key Zero-Day/Publicly Disclosed Flaws:**
* **CVE-2025-24983 (EoP):** Race condition in Windows Win32 Kernel Subsystem allowing local attackers to gain SYSTEM privileges.
* **CVE-2025-24984 (Info Disclosure):** USB physical access allows attackers to read portions of heap memory via malicious USB insertion.
* **CVE-2025-24985 (RCE):** Integer overflow in Windows Fast FAT Driver, triggered when a local user mounts a specially crafted VHD file.
* **CVE-2025-24991 (Info Disclosure):** Allows attackers to read small portions of heap memory by tricking a user into mounting a malicious VHD file.
* **CVE-2025-24993 (RCE):** Heap-based buffer overflow in Windows NTFS, triggered by mounting a specially crafted VHD file.
* **CVE-2025-26633 (Security Feature Bypass):** May involve malicious Microsoft Management Console (.msc) files bypassing security features via user action (clicking a link/attachment).
## Exploitation
- Status: **Six actively exploited zero-days** fixed, plus one publicly disclosed vulnerability.
- Complexity: Varies. EoP flaws require local privileges or race conditions; RCE via VHD often requires a user to *trick* the local user into mounting the file. Attribute to Low/Medium based on the requirement for user interaction or local access for the core flaws described.
- Attack Vector: Local (most VHD/NTFS flaws), Network (implied for zero-days leading to RCE, or social engineering for MSC bypass).
## Impact
- Confidentiality: High (Information Disclosure in NTFS flaws, potential for RCE disclosure).
- Integrity: Critical (Remote Code Execution via RCE flaws, EoP resulting in SYSTEM change/malware execution).
- Availability: Medium (Denial of Service flaws exist in the overall count, though not detailed here).
## Remediation
### Patches
Patches are available as part of the March 2025 Patch Tuesday updates for all listed CVEs. Specific cumulative update packages mentioned include:
* Windows 11 KB5053598 & KB5053602
* Windows 10 KB5053606
### Workarounds
No specific workarounds are detailed in the summary for the zero-days other than applying the patch. For the VHD-related flaws, extreme caution should be exercised regarding mounting externally sourced VHD files.
## Detection
- Indicators of Compromise (IOCs): Not explicitly listed, but monitoring for unexpected privilege escalation (SYSTEM access) or unauthorized VHD mounting operations related to NTFS operations should be prioritized.
- Detection Methods and Tools: Standard endpoint detection and response (EDR) tools should monitor kernel subsystem activity. Specific detection logic for malicious `.msc` file execution or VHD mounting attempts should be deployed.
## References
- Vendor Advisories: Microsoft Security Update Guide (MSRC) for the corresponding CVEs (e.g., CVE-2025-24983).
- Relevant Links:
* Windows 11 cumulative updates help: hxxps://www.bleepingcomputer.com/news/microsoft/windows-11-kb5053598-and-kb5053602-cumulative-updates-released/
* Windows 10 cumulative update help: hxxps://www.bleepingcomputer.com/news/microsoft/windows-10-kb5053606-update-fixes-broken-ssh-connections/