Full Report
Microsoft’s Patch Tuesday March 2025 update includes fixes for six actively exploited zero-days and an additional 10 vulnerabilities at higher risk of attack. In all, the Patch Tuesday March 2025 update fixes 57 Microsoft CVEs and republishes an additional 10 non-Microsoft CVEs, including nine Chrome vulnerabilities and one from Synaptics. Here’s a breakdown of the higher-risk vulnerabilities included in the Microsoft report, plus additional updates from other vendors issuing patch Tuesday fixes. Zero Days: Patch Tuesday March 2025 The six zero-day vulnerabilities range in severity from 4.6 to 7.8 (CVSS:3.1). They include: CVE-2025-24983 is a 7.0-severity Windows Win32 Kernel Subsystem Elevation of Privilege/Use After Free vulnerability. The vulnerability, reported by Filip Jurčacko of ESET, requires an attacker to win a race condition in order to gain SYSTEM privileges. CVE-2025-24984 is a 4.6-rated Windows NTFS Information Disclosure/ Insertion of Sensitive Information into Log File vulnerability. Reported anonymously, the vulnerability requires physical access to the target computer to plug in a malicious USB drive to potentially read portions of heap memory. CVE-2025-24985 is a 7.8-severity Windows Fast FAT File System Driver Remote Code Execution (RCE) vulnerability. Reported anonymously, the vulnerability requires an attacker to trick a local user on a vulnerable system into mounting a specially crafted virtual hard disk (VHD) to trigger the vulnerability. CVE-2025-24991 is a 5.5-rated Windows NTFS Information Disclosure/Out-of-bounds Read vulnerability. Also requiring a local user on a vulnerable system to mount a specially crafted VHD, the vulnerability could potentially allow an attacker to read small portions of heap memory. CVE-2025-24993 is a 7.8-rated Windows NTFS RCE/Heap-based Buffer Overflow vulnerability. Reported anonymously, the vulnerability also requires a local user on a vulnerable system to mount a specially crafted VHD to execute code locally. CVE-2025-26633 is a 7.0-severity Microsoft Management Console Security Feature Bypass/Improper Neutralization vulnerability. Reported by Aliakbar Zahravi of Trend Micro, the vulnerability requires that a user open a specially crafted file sent by email or via a compromised website. CISA followed by adding the six Microsoft zero-days to its Known Exploited Vulnerabilities (KEV) catalog. Other High-Risk Microsoft Vulnerabilities In addition to the six zero-days under active attack, Microsoft reported that an additional 10 vulnerabilities are “more likely” to be exploited. These vulnerabilities range in severity from 4.3 to 8.1 and include: CVE-2025-21180, a Windows exFAT File System Remote Code Execution vulnerability CVE-2025-21247, a MapUrlToZone Security Feature Bypass vulnerability CVE-2025-24035, a Windows Remote Desktop Services Remote Code Execution vulnerability CVE-2025-24044, a Windows Win32 Kernel Subsystem Elevation of Privilege vulnerability CVE-2025-24045, a Windows Remote Desktop Services Remote Code Execution vulnerability CVE-2025-24061, a Windows Mark of the Web Security Feature Bypass vulnerability CVE-2025-24066, a Windows Kernel Streaming Service Driver Elevation of Privilege vulnerability CVE-2025-24067, a Windows Kernel Streaming Service Driver Elevation of Privilege vulnerability CVE-2025-24992, a Windows NTFS Information Disclosure vulnerability CVE-2025-24995, a Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability Other Vendors with Patch Tuesday Updates Other vendors releasing updates on March 2025 Patch Tuesday include: Adobe (Acrobat and Reader and InDesign) Apple Fortinet Ivanti SAP
Analysis Summary
This summary focuses on the high-risk Microsoft vulnerabilities detailed in the context provided from the March 2025 Patch Tuesday report. Specific details for the six zero-days mentioned are not provided, so they are omitted here, focusing only on the 10 enumerated high-risk flaws.
# Vulnerability: Microsoft High-Risk Flaws (March 2025)
## CVE Details
- CVE ID: Multiple (CVE-2025-21180, CVE-2025-21247, CVE-2025-24035, CVE-2025-24044, CVE-2025-24045, CVE-2025-24061, CVE-2025-24066, CVE-2025-24067, CVE-2025-24992, CVE-2025-24995)
- CVSS Score: Ranging from 4.3 to 8.1
- CWE: Not specified for individual CVEs
## Affected Systems
- Products: Windows (including specific components like exFAT File System, Remote Desktop Services, Win32 Kernel Subsystem, Kernel Streaming Service Driver, NTFS, and Kernel Streaming WOW Thunk Service Driver).
- Versions: Not specifically detailed in the summary, but tied to Microsoft's March 2025 Patch Tuesday lineup.
- Configurations: Varies by CVE, relating to specific Windows processes and subsystems.
## Vulnerability Description
The listed vulnerabilities are 10 high-risk flaws reported by Microsoft in their March 2025 Patch Tuesday that are deemed "more likely" to be exploited. These flaws cover a range of security issues, primarily resulting in:
1. **Remote Code Execution (RCE):** Affecting the exFAT File System and Remote Desktop Services.
2. **Elevation of Privilege (EoP):** Affecting the Win32 Kernel Subsystem and Kernel Streaming Service Drivers.
3. **Security Feature Bypass (SFB):** Affecting MapUrlToZone and Mark of the Web checks.
4. **Information Disclosure:** Affecting the NTFS driver.
## Exploitation
- Status: Microsoft notes these are “more likely” to be exploited, indicating a heightened risk, though explicit confirmation of these 10 specific CVEs being actively exploited is not detailed here (unlike the separate set of 6 zero-days).
- Complexity: Varies, based on CVSS scores (up to 8.1 suggests Moderate to High complexity in some cases).
- Attack Vector: Likely includes Network (for RCE/SFB) and Local (for EoP).
## Impact
Impact varies significantly based on the specific CVE:
- Confidentiality: Information Disclosure (CVE-2025-24992) and potentially high impact via RCE.
- Integrity: High impact possible via RCE and EoP flaws.
- Availability: Potentially affected by high-impact RCE or denial of service stemming from EoP.
## Remediation
### Patches
- Patches are available as part of the **Microsoft Patch Tuesday for March 2025**. Users must apply the relevant security updates released on this date.
### Workarounds
- The context does not provide specific workarounds for these 10 high-risk flaws outside of applying the patches.
## Detection
- Detection must focus on standard compromise indicators related to the affected components (e.g., unusual process execution from RDS, file system manipulation attempts, or unauthorized privilege escalations).
- **Detection Methods:** Utilizing Microsoft’s security update scanning tools, Endpoint Detection and Response (EDR) solutions to monitor for anomalous activity in specified Windows subsystems (Kernel, RDS, File Systems).
## References
- Vendor Advisories: Microsoft Patch Tuesday March 2025 Security Update Guidance.
- Relevant Links:
- hxxps://thecyberexpress.com/patch-tuesday-march-2025-six-zero-days/
- (Note: Adobe, Apple, Fortinet, Ivanti, and SAP also released updates, see original article for details on those vendors).