Full Report
6Critical50Important0Moderate0LowMicrosoft addresses 56 CVEs, including seven zero-day flaws, with six of those being exploited in the wild.Microsoft patched 56 CVEs in its March 2025 Patch Tuesday release, with six rated critical, and 50 rated as important.This month’s update includes patches for:.NETASP.NET Core & Visual StudioAzure Agent InstallerAzure ArcAzure CLIAzure PromptFlowKernel Streaming WOW Thunk Service DriverMicrosoft Local Security Authority Server (lsasrv)Microsoft Management ConsoleMicrosoft OfficeMicrosoft Office AccessMicrosoft Office ExcelMicrosoft Office WordMicrosoft Streaming ServiceMicrosoft WindowsRemote Desktop ClientRole: DNS ServerVisual StudioVisual Studio CodeWindows Common Log File System DriverWindows Cross Device ServiceWindows Fast FAT DriverWindows File ExplorerWindows Hyper-VWindows Kernel MemoryWindows Kernel-Mode DriversWindows MapUrlToZoneWindows Mark of the Web (MOTW)Windows NTFSWindows NTLMWindows Remote Desktop ServicesWindows Routing and Remote Access Service (RRAS)Windows Subsystem for LinuxWindows Telephony ServerWindows USB Video DriverWindows Win32 Kernel SubsystemWindows exFAT File SystemRemote code execution (RCE) vulnerabilities accounted for 41.1% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 39.3%.ImportantCVE-2025-26633 | Microsoft Management Console Security Feature Bypass VulnerabilityCVE-2025-26633 is a security feature bypass vulnerability in the Microsoft Management Console (MMC). It was assigned a CVSSv3 score of 7.0 and is rated important. An attacker could exploit this vulnerability by convincing a potential target with either standard user or admin privileges to open a malicious file.According to Microsoft, CVE-2025-26633 was exploited in the wild as a zero-day. This is the second zero-day in the MMC to be exploited in the wild since CVE-2024-43572, a RCE vulnerability patched in October 2024.ImportantCVE-2025-24985 | Windows Fast FAT File System Driver Remote Code Execution VulnerabilityCVE-2025-24985 is a RCE vulnerability in the Windows Fast FAT File System Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. A local attacker could exploit this vulnerability by convincing a potential target to mount a specially crafted virtual hard disk (VHD). Successful exploitation would grant an attacker arbitrary code execution.According to Microsoft, CVE-2025-24985 was exploited in the wild as a zero-day. This is the first vulnerability in Windows Fast FAT File System to be reported since 2022 and the first to be exploited in the wild.ImportantCVE-2025-24044 and CVE-2025-24983 | Windows Win32 Kernel Subsystem Elevation of Privilege VulnerabilitiesCVE-2025-24044 and CVE-2025-24983 are EoP vulnerabilities in the Windows Win32 Kernel Subsystem. CVE-2025-24044 and CVE-2025-24983 were assigned CVSSv3 scores of 7.8 and 7.0 respectively, while both vulnerabilities are rated as important. A local, authenticated attacker would need to win a race condition in order to exploit CVE-2025-24983. Successful exploitation of either vulnerability would allow the attacker to gain SYSTEM privileges.According to Microsoft, CVE-2025-24983 was exploited in the wild as a zero-day. While CVE-2025-24044 was not exploited, Microsoft assessed it as “Exploitation More Likely” according to Microsoft’s Exploitability Index. Prior to this month, Microsoft patched seven vulnerabilities in the Win32 Kernel Subsystem (one in 2022, five in 2024, one earlier in 2025), though CVE-2025-24983 is the first to be exploited in the wild.ImportantCVE-2025-24993 | Windows NTFS Remote Code Execution VulnerabilityCVE-2025-24993 is a RCE vulnerability in Windows New Technology File System (NTFS). It was assigned a CVSSv3 score of 7.8 and is rated as important. According to Microsoft, a heap-based buffer overflow can be exploited in order to execute arbitrary code on an affected system. In order to exploit this vulnerability, an attacker must entice a local user to mount a crafted VHD. According to Microsoft, this flaw was reportedly exploited in the wild as a zero-day.ImportantCVE-2025-24984, CVE-2025-24991, CVE-2025-24992 | Windows NTFS Information Disclosure VulnerabilitiesCVE-2025-24984, CVE-2025-24991 and CVE-2025-24992 are information disclosure vulnerabilities in Windows NTFS. Both CVE-2025-24991 and CVE-2025-24992 were assigned CVSSv3 scores of 5.5, while CVE-2025-24984 was assigned a score of 4.6. All three of these vulnerabilities were rated as important and can be exploited in physical attacks such as an attacker utilizing a malicious USB drive or by enticing a local user to mount a crafted VHD.While two information disclosure vulnerabilities in Windows NTFS have previously been patched in 2022 (CVE-2022-26933) and 2023 (CVE-2023-36398), CVE-2025-24984 and CVE-2025-24991 are the first to have been exploited in the wild as zero-days.ImportantCVE-2025-26630 | Microsoft Access Remote Code Execution VulnerabilityCVE-2025-26630 is a RCE vulnerability in Microsoft Access. It was assigned a CVSSv3 score of 7.8 and is rated as important. An attacker could exploit this vulnerability by using social engineering to convince a potential target to download and run a malicious file on their system. Successful exploitation would grant an attacker arbitrary code execution.According to Microsoft, CVE-2025-26630 is considered a zero-day vulnerability as it was publicly disclosed prior to a patch being available. This is the sixth vulnerability in Microsoft Access disclosed since 2023. However, this is the fourth zero-day to be publicly disclosed and attributed to Unpatched.ai. Three were disclosed in Microsoft’s January 2025 Patch Tuesday release (CVE-2025-21186, CVE-2025-21366, CVE-2025-21395)CriticalCVE-2025-24035 and CVE-2025-24045 | Windows Remote Desktop Services Remote Code Execution VulnerabilitiesCVE-2025-24035 and CVE-2025-24045 are RCE vulnerabilities in Windows Remote Desktop Services. Each was assigned a CVSSv3 score of 8.1 and rated as critical. To exploit these flaws, an attacker must be able to win a race condition. Despite this requirement, Microsoft assessed both flaws as “Exploitation More Likely.”Tenable SolutionsA list of all the plugins released for Microsoft’s March 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationMicrosoft's March 2025 Security UpdatesTenable plugins for Microsoft March 2025 Patch Tuesday Security UpdatesJoin Tenable's Security Response Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Analysis Summary
# Vulnerability: Remote Code Execution in Windows Remote Desktop Services (March 2025 Patch Tuesday)
## CVE Details
- CVE ID: CVE-2025-24035, CVE-2025-24045
- CVSS Score: 8.1 (High)
- CWE: Not specified in detail, but related to Remote Desktop Services RCE.
## Affected Systems
- Products: Windows (Specific products not fully enumerated, but implied to be systems utilizing Windows Remote Desktop Services)
- Versions: Not explicitly listed in the excerpt.
- Configurations: Systems running Windows Remote Desktop Services.
## Vulnerability Description
CVE-2025-24035 and CVE-2025-24045 are Remote Code Execution (RCE) vulnerabilities present in Windows Remote Desktop Services (RDS). Exploiting these flaws requires the attacker to successfully win a specific race condition.
## Exploitation
- Status: Exploitation More Likely (Microsoft's assessment)
- Complexity: Medium (Due to the race condition requirement)
- Attack Vector: Network, as this affects Remote Desktop Services.
## Impact
- Confidentiality: High (Implied by RCE)
- Integrity: High (Implied by RCE)
- Availability: High (Implied by RCE)
## Remediation
### Patches
- Microsoft's March 2025 Security Updates contain the necessary patches to address these vulnerabilities. Specific patch installation guidance should be obtained from Microsoft's security update release notes.
### Workarounds
- No specific workarounds are detailed in the provided text, other than applying the patch.
## Detection
- **Indicators of Compromise:** Not specified in the provided text.
- **Detection methods and tools:** Tenable has released plugins for Microsoft’s March 2025 Patch Tuesday update. Scanning environments with Tenable products using these plugins can identify unpatched systems.
## References
- [Microsoft's March 2025 Security Updates](https:msrc.microsoft.com/update-guide/en-us/releaseNote/2025-Mar)
- [CVE-2025-24035](https:msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-24035)
- [CVE-2025-24045](https:msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-24045)
- [Tenable plugins search for March 2025](https:www.tenable.com/plugins/search?q=%22March+2025%22+AND+script_family%3A%28%22Windows+%3A+Microsoft+Bulletins%22+OR+%22Windows%22%29&sort=&page=1)