# Full Report
Microsoft on Tuesday released security updates to address 57 security vulnerabilities in its software, including a whopping six zero-days that it said have been actively exploited in the wild. Of the 56 flaws, six are rated Critical, 50 are rated Important, and one is rated Low in severity. Twenty-three of the addressed vulnerabilities are remote code execution bugs and 22 relate to privilege
# Analysis Summary
# Vulnerability: Key Microsoft March 2025 Zero-Day Exploits
## CVE Details
- CVE ID: Multiple (Six zero-days actively exploited)
- CVSS Score: Varies (7.8 Critical for key RCE/overflows)
- CWE: Multiple (Use-After-Free, Integer Overflow, Out-of-Bounds Read, Improper Neutralization)
## Affected Systems
- Products: Windows (Kernel Subsystem, NTFS, Fast FAT File System Driver, Microsoft Management Console (MMC))
- Versions: Not specified, but all systems pending the March 2025 security updates are vulnerable.
- Configurations: Varies by CVE. Some require local access, some require physical access (USB drive), and some rely on user interaction (mounting malicious VHD files or opening MSC files).
## Vulnerability Description
Microsoft released updates addressing 57 security vulnerabilities, including six zero-days actively exploited in the wild.
Key exploited vulnerabilities include:
1. **CVE-2025-24983 (UAF in Win32k):** A Use-After-Free in the Win32 Kernel Subsystem that can lead to local privilege escalation through a race condition involving the `WaitForInputIdle` API. This specific vulnerability was linked to the active exploitation by the PipeMagic backdoor since March 2023.
2. **CVE-2025-24985 & CVE-2025-24993 (NTFS/File System RCE):** Heap-based buffer overflow and Integer Overflow vulnerabilities in Windows NTFS and Fast FAT File System Driver, allowing unauthorized local code execution. These can potentially be chained with disclosure bugs.
3. **CVE-2025-24991 & CVE-2025-24984 (NTFS Disclosure):** Out-of-bounds read and Information Disclosure vulnerabilities in NTFS that allow an authorized attacker to disclose heap memory information locally. CVE-2025-24984 specifically requires physical access via a malicious USB drive.
4. **CVE-2025-26633 (MMC Bypass):** An improper neutralization vulnerability in Microsoft Management Console allowing attackers to bypass file reputation protections and execute code locally in the context of the current user. Linked to threat actor EncryptHub.
## Exploitation
- Status: **Actively exploited in the wild** (Six zero-days confirmed).
- Complexity: Ranges from **Local** (requires authenticated attacker or physical access) to attack chains that rely on **social engineering** (e.g., convincing a user to mount a malicious VHD file).
- Attack Vector: Primarily **Local** or **Adjacent** based on the descriptions, though VHD chaining suggests initial phishing/delivery mechanisms precede the local exploit chains.
## Impact
- Confidentiality: **High**, due to information disclosure vulnerabilities (e.g., CVE-2025-24991, CVE-2025-24984).
- Integrity: **High**, due to potential for code execution and privilege escalation.
- Availability: **Medium to High**, depending on the payload executed (e.g., ransomware activity linked to CVE-2025-26633).
## Remediation
### Patches
- Microsoft's March 2025 security updates must be applied immediately. (The exact KB numbers are not individually listed here, but the update package addresses all listed CVEs.)
- Edge Browser: Patches were also released for the Chromium-based Edge browser (e.g., for CVE-2025-26643).
### Workarounds
- Specific workarounds for the kernel/file system bugs (UAF, overflow) are not detailed but are superseded by patching.
- For systems vulnerable to CVE-2025-26633: Be cautious of opening suspicious `.MSC` files.
- For systems vulnerable to VHD-chaining: Users should be advised against opening or mounting unsolicited Virtual Hard Disk files received via email or untrusted sources.
## Detection
- **Indicators of Compromise:** Look for activity historically associated with the PipeMagic trojan (the backdoor linked to exploitation of CVE-2025-24983). Indicators include newly created named pipes with a specific random-looking naming format (`\\.\pipe\1.xxxxxx`).
- **Detection Methods and Tools:** Monitor for system calls related to the `WaitForInputIdle` API potentially being abused in a race condition context (for CVE-2025-24983). Endpoint Detection and Response (EDR) solutions should monitor for attempts to mount VHD files that subsequently attempt unauthorized code execution or privilege escalation. Look for indicators related to threat actor EncryptHub activity for CVE-2025-26633.
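The named-pipe indicator above is the most concrete, machine-checkable item in this section. The following is an added example, not code from the original report or from any of the cited vendors: it scans constructed Sysmon-style pipe events (Event ID 17, Pipe Created; Event ID 18, Pipe Connected) for names in the `\1.xxxxxx` form and correlates creator and connecting processes per pipe. The report only gives the `1.xxxxxx` shape, so the assumption that the random part is a run of at least eight hex digits is the example's own, as is the sample telemetry.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style PipeEvent records (not real telemetry). Sysmon logs
# PipeName without the "\\.\pipe" device prefix, but tooling often adds it, so
# both forms appear here to exercise the normaliser.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\ntsvcs"},
    {"EventID": 17, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "PipeName": r"\1.0a3f9c2e1b7d4e6f"},
    {"EventID": 18, "Image": r"C:\Windows\explorer.exe", "PipeName": r"\1.0a3f9c2e1b7d4e6f"},
    {"EventID": 17, "Image": r"C:\Program Files\App\app.exe", "PipeName": r"\\.\pipe\1.deadbeefcafef00d"},
    {"EventID": 17, "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
    {"EventID": 17, "Image": r"C:\Windows\System32\mmc.exe", "PipeName": r"\1.notcrypto"},
]

# Optional "\\.\pipe" device prefix, stripped before matching.
PIPE_PREFIX = re.compile(r"^\\\\\.\\pipe", re.IGNORECASE)

# Assumption: the report only states the "1.xxxxxx" shape; treating the random
# part as >= 8 hex digits is this example's choice to keep false positives down.
PIPEMAGIC_NAME = re.compile(r"^\\1\.[0-9a-f]{8,}$", re.IGNORECASE)

PIPE_EVENT_IDS = {17, 18}  # Sysmon: 17 = Pipe Created, 18 = Pipe Connected


def normalize_pipe_name(name: str) -> str:
    """Return the pipe name in Sysmon form, i.e. without the "\\\\.\\pipe" prefix."""
    return PIPE_PREFIX.sub("", name)


def is_suspicious_pipe(name: str) -> bool:
    """True if the pipe name matches the PipeMagic-style "\\1.<hex>" pattern."""
    return bool(PIPEMAGIC_NAME.match(normalize_pipe_name(name)))


def find_suspicious_pipes(events):
    """Return (event_id, image, normalized_pipe_name) for every matching pipe event."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in PIPE_EVENT_IDS:
            continue
        pipe = ev.get("PipeName", "")
        if is_suspicious_pipe(pipe):
            hits.append((ev["EventID"], ev.get("Image", "<unknown>"), normalize_pipe_name(pipe)))
    return hits


def correlate_by_pipe(hits):
    """Group hits per pipe so an analyst sees who created it and who connected to it."""
    by_pipe = defaultdict(lambda: {"created_by": [], "connected_by": []})
    for event_id, image, pipe in hits:
        key = "created_by" if event_id == 17 else "connected_by"
        by_pipe[pipe][key].append(image)
    return dict(by_pipe)


if __name__ == "__main__":
    for pipe, parties in correlate_by_pipe(find_suspicious_pipes(SAMPLE_EVENTS)).items():
        print(pipe)
        print("  created by  :", parties["created_by"])
        print("  connected by:", parties["connected_by"])
```

On the constructed input this flags two pipes and leaves `\ntsvcs`, `\lsass` and the non-hex `\1.notcrypto` alone; in practice, feed it Sysmon 17/18 events exported from your SIEM and review the creating image first, since a random-looking pipe created from a user-writable path is the higher-value lead.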
## References
- Vendor Advisory: https://msrc.microsoft.com/update-guide/releaseNote/2025-Mar
- ESET Report on CVE-2025-24983: https://x.com/ESETresearch/status/1899508656258875756
- Action1 Analysis on VHD Chaining: https://www.action1.com/patch-tuesday/patch-tuesday-march-2025/
- Microsoft Edge Security Notes: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security
- Specific Edge Spoofing CVE: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26643