Microsoft’s March 2025 Patch Tuesday: 78 Vulnerabilities, Six Zero-Days, and Why You Should Act Now

Microsoft's March 2025 Patch Tuesday fixes 78 vulnerabilities including six actively exploited zero-days targeting NTFS, FAT file systems, Windows kernel, and Management Console. Security teams should prioritize immediate patching, especially for VHD-related flaws and Remote Desktop Services.
Written by Victoria Mossi

Microsoft just dropped its March 2025 Patch Tuesday update, and it’s a big one. Seventy-eight vulnerabilities. Six actively exploited zero-days. Several critical remote code execution flaws. If you manage Windows infrastructure, clear your afternoon.

The update, released on March 11, addresses security flaws across Windows, Office, Azure, and several other Microsoft products. According to TechRepublic, the breakdown includes 16 critical vulnerabilities and 62 rated important. That’s a substantial patch load, though not unprecedented for a single Patch Tuesday cycle. What makes this month stand out isn’t the volume — it’s the nature of the threats already being exploited in the wild.

Six zero-day vulnerabilities were confirmed as actively exploited before the patch became available. That’s an unusually high count. These aren’t theoretical risks sitting in a CVE database waiting for proof-of-concept code. Attackers are already using them.

Among the most urgent is CVE-2025-26633, a security feature bypass in the Microsoft Management Console. This flaw allows attackers to circumvent protections that would normally prevent malicious code from executing through MMC snap-in files. It requires some user interaction — typically tricking someone into opening a crafted file — but that’s a low bar for a motivated threat actor running a phishing campaign. The vulnerability was reported by Aliakbar Zahravi of Trend Micro’s Zero Day Initiative, and BleepingComputer confirmed its active exploitation status.

Then there are the NTFS-related zero-days. Three of them. CVE-2025-24991 and CVE-2025-24984 are both information disclosure vulnerabilities in the Windows NTFS file system. The first can expose portions of heap memory, while the second could leak sensitive data through a specially crafted VHD file. CVE-2025-24993, also NTFS-related, is a remote code execution flaw triggered by mounting a malicious virtual hard disk image. All three were reported anonymously, which is notable — anonymous reporters sometimes indicate the vulnerabilities were discovered through incident response rather than traditional research.

CVE-2025-24985 rounds out the storage-related zero-days. It’s an integer overflow vulnerability in the Windows Fast FAT file system driver that enables remote code execution. Again, it requires mounting a malicious VHD. The pattern here is clear: attackers are targeting how Windows handles virtual disk images, a vector that’s become increasingly popular as organizations move workloads between physical and virtual environments.

The sixth exploited zero-day, CVE-2025-24983, is an elevation of privilege flaw in the Windows Win32 Kernel Subsystem. Discovered by ESET researcher Filip Jurčacko, this use-after-free vulnerability lets an authorized attacker escalate to SYSTEM-level privileges. It requires winning a race condition, which adds complexity, but exploitation is confirmed. ESET noted in its analysis that the vulnerability has been used in targeted attacks.

Beyond the zero-days, several critical remote code execution vulnerabilities deserve attention. CVE-2025-24035 and CVE-2025-24045 both affect Windows Remote Desktop Services. These carry CVSS scores of 8.1, and while Microsoft assessed exploitation as “less likely,” RDS flaws have historically attracted significant attacker interest. Organizations exposing RDP to the internet — and far too many still do — should prioritize these patches.

Office products took hits too. Multiple RCE vulnerabilities affect Microsoft Access and Excel, with attack vectors involving malicious files opened by unsuspecting users. Not glamorous. Still dangerous. Social engineering remains the most reliable delivery mechanism for these kinds of exploits, and Office documents are the preferred payload.

So what should security teams do? Prioritize the six zero-days immediately. No debate there. The NTFS and FAT vulnerabilities involving VHD files suggest organizations should also review policies around mounting external disk images — group policy restrictions can reduce exposure significantly. And the Remote Desktop Services patches should be fast-tracked for any internet-facing systems.

Rapid7’s analysis noted that this Patch Tuesday continues a trend of increasing zero-day counts in Microsoft’s monthly releases. The company’s Adam Barnett pointed out that “the volume of exploited-in-the-wild vulnerabilities continues to demand faster patching cadences from defenders.” That’s not alarmism. It’s arithmetic. More zero-days per cycle means shorter windows between disclosure and exploitation.

Microsoft also patched a seventh zero-day — CVE-2025-26630, an RCE vulnerability in Microsoft Access — that was publicly disclosed but not yet confirmed as exploited in attacks. Still worth patching quickly, since public disclosure accelerates attacker timelines considerably.

CISA has added the exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, which under Binding Operational Directive 22-01 means federal agencies face mandatory patching deadlines. Private organizations aren’t bound by that directive, but treating it as a reasonable baseline isn’t a bad idea.
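The prioritization the article argues for (exploited first, then publicly disclosed, then the rest by impact and exposure, with the KEV catalog as a deadline baseline) can be made mechanical. The script below is an added example and is not from the article, Microsoft, or CISA. It scores each CVE the article names, cross-checks a constructed excerpt that mimics the KEV feed's JSON layout (a top-level `vulnerabilities` list of objects with `cveID` and `dueDate`), and ranks them. The weights, the `internet_facing` component set and the KEV due dates are assumptions or placeholders; CVSS values the article does not state are left as `None`.

```python
"""Patch-priority triage for a Patch Tuesday batch (added example).

Ranks the CVEs named in the article by how urgently they should be
deployed. Weights and the internet-facing component set are assumptions;
the KEV excerpt is constructed and its due dates are placeholders.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    impact: str                   # "RCE", "EoP", "SFB" or "Info Disclosure"
    cvss: Optional[float] = None  # the article states CVSS only for the RDS pair
    exploited: bool = False       # confirmed exploited before the patch shipped
    publicly_disclosed: bool = False


# CVEs named in the article, with the facts as the article states them.
MARCH_2025 = [
    Advisory("CVE-2025-26633", "Microsoft Management Console", "SFB", exploited=True),
    Advisory("CVE-2025-24991", "Windows NTFS", "Info Disclosure", exploited=True),
    Advisory("CVE-2025-24984", "Windows NTFS", "Info Disclosure", exploited=True),
    Advisory("CVE-2025-24993", "Windows NTFS", "RCE", exploited=True),
    Advisory("CVE-2025-24985", "Windows Fast FAT", "RCE", exploited=True),
    Advisory("CVE-2025-24983", "Win32 Kernel Subsystem", "EoP", exploited=True),
    Advisory("CVE-2025-24035", "Remote Desktop Services", "RCE", cvss=8.1),
    Advisory("CVE-2025-24045", "Remote Desktop Services", "RCE", cvss=8.1),
    Advisory("CVE-2025-26630", "Microsoft Access", "RCE", publicly_disclosed=True),
]

# Constructed excerpt in the shape of CISA's KEV JSON feed. Real entries
# carry more fields; the due dates here are placeholders, not real deadlines.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": cve, "dueDate": "<BOD-22-01-due-date>"}
    for cve in ("CVE-2025-26633", "CVE-2025-24991", "CVE-2025-24984",
                "CVE-2025-24993", "CVE-2025-24985", "CVE-2025-24983")
]})

# Assumed weights: in-the-wild exploitation dominates everything else, then
# public disclosure, then impact class, with CVSS and exposure as tie-breakers.
EXPLOITED_WEIGHT = 100
KEV_WEIGHT = 20
DISCLOSED_WEIGHT = 50
EXPOSURE_WEIGHT = 30
IMPACT_WEIGHT = {"RCE": 30, "EoP": 20, "SFB": 15, "Info Disclosure": 10}


def kev_due_dates(raw_json: str) -> dict:
    """Map cveID -> dueDate from a KEV-style JSON document."""
    return {v["cveID"]: v["dueDate"] for v in json.loads(raw_json)["vulnerabilities"]}


def score(adv: Advisory, kev: dict, internet_facing: Set[str]) -> float:
    """Higher means patch sooner."""
    s = 0.0
    if adv.exploited:
        s += EXPLOITED_WEIGHT
    if adv.cve in kev:
        s += KEV_WEIGHT
    if adv.publicly_disclosed:
        s += DISCLOSED_WEIGHT
    s += IMPACT_WEIGHT[adv.impact]
    s += adv.cvss or 0.0
    if adv.component in internet_facing:
        s += EXPOSURE_WEIGHT
    return s


def triage(advisories: Iterable[Advisory], kev_json: str,
           internet_facing: Set[str]) -> List[Tuple[str, float, Optional[str]]]:
    """Return (cve, score, KEV due date or None), most urgent first.

    sorted() is stable, so advisories with equal scores keep their input order.
    """
    kev = kev_due_dates(kev_json)
    rows = [(a.cve, score(a, kev, internet_facing), kev.get(a.cve)) for a in advisories]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Assumed environment: RDP is reachable from the internet.
    for cve, s, due in triage(MARCH_2025, KEV_JSON, {"Remote Desktop Services"}):
        print(f"{cve}  score={s:6.1f}  KEV due={due or '-'}")
```

With RDS marked internet-facing, the six exploited CVEs rank first (the two NTFS/FAT RCEs on top, then the kernel EoP, the MMC bypass, and the two NTFS info leaks), the publicly disclosed Access RCE follows, and the RDS pair comes last; removing RDS from the `internet_facing` set drops its score but not its position, which is the point of keeping exposure as a tie-breaker rather than a primary factor. Swap `KEV_JSON` for the real feed and the `MARCH_2025` list for your scanner's output to reuse it.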

One more thing. Microsoft’s patch notes indicate that several of these vulnerabilities affect Windows 10 and Windows 11 across multiple versions, including server editions. The attack surface is broad. Testing and deployment should account for the full range of affected configurations, particularly in environments running mixed OS versions.

March 2025’s Patch Tuesday isn’t the largest in recent memory, but the six actively exploited zero-days make it one of the most consequential. Patch fast. Validate your VHD handling policies. And keep an eye on those RDS-facing systems. Attackers certainly are.
