Patch Tuesday: March 2025

Continuing the theme of releasing smaller bundles recently, March's Patch Tuesday is no exception. Microsoft has released security updates for 57 flaws, 6 off which are actively exploited zero-day vulnerabilities, as well as 6 critical vulnerabilities. It seems that Microsoft are opting for quality over quantity, and the zero days and critical vulnerabilities identified this month are big ones!

You can find a full list of security updates here.

Key Updates for February 2025

• 57 vulnerabilities patched
• 6 actively exploited zero day vulnerabilities and 1 publicly disclosed.
  
• 6 critical vulnerabilities.

Zero Day Vulnerabilities 

CVE-2025-24985 - Windows Fast FAT File System Driver Remote Code Execution Vulnerability

• CVSS Score: 7.8
• Severity: High
• Description: An integer overflow in the Windows Fast FAT File System Driver allows an unauthorized attacker to execute code locally. Exploitation requires tricking a local user into mounting a specially crafted virtual hard drive (VHD).
• Exploitation Status: Actively exploited in the wild.
  
  

CVE-2025-24993 - Windows NTFS Remote Code Execution Vulnerability

• CVSS Score: 7.8
• Severity: High
• Description: A heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally. Exploitation requires tricking a local user into mounting a specially crafted VHD.
• Exploitation Status: Actively exploited in the wild.
  
  

CVE-2025-24983 - Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability

• CVSS Score: 7.0
• Severity: High
• Description: A use-after-free flaw in the Windows Win32 Kernel Subsystem allows an authenticated attacker to elevate privileges locally. Exploitation requires winning a race condition to gain SYSTEM privileges.
• Exploitation Status: Actively exploited in the wild.
  
  

CVE-2025-26633 - Microsoft Management Console Security Feature Bypass Vulnerability

• CVSS Score: 7.0
• Severity: High
• Description: A flaw in the handling of MSC files in the Microsoft Management Console allows an unauthorized attacker to bypass security features locally. The product does not warn the user before loading an unexpected MSC file, enabling attackers to evade file reputation protections and execute code in the context of the current user.
• Exploitation Status: Actively exploited in the wild.
  
  

CVE-2025-24991 - Windows NTFS Information Disclosure Vulnerability

• CVSS Score: 5.5
• Severity: Medium
• Description: An out-of-bounds read in Windows NTFS allows an authorized attacker to disclose information locally. Exploitation can occur if a local user mounts a specially crafted VHD, potentially allowing the attacker to read small portions of heap memory.
• Exploitation Status: Actively exploited in the wild.
  
  

CVE-2025-24984 - Windows NTFS Information Disclosure Vulnerability

• CVSS Score: 4.6
• Severity: Medium
• Description: Insertion of sensitive information into log files in Windows NTFS allows an unauthorized attacker with physical access to disclose information locally. Exploitation requires physical access to the target computer.
• Exploitation Status: Actively exploited in the wild.

CVE-2025-26630 - Microsoft Access Remote Code Execution Vulnerability

• CVSS Score: 7.8​
• Severity: High​
• Description: A use-after-free vulnerability in Microsoft Access allows an unauthorized attacker to execute code locally. Exploitation requires convincing a user to open a specially crafted Access file, potentially leading to arbitrary code execution.
• Exploitation Status: Publicly disclosed; not known to be actively exploited.

Critical Vulnerability Summary

Alongside the 7 zero-day vulnerabilities released, there are 6 Critical vulnerabilities that need to be addressed:

CVE-2025-26645 - Remote Desktop Client Remote Code Execution Vulnerability

• CVSS Score: 8.8
• Severity: Critical
• Description: A vulnerability in the Remote Desktop Client that allows an attacker to execute arbitrary code if a user connects to a malicious RDP server.

CVE-2025-24084 - Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability

• CVSS Score: 8.4
• Severity: Critical
• Description: A vulnerability in the Windows Subsystem for Linux 2 (WSL2) kernel that allows an attacker to execute arbitrary code by tricking a user into running a malicious binary within the WSL2 environment.
  
  

CVE-2025-24064 - Windows Domain Name Service Remote Code Execution Vulnerability

• CVSS Score: 8.1
• Severity: Critical
• Description: A vulnerability in Windows DNS Server that allows an attacker to execute arbitrary code by sending a specially crafted DNS request to a vulnerable server.

CVE-2025-24035 - Windows Remote Desktop Services Remote Code Execution Vulnerability

• CVSS Score: 8.1
• Severity: Critical
• Description: A vulnerability in Windows Remote Desktop Services that allows an attacker to execute arbitrary code by sending a specially crafted request to a target system with RDP enabled.
  

CVE-2025-24045 - Winows Remote Desktop Services Remote Code Execution Vulnerability

• CVSS Score: 8.1
• Severity: Critical
• Description: A vulnerability in Windows Remote Desktop Services that allows an attacker to execute arbitrary code by sending a specially crafted request to a target system with RDP enabled.
  
  

CVE-2025-24057 - Microsoft Office Remote Code Execution Vulnerability

• CVSS Score: 7.8
• Severity: Critical
• Description: A vulnerability in Microsoft Office that allows an attacker to execute arbitrary code by convincing a user to open a specially crafted Office document.

Actions to Take:

Prioritize Patching Critical and Actively Exploited Vulnerabilities

• Apply patches immediately for the six actively exploited zero-day vulnerabilities and the critical remote code execution (RCE) vulnerabilities.

Secure Remote Desktop Services (RDP)

• Given multiple RDP-related vulnerabilities (CVE-2025-24035, CVE-2025-24045), consider:
  • Disabling RDP if not needed.
  • Enforcing Network Level Authentication (NLA) for RDP connections.
  • Restricting RDP access to trusted IP addresses via firewall rules.

Mitigate Risks Associated with NTFS and FAT File System Vulnerabilities

• CVE-2025-24985 and CVE-2025-24993 can be exploited via crafted VHD files.
  • Restrict users from mounting external/untrusted virtual hard drives.
  • Monitor system logs for unusual VHD mounting activities.
  • Educate employees to avoid opening untrusted VHD files.

Strengthen Microsoft Office Security

• CVE-2025-24057 (Microsoft Office RCE) could be exploited through malicious documents.
  • Disable macros by default in Microsoft Office.
  • Train users to be cautious of unsolicited Office files.
  • Implement Protected View for Office documents received via email.

Secure Windows DNS Server

• CVE-2025-24064 (Windows DNS RCE) is a critical server-side vulnerability.
  • Patch all Windows DNS servers immediately.
  • Implement DNS query monitoring to detect suspicious requests.
  • Restrict external DNS queries where possible.

Harden WSL2 (Windows Subsystem for Linux)

• CVE-2025-24084 (WSL2 Kernel RCE) poses a risk to systems using Windows Subsystem for Linux.
  • Restrict WSL2 usage to trusted users.
  • Disable WSL2 in environments where it is not needed.

Microsoft Access Vulnerability Mitigation

• CVE-2025-26630 could lead to remote code execution if a user opens a malicious Access file.
  • Restrict Access file execution to known, trusted sources.
  • Use Microsoft Defender Application Control (MDAC) to block untrusted Access macros.

Implement Security Feature Bypass Protections

• CVE-2025-26633 (Microsoft Management Console Security Bypass) allows attackers to evade file reputation checks.
  • Restrict execution of .MSC files from unknown sources.
  • Monitor logs for unexpected MSC file execution.

Enable Endpoint Protection and Logging

• Deploy Endpoint Detection and Response (EDR) solutions to monitor and detect exploitation attempts.
• Ensure logging is enabled for RDP access, DNS queries, and file system events.

Educate Users on Phishing and Social Engineering Risks

• Since multiple vulnerabilities require user interaction (e.g., opening files, mounting VHDs, connecting to malicious RDP servers), security awareness training is crucial.

Did you know? You can use the RoboShadow platform to scan for vulnerabilities, check your Windows Updates and also patch any outstanding software updates using Cyber Heal.

If you have any questions about Patch Tuesday, or feedback on this blog please
reach out to us: hello@roboshadow.com 

Thanks for reading!