March 2025 Patch Tuesday: Comment from Satnam Narang, Sr. Staff Research Engineer, Tenable

By Satnam Narang, Sr. Staff Research Engineer, Tenable

“The March 2025 Patch Tuesday release matched one of the highest number of zero-day vulnerabilities reported in a month at seven. This happened twice in 2024. In September 2024, five zero days were exploited in the wild and two were publicly disclosed before patches were available. This month is an exact match to August 2024, when six zero days were exploited in the wild and one was publicly disclosed before patches were available.

“Also worth noting, the six zero days reported as exploited in the wild this month exceed what we’ve seen so far in 2025 (five total across January and February).

“CVE-2025-26633 is a security feature bypass in the Microsoft Management Console (MMC). An attacker needs to convince a potential target that is either a standard user or has admin privileges to open a malicious file to exploit this vulnerability, and social engineering is certainly one of the easiest ways to make this happen. This is the second zero day in MMC to be exploited in the wild as a zero day, as Microsoft patched CVE-2024-43572 in October 2024.

“The last time we saw a vulnerability in the Windows Fast FAT File System Driver was in March 2022 with CVE-2022-23293. Not only is CVE-2025-24985 the first Windows Fast FAT File System Driver flaw in three years, it is also the first one to be exploited in the wild as a zero day. It was reported anonymously, so we don’t have any specific details around it.

“Microsoft patched three vulnerabilities in the file system for Windows called NTFS, including two information disclosure bugs (CVE-2025-24984, CVE-2025-24991) as well as a remote code execution flaw (CVE-2025-24993), which is the most severe of the trio. All three bugs were exploited in the wild as zero days. They require an attacker to convince a target to mount a specially crafted virtual hard disk (VHD). Depending on the flaw used, the attacker could execute code arbitrarily on the system or be able to read parts of the memory, which might disclose sensitive information.

“In an unusual twist, there was only one elevation of privilege zero day in this release. CVE-2025-24983 is a Windows Win32 Kernel Subsystem privilege escalation flaw. An attacker would need to have authenticated to a system prior to exploiting this bug through some other means (initial access vulnerability, phishing) with the goal of gaining SYSTEM privileges. However, unlike most privilege escalation bugs, this one doesn’t appear to be that easy to exploit as it requires an attacker to win a race condition first.”
