Microsoft’s March 2025 Patch Tuesday addresses 56 Common Vulnerabilities and Exposures (CVEs), a significant portion of which pose immediate risk. Seven of them are zero-days: six were already being exploited in the wild when the patches shipped, and one had been publicly disclosed before a fix was available. That puts system administrators and end users alike on a heightened state of alert.
The breakdown by impact shows Remote Code Execution (RCE) flaws making up 41.1% of the fixes (23 of 56), followed closely by Elevation of Privilege (EoP) flaws at 39.3% (22 of 56). With roughly four fifths of the month’s fixes falling into these two classes, an attacker who chains one of each can go from a foothold to full control of an affected system.
Satnam Narang, senior staff research engineer at Tenable, highlighted the severity of this release, stating, “The March 2025 Patch Tuesday release matched one of the highest number of zero-day vulnerabilities reported in a month at seven. This happened twice in 2024. In September 2024, five zero days were exploited in the wild and two were publicly disclosed before patches were available. This month is an exact match to August 2024, when six zero days were exploited in the wild and one was publicly disclosed before patches were available.”
Furthermore, Narang pointed out the alarming increase in exploited zero-days in 2025: “Also worth noting, the six zero-days reported as exploited in the wild this month exceed what we’ve seen so far in 2025 (five total across January and February).”
Key Zero-Day Vulnerabilities Exploited in the Wild:
- CVE-2025-26633: Microsoft Management Console (MMC) Security Feature Bypass:
  - Exploitation requires social engineering: the attacker has to convince a user to open a malicious file.
  - “An attacker needs to convince a potential target that is either a standard user or has admin privileges to open a malicious file to exploit this vulnerability, and social engineering is certainly one of the easiest ways to make this happen,” Narang explained.
  - This is the second MMC zero-day exploited in the wild; the first, CVE-2024-43572, was patched in October 2024.
- CVE-2025-24985: Windows Fast FAT File System Driver Remote Code Execution:
  - This is the first vulnerability fixed in this driver in three years; the previous one, CVE-2022-23293, was patched in March 2022 but was never exploited in the wild, so CVE-2025-24985 is also the driver’s first exploited zero-day.
  - “Not only is CVE-2025-24985 the first Windows Fast FAT File System Driver flaw in three years, it is also the first one to be exploited in the wild as a zero-day. It was reported anonymously, so we don’t have any specific details around it.”
- NTFS File System Vulnerabilities (CVE-2025-24984, CVE-2025-24991, CVE-2025-24993):
  - Two are information disclosure flaws (CVE-2025-24984 and CVE-2025-24991) and one is an RCE flaw (CVE-2025-24993).
  - All three require convincing the target to mount a specially crafted virtual hard disk (VHD), which on a default Windows install is a double-click on the file in Explorer.
  - “They require an attacker to convince a target to mount a specially crafted virtual hard disk (VHD). Depending on the flaw used, the attacker could execute code arbitrarily on the system or be able to read parts of the memory, which might disclose sensitive information.”
- CVE-2025-24983: Windows Win32 Kernel Subsystem Elevation of Privilege:
  - The attacker needs prior authenticated access to the system, and successful exploitation depends on winning a race condition, which makes it less reliable than a typical EoP bug.
  - “An attacker would need to have authenticated to a system before exploiting this bug through some other means (initial access vulnerability, phishing) to gain SYSTEM privileges. However, unlike most privilege escalation bugs, this one doesn’t appear to be that easy to exploit as it requires an attacker to win a race condition first.”
Given the active exploitation of these zero-day vulnerabilities, organizations and individual users are strongly advised to apply the March 2025 Patch Tuesday updates immediately, prioritizing the six exploited CVEs listed above. The high share of RCE and EoP fixes underscores the need for prompt patching to limit the window in which a foothold can be turned into full compromise. Because four of the six exploited bugs are triggered by a user opening a malicious file or mounting a crafted VHD, user awareness and controls on inbound attachments are worthwhile interim measures, but they do not substitute for the update.
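The following PowerShell function is an added example for checking patch status on a host; it is not code from the article or from Tenable. It reports the Windows build and update build revision (UBR), lists updates installed on or after the March 2025 release date (2025-03-11, an assumption made here), and shows the file versions of the three kernel-mode components named in the exploited zero-days so they can be compared against the file list in the KB article for your Windows release. KB numbers and fixed file versions are deliberately not hardcoded because they differ per release and are not stated on the page.

```powershell
# Added example (not from the article): report whether a host has picked up an update
# since the March 2025 Patch Tuesday release and show the versions of the drivers
# affected by the exploited zero-days. Run elevated; works on Windows PowerShell 5.1 and PowerShell 7.
function Get-March2025PatchStatus {
    [CmdletBinding()]
    param(
        # Release date of the March 2025 Patch Tuesday updates (assumption for this example).
        [datetime]$Cutoff = '2025-03-11'
    )

    # Build identity from the registry. UBR is the revision number a cumulative update bumps,
    # so "CurrentBuild.UBR" is what you compare with the build listed in the KB article.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

    # Get-HotFix wraps Win32_QuickFixEngineering, which lists security and cumulative updates
    # by KB id. InstalledOn can be null for some entries, so test it before comparing.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Cutoff } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn

    # Components named in the exploited zero-days. win32k.sys lives in System32,
    # the file-system drivers in System32\drivers.
    $files = @(
        "$env:SystemRoot\System32\drivers\fastfat.sys"   # CVE-2025-24985
        "$env:SystemRoot\System32\drivers\ntfs.sys"      # CVE-2025-24984, -24991, -24993
        "$env:SystemRoot\System32\win32k.sys"            # CVE-2025-24983
    )
    $drivers = foreach ($f in $files) {
        $version = 'not present'
        if (Test-Path $f) {
            $vi = (Get-Item $f).VersionInfo
            # FileVersionRaw is a clean System.Version; FileVersion is a free-form string fallback.
            if ($vi.FileVersionRaw) { $version = $vi.FileVersionRaw.ToString() }
            else                    { $version = $vi.FileVersion }
        }
        [pscustomobject]@{ File = (Split-Path $f -Leaf); Version = $version }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DisplayVersion     = $cv.DisplayVersion      # e.g. 24H2; null on very old Windows 10
        Build              = $build
        UpdatesSinceCutoff = $recent
        # Heuristic only: an update installed on or after the cutoff is necessary, not sufficient.
        LikelyPatched      = [bool]$recent
        DriverVersions     = $drivers
    }
}

# Usage: on one host, or fan out with Invoke-Command -ComputerName (list) -ScriptBlock ${function:Get-March2025PatchStatus}
$status = Get-March2025PatchStatus
$status | Format-List ComputerName, DisplayVersion, Build, LikelyPatched
$status.UpdatesSinceCutoff | Format-Table -AutoSize
$status.DriverVersions     | Format-Table -AutoSize
```

Treat `LikelyPatched` as a triage signal, not proof: confirm by matching a `HotFixID` against the March 2025 cumulative update KB for the host’s release and by checking that `Build` is at or above the build number the KB article lists. Hosts with an empty `UpdatesSinceCutoff` are the ones to chase first.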