After a relatively quiet February, Microsoft has released its March security update, addressing six actively exploited zero-day vulnerabilities and 51 other security flaws across its products. This marks one of the highest zero-day counts for a Patch Tuesday, falling just short of the record seven zero-days patched in a single update. Security teams now face a race against time to apply fixes before attackers escalate their exploits.
Three NTFS Zero-Day Vulnerabilities
Three of the six zero-day flaws impact the NTFS file system on recent Windows and Windows Server versions. The most severe, CVE-2025-24993, carries a CVSS score of 7.2. This remote code execution vulnerability stems from a heap-based buffer overflow, allowing attackers with system access to execute arbitrary code.
The two other NTFS zero-days, CVE-2025-24984 (CVSS 4.3) and CVE-2025-24991 (CVSS 5.1), are information disclosure flaws. While they grant unauthorized access to sensitive data, they require specific conditions for exploitation. Attackers exploiting CVE-2025-24991 must trick users into mounting a malicious virtual hard disk (VHD), whereas CVE-2025-24984 requires physical access to plug in a malicious USB drive.
According to Tenable’s senior research engineer, Satnam Narang, all three NTFS flaws demand user interaction to mount a crafted VHD. Depending on the flaw, attackers could either execute code or access sensitive system memory.
To mitigate risks, security experts recommend restricting VHD file sources to trusted or internal origins. Henry Smith, a senior security engineer at Automox, emphasizes the importance of deploying secure, internal golden images for approved VHD use cases.
Windows Fast FAT File System Zero-Day
Microsoft also patched CVE-2025-24985 (CVSS 7.2), a vulnerability in the Windows Fast FAT File System Driver. This flaw combines an integer overflow and a heap-based buffer overflow, allowing remote attackers to execute arbitrary code.
This marks the first actively exploited Fast FAT File System vulnerability in three years. According to Mike Walters, co-founder of Action1, attackers could chain this flaw with the NTFS zero-days to maximize impact, bypassing security controls and gaining kernel-level access.
Three Additional Exploited Vulnerabilities
Beyond the NTFS and FAT file system flaws, Microsoft addressed three other actively exploited vulnerabilities:
- CVE-2025-26633 (CVSS 6.5): A security feature bypass in the Microsoft Management Console (MMC), caused by improper input sanitization. Attackers can exploit it by tricking users into opening malicious files or clicking infected links. Automox security engineer Seth Hoy suggests restricting local administrative rights to minimize risks.
- CVE-2025-24983 (CVSS 6.5): A Win32 Kernel Subsystem privilege escalation flaw, reported by ESET security engineer Filip Jurčacko. Attackers can leverage this zero-day post-compromise to elevate privileges to system administrator levels. Jurčacko noted that the PipeMagic backdoor, used in past attacks, has been linked to this exploit.
- CVE-2025-24983 primarily affects older Windows versions, including Windows 8.1 and Windows Server 2012 R2, which no longer receive official security updates. However, some newer versions, such as pre-Windows 10 build 1809 and Windows Server 2016, remain vulnerable.
Among the 57 vulnerabilities patched in March, six were labeled as critical severity:
- CVE-2025-24084 (CVSS 7.3)
- CVE-2025-24045 (CVSS 8.1)
- CVE-2025-24035 (CVSS 8.1)
- CVE-2025-24064 (CVSS 7.1)
- CVE-2025-26645 (CVSS 8.8)
- CVE-2025-24057 (CVSS 7.8)
The SANS Institute highlighted CVE-2025-24064, a Windows Domain Name Service (DNS) remote code execution vulnerability, as particularly concerning. Attackers can exploit this flaw by sending a perfectly timed dynamic DNS update message. Since many Windows DNS servers support dynamic updates, organizations should evaluate their DNS configurations to determine exposure.
With 22% of this month’s patched vulnerabilities either actively exploited, publicly disclosed, or rated critical, security teams must act swiftly. Tyler Reguly, associate director of security R&D at Fortra, noted that while the total CVE count (57) is lower than usual, the high concentration of serious flaws adds to the workload for defenders.
As adversaries increasingly chain vulnerabilities for sophisticated attacks, organizations should prioritize patching zero-days and critical flaws immediately to minimize risks.
