Microsoft Patch Tuesday: March 2025
The March patch Tuesday looks like a fairly light affair, with only 51 vulnerabilities total and only six rated as critical. However, this patch Tuesday also includes six patches for already exploited, aka "0-Day" vulnerabilities. None of the already exploited vulnerabilities are rated as critical.
Today's most interesting vulnerability is a not-yet exploited critical vulnerability (CVE-2025-24064) that affects the Windows Domain Name Service. A remote code attacker would exploit this vulnerability by sending a "perfectly timed" dynamic DNS update message. Many Windows DNS servers support dynamic updates, making assigning hostnames to internal IP addresses easier. It is unclear if the server is exploitable if dynamic updates are disabled.
Three of the exploited vulnerabilities affect the NTFS file system. One may lead to remote code execution. The other two are considered privilege escalation vulnerabilities. The remote code execution vulnerability, CVE-2025-24993, is due to a heap-based buffer overflow. Typically, these types of vulnerabilities are exploited when mounting a corrupt file system.
CVE-2025-24985 is related to the Windows Fast FAT File System Driver. Again a heap-based buffer overflow, or "Integer Overflow/Wraparound", the vulnerability allows for remote code execution. The attacker may be remote for both the NTFS and FAT issues, but the attacker will likely upload the corrupt VHD disk image to the victim and mount it locally. Of course, the attacker may just provide the VHD file and trick the victim into mounting it locally.
The two remaining already exploited vulnerabilities affect a security feature bypass in the Microsoft Management Console and a privilege elevation vulnerability in the Win32 kernel subsystem.
Three of the critical vulnerabilities affect the Windows Remote Desktop Services. Systems are vulnerable if they act as a remote gateway. This is important because gateways are likelier to be exposed to the internet. However, the attacker will also have to win an unspecified race condition, often resulting in less reliable exploits.
The remaining critical vulnerabilities affect Microsoft Office and the Windows subsytem for Linux.
| Description | |||||||
|---|---|---|---|---|---|---|---|
| CVE | Disclosed | Exploited | Exploitability (old versions) | current version | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
| ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability | |||||||
| CVE-2025-24070 | No | No | - | - | Important | 7.0 | 6.1 |
| Azure Agent Installer for Backup and Site Recovery Elevation of Privilege Vulnerability | |||||||
| CVE-2025-21199 | No | No | - | - | Important | 6.7 | 5.8 |
| Azure Arc Installer Elevation of Privilege Vulnerability | |||||||
| CVE-2025-26627 | No | No | - | - | Important | 7.0 | 6.1 |
| Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability | |||||||
| CVE-2025-24049 | No | No | - | - | Important | 8.4 | 7.3 |
| Azure Promptflow Remote Code Execution Vulnerability | |||||||
| CVE-2025-24986 | No | No | - | - | Important | 6.5 | 5.7 |
| DirectX Graphics Kernel File Denial of Service Vulnerability | |||||||
| CVE-2025-24997 | No | No | - | - | Important | 4.4 | 3.9 |
| Kernel Streaming Service Driver Elevation of Privilege Vulnerability | |||||||
| CVE-2025-24046 | No | No | - | - | Important | 7.8 | 6.8 |
| CVE-2025-24066 | No | No | - | - | Important | 7.8 | 6.8 |
| CVE-2025-24067 | No | No | - | - | Important | 7.8 | 6.8 |
| Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | |||||||
| CVE-2025-24995 | No | No | - | - | Important | 7.8 | 6.8 |
| MapUrlToZone Security Feature Bypass Vulnerability | |||||||
| CVE-2025-21247 | No | No | - | - | Important | 4.3 | 3.9 |
| Microsoft Access Remote Code Execution Vulnerability | |||||||
| CVE-2025-26630 | Yes | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | |||||||
| CVE-2025-26643 | No | No | Less Likely | Less Likely | Low | 5.4 | 4.7 |
| Microsoft Excel Remote Code Execution Vulnerability | |||||||
| CVE-2025-24081 | No | No | - | - | Important | 7.8 | 6.8 |
| CVE-2025-24082 | No | No | - | - | Important | 7.8 | 6.8 |
| CVE-2025-24075 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Local Security Authority (LSA) Server Elevation of Privilege Vulnerability | |||||||
| CVE-2025-24072 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Management Console Security Feature Bypass Vulnerability | |||||||
| CVE-2025-26633 | No | Yes | - | - | Important | 7.0 | 6.5 |
| Microsoft Office Remote Code Execution Vulnerability | |||||||
| CVE-2025-24057 | No | No | - | - | Critical | 7.8 | 6.8 |
| CVE-2025-24080 | No | No | - | - | Important | 7.8 | 6.8 |
| CVE-2025-24083 | No | No | - | - | Important | 7.8 | 6.8 |
| CVE-2025-26629 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability | |||||||
| CVE-2025-24076 | No | No | - | - | Important | 7.3 | 6.4 |
| CVE-2025-24994 | No | No | - | - | Important | 7.3 | 6.4 |
| Microsoft Windows File Explorer Spoofing Vulnerability | |||||||
| CVE-2025-24071 | No | No | - | - | Important | 7.5 | 6.5 |
| Microsoft Word Remote Code Execution Vulnerability | |||||||
| CVE-2025-24077 | No | No | - | - | Important | 7.8 | 6.8 |
| CVE-2025-24078 | No | No | - | - | Important | 7.0 | 6.1 |
| CVE-2025-24079 | No | No | - | - | Important | 7.8 | 6.8 |
| NTLM Hash Disclosure Spoofing Vulnerability | |||||||
| CVE-2025-24996 | No | No | - | - | Important | 6.5 | 5.7 |
| CVE-2025-24054 | No | No | - | - | Important | 6.5 | 5.7 |
| Remote Desktop Client Remote Code Execution Vulnerability | |||||||
| CVE-2025-26645 | No | No | - | - | Critical | 8.8 | 7.7 |
| Synaptics: CVE-2024-9157 Synaptics Service Binaries DLL Loading Vulnerability | |||||||
| CVE-2024-9157 | No | No | - | - | Important | ||
| Visual Studio Code Elevation of Privilege Vulnerability | |||||||
| CVE-2025-26631 | No | No | - | - | Important | 7.3 | 6.4 |
| Visual Studio Elevation of Privilege Vulnerability | |||||||
| CVE-2025-24998 | No | No | - | - | Important | 7.3 | 6.4 |
| CVE-2025-25003 | No | No | - | - | Important | 7.3 | 6.4 |
| WinDbg Remote Code Execution Vulnerability | |||||||
| CVE-2025-24043 | No | No | - | - | Important | 7.5 | 6.5 |
| Windows Domain Name Service Remote Code Execution Vulnerability | |||||||
| CVE-2025-24064 | No | No | - | - | Critical | 8.1 | 7.1 |
| Windows Common Log File System Driver Elevation of Privilege Vulnerability | |||||||
| CVE-2025-24059 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Fast FAT File System Driver Remote Code Execution Vulnerability | |||||||
| CVE-2025-24985 | No | Yes | - | - | Important | 7.8 | 7.2 |
| Windows Hyper-V Elevation of Privilege Vulnerability | |||||||
| CVE-2025-24048 | No | No | - | - | Important | 7.8 | 6.8 |
| CVE-2025-24050 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Mark of the Web Security Feature Bypass Vulnerability | |||||||
| CVE-2025-24061 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows NTFS Information Disclosure Vulnerability | |||||||
| CVE-2025-24984 | No | Yes | - | - | Important | 4.6 | 4.3 |
| CVE-2025-24991 | No | Yes | - | - | Important | 5.5 | 5.1 |
| CVE-2025-24992 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows NTFS Remote Code Execution Vulnerability | |||||||
| CVE-2025-24993 | No | Yes | - | - | Important | 7.8 | 7.2 |
| Windows Remote Desktop Services Remote Code Execution Vulnerability | |||||||
| CVE-2025-24035 | No | No | - | - | Critical | 8.1 | 7.1 |
| CVE-2025-24045 | No | No | - | - | Critical | 8.1 | 7.1 |
| Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | |||||||
| CVE-2025-24051 | No | No | - | - | Important | 8.8 | 7.7 |
| Windows Server Elevation of Privilege Vulnerability | |||||||
| CVE-2025-25008 | No | No | - | - | Important | 7.1 | 6.2 |
| Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability | |||||||
| CVE-2025-24084 | No | No | - | - | Critical | 8.4 | 7.3 |
| Windows Telephony Service Remote Code Execution Vulnerability | |||||||
| CVE-2025-24056 | No | No | - | - | Important | 8.8 | 7.7 |
| Windows USB Video Class System Driver Elevation of Privilege Vulnerability | |||||||
| CVE-2025-24987 | No | No | - | - | Important | 6.6 | 5.8 |
| CVE-2025-24988 | No | No | - | - | Important | 6.6 | 5.8 |
| Windows USB Video Class System Driver Information Disclosure Vulnerability | |||||||
| CVE-2025-24055 | No | No | - | - | Important | 4.3 | 3.8 |
| Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | |||||||
| CVE-2025-24044 | No | No | - | - | Important | 7.8 | 6.8 |
| CVE-2025-24983 | No | Yes | - | - | Important | 7.0 | 6.5 |
| Windows exFAT File System Remote Code Execution Vulnerability | |||||||
| CVE-2025-21180 | No | No | - | - | Important | 7.8 | 6.8 |
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
| Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Apr 13th - Apr 18th 2025 |
Comments