Microsoft’s March Update: 57 Vulnerabilities Fixed, 6 Zero-Days Patched

Microsoft has rolled out its latest Patch Tuesday update, addressing 57 security vulnerabilities, including six zero-day flaws that are currently being actively exploited in cyberattacks. This update is crucial for users to apply immediately to safeguard their systems against potential threats.

Key Highlights

Out of the 57 vulnerabilities, six are categorized as Critical, 50 as Important, and one as Low in severity. Among them, 23 are remote code execution (RCE) flaws, and 22 involve privilege escalation vulnerabilities.

Additionally, Microsoft has fixed 17 vulnerabilities in its Chromium-based Edge browser since the last Patch Tuesday, including CVE-2025-26643, a spoofing vulnerability with a CVSS score of 5.4.

Zero-Day Vulnerabilities Under Active Exploitation

Microsoft has identified six vulnerabilities being actively exploited:

1. CVE-2025-24983 (CVSS 7.0) – A use-after-free (UAF) vulnerability in the Windows Win32 Kernel Subsystem, allowing attackers with system access to escalate privileges.

2. CVE-2025-24984 (CVSS 4.6) – An NTFS information disclosure flaw that could let an attacker read portions of heap memory via a malicious USB device.

3. CVE-2025-24985 (CVSS 7.8) – An integer overflow vulnerability in the Windows Fast FAT File System Driver, enabling unauthorized local code execution.

4. CVE-2025-24991 (CVSS 5.5) – An out-of-bounds read vulnerability in NTFS that allows an attacker to extract sensitive information.

5. CVE-2025-24993 (CVSS 7.8) – A heap-based buffer overflow in NTFS, allowing attackers to execute arbitrary code.

6. CVE-2025-26633 (CVSS 7.0) – A security bypass flaw in Microsoft Management Console (MMC) that lets attackers evade file reputation checks and execute code.

Exploited Vulnerabilities and Attack Techniques

Cybersecurity firm ESET, which discovered CVE-2025-24983, linked it to a backdoor named PipeMagic, used in attacks since March 2023. PipeMagic has been observed in cyber campaigns across Asia and Saudi Arabia, often masquerading as an OpenAI ChatGPT application.

Researchers from Kaspersky identified that PipeMagic uses a unique 16-byte random array to create a named pipe (\.\pipe\1.), serving as a communication channel for payloads.

The Zero Day Initiative (ZDI) noted that CVE-2025-26633 is related to the way MSC files are processed, allowing attackers to bypass security mechanisms and execute malicious code. The campaign exploiting this flaw has been linked to the EncryptHub (aka LARVA-208) cybercrime group.

Potential Threats from File System Vulnerabilities

Security researchers warn that the four Windows file system vulnerabilities (CVE-2025-24985, CVE-2025-24993, CVE-2025-24984, and CVE-2025-24991) could be combined for severe attacks. Threat actors can use them to achieve remote code execution and information disclosure.

Attackers are reportedly using malicious Virtual Hard Disk (VHD) files to exploit these flaws. According to Kev Breen, Senior Director of Threat Research at Immersive, opening or mounting a malicious VHD file could trigger code execution, allowing malware deployment. This method has been widely used in phishing campaigns to bypass antivirus defenses.

CISA’s Response and Urgent Security Measures

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to implement fixes by April 1, 2025.

As of now, the full extent of these attacks remains unclear, but given the active exploitation, organizations are strongly advised to update their Windows systems immediately.