Hey there, fellow security nerds! Grab your coffee—maybe something stronger if you’re already neck-deep in patching—because Microsoft’s March 2025 Patch Tuesday is a beast. Dropped yesterday, March 11, this update tackles 57 vulnerabilities, with a hefty six zero-days already under active exploitation. Plus, we’ve got six critical remote code execution (RCE) flaws that’ll keep you on your toes. As someone who’s been dissecting these updates for years, I can tell you this one’s got some spicy details worth unpacking. Let’s dive into the nitty-gritty, starting with those zero-days that have attackers rubbing their hands together.
The Zero-Day Lineup: Six Actively Exploited Flaws
Microsoft’s confirmed that six of these bugs were being weaponized in the wild before the patches hit. That’s a red flag for any security team, so let’s break them down:
- CVE-2025-24983: Windows Win32 Kernel Subsystem EoP (CVSS 7.0)
  - What’s Up? This is a use-after-free (UAF) bug in the Win32k driver, letting local attackers escalate to SYSTEM privileges if they win a race condition. Think of it as a memory management slip-up—dereferencing a W32PROCESS structure one too many times.
  - Exploitation Details: ESET spotted this one back in March 2023, delivered via a backdoor called PipeMagic. It’s been popping up in campaigns targeting Asia and Saudi Arabia, sometimes disguised as a fake ChatGPT app. The exploit leans on the WaitForInputIdle API to trigger the UAF. No public PoC yet, but given its two-year run, assume sophisticated actors have it locked down.
  - Impact: Older Windows versions (8.1, Server 2012 R2) are hit hardest, though it’s present in supported builds like Windows 10 1809 and Server 2016. Patch it fast—privilege escalation to SYSTEM is a golden ticket for attackers.
- CVE-2025-24984: Windows NTFS Info Disclosure (CVSS 4.6)
  - What’s Up? An out-of-bounds read in NTFS. Plug in a malicious USB, and attackers with physical access can snag heap memory chunks.
  - Exploitation Details: Reported anonymously, it’s actively exploited but low-severity due to the physical access requirement. No specific attack vectors are public, but think targeted scenarios—lost laptops, insider threats. Could be chained with other flaws for bigger impact.
  - Impact: Data leakage potential is real, especially in environments with loose physical controls. Not a standalone showstopper, but a stepping stone.
- CVE-2025-24985: Windows Fast FAT File System Driver RCE (CVSS 7.8)
  - What’s Up? An integer overflow and heap-based buffer overflow combo in the Fast FAT driver. Trick a user into mounting a crafted virtual hard disk (VHD), and it’s game over—arbitrary code execution.
  - Exploitation Details: Another anonymous report, but Microsoft notes it’s been seen in phishing and pirated software attacks. First zero-day in Fast FAT since March 2022, and it’s a doozy. No public exploit code, but the VHD vector screams social engineering.
  - Impact: High severity, local execution. If your users are clicking shady links or downloading dodgy torrents, this is your wake-up call.
- CVE-2025-24991: Windows NTFS Info Disclosure (CVSS 5.5)
  - What’s Up? Another NTFS flaw, this time leaking small heap memory bits via a malicious VHD mount.
  - Exploitation Details: Actively exploited, anonymously reported. Pairs nicely with CVE-2025-24984 for recon—think stealing creds or mapping memory for a follow-up exploit.
  - Impact: Kernel-level info disclosure is never trivial. Patch it alongside its NTFS siblings.
- CVE-2025-24993: Windows NTFS RCE (CVSS 7.8)
  - What’s Up? A heap-based buffer overflow in NTFS, also triggered by mounting a malicious VHD. Full-on RCE in kernel context.
  - Exploitation Details: In the wild, per Microsoft. No specifics on campaigns, but the VHD pattern matches CVE-2025-24985. Likely chained with info disclosure bugs for maximum damage.
  - Impact: Critical if exploited—kernel-level code execution is as bad as it gets. Prioritize this one.
- CVE-2025-26633: Microsoft Management Console Security Feature Bypass (CVSS 7.0)
  - What’s Up? Improper neutralization in MMC lets attackers bypass security via a crafted .msc file. User interaction required—think email attachments or malicious links.
  - Exploitation Details: Linked to a group dubbed EncryptHub (LARVA-208). Evades file reputation checks, executes code at user level. Second MMC zero-day in a year (see CVE-2024-43572). No public PoC, but targeted attacks are confirmed.
  - Impact: Admin tool access makes this a juicy target for lateral movement. Watch those phishing nets.
Critical RCEs: Six More to Sweat Over
Beyond the zero-days, we’ve got six critical RCEs, all packing CVSS scores from 7.8 to 8.8. These aren’t exploited yet (that we know of), but they’re prime candidates for future trouble:
- CVE-2025-26645: Remote Desktop Client RCE (CVSS 8.8)
  - A path traversal bug. Connect a vulnerable RDP client to a malicious server, and the attacker can execute code remotely. No user interaction beyond the connection. Exploitation’s “less likely” per Microsoft, but test it—RDP’s a common attack surface.
- CVE-2025-24035 & CVE-2025-24045: Remote Desktop Services RCE (CVSS 8.1)
  - Two race-condition-dependent RCEs. CVE-2025-24035 needs the RD Gateway role; both require network access and timing luck. Not exploited yet, but RDP’s history says patch ASAP.
- CVE-2025-24064: Windows DNS Server RCE (CVSS 8.1)
  - Another race condition, this time in dynamic DNS updates. Critical for orgs relying on DNS infrastructure—exploitation could spill sensitive network details. No known attacks, but “more likely” to be hit soon.
- CVE-2025-24084: Windows Subsystem for Linux (WSL2) RCE (CVSS 8.4)
  - Multiple vectors—email, IM, or a dodgy link. High complexity, but versatile attack paths bump the risk. WSL2 users, don’t sleep on this.
- CVE-2025-24057: Microsoft Office RCE (CVSS 7.8)
  - Preview Pane in Outlook is the vector—view a malicious file, and code runs at user level. Affects Windows and Mac Office versions. User interaction required, but phishing makes it trivial. Patch your Office installs, stat.
The Seventh Zero-Day: Public, Not Exploited
- CVE-2025-26630: Microsoft Access RCE (CVSS 7.8)
  - Publicly disclosed, not yet exploited. Open a crafted Access doc, and it’s RCE time. No code samples in the wild, but enough details are out there for someone to weaponize it. Office 2016 needs two patches (Office + Access), while Click-to-Run updates handle it seamlessly.
Exploits and Chaining: What’s Cooking?
Here’s where it gets fun—or terrifying, depending on your perspective. Those four file system zero-days (CVE-2025-24984, -24985, -24991, -24993) are begging to be chained. Start with a VHD-based info disclosure to map memory, then drop an RCE payload for kernel access. Add CVE-2025-24983’s privilege escalation, and you’ve got a full system takeover. No public PoCs exist as of now, but the active exploitation tag means APTs or ransomware crews likely have private exploits humming along. CISA’s added all six to its Known Exploited Vulnerabilities catalog, with a patch deadline of April 1 for federal agencies—hint, hint, private sector.
Patch Strategy: Don’t Blink
For you pros, this is straightforward but urgent:
- Prioritize the Zero-Days: All six are in the monthly cumulative update—no post-patch config needed. Hit Windows systems first.
- Critical RCEs Next: That single Office patch (CVE-2025-24057) and RDP fixes are non-negotiable. DNS and WSL2 follow if they’re in your stack.
- Detection: Look for VHD mounts, USB insertions, or MMC file interactions in logs. PipeMagic’s backdoor history suggests persistence—hunt for it.
- Mitigation Gaps: No workarounds for most. Physical access bugs (e.g., CVE-2025-24984) lean on endpoint controls—lock down USB ports if you can.
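Since the detection bullet above is the part most people skip, here’s a small hunt script for its three signals: mmc.exe loading a .msc console from somewhere other than System32 (the CVE-2025-26633 pattern), removable storage showing up (the physical-access NTFS vector), and .vhd/.vhdx files landing on disk via mail or browser (the Fast FAT / NTFS phishing vector). This is my own added example, not code from Microsoft or any vendor named in this post. It assumes your Security and Sysmon events have already been forwarded and flattened into dicts keyed by their EventData field names (4688: NewProcessName, CommandLine, SubjectUserName; 6416: ClassName, DeviceDescription; Sysmon 11: Image, TargetFilename, User). The 6416 ClassName values, the “user-writable directory” list, the delivery-app list and the sample events are all my own assumptions and constructions, not anything from the advisories.

```python
import re

# Directories where Windows' own .msc consoles live; a console loaded from
# anywhere else is the CVE-2025-26633 pattern worth a second look.
TRUSTED_MSC_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# Typical landing spots for mail attachments and downloads (constructed list).
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\",
                       "\\content.outlook\\", "\\temp\\")
# Processes that usually write phishing payloads to disk (constructed list).
DELIVERY_APPS = ("outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe")
# Assumption: 6416 ClassName values that indicate removable storage.
STORAGE_CLASSES = ("diskdrive", "usb", "wpd", "volume")

# A quoted path (may contain spaces) or an unquoted token ending in .msc
MSC_ARG = re.compile(r'"([^"]*?\.msc)"|(\S+\.msc)\b', re.IGNORECASE)
VHD_EXT = re.compile(r"\.vhdx?$", re.IGNORECASE)


def _low(value):
    return (value or "").lower()


def _basename(path):
    return _low(path).rsplit("\\", 1)[-1]


def check_mmc_console(ev):
    """Security 4688: mmc.exe started with a .msc that is not a built-in console."""
    if ev.get("Provider") != "Microsoft-Windows-Security-Auditing" or ev.get("EventID") != 4688:
        return None
    if _basename(ev.get("NewProcessName")) != "mmc.exe":
        return None
    match = MSC_ARG.search(ev.get("CommandLine") or "")
    if not match:
        # No console argument (or command-line auditing is off): nothing to judge.
        return None
    console = match.group(1) or match.group(2)
    if any(d in console.lower() for d in TRUSTED_MSC_DIRS):
        return None
    severity = "high" if any(h in console.lower() for h in USER_WRITABLE_HINTS) else "medium"
    return {"rule": "mmc_untrusted_console", "severity": severity,
            "user": ev.get("SubjectUserName"), "detail": console}


def check_external_device(ev):
    """Security 6416: a new external device was recognized (needs PnP auditing)."""
    if ev.get("Provider") != "Microsoft-Windows-Security-Auditing" or ev.get("EventID") != 6416:
        return None
    if _low(ev.get("ClassName")) not in STORAGE_CLASSES:
        return None  # keyboards, mice and the like are noise for this hunt
    return {"rule": "external_storage_device", "severity": "low",
            "user": ev.get("SubjectUserName"),
            "detail": f"{ev.get('ClassName')}: {ev.get('DeviceDescription')}"}


def check_vhd_dropped(ev):
    """Sysmon 11 (FileCreate): a .vhd/.vhdx written to disk, rated by who wrote it and where."""
    if ev.get("Provider") != "Sysmon" or ev.get("EventID") != 11:
        return None
    target = _low(ev.get("TargetFilename"))
    if not VHD_EXT.search(target):
        return None
    writer = _basename(ev.get("Image"))
    risky = writer in DELIVERY_APPS or any(h in target for h in USER_WRITABLE_HINTS)
    return {"rule": "vhd_file_written", "severity": "high" if risky else "low",
            "user": ev.get("User"), "detail": f"{writer} -> {ev.get('TargetFilename')}"}


CHECKS = (check_mmc_console, check_external_device, check_vhd_dropped)


def hunt(events):
    """Run every check over every event; return findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                hit["time"] = ev.get("TimeCreated")
                findings.append(hit)
    return findings


# Constructed sample events for the demo (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-03-12T09:01:00Z", "Provider": "Microsoft-Windows-Security-Auditing",
     "EventID": 4688, "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": '"C:\\Windows\\System32\\mmc.exe" "C:\\Windows\\System32\\compmgmt.msc"'},
    {"TimeCreated": "2025-03-12T09:02:00Z", "Provider": "Microsoft-Windows-Security-Auditing",
     "EventID": 4688, "SubjectUserName": "bob", "NewProcessName": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": '"C:\\Windows\\System32\\mmc.exe" "C:\\Users\\bob\\Downloads\\Q1 Invoice.msc"'},
    {"TimeCreated": "2025-03-12T09:03:00Z", "Provider": "Microsoft-Windows-Security-Auditing",
     "EventID": 6416, "SubjectUserName": "carol", "ClassName": "DiskDrive",
     "DeviceDescription": "Generic Flash Disk USB Device"},
    {"TimeCreated": "2025-03-12T09:04:00Z", "Provider": "Sysmon", "EventID": 11, "User": "CORP\\dave",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "TargetFilename": "C:\\Users\\dave\\AppData\\Local\\Temp\\statement.vhdx"},
    {"TimeCreated": "2025-03-12T09:05:00Z", "Provider": "Sysmon", "EventID": 11, "User": "CORP\\dave",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\dave\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['time']} [{f['severity']:<6}] {f['rule']:<24} user={f['user']} {f['detail']}")
```

Two prerequisites before you trust the output: 4688 only carries the .msc path if “Include command line in process creation events” is turned on, and 6416 only exists at all when Audit PNP Activity is enabled. On the sample set the script flags the Downloads-sourced console, the flash disk and the Outlook-written VHDX, and stays quiet on the built-in compmgmt.msc and the text file. The VHD rule catches the file arriving, not the mount; if you also forward the Microsoft-Windows-VHDMP/Operational channel (my assumption that you do), its disk-surfaced events are the natural thing to correlate with the Sysmon finding.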
Final Thoughts
March 2025’s Patch Tuesday is a stark reminder: core Windows components like NTFS and Fast FAT are still goldmines for attackers. Six exploited zero-days in one drop is no joke, and per Rapid7’s Adam Barnett this is the sixth straight month Microsoft has had to patch actively exploited zero-days. Test these updates in your lab yesterday, deploy them today, and keep an eye on X for exploit chatter. Got a war story from this round? Drop it in the comments; I’m all ears.
Stay sharp out there!