Report Name: Microsoft Patch Tuesday, March 2025
Generated: 2025-03-12 10:42:38

Product Name	Prevalence	U	C	H	M	L	A	Comment
Windows Kernel	0.9			2	3		5	Windows Kernel
Windows NTLM	0.9				2		2	A suite of security protocols to authenticate users' identity and protect the integrity and confidentiality of their activity
.NET Core	0.8				1		1	.NET Core
Chromium	0.8			1	16		17	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
DirectX Graphics Kernel	0.8				1		1	DirectX Graphics Kernel
Kernel Streaming Service Driver	0.8				3		3	The Kernel Streaming Service Driver is a Windows kernel-mode component that manages low-latency, real-time streaming of multimedia data between hardware devices and applications
Kernel Streaming WOW Thunk Service Driver	0.8				1		1	Windows component
Microsoft Edge	0.8				1		1	Web browser
Microsoft Local Security Authority Server	0.8				1		1	LSASS, the Windows Local Security Authority Server process, handles Windows security mechanisms
Microsoft Management Console	0.8		1				1	Microsoft Management Console (MMC) is a component of Microsoft Windows that provides system administrators and advanced users an interface for configuring and monitoring the system
Microsoft Office	0.8			10	1		11	Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer
Microsoft Windows	0.8				3		3	Windows component
Windows Domain Name Service	0.8			1			1	Windows component
Windows Common Log File System Driver	0.8				1		1	Common Log File System is a general-purpose logging subsystem that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs
Windows Fast FAT File System Driver	0.8		1				1	Windows component
Windows File Explorer	0.8				1		1	Windows component
Windows Mark of the Web	0.8				1		1	Windows component
Windows NTFS	0.8		3		1		4	The default file system of the Windows NT family
Windows Remote Desktop Client	0.8			1			1	Remote Desktop Protocol Client
Windows Remote Desktop Services	0.8			2			2	Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection
Windows Subsystem for Linux	0.8			1			1	Windows component
Windows Telephony Server	0.8			1			1	Windows component
Windows Win32 Kernel Subsystem	0.8		1		1		2	Windows component
Windows exFAT File System	0.8			1			1	Windows component
.NET	0.7				1		1	.NET
Synaptics Audio Drivers	0.6				1		1	Synaptics Audio Drivers are software components from Synaptics that manage audio hardware functionality on Windows devices
Windows Hyper-V	0.6				2		2	Hardware virtualization component of the client editions of Windows NT
Bing	0.5			1			1	Product detected by a:microsoft:bing (exists in CPE dict)
power_pages	0.5		1				1	Product detected by a:microsoft:power_pages (does NOT exist in CPE dict)
Azure	0.4				4		4	Azure
Visual Studio	0.3				3		3	Integrated development environment

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0		2	20	3		25
Authentication Bypass	0.98		1		4		5
Command Injection	0.97				2		2
Security Feature Bypass	0.9		1	1	2		4
Elevation of Privilege	0.85		1		16		17
Information Disclosure	0.83		2		4		6
Denial of Service	0.7				3		3
Path Traversal	0.7				1		1
Memory Corruption	0.5				9		9
Spoofing	0.4				5		5

Source	U	C	H	M	L	A
MS PT Extended		1	2	17		20
Qualys		6	10	10		26
Tenable		6	3	2		11
Rapid7		6	3			9
ZDI		6				6

Urgent (0)

Critical (7)

1. Remote Code Execution - Windows Fast FAT File System Driver (CVE-2025-24985) - Critical [742]

Description: Windows Fast FAT File System Driver Remote Code Execution Vulnerability. Integer overflow or wraparound in Windows Fast FAT Driver allows an unauthorized attacker to execute code locally.

Qualys: CVE-2025-24985: Windows Fast FAT File System Driver Remote Code Execution Vulnerability A Windows Fast FAT File System Driver is a software component within the Windows operating system that manages file operations on a storage device formatted with the Fast FAT file system. The integer overflow or wraparound flaw in Windows Fast FAT Driver may allow an unauthorized attacker to execute code. An attacker may trick a local user on a vulnerable system into mounting a specially crafted VHD to trigger the vulnerability. CISA added the CVE-2025-24985 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

Tenable: CVE-2025-24985 | Windows Fast FAT File System Driver Remote Code Execution Vulnerability

Tenable: CVE-2025-24985 is a RCE vulnerability in the Windows Fast FAT File System Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. A local attacker could exploit this vulnerability by convincing a potential target to mount a specially crafted virtual hard disk (VHD). Successful exploitation would grant an attacker arbitrary code execution.

Tenable: According to Microsoft, CVE-2025-24985 was exploited in the wild as a zero-day. This is the first vulnerability in Windows Fast FAT File System to be reported since 2022 and the first to be exploited in the wild.

Rapid7: The Windows Fast FAT file system driver is the site of CVE-2025-24985, which Microsoft describes as a code execution vulnerability. Exploitation requires that the user mount a malicious VHD, leading to integer overflow or wraparound. Microsoft claims to have confirmed evidence of exploitation in the wild. The acknowledgments sections for CVE-2025-24984, CVE-2025-24991, CVE-2025-24993, and CVE-2025-24985 all credit an anonymous reporter. More than likely this is the same entity in each case, given the similarities between the four vulnerabilities.

ZDI: CVE-2025-24993 - Windows NTFS Remote Code Execution Vulnerability. CVE-2025-24985 - Windows Fast FAT File System Driver Remote Code Execution Vulnerability. These are two more bugs being exploited, and I group them together because they are triggered by the same action. To be exploited, a user would need to mount a specially crafted virtual hard drive (VHD). It’s interesting to see the root cause of these bugs is an overflow; heap-based for the NTFS and an integer overflow for Fast FAT. Once exploited, the attacker can execute code on an affected system. If paired with a privilege escalation (like the one below), they could completely take over a system.

2. Remote Code Execution - Windows NTFS (CVE-2025-24993) - Critical [742]

Description: Windows NTFS Remote Code Execution Vulnerability. Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.

Qualys: CVE-2025-24993: Windows NTFS Remote Code Execution Vulnerability The heap-based buffer overflow vulnerability in Windows NTFS may allow an authorized attacker to execute code locally. An attacker may trick a local user on a vulnerable system into mounting a specially crafted VHD to trigger the vulnerability. CISA added the CVE-2025-24993 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

Tenable: Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)

Tenable: CVE-2025-24993 | Windows NTFS Remote Code Execution Vulnerability

Tenable: CVE-2025-24993 is a RCE vulnerability in Windows New Technology File System (NTFS). It was assigned a CVSSv3 score of 7.8 and is rated as important. According to Microsoft, a heap-based buffer overflow can be exploited in order to execute arbitrary code on an affected system. In order to exploit this vulnerability, an attacker must entice a local user to mount a crafted VHD. According to Microsoft, this flaw was reportedly exploited in the wild as a zero-day.

Rapid7: If you like NTFS zero-day vulnerabilities, but find information disclosure a bit pedestrian, then CVE-2025-24993 might be just what you’re after: exploitation requires that the user mount a malicious VHD, which then leads to heap-based buffer overflow, and the potential for local code execution. As is standard for a certain type of code execution vulnerability, the advisory somewhat awkwardly clarifies that the word “remote” in the title refers to the location of the attacker, and that the attack itself is carried out locally. The advisory doesn’t specify the context of code execution, but it’s a safe assumption that the end goal here is SYSTEM, since the attacker or a user must already execute code in the context of the user to trigger the vulnerability. The CVSSv3 base score of 7.8 reflects the potentially valuable reward for exploitation and low attack complexity, but is held back by the requirement for user interaction.

Rapid7: The Windows Fast FAT file system driver is the site of CVE-2025-24985, which Microsoft describes as a code execution vulnerability. Exploitation requires that the user mount a malicious VHD, leading to integer overflow or wraparound. Microsoft claims to have confirmed evidence of exploitation in the wild. The acknowledgments sections for CVE-2025-24984, CVE-2025-24991, CVE-2025-24993, and CVE-2025-24985 all credit an anonymous reporter. More than likely this is the same entity in each case, given the similarities between the four vulnerabilities.

ZDI: CVE-2025-24993 - Windows NTFS Remote Code Execution Vulnerability. CVE-2025-24985 - Windows Fast FAT File System Driver Remote Code Execution Vulnerability. These are two more bugs being exploited, and I group them together because they are triggered by the same action. To be exploited, a user would need to mount a specially crafted virtual hard drive (VHD). It’s interesting to see the root cause of these bugs is an overflow; heap-based for the NTFS and an integer overflow for Fast FAT. Once exploited, the attacker can execute code on an affected system. If paired with a privilege escalation (like the one below), they could completely take over a system.

3. Security Feature Bypass - Microsoft Management Console (CVE-2025-26633) - Critical [713]

Description: Microsoft Management Console Security Feature Bypass Vulnerability. Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.

Qualys: CVE-2025-26633: Microsoft Management Console Security Feature Bypass Vulnerability Improper neutralization flaw in Microsoft Management Console may allow an unauthorized attacker to bypass a security feature. CISA added the CVE-2025-26633 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

Tenable: Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)

Tenable: CVE-2025-26633 | Microsoft Management Console Security Feature Bypass Vulnerability

Tenable: CVE-2025-26633 is a security feature bypass vulnerability in the Microsoft Management Console (MMC). It was assigned a CVSSv3 score of 7.0 and is rated important. An attacker could exploit this vulnerability by convincing a potential target with either standard user or admin privileges to open a malicious file.

Tenable: According to Microsoft, CVE-2025-26633 was exploited in the wild as a zero-day. This is the second zero-day in the MMC to be exploited in the wild since CVE-2024-43572, a RCE vulnerability patched in October 2024.

Rapid7: It’s been a few months since we saw a zero-day vulnerability in the Microsoft Management Console, but today brings us CVE-2025-26633, a security feature bypass for which Microsoft is aware of exploitation in the wild, as well as functional exploit code floating around somewhere out there on the internet. Successful exploitation leads to an outcome which isn’t specified by the advisory, but since the Microsoft Management Console has a feature set which includes the creation, hosting, and distribution of custom tools for the administrative management of both hardware and software for any supported version of Windows, it’s easy enough to see why an attacker might be interested. The advisory does mention that both preparation of the target environment and subsequent user interaction are required for successful exploitation, which would require the user to open a malicious file.

ZDI: CVE-2025-26633 - Microsoft Management Console Security Feature Bypass Vulnerability. This bug was discovered by Aliakbar Zahravi and has been seen in the wild and used in targeted attacks. The specific flaw exists within the handling of MSC files. The product does not warn the user before loading an unexpected MSC file. An attacker can leverage this vulnerability to evade file reputation protections and execute code in the context of the current user. There is user interaction required here, but that doesn’t seem to be a problem for the attacker – EncryptHub (aka Larva-208). With more than 600 organizations impacted by these threat actors, test and deploy this fix quickly to ensure your org isn’t added to the list. Ali will have further details about these attacks out soon.

4. Elevation of Privilege - Windows Win32 Kernel Subsystem (CVE-2025-24983) - Critical [704]

Description: Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability. Use after free in Windows Win32 Kernel Subsystem allows an authorized attacker to elevate privileges locally.

Qualys: CVE-2025-24983: Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability The Windows Win32 Kernel Subsystem is a core component within the Windows operating system that bridges standard Windows applications (using the Win32 API) and the underlying Windows kernel. The use after free vulnerability in Windows Win32 Kernel Subsystem may allow an authorized attacker to elevate privileges locally. An attacker may exploit the vulnerability to gain SYSTEM privileges. CISA added the CVE-2025-24983 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

Tenable: Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)

Tenable: CVE-2025-24044 and CVE-2025-24983 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerabilities

Tenable: CVE-2025-24044 and CVE-2025-24983 are EoP vulnerabilities in the Windows Win32 Kernel Subsystem. CVE-2025-24044 and CVE-2025-24983 were assigned CVSSv3 scores of 7.8 and 7.0 respectively, while both vulnerabilities are rated as important. A local, authenticated attacker would need to win a race condition in order to exploit CVE-2025-24983. Successful exploitation of either vulnerability would allow the attacker to gain SYSTEM privileges.

Tenable: According to Microsoft, CVE-2025-24983 was exploited in the wild as a zero-day. While CVE-2025-24044 was not exploited, Microsoft assessed it as “Exploitation More Likely” according to Microsoft’s Exploitability Index. Prior to this month, Microsoft patched seven vulnerabilities in the Win32 Kernel Subsystem (one in 2022, five in 2024, one earlier in 2025), though CVE-2025-24983 is the first to be exploited in the wild.

Rapid7: Older Windows products receive a patch today for CVE-2025-24983, which is an elevation of privilege vulnerability in the Win32 kernel subsystem. Microsoft is aware of exploitation in the wild. Since no user interaction is required, and successful exploitation leads to SYSTEM privileges, this isn’t one to ignore, even if the attacker must win a race condition, which does raise the bar for entry somewhat. Microsoft Windows 11 and Server 2019 onwards are not listed as receiving patches, so are presumably not vulnerable. It’s not clear why newer Windows products dodged this particular bullet; the Windows 32 subsystem is still presumably alive and well, since there is no apparent mention of its demise on the Windows client OS deprecated features list.

ZDI: CVE-2025-24983 - Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability. This is another bug being actively exploited, but it’s a more traditional privilege escalation than the other one. In this case, an authenticated user would need to run a specially crafted program that ends up executing code with SYSTEM privileges. That’s why these types of bugs are usually paired with a code execution bug to take over a system. Microsoft doesn’t provide any information on how widespread these attacks are, but regardless of how targeted the attacks may be, I would test and deploy these patches quickly.

5. Information Disclosure - Windows NTFS (CVE-2025-24991) - Critical [688]

Description: Windows NTFS Information Disclosure Vulnerability. Out-of-bounds read in Windows NTFS allows an authorized attacker to disclose information locally.

Qualys: CVE-2025-24991: Windows NTFS Information Disclosure Vulnerability Inserting sensitive information into a log file in Windows NTFS may allow an authorized attacker to disclose information locally. An attacker may exploit the vulnerability to read portions of heap memory potentially. CISA added the CVE-2025-24991 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

Tenable: CVE-2025-24984, CVE-2025-24991, CVE-2025-24992 | Windows NTFS Information Disclosure Vulnerabilities

Tenable: CVE-2025-24984, CVE-2025-24991 and CVE-2025-24992 are information disclosure vulnerabilities in Windows NTFS. Both CVE-2025-24991 and CVE-2025-24992 were assigned CVSSv3 scores of 5.5, while CVE-2025-24984 was assigned a score of 4.6. All three of these vulnerabilities were rated as important and can be exploited in physical attacks such as an attacker utilizing a malicious USB drive or by enticing a local user to mount a crafted VHD.

Tenable: While two information disclosure vulnerabilities in Windows NTFS have previously been patched in 2022 (CVE-2022-26933) and 2023 (CVE-2023-36398), CVE-2025-24984 and CVE-2025-24991 are the first to have been exploited in the wild as zero-days.

Rapid7: If you like NTFS zero-day vulnerabilities, then today’s your lucky day! CVE-2025-24991 describes an out-of-bounds read in NTFS leading to information disclosure, specifically disclosure of small portions of heap memory. An attacker would need to trick a user into mounting a malicious VHD (Virtual Hard Disk), and that alone would be enough to trigger the vulnerability. The advisory does not explain how the attacker would exfiltrate the data, but clearly it’s practically possible, since Microsoft claims evidence of exploitation in the wild.

Rapid7: The Windows Fast FAT file system driver is the site of CVE-2025-24985, which Microsoft describes as a code execution vulnerability. Exploitation requires that the user mount a malicious VHD, leading to integer overflow or wraparound. Microsoft claims to have confirmed evidence of exploitation in the wild. The acknowledgments sections for CVE-2025-24984, CVE-2025-24991, CVE-2025-24993, and CVE-2025-24985 all credit an anonymous reporter. More than likely this is the same entity in each case, given the similarities between the four vulnerabilities.

ZDI: CVE-2025-24984/CVE-2025-24991 - Windows NTFS Information Disclosure Vulnerability. These are the final two bugs under active attack in this release. They have different triggers, but both simply lead to info leaks consisting of unspecified memory contents. CVE-2025-24984 requires physical access, which is unusual to see in an active attack. The other CVE requires the target to mount a specially crafted VHD. Even though the info leak isn’t targeted, it must be worth getting since these are being exploited. Don’t sleep on these. Test and deploy the fixes quickly.

6. Information Disclosure - Windows NTFS (CVE-2025-24984) - Critical [676]

Description: Windows NTFS Information Disclosure Vulnerability. Insertion of sensitive information into log file in Windows NTFS allows an unauthorized attacker to disclose information with a physical attack.

Qualys: CVE-2025-24984: Windows NTFS Information Disclosure Vulnerability Windows NTFS (New Technology File System) is a file system that stores and organizes files on Windows operating systems. It’s the default file system for Windows NT 3.1 and later versions. NTFS offers encryption, file and folder permissions, and disk quotas. An attacker may exploit the vulnerability to potentially read portions of heap memory. An attacker must have physical access to the target computer to plug in a malicious USB drive. CISA added the CVE-2025-24984 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

Tenable: CVE-2025-24984, CVE-2025-24991, CVE-2025-24992 | Windows NTFS Information Disclosure Vulnerabilities

Tenable: CVE-2025-24984, CVE-2025-24991 and CVE-2025-24992 are information disclosure vulnerabilities in Windows NTFS. Both CVE-2025-24991 and CVE-2025-24992 were assigned CVSSv3 scores of 5.5, while CVE-2025-24984 was assigned a score of 4.6. All three of these vulnerabilities were rated as important and can be exploited in physical attacks such as an attacker utilizing a malicious USB drive or by enticing a local user to mount a crafted VHD.

Tenable: While two information disclosure vulnerabilities in Windows NTFS have previously been patched in 2022 (CVE-2022-26933) and 2023 (CVE-2023-36398), CVE-2025-24984 and CVE-2025-24991 are the first to have been exploited in the wild as zero-days.

Rapid7: Defense-in-depth practitioners have been limiting and monitoring access to USB ports for years now, and today brings further evidence for the value of locking things down, in the form of CVE-2025-24984, an information disclosure vulnerability in NTFS. Microsoft has evidence of exploitation in the wild, and functional exploit code. This vulnerability has a thus-far-unique combination of attributes: the attack vector is physical — the advisory describes a malicious USB drive as the delivery mechanism — and the weakness is CWE-532: Insertion of Sensitive Information into Log File. The advisory doesn’t quite join the dots, but successful exploitation appears to mean that portions of heap memory could be improperly dumped into a log file, which could then be combed through by an attacker hungry for privileged information. A relatively low CVSSv3 base score of 4.6 reflects the practical difficulties of real-world exploitation, but a motivated attacker can sometimes achieve extraordinary results starting from the smallest of toeholds, and Microsoft does rate this vulnerability as important on its own proprietary severity ranking scale.

Rapid7: The Windows Fast FAT file system driver is the site of CVE-2025-24985, which Microsoft describes as a code execution vulnerability. Exploitation requires that the user mount a malicious VHD, leading to integer overflow or wraparound. Microsoft claims to have confirmed evidence of exploitation in the wild. The acknowledgments sections for CVE-2025-24984, CVE-2025-24991, CVE-2025-24993, and CVE-2025-24985 all credit an anonymous reporter. More than likely this is the same entity in each case, given the similarities between the four vulnerabilities.

ZDI: CVE-2025-24984/CVE-2025-24991 - Windows NTFS Information Disclosure Vulnerability. These are the final two bugs under active attack in this release. They have different triggers, but both simply lead to info leaks consisting of unspecified memory contents. CVE-2025-24984 requires physical access, which is unusual to see in an active attack. The other CVE requires the target to mount a specially crafted VHD. Even though the info leak isn’t targeted, it must be worth getting since these are being exploited. Don’t sleep on these. Test and deploy the fixes quickly.

7. Authentication Bypass - power_pages (CVE-2025-24989) - Critical [675]

Description: An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you.

MS PT Extended: CVE-2025-24989 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

High (21)

8. Remote Code Execution - Bing (CVE-2025-21355) - High [509]

Description: Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network

MS PT Extended: CVE-2025-21355 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

9. Remote Code Execution - Chromium (CVE-2025-0998) - High [442]

Description: Out of bounds memory access in V8 in Google Chrome prior to 133.0.6943.98 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

MS PT Extended: CVE-2025-0998 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

10. Security Feature Bypass - Windows Kernel (CVE-2025-21247) - High [439]

Description: MapUrlToZone Security Feature Bypass Vulnerability. Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24044 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21180 is a remote code execution vulnerability in the Windows exFAT File System. This heap-based buffer overflow flaw in Windows exFAT File System could allow an unauthorized attacker to execute code. CVE-2025-24995 is an elevation of privilege vulnerability in Kernel Streaming WOW Thunk Service Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21247 is a security feature bypass vulnerability in MapUrlToZone. The improper resolution of path equivalence flaw could allow an unauthorized attacker to bypass a security feature over a network. CVE-2025-24061 is a security feature bypass vulnerability in Windows Mark of the Web. An attacker may exploit the vulnerability to bypass the SmartScreen user experience. CVE-2025-24066 & CVE-2025-24067 are the elevation of privilege vulnerabilities in the Kernel Streaming Service Driver. The use after free flaw in Microsoft Streaming Service could allow an authorized attacker to gain SYSTEM privileges.

11. Remote Code Execution - Windows Kernel (CVE-2025-24051) - High [435]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability. Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.

12. Remote Code Execution - Windows Remote Desktop Client (CVE-2025-26645) - High [419]

Description: Remote Desktop Client Remote Code Execution Vulnerability. Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Qualys: CVE-2025-26645: Remote Desktop Client Remote Code Execution Vulnerability Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Rapid7: How much do you trust the RDP server you’re about to connect to? An attacker in control of a malicious RDP server simply has to wait for a client vulnerable to CVE-2025-26645 to connect in order to achieve remote code execution on the client. Microsoft has assigned a CVSSv3 base score of 8.8 and a severity ranking of critical. While none of us should be connecting to RDP servers we’re not familiar with, an attacker might well see CVE-2025-26645 as a great opportunity for lateral movement and footprint expansion through the network.

13. Remote Code Execution - Windows Telephony Server (CVE-2025-24056) - High [419]

Description: Windows Telephony Service Remote Code Execution Vulnerability. Heap-based buffer overflow in Windows Telephony Server allows an unauthorized attacker to execute code over a network.

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

14. Remote Code Execution - Microsoft Office (CVE-2025-24057) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability. Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

Qualys: CVE-2025-24057: Microsoft Office Remote Code Execution Vulnerability The heap-based buffer overflow flaw in Microsoft Office may allow an unauthorized attacker to execute code remotely.

15. Remote Code Execution - Microsoft Office (CVE-2025-24075) - High [407]

Description: Microsoft Excel Remote Code Execution Vulnerability. Stack-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

16. Remote Code Execution - Microsoft Office (CVE-2025-24077) - High [407]

Description: Microsoft Word Remote Code Execution Vulnerability. Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

17. Remote Code Execution - Microsoft Office (CVE-2025-24079) - High [407]

Description: Microsoft Word Remote Code Execution Vulnerability. Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

18. Remote Code Execution - Microsoft Office (CVE-2025-24080) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability. Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

19. Remote Code Execution - Microsoft Office (CVE-2025-24081) - High [407]

Description: Microsoft Excel Remote Code Execution Vulnerability. Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

20. Remote Code Execution - Microsoft Office (CVE-2025-24082) - High [407]

Description: Microsoft Excel Remote Code Execution Vulnerability. Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

21. Remote Code Execution - Microsoft Office (CVE-2025-24083) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability. Untrusted pointer dereference in Microsoft Office allows an unauthorized attacker to execute code locally.

22. Remote Code Execution - Microsoft Office (CVE-2025-26629) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability. Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

23. Remote Code Execution - Microsoft Office (CVE-2025-26630) - High [407]

Description: Microsoft Access Remote Code Execution Vulnerability. Use after free in Microsoft Office Access allows an unauthorized attacker to execute code locally.

Qualys: CVE-2025-26630: Microsoft Access Remote Code Execution Vulnerability Microsoft Access is a database management system (DBMS) that helps users create and manage databases. The system uses Visual Basic for Applications to automate business processes. The use after free flaw in Microsoft Office Access allows an unauthorized attacker to execute code locally. An attacker must trick a user into running a malicious file to successfully exploit the vulnerability.

Tenable: CVE-2025-26630 | Microsoft Access Remote Code Execution Vulnerability

Tenable: CVE-2025-26630 is a RCE vulnerability in Microsoft Access. It was assigned a CVSSv3 score of 7.8 and is rated as important. An attacker could exploit this vulnerability by using social engineering to convince a potential target to download and run a malicious file on their system. Successful exploitation would grant an attacker arbitrary code execution.

Tenable: According to Microsoft, CVE-2025-26630 is considered a zero-day vulnerability as it was publicly disclosed prior to a patch being available. This is the sixth vulnerability in Microsoft Access disclosed since 2023. However, this is the fourth zero-day to be publicly disclosed and attributed to Unpatched.ai. Three were disclosed in Microsoft’s January 2025 Patch Tuesday release (CVE-2025-21186, CVE-2025-21366, CVE-2025-21395)

Rapid7: CVE-2025-26630 describes a remote-but-actually-local code execution vulnerability in Microsoft Access. Exploitation requires that the user open a malicious file. Microsoft is aware of public disclosure, but considers exploitation less likely. The weakness is our old friend CWE-416: Use After Free. Beyond that, the advisory is short on detail, but does claim that the Preview Pane is not an attack vector, so that’s a silver lining for this particular cloud. Going by the acknowledgements section of the advisory, it seems likely that relative newcomer Unpatched.ai intends to continue to shake things up, since they were also credited with a trio of zero-day Access vulnerabilities published back in January.

24. Remote Code Execution - Windows Domain Name Service (CVE-2025-24064) - High [407]

Description: Windows Domain Name Service Remote Code Execution Vulnerability. Use after free in DNS Server allows an unauthorized attacker to execute code over a network.

Qualys: CVE-2025-24064: Windows Domain Name Service Remote Code Execution Vulnerability Windows Domain Name Service is the implementation of the Domain Name System (DNS) within the Windows operating system. The service allows users to access websites and network devices using easy-to-remember domain names instead of complex IP addresses. The use after free flaw in the DNS Server may allow an unauthorized attacker to execute code over a network. An attacker must win a race condition to exploit the vulnerability.

25. Remote Code Execution - Windows Remote Desktop Services (CVE-2025-24035) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability. Sensitive data storage in improperly locked memory in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network.

Qualys: CVE-2025-24035 & CVE-2025-24045: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS) is a Microsoft feature that allows users to remotely access and use Windows applications and desktops from various devices over a network connection. The sensitive data storage in improperly locked memory flaw in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network. An attacker must win a race condition to exploit the vulnerability.

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

Tenable: CVE-2025-24035 and CVE-2025-24045 | Windows Remote Desktop Services Remote Code Execution Vulnerabilities

Tenable: CVE-2025-24035 and CVE-2025-24045 are RCE vulnerabilities in Windows Remote Desktop Services. Each was assigned a CVSSv3 score of 8.1 and rated as critical. To exploit these flaws, an attacker must be able to win a race condition. Despite this requirement, Microsoft assessed both flaws as “Exploitation More Likely.”

26. Remote Code Execution - Windows Remote Desktop Services (CVE-2025-24045) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability. Sensitive data storage in improperly locked memory in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network.

Qualys: CVE-2025-24035 & CVE-2025-24045: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS) is a Microsoft feature that allows users to remotely access and use Windows applications and desktops from various devices over a network connection. The sensitive data storage in improperly locked memory flaw in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network. An attacker must win a race condition to exploit the vulnerability.

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

Tenable: CVE-2025-24035 and CVE-2025-24045 | Windows Remote Desktop Services Remote Code Execution Vulnerabilities

Tenable: CVE-2025-24035 and CVE-2025-24045 are RCE vulnerabilities in Windows Remote Desktop Services. Each was assigned a CVSSv3 score of 8.1 and rated as critical. To exploit these flaws, an attacker must be able to win a race condition. Despite this requirement, Microsoft assessed both flaws as “Exploitation More Likely.”

27. Remote Code Execution - Windows Subsystem for Linux (CVE-2025-24084) - High [407]

Description: Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability. Untrusted pointer dereference in Windows Subsystem for Linux allows an unauthorized attacker to execute code locally.

Qualys: CVE-2025-24084: Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability The untrusted pointer dereference in Windows Subsystem for Linux may allow an unauthorized attacker to execute code locally.

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

Rapid7: The Windows Subsystem for Linux (WSL2) kernel receives a patch today for an arbitrary code execution vulnerability. Microsoft doesn’t claim evidence of public disclosure or in-the-wild exploitation for CVE-2025-24084, but does rank it as critical using its own proprietary severity ranking scale, which goes beyond what the already-significant CVSSv3 base score of 8.4 would suggest. The advisory describes multiple possible attack vectors, but in the worst case, there is no requirement for user interaction, since simply receiving a malicious email would be enough to trigger the vulnerability. The advisory does not clarify the context of code execution, but the magic email attack vector is alarming. Patch accordingly.

28. Remote Code Execution - Windows exFAT File System (CVE-2025-21180) - High [407]

Description: Windows exFAT File System Remote Code Execution Vulnerability. Heap-based buffer overflow in Windows exFAT File System allows an unauthorized attacker to execute code locally.

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24044 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21180 is a remote code execution vulnerability in the Windows exFAT File System. This heap-based buffer overflow flaw in Windows exFAT File System could allow an unauthorized attacker to execute code. CVE-2025-24995 is an elevation of privilege vulnerability in Kernel Streaming WOW Thunk Service Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21247 is a security feature bypass vulnerability in MapUrlToZone. The improper resolution of path equivalence flaw could allow an unauthorized attacker to bypass a security feature over a network. CVE-2025-24061 is a security feature bypass vulnerability in Windows Mark of the Web. An attacker may exploit the vulnerability to bypass the SmartScreen user experience. CVE-2025-24066 & CVE-2025-24067 are the elevation of privilege vulnerabilities in the Kernel Streaming Service Driver. The use after free flaw in Microsoft Streaming Service could allow an authorized attacker to gain SYSTEM privileges.

Medium (49)

29. Remote Code Execution - Microsoft Office (CVE-2025-24078) - Medium [395]

Description: Microsoft Word Remote Code Execution Vulnerability. Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

30. Authentication Bypass - .NET Core (CVE-2025-24070) - Medium [391]

Description: Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network.

31. Authentication Bypass - Microsoft Windows (CVE-2025-24076) - Medium [391]

Description: {'ms_cve_data_all': 'Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability. Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally.\n', 'nvd_cve_data_all': 'Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally.', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

32. Authentication Bypass - Microsoft Windows (CVE-2025-24994) - Medium [391]

Description: {'ms_cve_data_all': 'Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability. Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally.\n', 'nvd_cve_data_all': 'Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally.', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

33. Remote Code Execution - .NET (CVE-2025-24043) - Medium [390]

Description: WinDbg Remote Code Execution Vulnerability. Improper verification of cryptographic signature in .NET allows an authorized attacker to execute code over a network.

34. Security Feature Bypass - Microsoft Edge (CVE-2025-21401) - Medium [389]

Description: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

MS PT Extended: CVE-2025-21401 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

35. Security Feature Bypass - Windows Mark of the Web (CVE-2025-24061) - Medium [389]

Description: Windows Mark of the Web Security Feature Bypass Vulnerability. Protection mechanism failure in Windows Mark of the Web (MOTW) allows an unauthorized attacker to bypass a security feature locally.

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24044 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21180 is a remote code execution vulnerability in the Windows exFAT File System. This heap-based buffer overflow flaw in Windows exFAT File System could allow an unauthorized attacker to execute code. CVE-2025-24995 is an elevation of privilege vulnerability in Kernel Streaming WOW Thunk Service Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21247 is a security feature bypass vulnerability in MapUrlToZone. The improper resolution of path equivalence flaw could allow an unauthorized attacker to bypass a security feature over a network. CVE-2025-24061 is a security feature bypass vulnerability in Windows Mark of the Web. An attacker may exploit the vulnerability to bypass the SmartScreen user experience. CVE-2025-24066 & CVE-2025-24067 are the elevation of privilege vulnerabilities in the Kernel Streaming Service Driver. The use after free flaw in Microsoft Streaming Service could allow an authorized attacker to gain SYSTEM privileges.

36. Elevation of Privilege - Windows Kernel (CVE-2025-24987) - Medium [385]

Description: Windows USB Video Class System Driver Elevation of Privilege Vulnerability. Out-of-bounds read in Windows USB Video Driver allows an authorized attacker to elevate privileges with a physical attack.

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

37. Elevation of Privilege - Windows Kernel (CVE-2025-24988) - Medium [385]

Description: Windows USB Video Class System Driver Elevation of Privilege Vulnerability. Out-of-bounds read in Windows USB Video Driver allows an authorized attacker to elevate privileges with a physical attack.

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

38. Elevation of Privilege - Kernel Streaming Service Driver (CVE-2025-24046) - Medium [380]

Description: Kernel Streaming Service Driver Elevation of Privilege Vulnerability. Use after free in Microsoft Streaming Service allows an authorized attacker to elevate privileges locally.

39. Elevation of Privilege - Kernel Streaming Service Driver (CVE-2025-24066) - Medium [380]

Description: Kernel Streaming Service Driver Elevation of Privilege Vulnerability. Heap-based buffer overflow in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24044 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21180 is a remote code execution vulnerability in the Windows exFAT File System. This heap-based buffer overflow flaw in Windows exFAT File System could allow an unauthorized attacker to execute code. CVE-2025-24995 is an elevation of privilege vulnerability in Kernel Streaming WOW Thunk Service Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21247 is a security feature bypass vulnerability in MapUrlToZone. The improper resolution of path equivalence flaw could allow an unauthorized attacker to bypass a security feature over a network. CVE-2025-24061 is a security feature bypass vulnerability in Windows Mark of the Web. An attacker may exploit the vulnerability to bypass the SmartScreen user experience. CVE-2025-24066 & CVE-2025-24067 are the elevation of privilege vulnerabilities in the Kernel Streaming Service Driver. The use after free flaw in Microsoft Streaming Service could allow an authorized attacker to gain SYSTEM privileges.

40. Elevation of Privilege - Kernel Streaming Service Driver (CVE-2025-24067) - Medium [380]

Description: Kernel Streaming Service Driver Elevation of Privilege Vulnerability. Heap-based buffer overflow in Microsoft Streaming Service allows an authorized attacker to elevate privileges locally.

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24044 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21180 is a remote code execution vulnerability in the Windows exFAT File System. This heap-based buffer overflow flaw in Windows exFAT File System could allow an unauthorized attacker to execute code. CVE-2025-24995 is an elevation of privilege vulnerability in Kernel Streaming WOW Thunk Service Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21247 is a security feature bypass vulnerability in MapUrlToZone. The improper resolution of path equivalence flaw could allow an unauthorized attacker to bypass a security feature over a network. CVE-2025-24061 is a security feature bypass vulnerability in Windows Mark of the Web. An attacker may exploit the vulnerability to bypass the SmartScreen user experience. CVE-2025-24066 & CVE-2025-24067 are the elevation of privilege vulnerabilities in the Kernel Streaming Service Driver. The use after free flaw in Microsoft Streaming Service could allow an authorized attacker to gain SYSTEM privileges.

41. Elevation of Privilege - Kernel Streaming WOW Thunk Service Driver (CVE-2025-24995) - Medium [380]

Description: Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability. Heap-based buffer overflow in Kernel Streaming WOW Thunk Service Driver allows an authorized attacker to elevate privileges locally.

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24044 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21180 is a remote code execution vulnerability in the Windows exFAT File System. This heap-based buffer overflow flaw in Windows exFAT File System could allow an unauthorized attacker to execute code. CVE-2025-24995 is an elevation of privilege vulnerability in Kernel Streaming WOW Thunk Service Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21247 is a security feature bypass vulnerability in MapUrlToZone. The improper resolution of path equivalence flaw could allow an unauthorized attacker to bypass a security feature over a network. CVE-2025-24061 is a security feature bypass vulnerability in Windows Mark of the Web. An attacker may exploit the vulnerability to bypass the SmartScreen user experience. CVE-2025-24066 & CVE-2025-24067 are the elevation of privilege vulnerabilities in the Kernel Streaming Service Driver. The use after free flaw in Microsoft Streaming Service could allow an authorized attacker to gain SYSTEM privileges.

42. Elevation of Privilege - Microsoft Local Security Authority Server (CVE-2025-24072) - Medium [380]

Description: Microsoft Local Security Authority (LSA) Server Elevation of Privilege Vulnerability. Use after free in Microsoft Local Security Authority Server (lsasrv) allows an authorized attacker to elevate privileges locally.

43. Elevation of Privilege - Windows Common Log File System Driver (CVE-2025-24059) - Medium [380]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability. Incorrect conversion between numeric types in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

44. Elevation of Privilege - Windows Win32 Kernel Subsystem (CVE-2025-24044) - Medium [380]

Description: Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability. Use after free in Windows Win32 Kernel Subsystem allows an authorized attacker to elevate privileges locally.

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24044 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21180 is a remote code execution vulnerability in the Windows exFAT File System. This heap-based buffer overflow flaw in Windows exFAT File System could allow an unauthorized attacker to execute code. CVE-2025-24995 is an elevation of privilege vulnerability in Kernel Streaming WOW Thunk Service Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21247 is a security feature bypass vulnerability in MapUrlToZone. The improper resolution of path equivalence flaw could allow an unauthorized attacker to bypass a security feature over a network. CVE-2025-24061 is a security feature bypass vulnerability in Windows Mark of the Web. An attacker may exploit the vulnerability to bypass the SmartScreen user experience. CVE-2025-24066 & CVE-2025-24067 are the elevation of privilege vulnerabilities in the Kernel Streaming Service Driver. The use after free flaw in Microsoft Streaming Service could allow an authorized attacker to gain SYSTEM privileges.

Tenable: CVE-2025-24044 and CVE-2025-24983 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerabilities

Tenable: CVE-2025-24044 and CVE-2025-24983 are EoP vulnerabilities in the Windows Win32 Kernel Subsystem. CVE-2025-24044 and CVE-2025-24983 were assigned CVSSv3 scores of 7.8 and 7.0 respectively, while both vulnerabilities are rated as important. A local, authenticated attacker would need to win a race condition in order to exploit CVE-2025-24983. Successful exploitation of either vulnerability would allow the attacker to gain SYSTEM privileges.

Tenable: According to Microsoft, CVE-2025-24983 was exploited in the wild as a zero-day. While CVE-2025-24044 was not exploited, Microsoft assessed it as “Exploitation More Likely” according to Microsoft’s Exploitability Index. Prior to this month, Microsoft patched seven vulnerabilities in the Win32 Kernel Subsystem (one in 2022, five in 2024, one earlier in 2025), though CVE-2025-24983 is the first to be exploited in the wild.

45. Information Disclosure - Chromium (CVE-2025-1921) - Medium [376]

Description: Inappropriate implementation in Media Stream in Google Chrome prior to 134.0.6998.35 allowed a remote attacker to obtain information about a peripheral via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2025-1921 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

46. Information Disclosure - Windows File Explorer (CVE-2025-24071) - Medium [376]

Description: Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.

47. Authentication Bypass - Synaptics Audio Drivers (CVE-2024-9157) - Medium [370]

Description: ** UNSUPPORTED WHEN ASSIGNED **  A privilege escalation vulnerability in CxUIUSvc64.exe and CxUIUSvc32.exe of Synaptics audio drivers allows a local authorized attacker to load a DLL in a privileged process. Out of an abundance of caution, this CVE ID is being assigned to better serve our customers and ensure all who are still running this product understand that the product is End-of-Life and should be removed. For more information on this, refer to the CVE Record’s reference information.

48. Elevation of Privilege - Microsoft Windows (CVE-2025-25008) - Medium [368]

Description: Windows Server Elevation of Privilege Vulnerability. Improper link resolution before file access ('link following') in Microsoft Windows allows an authorized attacker to elevate privileges locally.

49. Path Traversal - Chromium (CVE-2025-1915) - Medium [365]

Description: Improper Limitation of a Pathname to a Restricted Directory in DevTools in Google Chrome on Windows prior to 134.0.6998.35 allowed an attacker who convinced a user to install a malicious extension to bypass file access restrictions via a crafted Chrome Extension. (Chromium security severity: Medium)

MS PT Extended: CVE-2025-1915 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

50. Information Disclosure - Windows NTFS (CVE-2025-24992) - Medium [352]

Description: Windows NTFS Information Disclosure Vulnerability. Buffer over-read in Windows NTFS allows an unauthorized attacker to disclose information locally.

Tenable: CVE-2025-24984, CVE-2025-24991, CVE-2025-24992 | Windows NTFS Information Disclosure Vulnerabilities

Tenable: CVE-2025-24984, CVE-2025-24991 and CVE-2025-24992 are information disclosure vulnerabilities in Windows NTFS. Both CVE-2025-24991 and CVE-2025-24992 were assigned CVSSv3 scores of 5.5, while CVE-2025-24984 was assigned a score of 4.6. All three of these vulnerabilities were rated as important and can be exploited in physical attacks such as an attacker utilizing a malicious USB drive or by enticing a local user to mount a crafted VHD.

51. Elevation of Privilege - Windows Hyper-V (CVE-2025-24048) - Medium [347]

Description: Windows Hyper-V Elevation of Privilege Vulnerability. Heap-based buffer overflow in Role: Windows Hyper-V allows an authorized attacker to elevate privileges locally.

52. Elevation of Privilege - Windows Hyper-V (CVE-2025-24050) - Medium [347]

Description: Windows Hyper-V Elevation of Privilege Vulnerability. Heap-based buffer overflow in Role: Windows Hyper-V allows an authorized attacker to elevate privileges locally.

53. Information Disclosure - Windows Kernel (CVE-2025-24055) - Medium [345]

Description: Windows USB Video Class System Driver Information Disclosure Vulnerability. Out-of-bounds read in Windows USB Video Driver allows an authorized attacker to disclose information with a physical attack.

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

54. Memory Corruption - Chromium (CVE-2025-0995) - Medium [341]

Description: Chromium: CVE -2025-0995 Use after free in V8 . This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-0995 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

55. Memory Corruption - Chromium (CVE-2025-0999) - Medium [341]

Description: Chromium: CVE-2025-0999 Heap buffer overflow in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-0999 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

56. Memory Corruption - Chromium (CVE-2025-1006) - Medium [341]

Description: Chromium: CVE-2025-1426 Heap buffer overflow in GPU. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-1006 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

57. Memory Corruption - Chromium (CVE-2025-1426) - Medium [341]

Description: Chromium: CVE-2025-1006 Use after free in Network. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-1426 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

58. Memory Corruption - Chromium (CVE-2025-1914) - Medium [341]

Description: Chromium: CVE-2025-1914 Out of bounds read in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-1914 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

59. Memory Corruption - Chromium (CVE-2025-1916) - Medium [341]

Description: Chromium: CVE-2025-1916 Use after free in Profiles. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-1916 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

60. Memory Corruption - Chromium (CVE-2025-1918) - Medium [341]

Description: Chromium: CVE-2025-1918 Out of bounds read in PDFium. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-1918 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

61. Memory Corruption - Chromium (CVE-2025-1919) - Medium [341]

Description: Chromium: CVE-2025-1919 Out of bounds read in Media. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-1919 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

62. Command Injection - Azure (CVE-2025-24049) - Medium [335]

Description: Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability. Improper neutralization of special elements used in a command ('command injection') in Azure Command Line Integration (CLI) allows an unauthorized attacker to elevate privileges locally.

63. Memory Corruption - Chromium (CVE-2025-0997) - Medium [329]

Description: Chromium: CVE -2025-0997 Use after free in Navigation . This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-0997 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

64. Remote Code Execution - Azure (CVE-2025-24986) - Medium [328]

Description: Azure Promptflow Remote Code Execution Vulnerability. Improper isolation or compartmentalization in Azure PromptFlow allows an unauthorized attacker to execute code over a network.

65. Command Injection - Azure (CVE-2025-26627) - Medium [323]

Description: Azure Arc Installer Elevation of Privilege Vulnerability. Improper neutralization of special elements used in a command ('command injection') in Azure Arc allows an authorized attacker to elevate privileges locally.

66. Denial of Service - Chromium (CVE-2025-1917) - Medium [317]

Description: Inappropriate implementation in Browser UI in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2025-1917 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

67. Denial of Service - Chromium (CVE-2025-1923) - Medium [317]

Description: Inappropriate implementation in Permission Prompts in Google Chrome prior to 134.0.6998.35 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)

MS PT Extended: CVE-2025-1923 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

68. Denial of Service - DirectX Graphics Kernel (CVE-2025-24997) - Medium [305]

Description: DirectX Graphics Kernel File Denial of Service Vulnerability. Null pointer dereference in Windows Kernel Memory allows an authorized attacker to deny service locally.

69. Spoofing - Windows NTLM (CVE-2025-24054) - Medium [304]

Description: NTLM Hash Disclosure Spoofing Vulnerability. External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

70. Spoofing - Windows NTLM (CVE-2025-24996) - Medium [304]

Description: NTLM Hash Disclosure Spoofing Vulnerability. External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

71. Elevation of Privilege - Azure (CVE-2025-21199) - Medium [301]

Description: Azure Agent Installer for Backup and Site Recovery Elevation of Privilege Vulnerability. Improper privilege management in Azure Agent Installer allows an authorized attacker to elevate privileges locally.

72. Spoofing - Chromium (CVE-2025-26643) - Medium [288]

Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability. The UI performs the wrong action in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

MS PT Extended: CVE-2025-26643 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

73. Elevation of Privilege - Visual Studio (CVE-2025-24998) - Medium [285]

Description: Visual Studio Elevation of Privilege Vulnerability. Uncontrolled search path element in Visual Studio allows an authorized attacker to elevate privileges locally.

74. Elevation of Privilege - Visual Studio (CVE-2025-25003) - Medium [285]

Description: Visual Studio Elevation of Privilege Vulnerability. Uncontrolled search path element in Visual Studio allows an authorized attacker to elevate privileges locally.

75. Elevation of Privilege - Visual Studio (CVE-2025-26631) - Medium [285]

Description: Visual Studio Code Elevation of Privilege Vulnerability. Uncontrolled search path element in Visual Studio Code allows an authorized attacker to elevate privileges locally.

76. Spoofing - Chromium (CVE-2025-0996) - Medium [276]

Description: Inappropriate implementation in Browser UI in Google Chrome on Android prior to 133.0.6943.98 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: High)

MS PT Extended: CVE-2025-0996 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

77. Spoofing - Chromium (CVE-2025-1922) - Medium [264]

Description: Inappropriate implementation in Selection in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

MS PT Extended: CVE-2025-1922 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

Low (0)

Exploitation in the wild detected (7)

Remote Code Execution (2)

• Windows Fast FAT File System Driver (CVE-2025-24985)

Qualys: CVE-2025-24985: Windows Fast FAT File System Driver Remote Code Execution Vulnerability A Windows Fast FAT File System Driver is a software component within the Windows operating system that manages file operations on a storage device formatted with the Fast FAT file system. The integer overflow or wraparound flaw in Windows Fast FAT Driver may allow an unauthorized attacker to execute code. An attacker may trick a local user on a vulnerable system into mounting a specially crafted VHD to trigger the vulnerability. CISA added the CVE-2025-24985 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

Tenable: CVE-2025-24985 | Windows Fast FAT File System Driver Remote Code Execution Vulnerability

Tenable: CVE-2025-24985 is a RCE vulnerability in the Windows Fast FAT File System Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. A local attacker could exploit this vulnerability by convincing a potential target to mount a specially crafted virtual hard disk (VHD). Successful exploitation would grant an attacker arbitrary code execution.

Tenable: According to Microsoft, CVE-2025-24985 was exploited in the wild as a zero-day. This is the first vulnerability in Windows Fast FAT File System to be reported since 2022 and the first to be exploited in the wild.

Rapid7: The Windows Fast FAT file system driver is the site of CVE-2025-24985, which Microsoft describes as a code execution vulnerability. Exploitation requires that the user mount a malicious VHD, leading to integer overflow or wraparound. Microsoft claims to have confirmed evidence of exploitation in the wild. The acknowledgments sections for CVE-2025-24984, CVE-2025-24991, CVE-2025-24993, and CVE-2025-24985 all credit an anonymous reporter. More than likely this is the same entity in each case, given the similarities between the four vulnerabilities.

ZDI: CVE-2025-24993 - Windows NTFS Remote Code Execution Vulnerability. CVE-2025-24985 - Windows Fast FAT File System Driver Remote Code Execution Vulnerability. These are two more bugs being exploited, and I group them together because they are triggered by the same action. To be exploited, a user would need to mount a specially crafted virtual hard drive (VHD). It’s interesting to see the root cause of these bugs is an overflow; heap-based for the NTFS and an integer overflow for Fast FAT. Once exploited, the attacker can execute code on an affected system. If paired with a privilege escalation (like the one below), they could completely take over a system.

• Windows NTFS (CVE-2025-24993)

Qualys: CVE-2025-24993: Windows NTFS Remote Code Execution Vulnerability The heap-based buffer overflow vulnerability in Windows NTFS may allow an authorized attacker to execute code locally. An attacker may trick a local user on a vulnerable system into mounting a specially crafted VHD to trigger the vulnerability. CISA added the CVE-2025-24993 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

Tenable: Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)

Tenable: CVE-2025-24993 | Windows NTFS Remote Code Execution Vulnerability

Tenable: CVE-2025-24993 is a RCE vulnerability in Windows New Technology File System (NTFS). It was assigned a CVSSv3 score of 7.8 and is rated as important. According to Microsoft, a heap-based buffer overflow can be exploited in order to execute arbitrary code on an affected system. In order to exploit this vulnerability, an attacker must entice a local user to mount a crafted VHD. According to Microsoft, this flaw was reportedly exploited in the wild as a zero-day.

Rapid7: If you like NTFS zero-day vulnerabilities, but find information disclosure a bit pedestrian, then CVE-2025-24993 might be just what you’re after: exploitation requires that the user mount a malicious VHD, which then leads to heap-based buffer overflow, and the potential for local code execution. As is standard for a certain type of code execution vulnerability, the advisory somewhat awkwardly clarifies that the word “remote” in the title refers to the location of the attacker, and that the attack itself is carried out locally. The advisory doesn’t specify the context of code execution, but it’s a safe assumption that the end goal here is SYSTEM, since the attacker or a user must already execute code in the context of the user to trigger the vulnerability. The CVSSv3 base score of 7.8 reflects the potentially valuable reward for exploitation and low attack complexity, but is held back by the requirement for user interaction.

Rapid7: The Windows Fast FAT file system driver is the site of CVE-2025-24985, which Microsoft describes as a code execution vulnerability. Exploitation requires that the user mount a malicious VHD, leading to integer overflow or wraparound. Microsoft claims to have confirmed evidence of exploitation in the wild. The acknowledgments sections for CVE-2025-24984, CVE-2025-24991, CVE-2025-24993, and CVE-2025-24985 all credit an anonymous reporter. More than likely this is the same entity in each case, given the similarities between the four vulnerabilities.

ZDI: CVE-2025-24993 - Windows NTFS Remote Code Execution Vulnerability. CVE-2025-24985 - Windows Fast FAT File System Driver Remote Code Execution Vulnerability. These are two more bugs being exploited, and I group them together because they are triggered by the same action. To be exploited, a user would need to mount a specially crafted virtual hard drive (VHD). It’s interesting to see the root cause of these bugs is an overflow; heap-based for the NTFS and an integer overflow for Fast FAT. Once exploited, the attacker can execute code on an affected system. If paired with a privilege escalation (like the one below), they could completely take over a system.

Security Feature Bypass (1)

• Microsoft Management Console (CVE-2025-26633)

Qualys: CVE-2025-26633: Microsoft Management Console Security Feature Bypass Vulnerability Improper neutralization flaw in Microsoft Management Console may allow an unauthorized attacker to bypass a security feature. CISA added the CVE-2025-26633 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

Tenable: Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)

Tenable: CVE-2025-26633 | Microsoft Management Console Security Feature Bypass Vulnerability

Tenable: CVE-2025-26633 is a security feature bypass vulnerability in the Microsoft Management Console (MMC). It was assigned a CVSSv3 score of 7.0 and is rated important. An attacker could exploit this vulnerability by convincing a potential target with either standard user or admin privileges to open a malicious file.

Tenable: According to Microsoft, CVE-2025-26633 was exploited in the wild as a zero-day. This is the second zero-day in the MMC to be exploited in the wild since CVE-2024-43572, a RCE vulnerability patched in October 2024.

Rapid7: It’s been a few months since we saw a zero-day vulnerability in the Microsoft Management Console, but today brings us CVE-2025-26633, a security feature bypass for which Microsoft is aware of exploitation in the wild, as well as functional exploit code floating around somewhere out there on the internet. Successful exploitation leads to an outcome which isn’t specified by the advisory, but since the Microsoft Management Console has a feature set which includes the creation, hosting, and distribution of custom tools for the administrative management of both hardware and software for any supported version of Windows, it’s easy enough to see why an attacker might be interested. The advisory does mention that both preparation of the target environment and subsequent user interaction are required for successful exploitation, which would require the user to open a malicious file.

ZDI: CVE-2025-26633 - Microsoft Management Console Security Feature Bypass Vulnerability. This bug was discovered by Aliakbar Zahravi and has been seen in the wild and used in targeted attacks. The specific flaw exists within the handling of MSC files. The product does not warn the user before loading an unexpected MSC file. An attacker can leverage this vulnerability to evade file reputation protections and execute code in the context of the current user. There is user interaction required here, but that doesn’t seem to be a problem for the attacker – EncryptHub (aka Larva-208). With more than 600 organizations impacted by these threat actors, test and deploy this fix quickly to ensure your org isn’t added to the list. Ali will have further details about these attacks out soon.

Elevation of Privilege (1)

• Windows Win32 Kernel Subsystem (CVE-2025-24983)

Qualys: CVE-2025-24983: Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability The Windows Win32 Kernel Subsystem is a core component within the Windows operating system that bridges standard Windows applications (using the Win32 API) and the underlying Windows kernel. The use after free vulnerability in Windows Win32 Kernel Subsystem may allow an authorized attacker to elevate privileges locally. An attacker may exploit the vulnerability to gain SYSTEM privileges. CISA added the CVE-2025-24983 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

Tenable: Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)

Tenable: CVE-2025-24044 and CVE-2025-24983 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerabilities

Tenable: CVE-2025-24044 and CVE-2025-24983 are EoP vulnerabilities in the Windows Win32 Kernel Subsystem. CVE-2025-24044 and CVE-2025-24983 were assigned CVSSv3 scores of 7.8 and 7.0 respectively, while both vulnerabilities are rated as important. A local, authenticated attacker would need to win a race condition in order to exploit CVE-2025-24983. Successful exploitation of either vulnerability would allow the attacker to gain SYSTEM privileges.

Tenable: According to Microsoft, CVE-2025-24983 was exploited in the wild as a zero-day. While CVE-2025-24044 was not exploited, Microsoft assessed it as “Exploitation More Likely” according to Microsoft’s Exploitability Index. Prior to this month, Microsoft patched seven vulnerabilities in the Win32 Kernel Subsystem (one in 2022, five in 2024, one earlier in 2025), though CVE-2025-24983 is the first to be exploited in the wild.

Rapid7: Older Windows products receive a patch today for CVE-2025-24983, which is an elevation of privilege vulnerability in the Win32 kernel subsystem. Microsoft is aware of exploitation in the wild. Since no user interaction is required, and successful exploitation leads to SYSTEM privileges, this isn’t one to ignore, even if the attacker must win a race condition, which does raise the bar for entry somewhat. Microsoft Windows 11 and Server 2019 onwards are not listed as receiving patches, so are presumably not vulnerable. It’s not clear why newer Windows products dodged this particular bullet; the Windows 32 subsystem is still presumably alive and well, since there is no apparent mention of its demise on the Windows client OS deprecated features list.

ZDI: CVE-2025-24983 - Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability. This is another bug being actively exploited, but it’s a more traditional privilege escalation than the other one. In this case, an authenticated user would need to run a specially crafted program that ends up executing code with SYSTEM privileges. That’s why these types of bugs are usually paired with a code execution bug to take over a system. Microsoft doesn’t provide any information on how widespread these attacks are, but regardless of how targeted the attacks may be, I would test and deploy these patches quickly.

Information Disclosure (2)

• Windows NTFS (CVE-2025-24984, CVE-2025-24991)

Qualys: CVE-2025-24984: Windows NTFS Information Disclosure Vulnerability Windows NTFS (New Technology File System) is a file system that stores and organizes files on Windows operating systems. It’s the default file system for Windows NT 3.1 and later versions. NTFS offers encryption, file and folder permissions, and disk quotas. An attacker may exploit the vulnerability to potentially read portions of heap memory. An attacker must have physical access to the target computer to plug in a malicious USB drive. CISA added the CVE-2025-24984 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

Qualys: CVE-2025-24991: Windows NTFS Information Disclosure Vulnerability Inserting sensitive information into a log file in Windows NTFS may allow an authorized attacker to disclose information locally. An attacker may exploit the vulnerability to read portions of heap memory potentially. CISA added the CVE-2025-24991 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before April 1, 2025.

Tenable: CVE-2025-24984, CVE-2025-24991, CVE-2025-24992 | Windows NTFS Information Disclosure Vulnerabilities

Tenable: CVE-2025-24984, CVE-2025-24991 and CVE-2025-24992 are information disclosure vulnerabilities in Windows NTFS. Both CVE-2025-24991 and CVE-2025-24992 were assigned CVSSv3 scores of 5.5, while CVE-2025-24984 was assigned a score of 4.6. All three of these vulnerabilities were rated as important and can be exploited in physical attacks such as an attacker utilizing a malicious USB drive or by enticing a local user to mount a crafted VHD.

Tenable: While two information disclosure vulnerabilities in Windows NTFS have previously been patched in 2022 (CVE-2022-26933) and 2023 (CVE-2023-36398), CVE-2025-24984 and CVE-2025-24991 are the first to have been exploited in the wild as zero-days.

Rapid7: Defense-in-depth practitioners have been limiting and monitoring access to USB ports for years now, and today brings further evidence for the value of locking things down, in the form of CVE-2025-24984, an information disclosure vulnerability in NTFS. Microsoft has evidence of exploitation in the wild, and functional exploit code. This vulnerability has a thus-far-unique combination of attributes: the attack vector is physical — the advisory describes a malicious USB drive as the delivery mechanism — and the weakness is CWE-532: Insertion of Sensitive Information into Log File. The advisory doesn’t quite join the dots, but successful exploitation appears to mean that portions of heap memory could be improperly dumped into a log file, which could then be combed through by an attacker hungry for privileged information. A relatively low CVSSv3 base score of 4.6 reflects the practical difficulties of real-world exploitation, but a motivated attacker can sometimes achieve extraordinary results starting from the smallest of toeholds, and Microsoft does rate this vulnerability as important on its own proprietary severity ranking scale.

Rapid7: If you like NTFS zero-day vulnerabilities, then today’s your lucky day! CVE-2025-24991 describes an out-of-bounds read in NTFS leading to information disclosure, specifically disclosure of small portions of heap memory. An attacker would need to trick a user into mounting a malicious VHD (Virtual Hard Disk), and that alone would be enough to trigger the vulnerability. The advisory does not explain how the attacker would exfiltrate the data, but clearly it’s practically possible, since Microsoft claims evidence of exploitation in the wild.

Rapid7: The Windows Fast FAT file system driver is the site of CVE-2025-24985, which Microsoft describes as a code execution vulnerability. Exploitation requires that the user mount a malicious VHD, leading to integer overflow or wraparound. Microsoft claims to have confirmed evidence of exploitation in the wild. The acknowledgments sections for CVE-2025-24984, CVE-2025-24991, CVE-2025-24993, and CVE-2025-24985 all credit an anonymous reporter. More than likely this is the same entity in each case, given the similarities between the four vulnerabilities.

ZDI: CVE-2025-24984/CVE-2025-24991 - Windows NTFS Information Disclosure Vulnerability. These are the final two bugs under active attack in this release. They have different triggers, but both simply lead to info leaks consisting of unspecified memory contents. CVE-2025-24984 requires physical access, which is unusual to see in an active attack. The other CVE requires the target to mount a specially crafted VHD. Even though the info leak isn’t targeted, it must be worth getting since these are being exploited. Don’t sleep on these. Test and deploy the fixes quickly.

Authentication Bypass (1)

• power_pages (CVE-2025-24989)

MS PT Extended: CVE-2025-24989 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

Public exploit exists, but exploitation in the wild is NOT detected (0)

Other Vulnerabilities (70)

Remote Code Execution (23)

• Bing (CVE-2025-21355)

MS PT Extended: CVE-2025-21355 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

• Chromium (CVE-2025-0998)

MS PT Extended: CVE-2025-0998 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

• Windows Kernel (CVE-2025-24051)
• Windows Remote Desktop Client (CVE-2025-26645)

Qualys: CVE-2025-26645: Remote Desktop Client Remote Code Execution Vulnerability Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Rapid7: How much do you trust the RDP server you’re about to connect to? An attacker in control of a malicious RDP server simply has to wait for a client vulnerable to CVE-2025-26645 to connect in order to achieve remote code execution on the client. Microsoft has assigned a CVSSv3 base score of 8.8 and a severity ranking of critical. While none of us should be connecting to RDP servers we’re not familiar with, an attacker might well see CVE-2025-26645 as a great opportunity for lateral movement and footprint expansion through the network.

• Windows Telephony Server (CVE-2025-24056)

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

• Microsoft Office (CVE-2025-24057, CVE-2025-24075, CVE-2025-24077, CVE-2025-24078, CVE-2025-24079, CVE-2025-24080, CVE-2025-24081, CVE-2025-24082, CVE-2025-24083, CVE-2025-26629, CVE-2025-26630)

Qualys: CVE-2025-26630: Microsoft Access Remote Code Execution Vulnerability Microsoft Access is a database management system (DBMS) that helps users create and manage databases. The system uses Visual Basic for Applications to automate business processes. The use after free flaw in Microsoft Office Access allows an unauthorized attacker to execute code locally. An attacker must trick a user into running a malicious file to successfully exploit the vulnerability.

Qualys: CVE-2025-24057: Microsoft Office Remote Code Execution Vulnerability The heap-based buffer overflow flaw in Microsoft Office may allow an unauthorized attacker to execute code remotely.

Tenable: CVE-2025-26630 | Microsoft Access Remote Code Execution Vulnerability

Tenable: CVE-2025-26630 is a RCE vulnerability in Microsoft Access. It was assigned a CVSSv3 score of 7.8 and is rated as important. An attacker could exploit this vulnerability by using social engineering to convince a potential target to download and run a malicious file on their system. Successful exploitation would grant an attacker arbitrary code execution.

Tenable: According to Microsoft, CVE-2025-26630 is considered a zero-day vulnerability as it was publicly disclosed prior to a patch being available. This is the sixth vulnerability in Microsoft Access disclosed since 2023. However, this is the fourth zero-day to be publicly disclosed and attributed to Unpatched.ai. Three were disclosed in Microsoft’s January 2025 Patch Tuesday release (CVE-2025-21186, CVE-2025-21366, CVE-2025-21395)

Rapid7: CVE-2025-26630 describes a remote-but-actually-local code execution vulnerability in Microsoft Access. Exploitation requires that the user open a malicious file. Microsoft is aware of public disclosure, but considers exploitation less likely. The weakness is our old friend CWE-416: Use After Free. Beyond that, the advisory is short on detail, but does claim that the Preview Pane is not an attack vector, so that’s a silver lining for this particular cloud. Going by the acknowledgements section of the advisory, it seems likely that relative newcomer Unpatched.ai intends to continue to shake things up, since they were also credited with a trio of zero-day Access vulnerabilities published back in January.

• Windows Domain Name Service (CVE-2025-24064)

Qualys: CVE-2025-24064: Windows Domain Name Service Remote Code Execution Vulnerability Windows Domain Name Service is the implementation of the Domain Name System (DNS) within the Windows operating system. The service allows users to access websites and network devices using easy-to-remember domain names instead of complex IP addresses. The use after free flaw in the DNS Server may allow an unauthorized attacker to execute code over a network. An attacker must win a race condition to exploit the vulnerability.

• Windows Remote Desktop Services (CVE-2025-24035, CVE-2025-24045)

Qualys: CVE-2025-24035 & CVE-2025-24045: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS) is a Microsoft feature that allows users to remotely access and use Windows applications and desktops from various devices over a network connection. The sensitive data storage in improperly locked memory flaw in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network. An attacker must win a race condition to exploit the vulnerability.

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

Tenable: CVE-2025-24035 and CVE-2025-24045 | Windows Remote Desktop Services Remote Code Execution Vulnerabilities

Tenable: CVE-2025-24035 and CVE-2025-24045 are RCE vulnerabilities in Windows Remote Desktop Services. Each was assigned a CVSSv3 score of 8.1 and rated as critical. To exploit these flaws, an attacker must be able to win a race condition. Despite this requirement, Microsoft assessed both flaws as “Exploitation More Likely.”

• Windows Subsystem for Linux (CVE-2025-24084)

Qualys: CVE-2025-24084: Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability The untrusted pointer dereference in Windows Subsystem for Linux may allow an unauthorized attacker to execute code locally.

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

Rapid7: The Windows Subsystem for Linux (WSL2) kernel receives a patch today for an arbitrary code execution vulnerability. Microsoft doesn’t claim evidence of public disclosure or in-the-wild exploitation for CVE-2025-24084, but does rank it as critical using its own proprietary severity ranking scale, which goes beyond what the already-significant CVSSv3 base score of 8.4 would suggest. The advisory describes multiple possible attack vectors, but in the worst case, there is no requirement for user interaction, since simply receiving a malicious email would be enough to trigger the vulnerability. The advisory does not clarify the context of code execution, but the magic email attack vector is alarming. Patch accordingly.

• Windows exFAT File System (CVE-2025-21180)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24044 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21180 is a remote code execution vulnerability in the Windows exFAT File System. This heap-based buffer overflow flaw in Windows exFAT File System could allow an unauthorized attacker to execute code. CVE-2025-24995 is an elevation of privilege vulnerability in Kernel Streaming WOW Thunk Service Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21247 is a security feature bypass vulnerability in MapUrlToZone. The improper resolution of path equivalence flaw could allow an unauthorized attacker to bypass a security feature over a network. CVE-2025-24061 is a security feature bypass vulnerability in Windows Mark of the Web. An attacker may exploit the vulnerability to bypass the SmartScreen user experience. CVE-2025-24066 & CVE-2025-24067 are the elevation of privilege vulnerabilities in the Kernel Streaming Service Driver. The use after free flaw in Microsoft Streaming Service could allow an authorized attacker to gain SYSTEM privileges.

• .NET (CVE-2025-24043)
• Azure (CVE-2025-24986)

Security Feature Bypass (3)

• Windows Kernel (CVE-2025-21247)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24044 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21180 is a remote code execution vulnerability in the Windows exFAT File System. This heap-based buffer overflow flaw in Windows exFAT File System could allow an unauthorized attacker to execute code. CVE-2025-24995 is an elevation of privilege vulnerability in Kernel Streaming WOW Thunk Service Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21247 is a security feature bypass vulnerability in MapUrlToZone. The improper resolution of path equivalence flaw could allow an unauthorized attacker to bypass a security feature over a network. CVE-2025-24061 is a security feature bypass vulnerability in Windows Mark of the Web. An attacker may exploit the vulnerability to bypass the SmartScreen user experience. CVE-2025-24066 & CVE-2025-24067 are the elevation of privilege vulnerabilities in the Kernel Streaming Service Driver. The use after free flaw in Microsoft Streaming Service could allow an authorized attacker to gain SYSTEM privileges.

• Microsoft Edge (CVE-2025-21401)

MS PT Extended: CVE-2025-21401 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

• Windows Mark of the Web (CVE-2025-24061)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24044 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21180 is a remote code execution vulnerability in the Windows exFAT File System. This heap-based buffer overflow flaw in Windows exFAT File System could allow an unauthorized attacker to execute code. CVE-2025-24995 is an elevation of privilege vulnerability in Kernel Streaming WOW Thunk Service Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21247 is a security feature bypass vulnerability in MapUrlToZone. The improper resolution of path equivalence flaw could allow an unauthorized attacker to bypass a security feature over a network. CVE-2025-24061 is a security feature bypass vulnerability in Windows Mark of the Web. An attacker may exploit the vulnerability to bypass the SmartScreen user experience. CVE-2025-24066 & CVE-2025-24067 are the elevation of privilege vulnerabilities in the Kernel Streaming Service Driver. The use after free flaw in Microsoft Streaming Service could allow an authorized attacker to gain SYSTEM privileges.

Authentication Bypass (4)

• .NET Core (CVE-2025-24070)
• Microsoft Windows (CVE-2025-24076, CVE-2025-24994)
• Synaptics Audio Drivers (CVE-2024-9157)

Elevation of Privilege (16)

• Windows Kernel (CVE-2025-24987, CVE-2025-24988)

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

• Kernel Streaming Service Driver (CVE-2025-24046, CVE-2025-24066, CVE-2025-24067)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24044 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21180 is a remote code execution vulnerability in the Windows exFAT File System. This heap-based buffer overflow flaw in Windows exFAT File System could allow an unauthorized attacker to execute code. CVE-2025-24995 is an elevation of privilege vulnerability in Kernel Streaming WOW Thunk Service Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21247 is a security feature bypass vulnerability in MapUrlToZone. The improper resolution of path equivalence flaw could allow an unauthorized attacker to bypass a security feature over a network. CVE-2025-24061 is a security feature bypass vulnerability in Windows Mark of the Web. An attacker may exploit the vulnerability to bypass the SmartScreen user experience. CVE-2025-24066 & CVE-2025-24067 are the elevation of privilege vulnerabilities in the Kernel Streaming Service Driver. The use after free flaw in Microsoft Streaming Service could allow an authorized attacker to gain SYSTEM privileges.

• Kernel Streaming WOW Thunk Service Driver (CVE-2025-24995)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24044 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21180 is a remote code execution vulnerability in the Windows exFAT File System. This heap-based buffer overflow flaw in Windows exFAT File System could allow an unauthorized attacker to execute code. CVE-2025-24995 is an elevation of privilege vulnerability in Kernel Streaming WOW Thunk Service Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21247 is a security feature bypass vulnerability in MapUrlToZone. The improper resolution of path equivalence flaw could allow an unauthorized attacker to bypass a security feature over a network. CVE-2025-24061 is a security feature bypass vulnerability in Windows Mark of the Web. An attacker may exploit the vulnerability to bypass the SmartScreen user experience. CVE-2025-24066 & CVE-2025-24067 are the elevation of privilege vulnerabilities in the Kernel Streaming Service Driver. The use after free flaw in Microsoft Streaming Service could allow an authorized attacker to gain SYSTEM privileges.

• Microsoft Local Security Authority Server (CVE-2025-24072)
• Windows Common Log File System Driver (CVE-2025-24059)
• Windows Win32 Kernel Subsystem (CVE-2025-24044)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-24044 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21180 is a remote code execution vulnerability in the Windows exFAT File System. This heap-based buffer overflow flaw in Windows exFAT File System could allow an unauthorized attacker to execute code. CVE-2025-24995 is an elevation of privilege vulnerability in Kernel Streaming WOW Thunk Service Driver. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2025-21247 is a security feature bypass vulnerability in MapUrlToZone. The improper resolution of path equivalence flaw could allow an unauthorized attacker to bypass a security feature over a network. CVE-2025-24061 is a security feature bypass vulnerability in Windows Mark of the Web. An attacker may exploit the vulnerability to bypass the SmartScreen user experience. CVE-2025-24066 & CVE-2025-24067 are the elevation of privilege vulnerabilities in the Kernel Streaming Service Driver. The use after free flaw in Microsoft Streaming Service could allow an authorized attacker to gain SYSTEM privileges.

Tenable: CVE-2025-24044 and CVE-2025-24983 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerabilities

Tenable: CVE-2025-24044 and CVE-2025-24983 are EoP vulnerabilities in the Windows Win32 Kernel Subsystem. CVE-2025-24044 and CVE-2025-24983 were assigned CVSSv3 scores of 7.8 and 7.0 respectively, while both vulnerabilities are rated as important. A local, authenticated attacker would need to win a race condition in order to exploit CVE-2025-24983. Successful exploitation of either vulnerability would allow the attacker to gain SYSTEM privileges.

Tenable: According to Microsoft, CVE-2025-24983 was exploited in the wild as a zero-day. While CVE-2025-24044 was not exploited, Microsoft assessed it as “Exploitation More Likely” according to Microsoft’s Exploitability Index. Prior to this month, Microsoft patched seven vulnerabilities in the Win32 Kernel Subsystem (one in 2022, five in 2024, one earlier in 2025), though CVE-2025-24983 is the first to be exploited in the wild.

• Microsoft Windows (CVE-2025-25008)
• Windows Hyper-V (CVE-2025-24048, CVE-2025-24050)
• Azure (CVE-2025-21199)
• Visual Studio (CVE-2025-24998, CVE-2025-25003, CVE-2025-26631)

Information Disclosure (4)

• Chromium (CVE-2025-1921)

MS PT Extended: CVE-2025-1921 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

• Windows File Explorer (CVE-2025-24071)
• Windows NTFS (CVE-2025-24992)

Tenable: CVE-2025-24984, CVE-2025-24991, CVE-2025-24992 | Windows NTFS Information Disclosure Vulnerabilities

Tenable: CVE-2025-24984, CVE-2025-24991 and CVE-2025-24992 are information disclosure vulnerabilities in Windows NTFS. Both CVE-2025-24991 and CVE-2025-24992 were assigned CVSSv3 scores of 5.5, while CVE-2025-24984 was assigned a score of 4.6. All three of these vulnerabilities were rated as important and can be exploited in physical attacks such as an attacker utilizing a malicious USB drive or by enticing a local user to mount a crafted VHD.

• Windows Kernel (CVE-2025-24055)

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

Path Traversal (1)

• Chromium (CVE-2025-1915)

MS PT Extended: CVE-2025-1915 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

Memory Corruption (9)

• Chromium (CVE-2025-0995, CVE-2025-0997, CVE-2025-0999, CVE-2025-1006, CVE-2025-1426, CVE-2025-1914, CVE-2025-1916, CVE-2025-1918, CVE-2025-1919)

MS PT Extended: CVE-2025-1006 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

MS PT Extended: CVE-2025-0997 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

MS PT Extended: CVE-2025-0999 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

MS PT Extended: CVE-2025-1918 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

MS PT Extended: CVE-2025-1914 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

MS PT Extended: CVE-2025-0995 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

MS PT Extended: CVE-2025-1916 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

MS PT Extended: CVE-2025-1919 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

MS PT Extended: CVE-2025-1426 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

Command Injection (2)

• Azure (CVE-2025-24049, CVE-2025-26627)

Denial of Service (3)

• Chromium (CVE-2025-1917, CVE-2025-1923)

MS PT Extended: CVE-2025-1917 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

MS PT Extended: CVE-2025-1923 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

• DirectX Graphics Kernel (CVE-2025-24997)

Spoofing (5)

• Windows NTLM (CVE-2025-24054, CVE-2025-24996)

Qualys: Risk Reduction via TruRisk Eliminate With Qualys TruRisk Eliminate customers can install innovative patchless mitigation strategies for the following vulnerabilities. Some of these do not require a system reboot and can be used as a stop-gap while your systems are being patched for these vulnerabilities. More information about Qualys TruRisk Eliminate can be found here – https://www.qualys.com/apps/trurisk-eliminate/ CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24035 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability CVE-2025-24055 – Windows USB Video Class System Driver Information Disclosure Vulnerability CVE-2025-24988 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability CVE-2025-24054 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24996 – NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-24045 – Windows Remote Desktop Services Remote Code Execution Vulnerability CVE-2025-24056 – Windows Telephony Service Remote Code Execution Vulnerability CVE-2025-24987 – Windows USB Video Class System Driver Elevation of Privilege Vulnerability For some of the CVEs mentioned above, we mitigate risks by disabling RemoteAccess, TapiSrv services. Additional mitigation strategies that involving NTLM hashes and non-essential device derives are also enabled to provide optimal protection against the above mentioned vulnerabilities. The next Patch Tuesday falls on April 15, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

• Chromium (CVE-2025-0996, CVE-2025-1922, CVE-2025-26643)

MS PT Extended: CVE-2025-1922 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

MS PT Extended: CVE-2025-26643 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10

MS PT Extended: CVE-2025-0996 was published before March 2025 Patch Tuesday from 2025-02-12 to 2025-03-10