
March 2025 Patch Tuesday, severity over quantity

The March 2025 Patch Tuesday update contains an unusually large number of zero-day vulnerabilities that are being actively exploited.

The overall number of patched Microsoft CVEs (57) in this month’s Patch Tuesday is relatively low, but what stands out is that six of them are listed as “Exploitation Detected.” All six have been added to CISA’s database of Known Exploited Vulnerabilities.

The six actively exploited vulnerabilities are:

CVE-2025-24983 (CVSS score 7.0 out of 10): A Windows Win32 Kernel Subsystem Elevation of Privilege vulnerability. Successful exploitation of this vulnerability requires an attacker to win a race condition but would provide the successful attacker with SYSTEM privileges on a compromised device.

Reportedly, the in-the-wild use of this vulnerability is limited to older versions of Windows OS: Windows 8.1 and Server 2012 R2.

CVE-2025-24984 (CVSS score 4.6 out of 10): A Windows NTFS information disclosure vulnerability. Insertion of sensitive information into a log file in Windows NTFS allows an unauthorized attacker to disclose information with a physical attack.

An attacker needs physical access to the target computer to plug in a malicious USB drive and could steal information by reading portions of heap memory. The heap is the region of memory used to hold dynamically allocated data.

CVE-2025-26633 (CVSS score 7.0 out of 10): A Microsoft Management Console (MMC) security feature bypass vulnerability. Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.

Without providing a lot of details, Microsoft adds:

  • In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the vulnerability.
  • In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.

CVE-2025-24985 (CVSS score 7.8 out of 10): A Windows Fast FAT File System Driver Remote Code Execution (RCE) vulnerability, due to an integer overflow or wraparound in Windows Fast FAT Driver which allows an unauthorized attacker to execute code locally.

Microsoft notes that:

An attacker can trick a local user on a vulnerable system into mounting a specially crafted Virtual Hard Disk (VHD) that would then trigger the vulnerability.

CVE-2025-24991 (CVSS score 5.5 out of 10): A Windows NTFS Information Disclosure vulnerability. An out-of-bounds read in Windows NTFS allows an authorized attacker to disclose information locally—the information being small portions of heap memory. Again, the attacker will have to trick a local user on a vulnerable system into mounting a specially crafted VHD.

CVE-2025-24993 (CVSS score 7.8 out of 10): A heap-based buffer overflow Windows NTFS Remote Code Execution vulnerability. This is another vulnerability that requires a local user on a vulnerable system to mount a specially crafted VHD, but unlike the information disclosure flaw above it allows an unauthorized attacker to execute code locally.

Virtual Hard Disk

Virtual Hard Disks, such as .vhd and .vhdx files, can be opened in Windows as if they are a physical disk. An attacker typically sends emails with .zip archive attachments containing virtual hard drive files, or embedded links to downloads that contain a virtual hard drive file.

There are a few things you can do to keep yourself safe from malicious VHDs.

  • Only accept and mount VHDs from trusted and verified sources. Be suspicious of unsolicited VHDs or those from unknown origins.
  • Use role-based access control and policies to restrict VHD access to authorized personnel only.
  • Deploy active protection on your endpoints and monitor for suspicious activity. If you lack the security staff, consider deploying an MDR service.
  • Regularly update virtualization software, hypervisors, and security tools to protect against known vulnerabilities.
  • Provide security awareness training to help users recognize social engineering tactics that might be used to trick them into mounting malicious VHDs.

Other vendors

Adobe issued important updates for Acrobat and Reader.

Broadcom patched 3 zero-days which were actively exploited.

Cisco patched an important vulnerability in Cisco Webex for BroadWorks.

Ivanti updated their security advisory for 3 actively exploited vulnerabilities in Ivanti Endpoint Manager (EPM) appliances.

Google published the March 2025 Android security bulletin.

SAP released security updates for several products as part of March Patch Day.