theregister.com

Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws

Microsoft’s Patch Tuesday bundle has appeared, with a dirty dozen flaws competing for your urgent attention – six of them rated critical and another six already being exploited by criminals.

Let’s start with the six already exploited vulnerabilities, three of which impact Windows NTFS.

The first is CVE-2025-24993 - a heap-based buffer overflow in NTFS used by Windows Server 2008 and later systems, as well as Windows 10 and 11. The flaw makes remote code execution (RCE) a possibility and is fairly simple to exploit, Redmond warns.

Though it's technically an RCE, it requires some local action, such as getting a user to mount a malicious virtual hard disk (VHD) image, as Redmond explains: "This type of exploit is sometimes referred to as arbitrary code execution. The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.

"An attacker can trick a local user on a vulnerable system into mounting a specially crafted VHD that would then trigger the vulnerability."

That said, this 7.8-severity flaw is being exploited in the wild.

The second zero-day vulnerability, CVE-2025-24991, is an information-disclosure flaw in NTFS rated 5.5 on the ten-point CVSS severity scale. The bug allows an attacker to perform an out-of-bounds read to access data on the target system, but again only if the victim, for instance, mounts a specially crafted VHD.

The other exploited NTFS issue is the 4.6-rated CVE-2025-24984, which allows insertion of sensitive information into a log file. Attackers need physical access to the target computer. All three NTFS flaws were reported anonymously, Microsoft said.

One of the other exploited flaws is CVE-2025-24985, a 7.8-rated code execution bug in the Windows Fast FAT File System Driver. Again, exploitation requires convincing a local user to mount a specially crafted VHD. If paired with a privilege escalation flaw, an attacker could completely take over a system.

CVE-2025-24983 is only exploitable by an authenticated user but allows privilege escalation to SYSTEM level by running a specially crafted program to exploit a flaw in the Win32 Kernel Subsystem.

The last of the flaws already being actively exploited is CVE-2025-26633, a security feature bypass flaw in the Microsoft Management Console (MMC).

Trend Micro researcher Aliakbar Zahravi found this flaw being abused by criminals. According to the security shop, more than 600 organizations have already been hit by threat actors who tricked users into clicking on a poisoned MSC file – a file type used by MMC to configure and monitor system components – that, thanks to the aforementioned CVE, gives attackers the chance to run code within the user's context.

Let's get critical

March's patch bundle also addresses six critical flaws.

Two of them are present in Windows Remote Desktop Services (RDS) and are rated 8.1 on the CVSS scale.

The first, CVE-2025-24035, is a sensitive data storage issue caused by RDS improperly locking memory. The second, CVE-2025-24045, is a tricky flaw to exploit, requiring an attacker to win a race condition.

There's also an 8.8-rated flaw in Remote Desktop Client - CVE-2025-26645 - which allows an unauthorized attacker to execute code over a network via relative path traversal when a vulnerable client connects to a malicious remote desktop protocol server.

Another critical bug, a CVSS 7.8 flaw in Office assigned CVE-2025-24057, has left security researchers scratching their heads. It's a heap-based buffer overflow that seemingly requires the user to get involved and inadvertently help the invader.

"The Office bug where Preview Pane is an attack vector is likely to see exploits, but Microsoft confusingly states user interaction is required," said Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative. "Perhaps the target needs to preview the file in the Preview Pane?"

The other critical flaws are CVE-2025-24064, a use-after-free flaw in Windows DNS Server, and CVE-2025-24084, a Windows Subsystem for Linux kernel remote code execution vulnerability.

Among the 57 flaws Microsoft’s fixed this month is one that’s already been disclosed, but not yet exploited or patched. CVE-2025-26630 is a use-after-free bug in Microsoft Access spotted by Unpatched.ai. If successfully exploited, it would allow remote code execution, but the attack requires the target to download and open a malicious file through social engineering.

Apple and Adobe join the patch party

Apple used Tuesday to patch a serious issue, CVE-2025-24201, which is already under attack. The flaw allows attackers to bypass the Web Content sandbox that Apple’s Safari browser uses to isolate web content from the rest of a system and execute arbitrary code on a target system.

The issue was "exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2," Cupertino said. When Apple uses that kind of language, past experience suggests that advanced threat actors such as commercial surveillanceware vendors have found a way through the iTitan's defenses.

After not issuing any patches for Acrobat last month, Adobe found nine flaws to fix this month - six of them critical. All of the criticals, and one of the important patches, allow arbitrary code execution, while the other two important issues involve memory leaks.

Adobe also fixed three critical and three important flaws in Illustrator. InDesign also gets nine fixes - all but two of them treated as critical.

The graphics stalwart also sorted out seven critical bugs in Substance 3D Sampler, dished out two fixes for critical problems in 3D Designer, and the same number for 3D Painter.

3D Modeler scored four fixes, two of them critical and the other pair merely important.

And for Android...

Google pushed out the latest patches for Android and said two flaws in the OS are already "under limited, targeted exploitation" by miscreants. Grab your operating system updates as soon as you can from Google or your 'droid maker.

In all, Google released 40-plus patches this month. Ten of March's patches are for critical system bugs - eight of them allowing remote code execution, while the other two are an escalation of privilege and a denial of service.

One of the under-attack bugs is CVE-2024-50302, a Linux kernel memory leak that Amnesty International reported is being exploited by commercial surveillanceware vendor Cellebrite.

The second vulnerability under attack, CVE-2024-43093, is an Android Framework privilege escalation vulnerability that was patched last year.
