Microsoft’s March Patch Tuesday Fixes 58 Vulnerabilities, Including Six Under Active Attack

Microsoft has released its March 2025 Patch Tuesday updates, addressing 58 new security vulnerabilities across Windows, Office, and Edge. Of particular concern, six Windows vulnerabilities are already being actively exploited in the wild, while another Office flaw was publicly disclosed prior to this patch.

Windows Security Fixes: 37 Vulnerabilities Patched

A significant portion of the updates—37 vulnerabilities—affect various versions of Windows, including Windows Server, Windows 10, and Windows 11, which continue to receive security updates. However, with Windows 10 reaching end-of-life later this year, users are strongly advised to upgrade to Windows 10 (22H2) or Windows 11 (24H2) if their hardware supports it.

For those still running Windows 7 or Windows 8.1, the risk continues to rise, as these versions no longer receive official security patches. Without updates, they become prime targets for cyberattacks.

Active Attacks on Windows Vulnerabilities

Microsoft has confirmed ongoing attacks on six of the patched vulnerabilities, though it has not classified any as critical or disclosed the scale of these exploits. Security researcher Dustin Childs from Trend Micro’s Zero Day Initiative (ZDI) has provided additional insights into these vulnerabilities:

  • CVE-2025-26633 – A Microsoft Management Console (MMC) flaw exploited by EncryptHub (Larva-208), a threat actor group that has already compromised over 600 organizations. The attack involves malicious MSC files that bypass security mechanisms and execute code with user rights.
  • CVE-2025-24993 & CVE-2025-24985 – Vulnerabilities in the NTFS and FAT file systems, exploited through malicious Virtual Hard Drive (VHD) files. If combined with an Elevation of Privilege (EoP) vulnerability, attackers could fully compromise the system.
  • CVE-2025-24983 – A Win32 kernel subsystem vulnerability that enables privilege escalation. If a user is tricked into running a malicious program, an attacker could execute code with full system privileges—potentially leading to complete system takeover.

Critical Windows Vulnerabilities in Remote Desktop Services

While none of the actively exploited Windows vulnerabilities are classified as critical, Microsoft has flagged five Remote Code Execution (RCE) vulnerabilities as severe risks. Two, in particular, stand out:

  • CVE-2025-24035 & CVE-2025-24045 – Both impact Remote Desktop Services (RDS), where an attacker could simply connect to a vulnerable RDS gateway to inject and execute malicious code.

Microsoft Office: 11 RCE Vulnerabilities Fixed

This month’s update also addressed 11 security flaws in Microsoft Office, all of which are Remote Code Execution (RCE) vulnerabilities. Notable fixes include:

  • CVE-2025-26630 – A zero-day vulnerability in Microsoft Access, which was publicly disclosed before this patch.
  • CVE-2025-24057 – The only critical vulnerability in this batch, which could potentially impact all Office applications.
  • Three RCE vulnerabilities each in Word and Excel, reinforcing the need for users to stay up to date with security patches.

Microsoft Edge: New Chromium-Based Security Fixes

Microsoft Edge’s latest security patch, version 134.0.3124.51 (March 6, 2025), includes a fix for an Edge-specific vulnerability (CVE-2025-26643). Notably, Google followed up with a security update for Chrome (version 134.0.6998.89) on March 10, addressing a zero-day vulnerability.
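A practical follow-up to the browser versions named above is confirming that endpoints actually run a build at or above the fixed one. The script below is an added example, not code from the article or from Microsoft or Google. It uses the two patched build numbers given in this section as thresholds; the host names and installed versions in the sample inventory are constructed test data, and how the installed version is collected (inventory export, management agent, etc.) is assumed to happen elsewhere. The point it demonstrates is that dotted build strings must be compared field by field as integers, because a plain string comparison orders "134.0.999.1" above "134.0.3124.51" and would report an unpatched host as fixed.

```python
"""Check whether installed browser builds meet the March 2025 fixed versions.

Added example, not part of the original article. The patched builds are the
ones the article names; everything under SAMPLE_INVENTORY is constructed.
"""
from typing import Iterable, List, Tuple

# Minimum fixed builds named in the article (March 2025).
PATCHED_BUILDS = {
    "edge": "134.0.3124.51",    # Edge release of March 6, 2025 (CVE-2025-26643)
    "chrome": "134.0.6998.89",  # Chrome release of March 10, 2025
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '134.0.3124.51' into (134, 0, 3124, 51) so comparison is numeric.

    Comparing the raw strings would be wrong: '134.0.999.1' sorts after
    '134.0.3124.51' lexically even though it is an older build.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, installed: str) -> bool:
    """True if the installed build is at or above the patched build for product."""
    required = parse_version(PATCHED_BUILDS[product])
    have = parse_version(installed)
    # Pad the shorter tuple with zeros so "134.0.3124" compares as "134.0.3124.0".
    width = max(len(required), len(have))
    required += (0,) * (width - len(required))
    have += (0,) * (width - len(have))
    return have >= required


def assess_inventory(
    inventory: Iterable[Tuple[str, str, str]]
) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries still below the fixed build."""
    return [
        (host, product, ver)
        for host, product, ver in inventory
        if not is_patched(product, ver)
    ]


# Constructed sample inventory; host names and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("ws-01", "edge", "134.0.3124.51"),    # exactly the patched build
    ("ws-02", "edge", "134.0.3124.35"),    # earlier build, needs update
    ("ws-03", "edge", "133.0.3065.92"),    # older major release, needs update
    ("ws-04", "chrome", "134.0.6998.89"),  # patched
    ("ws-05", "chrome", "134.0.6998.35"),  # needs update
    ("ws-06", "edge", "134.0.999.1"),      # a string compare would wrongly pass this
]


if __name__ == "__main__":
    for host, product, ver in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {ver} is below fixed build {PATCHED_BUILDS[product]}")
```

Running it lists ws-02, ws-03, ws-05 and ws-06 as needing the update; ws-06 is the case that a naive string comparison gets wrong. Versions with fewer fields than the threshold are padded with zeros, so "134.0.3124" is treated as older than "134.0.3124.51".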

Next Patch Tuesday: April 8, 2025

The next batch of security updates is scheduled for April 8, 2025. As cyber threats evolve, promptly installing security patches remains critical to minimizing risk.