{"id":23903,"date":"2025-03-12T13:00:37","date_gmt":"2025-03-12T09:00:37","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=23903"},"modified":"2025-03-12T13:00:37","modified_gmt":"2025-03-12T09:00:37","slug":"march-2025-patch-tuesday","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/march-2025-patch-tuesday\/23903\/","title":{"rendered":"Six Microsoft vulnerabilities being actively exploited"},"content":{"rendered":"

In its monthly Patch Tuesday<\/em> update, Microsoft has provided patches for six vulnerabilities that are being actively exploited in the wild. Four of these vulnerabilities are related to file systems \u2014 three of which having the same trigger, which may indicate that they\u2019re being used in one and the same attack, or at least by the same actor. The details of their exploitation are still publicly undisclosed (fortunately), but the latest update is highly recommended for immediate installation.<\/p>\n

File system vulnerabilities<\/h2>\n

Two of the vulnerabilities were found in the NTFS system. They allow attackers to gain access to parts of the heap<\/a> \u2014 that is, to dynamically allocated application memory. Interestingly, the first of them, CVE-2025-24984<\/a> (4.6 on the CVSS scale), implies physical access of the attacker to the victim\u2019s computer (they need to insert a malicious drive into the USB slot). To exploit the second information disclosure vulnerability, CVE-2025-24991<\/a> (CVSS 5.5), attackers need to somehow force a local user to mount a malicious virtual hard disk (VHD).<\/p>\n

The other two file system vulnerabilities \u2014 CVE-2025-24985<\/a> in the Fast FAT file system driver, and CVE-2025-24993<\/a> in NTFS \u2014 are triggered in the same way by mounting a VHD prepared by the attackers. However, their exploitation leads to remote execution of arbitrary code on the attacked machine (RCE). Both vulnerabilities have a CVSS rating of 7.8.<\/p>\n

Other exploited vulnerabilities<\/h2>\n

The CVE-2025-24983<\/a> (CVSS 7.0) vulnerability was found in the Windows Win32 kernel subsystem. It can allow attackers to elevate their privileges to the system level. To exploit it, attackers need to win the race condition<\/a>.<\/p>\n

The latest vulnerability from the list of actively exploited ones, CVE-2025-26633<\/a> (also CVSS 7.0), allows bypassing the security mechanisms of the Microsoft Management Console. The description provides two scenarios for its exploitation; however, both are related to the delivery of a malicious file to the victim, which must then be run. The first scenario involves delivering the file in an email attachment; the second \u2014 delivering a link through an instant messaging program, or, again, via email. According to information<\/a> from the Zero Day Initiative researchers, who brought this vulnerability to Microsoft\u2019s attention, it\u2019s used by the EncryptHub ransomware group, also known as Larva-208.<\/p>\n

And another zero-day vulnerability<\/h2>\n

In addition to the six vulnerabilities used in active attacks, the update from Microsoft also closes CVE-2025-26630<\/a> in Microsoft Access, which has not yet been used by attackers \u2014 though it could well be since, according to Microsoft, it\u2019s been publicly known of for some time. This vulnerability has a CVSS rating of 7.8, and its exploitation leads to the execution of arbitrary code. However, the description emphasizes that to exploit it it needs to be opened on the attacked machine, and the Preview Pane is not an attack vector.<\/p>\n

Other vulnerabilities<\/h2>\n

The note about the preview mechanism in the description of CVE-2025-26630 is not accidental \u2014 the update also contains a patch for the RCE vulnerability CVE-2025-24057<\/a>, which is quite exploitable through the Preview Pane. In addition, Microsoft closed more vulnerabilities classified as critical, but not yet exploited. All of them also allow remote arbitrary code execution:<\/p>\n