Microsoft Patches a Whopping Seven Zero-Days in March
Microsoft’s March Patch Tuesday has put more pressure on system administrators, with over 50 new vulnerabilities to fix including seven zero-days.

Of these seven, six are being actively exploited in the wild. They are:

  • CVE-2025-26633: A security feature bypass in Microsoft Management Console with a CVSS score of 7.0
  • CVE-2025-24993: A remote code execution (RCE) vulnerability in Windows NTFS with a CVSS score of 7.8
  • CVE-2025-24991: An information disclosure vulnerability in Windows NTFS with a CVSS score of 5.5
  • CVE-2025-24985: An RCE vulnerability in Windows Fast FAT File System Driver with a CVSS score of 7.8
  • CVE-2025-24984: An information disclosure bug in Windows NTFS with a CVSS score of 4.6
  • CVE-2025-24983: An elevation of privilege (EoP) vulnerability in Windows Win32 Kernel Subsystem with a CVSS score of 7.0

Microsoft also released details of a zero-day vulnerability which has been publicly disclosed but not yet exploited. CVE-2025-26630 is an RCE vulnerability in Microsoft Access. It has a CVSS score of 7.8, which ranks it as “important.”

“The disclosure could provide attackers with some additional information to formulate an exploit, but the lack of code samples will increase their efforts,” explained Ivanti VP of security product management, Chris Goettl. “Risk-based prioritization would indicate a slightly higher risk for a disclosure without functional code, but not enough to bump this CVE up to critical.”

In total, there were 23 EoP and 23 RCE vulnerabilities listed this month. All six “critical” rated CVEs were RCE vulnerabilities. They include CVE-2025-24084, which affects the Windows Subsystem for Linux (WSL2) kernel.

“The advisory describes multiple possible attack vectors, but in the worst case, there is no requirement for user interaction, since simply receiving a malicious email would be enough to trigger the vulnerability,” explained Rapid7 lead software engineer, Adam Barnett. “The advisory does not clarify the context of code execution, but the magic email attack vector is alarming. Patch accordingly.”

Another critical RCE bug fixed this month is CVE-2025-26645, which affects the widely used Remote Desktop Client (the RDP client). Barnett warned that it could give threat actors an easy means of achieving lateral movement through a victim’s network.

“How much do you trust the RDP server you’re about to connect to?” he asked. “An attacker in control of a malicious RDP server simply has to wait for a client vulnerable to CVE-2025-26645 to connect in order to achieve remote code execution on the client.”


Image credit: CHERRY.JUICE / Shutterstock.com
