
Microsoft has rolled out security updates to fix 57 vulnerabilities in its software, including six critical zero-day flaws that have been actively exploited.
Among these vulnerabilities, six are classified as Critical, 50 as Important, and one as Low in severity. A total of 23 flaws involve remote code execution, while 22 pertain to privilege escalation.
Additionally, Microsoft has addressed 17 vulnerabilities in its Chromium-based Edge browser since last month’s Patch Tuesday update. This includes a spoofing flaw specific to the browser (CVE-2025-26643, CVSS score: 5.4).
Zero-Day Vulnerabilities Under Active Exploitation
The following six vulnerabilities have been actively targeted:
CVE-2025-24983 (CVSS score: 7.0): A use-after-free (UAF) vulnerability in the Windows Win32 Kernel Subsystem, allowing local privilege escalation for authorized attackers.
CVE-2025-24984 (CVSS score: 4.6): An information disclosure flaw in Windows NTFS, enabling attackers with physical access to read portions of heap memory using a malicious USB drive.
CVE-2025-24985 (CVSS score: 7.8): An integer overflow issue in the Windows Fast FAT File System Driver that permits unauthorized local code execution.
CVE-2025-24991 (CVSS score: 5.5): An out-of-bounds read vulnerability in Windows NTFS that can lead to local information disclosure.
CVE-2025-24993 (CVSS score: 7.8): A heap-based buffer overflow vulnerability in Windows NTFS, allowing unauthorized attackers to execute code locally.
CVE-2025-26633 (CVSS score: 7.0): A flaw in Microsoft Management Console (MMC) that enables unauthorized attackers to bypass security features locally.
Discovery and Exploitation Details
Security firm ESET, which discovered CVE-2025-24983, reported first detecting exploitation of this zero-day in March 2023, when it was delivered through a backdoor named PipeMagic on compromised systems.
“The security flaw is identified as a use-after-free issue within the Win32k driver,” ESET reported. “When the WaitForInputIdle API is used in a specific way, the W32PROCESS structure gets dereferenced more times than necessary, leading to UAF. Exploitation requires winning a race condition.”
PipeMagic, originally discovered in 2022, is a plugin-based trojan that has primarily targeted organizations in Asia and Saudi Arabia. In late 2024, cybercriminals distributed it as a fake OpenAI ChatGPT application.
“A distinguishing characteristic of PipeMagic is its ability to generate a 16-byte random array, which it uses to create a named pipe following the format \\.\pipe\1.,” Kaspersky disclosed in an October 2024 report. “This mechanism repeatedly establishes and removes the pipe, enabling the reception of encoded payloads and termination signals through a standard local interface.”
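The pipe-naming behaviour described above is the kind of artifact a detection engineer can hunt for in endpoint telemetry. The following script is an added example written for this article; it is not code from ESET, Kaspersky or Microsoft. It assumes a constructed, simplified log format (timestamp, pid, create/close event, pipe name) rather than any real product's schema, assumes the 16-byte random value is rendered as 32 hex digits after the fixed `1.` prefix, and treats three or more creates of such a pipe by one process as suspicious churn; all three are assumptions to tune against real telemetry.

```python
"""Hunt for named-pipe activity matching the PipeMagic pattern: pipes named
\\.\pipe\1.<hex> that one process creates and removes repeatedly.
Added example for this article; log format below is constructed."""
import re
from collections import defaultdict

# Assumption: the 16-byte random array is encoded as 32 hex digits after the
# fixed "1." prefix. Adjust the width if real telemetry shows otherwise.
PIPE_NAME_RE = re.compile(r"^\\\\\.\\pipe\\1\.([0-9a-f]{32})$", re.IGNORECASE)

# Constructed log line format (not a real product schema):
#   "<timestamp> pid=<n> event=<create|close> pipe=<full pipe path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) event=(?P<event>\w+) pipe=(?P<pipe>\S+)$"
)

# Constructed sample telemetry: pid 4321 cycles a PipeMagic-style pipe three
# times, pid 777 uses an ordinary application pipe, pid 999 creates a
# matching pipe only once (below the churn threshold).
SAMPLE_LOG = [
    r"2025-03-12T10:00:01Z pid=4321 event=create pipe=\\.\pipe\1.3f9a0c2e4b7d81aa5e6c0d1f2a3b4c5d",
    r"2025-03-12T10:00:02Z pid=777 event=create pipe=\\.\pipe\MyAppUpdater",
    r"2025-03-12T10:00:03Z pid=4321 event=close pipe=\\.\pipe\1.3f9a0c2e4b7d81aa5e6c0d1f2a3b4c5d",
    r"2025-03-12T10:00:04Z pid=4321 event=create pipe=\\.\pipe\1.3f9a0c2e4b7d81aa5e6c0d1f2a3b4c5d",
    r"2025-03-12T10:00:05Z pid=999 event=create pipe=\\.\pipe\1.00112233445566778899aabbccddeeff",
    r"2025-03-12T10:00:06Z pid=4321 event=close pipe=\\.\pipe\1.3f9a0c2e4b7d81aa5e6c0d1f2a3b4c5d",
    r"2025-03-12T10:00:07Z pid=4321 event=create pipe=\\.\pipe\1.3f9a0c2e4b7d81aa5e6c0d1f2a3b4c5d",
    r"this line is malformed and must be skipped",
]


def matches_pipemagic_name(pipe_name):
    """True if the pipe path follows the \\.\pipe\1.<32 hex> pattern."""
    return PIPE_NAME_RE.match(pipe_name) is not None


def parse_events(lines):
    """Parse log lines into dicts; silently drop lines that do not fit."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_pipemagic_candidates(lines, min_cycles=3):
    """Return {pid: [pipe names]} for processes that created a pipe matching
    the PipeMagic naming pattern at least `min_cycles` times. Repeated
    create events for the same name are the churn the report describes."""
    creates = defaultdict(list)
    for ev in parse_events(lines):
        if ev["event"].lower() == "create" and matches_pipemagic_name(ev["pipe"]):
            creates[ev["pid"]].append(ev["pipe"])
    return {pid: names for pid, names in creates.items() if len(names) >= min_cycles}


if __name__ == "__main__":
    for pid, names in find_pipemagic_candidates(SAMPLE_LOG).items():
        print(f"pid {pid}: {len(names)} creates of PipeMagic-style pipe {names[0]}")
```

The name regex alone will produce false positives on any software that happens to use a `1.` prefix, so the churn count is what makes the signal useful; in a real deployment the pid would be joined back to process image and parent to triage the hit.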
The Zero Day Initiative noted that CVE-2025-26633 originates from how MSC files are handled, allowing attackers to evade file reputation protections and execute code within the current user’s context. The exploit has been attributed to a hacker group known as EncryptHub (LARVA-208).
Exploitable File System Vulnerabilities
Security firm Action1 indicated that attackers could chain four vulnerabilities in the Windows file system to enable remote code execution (CVE-2025-24985, CVE-2025-24993) and information disclosure (CVE-2025-24984, CVE-2025-24991). These flaws were reported anonymously.
“The attack involves crafting a malicious VHD file and tricking a user into opening or mounting it,” explained Kev Breen, Senior Director of Threat Research at Immersive Labs. “Since VHDs (Virtual Hard Disks) are commonly used for storing virtual machine operating systems, attackers can embed malware payloads in them. In some Windows configurations, simply double-clicking a VHD file could be enough to execute malicious payloads.”
Tenable researcher Satnam Narang noted that CVE-2025-26633 is the second zero-day vulnerability in MMC to be actively exploited, following CVE-2024-43572. Meanwhile, CVE-2025-24985 is the first zero-day flaw in the Windows Fast FAT File System Driver since March 2022.
It is not yet known how the other vulnerabilities are being exploited or how widespread those attacks are. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch them by April 1, 2025.
Security Patches from Other Vendors
In addition to Microsoft, various tech companies have released security updates to fix critical vulnerabilities, including:
Google Android, Pixel, Chrome, Cloud, and Wear OS
HP & HP Enterprise (Aruba Networking)
Linux Distributions (Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, Ubuntu)