Microsoft Patches 58 Security Flaws, Warns of Six Actively Exploited Windows Vulnerabilities
Microsoft’s March 2025 Patch Tuesday has rolled out security updates addressing 58 newly identified vulnerabilities across Windows, Office, and Edge. Of particular concern, six vulnerabilities in Windows are currently being exploited, and an additional zero-day vulnerability in Office was already publicly known before the patch.
Windows Security: 37 Vulnerabilities Patched
Among the 58 total fixes, 37 vulnerabilities were found in Windows, covering the versions of Windows Server, Windows 10, and Windows 11 that still receive security updates. Microsoft also reminds users that Windows 10 support ends later this year, and urges those on older hardware to upgrade to Windows 10 (22H2) or Windows 11 (24H2) to maintain protection.
For users still running Windows 7 or Windows 8.1, the lack of security updates significantly increases their exposure to cyberattacks, making upgrading an urgent priority.
Windows Vulnerabilities Under Active Attack
Microsoft has confirmed six Windows vulnerabilities are actively being exploited, though it has not provided details on the scale of these attacks. Security researchers at Trend Micro’s ZDI, including Dustin Childs, have analyzed the threats:
- CVE-2025-26633 – A Microsoft Management Console (MMC) vulnerability exploited by EncryptHub (Larva-208), a threat actor group responsible for over 600 confirmed attacks. The exploit involves malicious MSC files that allow attackers to bypass security protections and execute commands.
- CVE-2025-24993 & CVE-2025-24985 – Two file system vulnerabilities that can be exploited when users mount a specially crafted Virtual Hard Drive (VHD) file. The NTFS-related flaw enables Remote Code Execution (RCE), while the FAT-related flaw could escalate to system takeover when combined with privilege escalation exploits.
- CVE-2025-24983 – A Win32 kernel subsystem vulnerability that, when exploited, allows an attacker to run code with system-level privileges. If combined with an RCE exploit, this flaw could enable full control of a compromised system.
Critical Windows Vulnerabilities: Remote Desktop Services at Risk
Although none of the currently exploited Windows vulnerabilities are categorized as critical, Microsoft has identified five critical Remote Code Execution (RCE) flaws. The two most pressing are:
- CVE-2025-24035 & CVE-2025-24045 – Both impact Remote Desktop Services (RDS). Attackers only need to connect to a vulnerable RDS gateway to execute arbitrary code, making these vulnerabilities high-priority risks.
Microsoft Office Security Fixes: 11 RCE Flaws Addressed
Microsoft has patched 11 security vulnerabilities in Office, all categorized as Remote Code Execution (RCE) flaws. Key highlights include:
- CVE-2025-26630 – A zero-day vulnerability in Microsoft Access that was publicly known before this patch, increasing its risk level.
- CVE-2025-24057 – The only critical vulnerability in this update, with potential impact across all Office applications.
- Word and Excel each received three separate RCE vulnerability patches, reinforcing the importance of installing updates immediately.
Microsoft Edge: Security Updates Following Chrome’s Fix
Microsoft Edge has been updated to version 134.0.3124.51 (March 6, 2025), which patches a browser-specific vulnerability (CVE-2025-26643). Google followed with an update to Chrome (134.0.6998.89) on March 10, addressing a separate zero-day vulnerability.
Looking Ahead: Next Patch Tuesday on April 8, 2025
The next wave of security updates is scheduled for April 8, 2025. Given the active exploitation of vulnerabilities this month, timely patching is essential to minimize risks and maintain system security.