Across January and February combined, Windows users had already been exposed to a total of five so-called zero-day exploits where attackers had already struck in the wild before a patch could be made available. March has just beaten that with a worrying six Windows zero-days being confirmed by Microsoft in the latest Patch Tuesday security announcement. Here’s what you need to know.
Windows Operating System Security Patches Should Be your Top Priority This Month
You might be excused for thinking, at least after a casual glance, that this month Microsoft’s Patch Tuesday security round up is nothing too dramatic. After all, the overall Common vulnerabilities and Exposures count is relatively low at “just” 57. However, as Tyler Reguly, associate director of security research and development at Fortra, said, “buckle up because admins may be in for a ride.” With six zero-day vulnerabilities listed as exploit detected, and six where Microsoft has labeled the severity as critical, this is not the time to sit back and relax. Quite the opposite, in fact. The good news, Reguly said, is that all six of the exploit detected zero-days are resolved with the monthly cumulative update. “This means a single update to roll out to fix all of these at once,” Reguly concluded, with none of them requiring any post-patch configuration steps.
Chris Goettl, vice president of security product management at Ivanti, meanwhile, said that in the Midwest there’s a saying about March which goes in like a lion, out like a lamb. “At first glance, the March Patch Tuesday looks like a lamb, but this lamb might have the teeth of a lion,” Goettl continued. The teeth being referred to are, of course, those zero-days. “The zero-day exploits affect the Microsoft Management Console, NTFS, Fast FAT, and the Win32 Kernel Subsystem,” Goettl said. As such, Goettl recommended that this Windows operating system update should be the top priority update this month.
The Six Windows Zero-Days In Detail
CVE-2025-26633 is a security feature bypass in the Microsoft Management Console. “An attacker needs to convince a potential target that is either a standard user or has admin privileges to open a malicious file to exploit this vulnerability,” Satnam Narang, a senior staff research engineer at Tenable, said, “and social engineering is certainly one of the easiest ways to make this happen.”
CVE 2024-24993 is a heap-based buffer overflow vulnerability within Windows NTFS. “An attacker can potentially exploit this issue by prompting users to mount a specially crafted virtual hard disk,” Henry Smith, a senior security engineer at Automox, said. A successful zero-day attack using this vulnerability could result in an unauthorized attacker executing arbitrary code locally.
CVE-2025-24991 is an information disclosure vulnerability in Windows NTFS that affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. “Risk-based prioritization warrants treating this vulnerability as critical,” Goettl warned.
CVE-2025-24985 is a vulnerability within the Windows fast FAT file system driver, the first to be detected for three years. “It was reported anonymously,” Narang said, “so we don’t have any specific details around it.” What we do know is that it could lead to remote code execution if a user is tricked into mounting a specially crafted virtual hard disk.
CVE-2025-24983 is a Windows Win32 kernel subsystem elevation of privilege vulnerability that, if successfully exploited, could give unauthorized access to sensitive data, credentials, encryption keys, and system information. “CVE-2025-24983 provides a direct path from low privileges to SYSTEM access,” Alex Vovk, CEO and co-founder of Action1, said, “making it an attractive target for attackers with initial access via phishing, malware, compromised credentials, or insider threats.”
CVE-2025-24984 is another information disclosure vulnerability in Windows NTFS that affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. As with CVE-2025-24991, Goettl said that risk-based prioritization warrants treating this vulnerability as critical.
