Patch Tuesday - March 2025

Microsoft is addressing 57 vulnerabilities this March 2025 Patch Tuesday, which is a similar volume to last month. However, Microsoft has evidence of in-the-wild exploitation for as many as six of the vulnerabilities published today, and CISA KEV already lists all of them. Microsoft is also aware of public disclosure for one other vulnerability. This is now the sixth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also sees the publication of six critical remote code execution (RCE) vulnerabilities. Ten browser vulnerabilities have already been published separately this month, and are not included in the total.

Win32 kernel subsystem: zero-day EoP

Older Windows products receive a patch today for CVE-2025-24983, an elevation of privilege vulnerability in the Win32 kernel subsystem. Microsoft is aware of exploitation in the wild. Since no user interaction is required, and successful exploitation leads to SYSTEM privileges, this isn’t one to ignore, even though the attacker must win a race condition, which raises the bar for entry somewhat. Windows 11 and Server 2019 onwards are not listed as receiving patches, so are presumably not vulnerable. It’s not clear why newer Windows products dodged this particular bullet; the Win32 subsystem is still presumably alive and well, since there is no apparent mention of its demise on the Windows client OS deprecated features list.

NTFS USB attack: zero-day information disclosure

Defense-in-depth practitioners have been limiting and monitoring access to USB p ..