
Microsoft Patches 57 Security Flaws, Including 6 Actively Exploited Zero-Days

Mar 12, 2025 | Ravie Lakshmanan | Patch Tuesday / Vulnerability

Microsoft on Tuesday released security updates to address 57 security vulnerabilities in its software, including a whopping six zero-days that it said have been actively exploited in the wild.

Of the 56 flaws, six are rated Critical, 50 are rated Important, and one is rated Low in severity. Twenty-three of the addressed vulnerabilities are remote code execution bugs and 22 relate to privilege escalation.

The updates are in addition to 17 vulnerabilities Microsoft addressed in its Chromium-based Edge browser since the release of last month’s Patch Tuesday update, one of which is a spoofing flaw specific to the browser (CVE-2025-26643, CVSS score: 5.4).

The six vulnerabilities that have come under active exploitation are listed below –

  • CVE-2025-24983 (CVSS score: 7.0) – A Windows Win32 Kernel Subsystem use-after-free (UAF) vulnerability that allows an authorized attacker to elevate privileges locally
  • CVE-2025-24984 (CVSS score: 4.6) – A Windows NTFS information disclosure vulnerability that allows an attacker with physical access to a target device and the ability to plug in a malicious USB drive to potentially read portions of heap memory
  • CVE-2025-24985 (CVSS score: 7.8) – An integer overflow vulnerability in Windows Fast FAT File System Driver that allows an unauthorized attacker to execute code locally
  • CVE-2025-24991 (CVSS score: 5.5) – An out-of-bounds read vulnerability in Windows NTFS that allows an authorized attacker to disclose information locally
  • CVE-2025-24993 (CVSS score: 7.8) – A heap-based buffer overflow vulnerability in Windows NTFS that allows an unauthorized attacker to execute code locally
  • CVE-2025-26633 (CVSS score: 7.0) – An improper neutralization vulnerability in Microsoft Management Console that allows an unauthorized attacker to bypass a security feature locally

ESET, which is credited with discovering and reporting CVE-2025-24983, said it first discovered the zero-day exploit in the wild in March 2023, where it was delivered via a backdoor named PipeMagic on compromised hosts.


“The vulnerability is a use-after-free in Win32k driver,” the Slovakian company noted. “In a certain scenario achieved using the WaitForInputIdle API, the W32PROCESS structure gets dereferenced one more time than it should, causing UAF. To reach the vulnerability, a race condition must be won.”

PipeMagic, first discovered in 2022, is a plugin-based trojan that has targeted entities in Asia and Saudi Arabia, with the malware distributed in the form of a fake OpenAI ChatGPT application in late 2024 campaigns.

“One of the unique features of PipeMagic is that it generates a 16-byte random array to create a named pipe in the format \\.\pipe\1.,” Kaspersky revealed in October 2024. “It spawns a thread that continuously creates this pipe, reads data from it, and then destroys it.”

“This pipe is used for receiving encoded payloads, stop signals via the default local interface. PipeMagic usually works with multiple plugins downloaded from a command-and-control (C2) server, which, in this case, was hosted on Microsoft Azure.”
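The pipe-naming behaviour Kaspersky describes is a usable host-level detection signal. The following script is an added example, not code from the article, ESET or Kaspersky: it enumerates live named pipes on a Windows host and flags names matching the `1.<random>` scheme. The article's quote is truncated after `\\.\pipe\1.`, so the exact encoding of the 16-byte random array is an assumption here (hex, giving 32 characters); the regex, the function names and the sample pipe list are all constructed for illustration.

```python
import os
import re
import sys
from typing import Iterable, List

# ASSUMPTION: the 16-byte random array is hex-encoded, so the pipe name is
# "1." followed by 32 hex characters. The article only shows the "\\.\pipe\1."
# prefix; adjust the pattern if the observed encoding differs.
PIPEMAGIC_NAME_RE = re.compile(r"^1\.[0-9a-fA-F]{32}$")


def suspicious_pipes(pipe_names: Iterable[str]) -> List[str]:
    """Return the pipe names that match the assumed PipeMagic naming scheme."""
    return [name for name in pipe_names if PIPEMAGIC_NAME_RE.match(name)]


def list_named_pipes() -> List[str]:
    """Enumerate live named pipes on a Windows host; returns [] elsewhere.

    Listing the \\.\pipe\ directory is a standard way to see open pipes.
    Because PipeMagic re-creates and destroys its pipe in a loop, a single
    snapshot can miss it; run this repeatedly or hook it into a scheduled check.
    """
    if sys.platform != "win32":
        return []
    return os.listdir(r"\\.\pipe\\")


# Constructed sample pipe names (not captured from a real host) so the
# detection logic can be exercised offline.
SAMPLE_PIPES = [
    "lsass",
    "srvsvc",
    "1.3f9a2c7b1d0e4a5f8b6c2d1e0f9a8b7c",  # matches the assumed scheme
    "1.notahexstring",                      # wrong charset/length, ignored
    "mojo.1234.5678.9",
]


if __name__ == "__main__":
    # Prefer the live host's pipes; fall back to the sample on non-Windows.
    names = list_named_pipes() or SAMPLE_PIPES
    for hit in suspicious_pipes(names):
        print(f"suspicious named pipe: \\\\.\\pipe\\{hit}")
```

A match is a lead, not a verdict: pair it with the owning process (for example via handle enumeration or Sysmon pipe-created events, Event ID 17) before acting on it.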

The Zero Day Initiative noted that CVE-2025-26633 stems from how MSC files are handled, allowing an attacker to evade file reputation protections and execute code in the context of the current user. The activity has been linked to a threat actor tracked as EncryptHub (aka LARVA-208).

Action1 pointed out that threat actors could chain the four vulnerabilities affecting core Windows file system components to cause remote code execution (CVE-2025-24985 and CVE-2025-24993) and information disclosure (CVE-2025-24984 and CVE-2025-24991). All four bugs were reported anonymously.

“Specifically, the exploit relies on the attacker crafting a malicious VHD file and convincing a user to open or mount a VHD file,” Kev Breen, senior director of threat research at Immersive, said. “VHDs are Virtual Hard Disks and are typically associated with storing the operating system for virtual machines.”

“Whilst they are more typically associated with Virtual Machines, we have seen examples over the years where threat actors use VHD or VHDX files as part of phishing campaigns to smuggle malware payloads past AV solutions. Depending on the configuration of Windows systems, simply double-clicking on a VHD file could be enough to mount the container and, therefore, execute any payloads contained within the malicious file.”

According to Satnam Narang, senior staff research engineer at Tenable, CVE-2025-26633 is the second flaw in MMC to be exploited in the wild as a zero-day, after CVE-2024-43572, and CVE-2025-24985 is the first vulnerability in the Windows Fast FAT File System Driver since March 2022. It’s also the first to be exploited in the wild as a zero-day.


As is customary, it’s currently not known how the remaining vulnerabilities are being exploited, in what context, or at what scale. The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add them to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by April 1, 2025.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —
