Microsoft Patches 7 Zero-Day Flaws in March Security Update
Microsoft released its monthly security update today, featuring fixes for an alarming seven zero-day flaws that should be patched as soon as possible. Six of the seven zero-day flaws, while not publicly disclosed, are already under active attack in the wild.
First up is CVE-2025-26630, a remote code execution flaw in Microsoft Access 2016, all supported versions of Microsoft Office and Office 365. According to Microsoft, if an attacker tricks a user into running malicious code (typically through a phishing attempt), the attacker would gain access to the machine and would be granted the ability to run additional code.
The next actively exploited flaw also concerns a remote code execution issue in all supported versions of Windows OS and Windows Server. CVE-2025-24993 is a vulnerability in Windows NTFS (New Technology File System). If it is left unpatched, an "attacker can trick a local user on a vulnerable system into mounting a specially crafted VHD that would then trigger the vulnerability," said Microsoft.
March's security update has also addressed an actively exploited security bypass issue in the Microsoft Management Console (CVE-2025-26633). On its own, this flaw won't do much damage. However, if an attacker exploits it (through a specially crafted email or instant message), they can gain access to a system and take down some of Windows' built-in safeguards, allowing for additional malicious code to be inserted in a follow-up attack.
The final two actively exploited vulnerabilities are information disclosure flaws in Windows and Windows Server. Both CVE-2025-24984 and CVE-2025-24991 are additional errors in Windows NTFS and could expose portions of heap memory. While both issues are difficult to exploit (typically requiring a malicious USB device used in person on a system), the fact that Microsoft has seen attacks taking advantage of the holes means they're not impossible to pull off.
This month's batch has one more zero-day flaw to take care of. While not under active attack like the previous six entries, this one has been publicly disclosed -- so the probability of active attacks appearing soon is high. CVE-2025-26630 is yet another remote code execution flaw in Microsoft Access, Office and Microsoft 365. If it is exploited, an attacker can remotely run malicious code on a targeted system once a user is tricked into clicking on a harmful link. However, according to Chris Goettl, VP of security products at Ivanti, this one may take some additional work for attackers to pull off.
"The disclosure could provide attackers with some additional information to formulate an exploit, but the lack of code samples will increase their efforts," said Goettl. "Risk-based prioritization would indicate a slightly higher risk for a disclosure without functional code, but not enough to bump this CVE up to critical."
Once those are handled, it's recommended that IT teams move to apply the five bulletin items rated "critical":
- CVE-2025-24057: Remote code execution flaw in Microsoft Office.
- CVE-2025-24064: Remote code execution flaw in Windows Domain Name Service.
- CVE-2025-24035: Remote code execution flaw in Windows Remote Desktop Services.
- CVE-2025-24045: Remote code execution flaw in Windows Remote Desktop Services.
- CVE-2025-24084: Remote code execution flaw in Windows Subsystem for Linux (WSL2) kernel.