Microsoft Patches Six Zero-Days in March 2025 Patch Tuesday

Figure 1: Visual representation of the BeyondTrust vulnerability chain

On March 11, 2025, Microsoft published its monthly security update bundle containing fixes for more than 50 vulnerabilities across Windows operating systems and related products. Six of these vulnerabilities were already under active exploitation at the time of disclosure.

The zero-day vulnerabilities addressed in the release include:

CVE-2025-24991 and CVE-2025-24993 affect NTFS, the default file system for Windows and Windows Server. Both require an attacker to trick a target into mounting a malicious virtual hard disk. CVE-2025-24993 enables local code execution, while CVE-2025-24991 causes NTFS to disclose portions of memory, according to Microsoft's advisory.

CVE-2025-24983 is an elevation of privilege vulnerability in older Windows versions. ESET researcher Filip Jurčacko discovered the flaw and reported it to Microsoft. ESET stated the exploit was deployed via the PipeMagic backdoor, which is capable of exfiltrating data and enabling remote access to compromised machines.

CVE-2025-24984 is another NTFS weakness that can be exploited by inserting a malicious USB drive into a Windows computer. According to Rapid7's Adam Barnett, successful exploitation appears to mean that portions of heap memory could be improperly dumped into a log file, which an attacker could then search for privileged information.

CVE-2025-24985 allows attackers to install malicious code. Like the other NTFS vulnerabilities, exploitation requires the user to mount a malicious virtual hard drive.

CVE-2025-26633 affects the Microsoft Management Console, a component that gives system administrators a way to configure and monitor Windows systems. Exploiting the flaw requires the target to open a malicious file.

Microsoft confirmed all six vulnerabilities were under active exploitation at the time of patch release. The company's Security Response Center published individual advisories for each CVE with technical details and affected product versions.

ESET credited researcher Filip Jurčacko with discovering CVE-2025-24983. The security firm stated the exploit was deployed through the PipeMagic backdoor in observed attacks. ESET noted the vulnerability itself is present in newer Windows OS versions including Windows 10 build 1809 and the still-supported Windows Server 2016, though the exploit in the wild targeted only older versions: Windows 8.1 and Server 2012 R2.

Rapid7's lead software engineer Adam Barnett observed that Windows 11 and Server 2019 onwards are not listed as receiving patches for CVE-2025-24983, suggesting they are not vulnerable. Barnett noted the Windows 32 subsystem appears to still be active, as there is no apparent mention of its removal on the Windows client OS deprecated features list.

For CVE-2025-24984, Microsoft assigned a CVSSv3 base score of 4.6. Barnett stated this relatively low score reflects the practical difficulties of real-world exploitation, though Microsoft rates the vulnerability as important on its proprietary severity ranking scale.

Figure 2: How the authentication bypass vulnerability works

Organizations that apply the March 2025 patches promptly gain protection against six actively exploited vulnerabilities. The patches address attack vectors spanning USB-based attacks, malicious virtual hard disk mounting, and file-based exploitation of the Microsoft Management Console.

Security teams receive detailed technical information through Microsoft's Security Response Center advisories, enabling informed prioritization of patch deployment. The SANS Internet Storm Center published a list of all Microsoft patches indexed by severity, providing additional guidance for enterprise administrators.

The disclosure of CVE-2025-24983 by ESET demonstrates the value of coordinated vulnerability disclosure between security researchers and vendors. Organizations benefit from the research community's efforts to identify and report vulnerabilities before they cause widespread damage.

The six zero-days were already under active exploitation before patches became available. Organizations that cannot apply updates immediately remain exposed to attacks leveraging these vulnerabilities.

Several of the vulnerabilities require user interaction for exploitation, such as mounting a malicious virtual hard disk or opening a malicious file. Social engineering attacks targeting employees could enable exploitation even in organizations with otherwise strong security postures.

CVE-2025-24984 can be exploited through physical access via a malicious USB drive. Organizations with inadequate physical security controls or permissive USB policies face elevated risk from this attack vector.

Legacy systems running Windows 8.1 and Server 2012 R2 face particular exposure to CVE-2025-24983. Security support for these products ended more than a year before March 2025, and mainstream support ended years earlier. Organizations still running these systems may face difficult decisions about upgrade timelines.

Barnett noted that Microsoft has not rated any of the zero-days as critical severity at the time of publication for six consecutive months. Security teams relying solely on Microsoft's severity ratings for prioritization may underestimate the urgency of patching actively exploited vulnerabilities.

Figure 3: Privilege escalation from user to SYSTEM level

The NTFS vulnerabilities (CVE-2025-24991, CVE-2025-24993, CVE-2025-24984, CVE-2025-24985) exploit weaknesses in how Windows handles the NTFS file system. NTFS is the default file system for Windows operating systems and Windows Server, managing how data is stored and retrieved from storage devices.

Virtual hard disk (VHD) files are container formats that represent a virtual hard drive. Windows can mount VHD files as if they were physical drives, enabling access to the file system contained within. The NTFS vulnerabilities exploiting VHD mounting take advantage of how Windows processes the file system structures within malicious VHD files.

CVE-2025-24984 exploits NTFS through USB drives. When a malicious USB drive is inserted, the vulnerability causes portions of heap memory to be improperly written to a log file. Heap memory can contain sensitive information from running processes, potentially exposing credentials or other privileged data.

CVE-2025-24983 is an elevation of privilege vulnerability. Elevation of privilege attacks allow an attacker who already has limited access to a system to gain higher-level permissions, potentially achieving full administrative control. The PipeMagic backdoor used to deploy this exploit provides attackers with initial access and data exfiltration capabilities.

The Microsoft Management Console (MMC) vulnerability CVE-2025-26633 affects a Windows component used by system administrators. MMC provides a framework for hosting administrative tools called snap-ins. The vulnerability requires opening a malicious file, suggesting the flaw exists in how MMC parses or processes certain file types.

Technical context (optional): The CVSSv3 base score of 4.6 for CVE-2025-24984 reflects factors including the requirement for physical access (attack vector: physical) and the limited scope of information disclosure. However, CVSS scores do not account for active exploitation, which elevates the practical risk regardless of the base score.

The March 2025 Patch Tuesday release continues a pattern of monthly zero-day disclosures from Microsoft. Security teams must maintain continuous patch management processes to address actively exploited vulnerabilities as they are disclosed.

The involvement of the PipeMagic backdoor in CVE-2025-24983 exploitation indicates organized threat actors are leveraging these vulnerabilities. PipeMagic's capabilities for data exfiltration and remote access suggest the attacks may be part of broader intrusion campaigns rather than opportunistic exploitation.

Enterprise environments face ongoing challenges balancing patch deployment speed against testing requirements. The six zero-days under active exploitation create pressure for rapid deployment, while the potential for patch-related disruptions necessitates careful validation.

The continued presence of Windows 8.1 and Server 2012 R2 systems in production environments exposes organizations to vulnerabilities that may not receive patches. Microsoft's extended security update programs provide some coverage, but organizations must evaluate the cost-benefit of maintaining legacy systems versus migration to supported platforms.

Confirmed:

• Microsoft released patches for six zero-day vulnerabilities on March 11, 2025
• All six vulnerabilities were under active exploitation at the time of disclosure
• ESET discovered CVE-2025-24983 and observed its deployment via the PipeMagic backdoor
• The exploit for CVE-2025-24983 targeted Windows 8.1 and Server 2012 R2 in observed attacks
• Windows 11 and Server 2019 onwards do not appear to be affected by CVE-2025-24983
• Microsoft also patched six additional critical vulnerabilities in the same release

Open Questions:

• The specific threat actors deploying the PipeMagic backdoor and CVE-2025-24983 exploit have not been publicly identified
• The full scope of organizations affected by the active exploitation campaigns remains unclear
• Microsoft has not explained why newer Windows versions are not vulnerable to CVE-2025-24983 despite the Windows 32 subsystem remaining active

Enterprise administrators should monitor the SANS Internet Storm Center and AskWoody.com for reports of any issues caused by the March 2025 patches. Historical Patch Tuesday releases have occasionally caused compatibility problems that emerge after widespread deployment.

Security researchers may publish additional technical analysis of the zero-day vulnerabilities in the coming weeks. Such analysis could reveal additional attack vectors or affected configurations not covered in Microsoft's initial advisories.

Organizations should track whether Microsoft updates the severity ratings for any of the zero-days. The pattern of not rating actively exploited vulnerabilities as critical at publication time may change based on observed exploitation scope.

The next Patch Tuesday release is scheduled for April 2025. Security teams should prepare for the possibility of additional zero-day disclosures continuing the pattern observed over the previous six months.

1. Krebs on Security, "Microsoft: 6 Zero-Days in March 2025 Patch Tuesday," March 11, 2025. https://krebsonsecurity.com/2025/03/microsoft-6-zero-days-in-march-2025-patch-tuesday/

2. Microsoft Security Response Center, "March 2025 Security Updates," March 11, 2025. https://msrc.microsoft.com/update-guide/releaseNote/2025-Mar

3. BleepingComputer, "Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws," March 11, 2025. https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2025-patch-tuesday-fixes-7-zero-days-57-flaws/