Microsoft's March 2025 Patch Tuesday has addressed 57 security flaws, including seven zero-day vulnerabilities—six of which were already being actively exploited in the wild. Security researchers at ESET have revealed that one of these vulnerabilities, CVE-2025-24983, has been exploited since March 2023.
The vulnerability (CVE-2025-24983), classified as "Important" with a CVSS score of 7.0, involves a use-after-free flaw in the Windows Win32 Kernel Subsystem that allows attackers to gain SYSTEM-level privileges on compromised machines. According to ESET Research, attackers have been deploying this exploit through the "PipeMagic" backdoor.
The technical details reveal that exploitation requires winning a race condition in the Win32k driver. The vulnerability is triggered when the #WIN32PROCESS structure gets dereferenced once more than it should, causing a use-after-free (UAF) condition.
This flaw primarily affects older Windows operating systems, including Windows 8.1, Server 2012 R2, and Server 2016, but does not impact newer systems like Windows 11.
Other actively exploited zero-days in this update include multiple Windows NTFS vulnerabilities (CVE-2025-24984, CVE-2025-24991, CVE-2025-24993) that could be triggered by tricking users into mounting specially crafted VHD files.
Microsoft warns that these flaws could lead to information disclosure or remote code execution. The Fast FAT File System Driver also received a patch for CVE-2025-24985, which involves an integer overflow that allows code execution.
Additionally, Microsoft fixed a security feature bypass vulnerability in Microsoft Management Console (CVE-2025-26633) discovered by Aliakbar Zahravi from Trend Micro. This flaw could be exploited through social engineering tactics to convince users to open malicious files.
This month's update also addressed three "Critical" vulnerabilities affecting Windows Remote Desktop Services and the Windows Subsystem for Linux, which could potentially allow remote code execution.
The March security update follows recent patches from other major vendors. Broadcom fixed three zero-day flaws in VMware ESXi, Cisco addressed issues in WebEx and Small Business routers, and Google patched an exploited zero-day in Android's Linux kernel driver.
Security administrators are strongly advised to apply these patches promptly, particularly for systems affected by the actively exploited vulnerabilities.
Here is the complete list of security updates that resolved vulnerabilities in the March 2025 Patch Tuesday updates.
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| .NET | CVE-2025-24043 | WinDbg Remote Code Execution Vulnerability | Important |
| ASP.NET Core & Visual Studio | CVE-2025-24070 | ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability | Important |
| Azure Agent Installer | CVE-2025-21199 | Azure Agent Installer for Backup and Site Recovery Elevation of Privilege Vulnerability | Important |
| Azure Arc | CVE-2025-26627 | Azure Arc Installer Elevation of Privilege Vulnerability | Important |
| Azure CLI | CVE-2025-24049 | Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability | Important |
| Azure PromptFlow | CVE-2025-24986 | Azure Promptflow Remote Code Execution Vulnerability | Important |
| Kernel Streaming WOW Thunk Service Driver | CVE-2025-24995 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Local Security Authority Server (lsasrv) | CVE-2025-24072 | Microsoft Local Security Authority (LSA) Server Elevation of Privilege Vulnerability | Important |
| Microsoft Management Console | CVE-2025-26633 | Microsoft Management Console Security Feature Bypass Vulnerability | Important |
| Microsoft Office | CVE-2025-24083 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2025-26629 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2025-24080 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2025-24057 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office Access | CVE-2025-26630 | Microsoft Access Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-24081 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-24082 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-24075 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Word | CVE-2025-24077 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office Word | CVE-2025-24078 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office Word | CVE-2025-24079 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Streaming Service | CVE-2025-24046 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Streaming Service | CVE-2025-24067 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2025-25008 | Windows Server Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2024-9157 | Synaptics: CVE-2024-9157 Synaptics Service Binaries DLL Loading Vulnerability | Important |
| Remote Desktop Client | CVE-2025-26645 | Remote Desktop Client Remote Code Execution Vulnerability | Critical |
| Role: DNS Server | CVE-2025-24064 | Windows Domain Name Service Remote Code Execution Vulnerability | Critical |
| Role: Windows Hyper-V | CVE-2025-24048 | Windows Hyper-V Elevation of Privilege Vulnerability | Important |
| Role: Windows Hyper-V | CVE-2025-24050 | Windows Hyper-V Elevation of Privilege Vulnerability | Important |
| Visual Studio | CVE-2025-24998 | Visual Studio Elevation of Privilege Vulnerability | Important |
| Visual Studio | CVE-2025-25003 | Visual Studio Elevation of Privilege Vulnerability | Important |
| Visual Studio Code | CVE-2025-26631 | Visual Studio Code Elevation of Privilege Vulnerability | Important |
| Windows Common Log File System Driver | CVE-2025-24059 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| Windows Cross Device Service | CVE-2025-24994 | Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability | Important |
| Windows Cross Device Service | CVE-2025-24076 | Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability | Important |
| Windows exFAT File System | CVE-2025-21180 | Windows exFAT File System Remote Code Execution Vulnerability | Important |
| Windows Fast FAT Driver | CVE-2025-24985 | Windows Fast FAT File System Driver Remote Code Execution Vulnerability | Important |
| Windows File Explorer | CVE-2025-24071 | Microsoft Windows File Explorer Spoofing Vulnerability | Important |
| Windows Kernel Memory | CVE-2025-24997 | DirectX Graphics Kernel File Denial of Service Vulnerability | Important |
| Windows Kernel-Mode Drivers | CVE-2025-24066 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| Windows MapUrlToZone | CVE-2025-21247 | MapUrlToZone Security Feature Bypass Vulnerability | Important |
| Windows Mark of the Web (MOTW) | CVE-2025-24061 | Windows Mark of the Web Security Feature Bypass Vulnerability | Important |
| Windows NTFS | CVE-2025-24993 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2025-24984 | Windows NTFS Information Disclosure Vulnerability | Important |
| Windows NTFS | CVE-2025-24992 | Windows NTFS Information Disclosure Vulnerability | Important |
| Windows NTFS | CVE-2025-24991 | Windows NTFS Information Disclosure Vulnerability | Important |
| Windows NTLM | CVE-2025-24996 | NTLM Hash Disclosure Spoofing Vulnerability | Important |
| Windows NTLM | CVE-2025-24054 | NTLM Hash Disclosure Spoofing Vulnerability | Important |
| Windows Remote Desktop Services | CVE-2025-24035 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical |
| Windows Remote Desktop Services | CVE-2025-24045 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-24051 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important |
| Windows Subsystem for Linux | CVE-2025-24084 | Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability | Critical |
| Windows Telephony Server | CVE-2025-24056 | Windows Telephony Service Remote Code Execution Vulnerability | Important |
| Windows USB Video Driver | CVE-2025-24988 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important |
| Windows USB Video Driver | CVE-2025-24987 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important |
| Windows USB Video Driver | CVE-2025-24055 | Windows USB Video Class System Driver Information Disclosure Vulnerability | Important |
| Windows Win32 Kernel Subsystem | CVE-2025-24044 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important |
| Windows Win32 Kernel Subsystem | CVE-2025-24983 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important |