Introduction
This document outlines three significant security vulnerabilities affecting various components of the Windows operating system. These vulnerabilities, identified as CVE-2025-26633 [2], CVE-2025-24993 [1] [2] [3] [4] [5] [6] [7] [8] [9], and CVE-2025-24985 [1] [2] [3] [4] [5] [6] [8] [9], have been exploited in the wild as zero-day threats and are included in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog. Each vulnerability poses a substantial risk to system integrity and requires prompt attention and remediation.
Description
CVE-2025-26633 is a security feature bypass vulnerability in the Microsoft Management Console (MMC) [1] [3] [4] [8] [9], a component of Windows utilized by system administrators for configuration and monitoring [5]. It has a CVSSv3 score of 7.8 and is rated important. An attacker can exploit this vulnerability by convincing a target with standard user or admin privileges to open a malicious file or click on a link [4] [9], typically delivered through email or messaging apps [6]. This flaw has been reported as exploited in the wild as a zero-day [4] [9], marking the second zero-day in the MMC since CVE-2024-43572 [4] [9], a remote code execution vulnerability that was patched in October 2024 [4] [9]. Additionally, CVE-2025-26633 is included in CISA’s Known Exploited Vulnerabilities Catalog [3] [7], with a patch requested before April 1, 2025 [3], and further guidance available in CISA’s BOD 22-01.
CVE-2025-24993 is a remote code execution (RCE) vulnerability in the Windows New Technology File System (NTFS) [4] [9], rated with a CVSSv3 score of 7.8 and classified as important. This vulnerability involves a heap-based buffer overflow that can be exploited to execute arbitrary code on an affected system [4] [9]. An attacker must entice a local user to mount a specially crafted virtual hard disk (VHD) to exploit this flaw, which could lead to local code execution or the disclosure of memory contents [8]. This vulnerability has also been reported as exploited in the wild as a zero-day [9]; successful exploitation allows attackers to install programs, view, change, or delete data, or create new accounts with full user rights [2]. CVE-2025-24993 has been added to CISA’s Known Exploited Vulnerabilities Catalog [3], with a patch requested before April 1, 2025 [3].
CVE-2025-24985 is another RCE vulnerability, in the Windows Fast FAT File System Driver [1] [3] [4] [8] [9], assigned a CVSSv3 score of 7.0 and rated important [4] [9]. This vulnerability combines integer overflow and heap-based buffer overflow defects [8], allowing an unauthorized attacker to execute code [3] [7]. A local attacker can exploit this vulnerability by persuading a target to mount a specially crafted VHD [4] [9], enabling arbitrary code execution [4] [9]. This flaw has also been exploited in the wild as a zero-day and is the first reported vulnerability in the Windows Fast FAT File System since 2022 [4] [9]. CVE-2025-24985 has been added to CISA’s Known Exploited Vulnerabilities Catalog [3], with a patch requested before April 1, 2025 [3]. Users whose accounts have fewer privileges may be less affected than those with administrative rights [2].
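The defect class named above for CVE-2025-24985, an integer overflow in a size computation that leads to an undersized heap allocation, is illustrated below with a constructed, simplified FAT-style geometry header. This is an added teaching example, not code from the Windows Fast FAT driver or from any of the cited sources; the struct, field names and bounds are assumptions, and the point is the checked arithmetic a driver must perform before trusting attacker-controlled geometry from a mounted image.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified view of the geometry fields a FAT-style header
 * carries. Field names are illustrative and not the real driver's. */
struct fat_geometry {
    uint16_t bytes_per_sector;
    uint8_t  sectors_per_cluster;
    uint32_t cluster_count;
};

/* Defective pattern: the byte count is computed in 32-bit arithmetic, so a
 * large cluster_count wraps and yields a tiny (even zero) allocation size
 * while later per-cluster copies still trust cluster_count. */
uint32_t unchecked_data_size(const struct fat_geometry *g)
{
    return g->cluster_count * (uint32_t)g->bytes_per_sector * g->sectors_per_cluster;
}

/* Hardened pattern: compute in a wider type and reject any geometry whose
 * byte count exceeds the caller's sane upper bound (and so the size type). */
bool checked_data_size(const struct fat_geometry *g, size_t max_bytes, size_t *out)
{
    uint64_t cluster_bytes = (uint64_t)g->bytes_per_sector * g->sectors_per_cluster;
    if (cluster_bytes == 0 || g->cluster_count == 0)
        return false;
    if (cluster_bytes > max_bytes / g->cluster_count)   /* product would overflow */
        return false;
    *out = (size_t)(cluster_bytes * g->cluster_count);
    return true;
}

int main(void)
{
    /* Constructed inputs: a sane image and one whose 2^36-byte data area wraps to 0. */
    struct fat_geometry sane = {512, 8, 1000}, hostile = {512, 8, 0x01000000u};
    size_t n = 0;
    printf("unchecked: sane=%u hostile=%u\n",
           unchecked_data_size(&sane), unchecked_data_size(&hostile));
    printf("checked hostile: %s\n",
           checked_data_size(&hostile, (size_t)1 << 30, &n) ? "accepted" : "rejected");
    return 0;
}
```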
Conclusion
The vulnerabilities detailed herein present significant threats to the security and functionality of Windows systems. Immediate action is required to mitigate these risks, including applying the recommended patches before the specified deadline of April 1, 2025. Organizations and users must remain vigilant and proactive in addressing these vulnerabilities to prevent exploitation, and timely updates remain essential to safeguard against similar threats.
References
[1] https://www.infosecurity-magazine.com/news/microsoft-patches-seven-zerodays/
[2] https://www.cisecurity.org/advisory/critical-patches-issued-for-microsoft-products-march-11-2025_2025-022
[3] https://thesecmaster.com/blog/breaking-down-the-latest-march-2025-patch-tuesday-report
[4] https://www.tenable.com/blog/microsofts-march-2025-patch-tuesday-addresses-56-cves-cve-2025-26633-cve-2025-24983
[5] https://krebsonsecurity.com/2025/03/microsoft-6-zero-days-in-march-2025-patch-tuesday/
[6] https://www.techrepublic.com/article/news-microsoft-patch-tuesday-march-2025/
[7] https://nvd.nist.gov/vuln/detail/CVE-2025-26633
[8] https://cybersecuritynews.com/microsoft-march-2025-patch-tuesday/
[9] https://securityboulevard.com/2025/03/microsofts-march-2025-patch-tuesday-addresses-56-cves-cve-2025-26633-cve-2025-24983-cve-2025-24993/