Microsoft on Tuesday released safety updates to handle 57 safety vulnerabilities in its software program, together with a whopping six zero-days that it stated have been actively exploited within the wild.
Of the 56 flaws, six are rated Important, 50 are rated Vital, and one is rated Low in severity. Twenty-three of the addressed vulnerabilities are distant code execution bugs and 22 relate to privilege escalation.
The updates are along with 17 vulnerabilities Microsoft addressed in its Chromium-based Edge browser for the reason that launch of last month’s Patch Tuesday update, one among which is a spoofing flaw particular to the browser (CVE-2025-26643, CVSS rating: 5.4).
The six vulnerabilities which have come beneath lively exploitation are listed beneath –
- CVE-2025-24983 (CVSS rating: 7.0) – A Home windows Win32 Kernel Subsystem use-after-free (UAF) vulnerability that permits a licensed attacker to raise privileges regionally
- CVE-2025-24984 (CVSS rating: 4.6) – A Home windows NTFS data disclosure vulnerability that permits an attacker with bodily entry to a goal gadget and the power to plug in a malicious USB drive to probably learn parts of heap reminiscence
- CVE-2025-24985 (CVSS rating: 7.8) – An integer overflow vulnerability in Home windows Quick FAT File System Driver that permits an unauthorized attacker to execute code regionally
- CVE-2025-24991 (CVSS rating: 5.5) – An out-of-bounds learn vulnerability in Home windows NTFS that permits a licensed attacker to reveal data regionally
- CVE-2025-24993 (CVSS rating: 7.8) – A heap-based buffer overflow vulnerability in Home windows NTFS that permits an unauthorized attacker to execute code regionally
- CVE-2025-26633 (CVSS rating: 7.0) – An improper neutralization vulnerability in Microsoft Administration Console that permits an unauthorized attacker to bypass a safety function regionally
ESET, which is credited with discovering and reporting CVE-2025-24983, stated it first found the zero-day exploit within the wild in March 2023 and delivered by way of a backdoor named PipeMagic on compromised hosts.
“The vulnerability is a use-after-free in Win32k driver,” the Slovakian firm noted. “In a sure state of affairs achieved utilizing the WaitForInputIdle API, the W32PROCESS construction will get dereferenced another time than it ought to, inflicting UAF. To succeed in the vulnerability, a race situation have to be gained.”
PipeMagic, first found in 2022, is a plugin-based trojan that has focused entities in Asia and Saudi Arabia, with the malware distributed within the type of a pretend OpenAI ChatGPT utility in late 2024 campaigns.
“One in all distinctive options of PipeMagic is that it generates a 16-byte random array to create a named pipe within the format .pipe1.<hex string>,” Kaspersky revealed in October 2024. “It spawns a thread that repeatedly creates this pipe, reads information from it, after which destroys it.”
“This pipe is used for receiving encoded payloads, cease indicators by way of the default native interface. PipeMagic often works with a number of plugins downloaded from a command-and-control (C2) server, which, on this case, was hosted on Microsoft Azure.”
The Zero Day Initiative famous that CVE-2025-26633 stems from how MSC recordsdata are dealt with, permitting an attacker to evade file repute protections and execute code within the context of the present consumer. The exercise has been linked to a risk actor tracked as EncryptHub (aka LARVA-208).
Action1 pointed out that risk actors might chain the 4 vulnerabilities affecting core Home windows file system elements to trigger distant code execution (CVE-2025-24985 and CVE-2025-24993) and data disclosure (CVE-2025-24984 and CVE-2025-24991). All of the 4 bugs had been reported anonymously.
“Particularly, the exploit depends on the attacker crafting a malicious VHD file and convincing a consumer to open or mount a VHD file,” Kev Breen, senior director of risk analysis at Immersive, stated. “VHDs are Digital Exhausting Disks and are usually related to storing the working system for digital machines.”
“While they’re extra usually related to Digital Machines, we’ve got seen examples over time the place risk actors use VHD or VHDX recordsdata as a part of phishing campaigns to smuggle malware payloads previous AV options. Relying on the configuration of Home windows programs, merely double-clicking on a VHD file could possibly be sufficient to mount the container and, due to this fact, execute any payloads contained inside the malicious file.”
In line with Satnam Narang, senior workers analysis engineer at Tenable, CVE-2025-26633 is the second flaw in MMC to be exploited within the wild as a zero-day after CVE-2024-43572 and CVE-2025-24985 is the primary vulnerability within the Home windows Quick FAT File System Driver since March 2022. It is also the primary to be exploited within the wild as a zero-day.
As is customary, it is at the moment not identified the remaining vulnerabilities are being exploited, in what context, and the precise scale of the assaults. The event has prompted the U.S. Cybersecurity and Infrastructure Safety Company (CISA) so as to add them to the Identified Exploited Vulnerabilities (KEV) catalog, requiring federal businesses to use the fixes by April 1, 2025.
Software program Patches from Different Distributors
Along with Microsoft, safety updates have additionally been launched by different distributors over the previous a number of weeks to rectify a number of vulnerabilities, together with —
