Microsoft just dropped its March 2025 Patch Tuesday update, which includes 57 fixes though closer to 70 with third-party vulnerabilities included. The update addresses some critical security issues that require immediate attention, including the following six zero-day vulnerabilities that hackers are actively exploiting.
- CVE-2025-26633: A security hole in Microsoft Management Console that lets hackers bypass normal protections. They typically trick you into opening a specially designed file or website through email or messaging apps. Rated Important, with a danger score of 7.8 out of 10. “In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the vulnerability,” explains Microsoft. “In any case an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker’s site or send a malicious attachment.”
- CVE-2025-24993: A memory bug in Windows that allows hackers to run whatever code they want on your computer. Even though Microsoft calls this “remote,” someone or something needs to be physically at your computer to exploit it. Danger score: 7.8. “An attacker can trick a local user on a vulnerable system into mounting a specially crafted VHD that would then trigger the vulnerability,” explains Microsoft.
- CVE-2025-24991: A Windows flaw that lets attackers peek at small bits of your computer’s memory. They’d need to trick you into opening a special kind of disk image file. Moderate danger at 5.5.
- CVE-2025-24985: A math error in Windows’ file system that lets attackers run malicious code on your computer. They’d need you to open a harmful disk image file first. Danger score: 7.8.
- CVE-2025-24984: A Windows bug that accidentally writes sensitive information to log files. Hackers would need physical access to your computer to plug in a malicious USB drive. Lower risk at 4.6.
- CVE-2025-24983: A Windows flaw that lets someone with access to your computer gain full system control by exploiting a timing vulnerability. Danger score: 7.0.
There’s a seventh vulnerability – a remote code execution bug in Windows Access – that’s been made public but doesn’t seem to be actively exploited yet.
True to form, Microsoft kept with tradition and didn’t share any digital fingerprints that could help security teams spot if they’ve been hit.
Additional security vulnerabilities including in Remote Desktop Client
Microsoft also highlighted several nasty bugs that could allow attackers to run malicious code over networks. The scariest part is that they can do this without needing user interaction.
One standout is CVE-2025-26645, a path traversal vulnerability in Remote Desktop Client. This one is a doozy because if you connect to a compromised Remote Desktop Server using a vulnerable client, the attacker could immediately execute code on your computer. Disaster.
Microsoft strongly advised Windows administrators to prioritize patching critical remote code execution vulnerabilities affecting Windows Subsystem for Linux, Windows DNS Server, Remote Desktop Service, and Microsoft Office.
Download our customizable patch management policy, written by Scott Matteson for TechRepublic Premium, which provides guidelines for the appropriate application of patches in an organization.
This article was written by TechnologyAdvice contributing writer Allison Francis.
