
Microsoft on Tuesday released security updates to address 57 security vulnerabilities in its software, including a whopping six zero-days that it said have been actively exploited in the wild.
Of the 56 flaws, six are rated Critical, 50 are rated Important, and one is rated Low in severity. Twenty-three of the addressed vulnerabilities are remote code execution bugs and 22 relate to privilege escalation.
The updates are in addition to 17 vulnerabilities Microsoft addressed in its Chromium-based Edge browser since the release of last month's Patch Tuesday update, one of which is a spoofing flaw specific to the browser (CVE-2025-26643, CVSS score: 5.4).
The six vulnerabilities that have come under active exploitation are listed below –
- CVE-2025-24983 (CVSS score: 7.0) – A Windows Win32 Kernel Subsystem use-after-free (UAF) vulnerability that allows an authorized attacker to elevate privileges locally
- CVE-2025-24984 (CVSS score: 4.6) – A Windows NTFS information disclosure vulnerability that allows an attacker with physical access to a target device and the ability to plug in a malicious USB drive to potentially read portions of heap memory
- CVE-2025-24985 (CVSS score: 7.8) – An integer overflow vulnerability in the Windows Fast FAT File System Driver that allows an unauthorized attacker to execute code locally
- CVE-2025-24991 (CVSS score: 5.5) – An out-of-bounds read vulnerability in Windows NTFS that allows an authorized attacker to disclose information locally
- CVE-2025-24993 (CVSS score: 7.8) – A heap-based buffer overflow vulnerability in Windows NTFS that allows an unauthorized attacker to execute code locally
- CVE-2025-26633 (CVSS score: 7.0) – An improper neutralization vulnerability in Microsoft Management Console that allows an unauthorized attacker to bypass a security feature locally
ESET, which is credited with discovering and reporting CVE-2025-24983, said it first discovered the zero-day exploit in the wild in March 2023, delivered by way of a backdoor named PipeMagic on compromised hosts.

“The vulnerability is a use-after-free in the Win32k driver,” the Slovakian company noted. “In a certain scenario achieved using the WaitForInputIdle API, the W32PROCESS structure gets dereferenced one more time than it should, causing a UAF. To reach the vulnerability, a race condition must be won.”
PipeMagic, first discovered in 2022, is a plugin-based trojan that has targeted entities in Asia and Saudi Arabia, with the malware distributed in the form of a fake OpenAI ChatGPT application in late 2024 campaigns.
“One of the unique features of PipeMagic is that it generates a 16-byte random array to create a named pipe in the format \\.\pipe\1.<hex string>,” Kaspersky revealed in October 2024. “It spawns a thread that constantly creates this pipe, reads data from it, and then destroys it.”
“This pipe is used for receiving encoded payloads and stop signals via the default local interface. PipeMagic usually works with multiple plugins downloaded from a command-and-control (C2) server, which, in this case, was hosted on Microsoft Azure.”
The Zero Day Initiative noted that CVE-2025-26633 stems from how MSC files are handled, allowing an attacker to evade file reputation protections and execute code in the context of the current user. The activity has been attributed to a threat actor tracked as EncryptHub (aka LARVA-208).
Action1 pointed out that threat actors could chain the four vulnerabilities affecting core Windows file system components to achieve remote code execution (CVE-2025-24985 and CVE-2025-24993) and information disclosure (CVE-2025-24984 and CVE-2025-24991). All four bugs were reported anonymously.
“Notably, the exploit relies on the attacker crafting a malicious VHD file and convincing a user to open or mount a VHD file,” Kev Breen, senior director of threat research at Immersive, said. “VHDs are Virtual Hard Disks and are typically associated with storing the operating system for virtual machines.”
“While they are more typically associated with Virtual Machines, we have seen examples over the years where threat actors use VHD or VHDX files as part of phishing campaigns to smuggle malware payloads past AV solutions. Depending on the configuration of Windows systems, simply double-clicking on a VHD file could be enough to mount the container and, subsequently, execute any payloads contained within the malicious file.”
According to Satnam Narang, senior staff research engineer at Tenable, CVE-2025-26633 is the second flaw in MMC to be exploited in the wild as a zero-day after CVE-2024-43572, and CVE-2025-24985 is the first vulnerability in the Windows Fast FAT File System Driver since March 2022. It is also the first to be exploited in the wild as a zero-day.
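As an added illustration (not code from the page, ESET or Kaspersky), the pipe-naming detail above can be turned into a simple host check; it assumes the 16 random bytes are rendered as 32 hex characters, and it uses os.listdir on \\.\pipe\ to enumerate live pipes on Windows:

```python
import os
import re
import sys

# Kaspersky describes PipeMagic deriving its named pipe from a 16-byte random
# array, giving names of the form \\.\pipe\1.<hex string>.
# Assumption (not stated on the page): those 16 bytes appear as 32 hex characters.
# Loosen the length if your own samples differ.
PIPEMAGIC_PIPE = re.compile(r"^1\.[0-9a-f]{32}$", re.IGNORECASE)


def suspicious_pipes(pipe_names):
    """Return the pipe names (without the pipe-namespace prefix) matching the pattern."""
    return [name for name in pipe_names if PIPEMAGIC_PIPE.match(name)]


def enumerate_named_pipes():
    """List live named pipes on a Windows host; returns an empty list elsewhere."""
    if sys.platform != "win32":
        return []
    return os.listdir(r"\\.\pipe\\")


# Constructed sample for an offline run: benign pipes, one name that fits the
# pattern, and one that starts with "1." but is not hex.
SAMPLE_PIPES = [
    "lsass",
    "srvsvc",
    "1.3f9a4c2b7e1d8f0a6c5b4e3d2a1f0c9b",
    "1.notahexstring",
]

if __name__ == "__main__":
    # Use the live pipe list when available, otherwise the constructed sample.
    hits = suspicious_pipes(enumerate_named_pipes() or SAMPLE_PIPES)
    for h in hits:
        print(r"suspicious named pipe: \\.\pipe\%s" % h)
```

A hit is a lead for triage, not proof of infection: confirm by checking which process owns the pipe and what it loads.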
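As an added example (not from the page or the researchers quoted), one defender-side check for the VHD smuggling Breen describes is to identify disk images by their on-disk signatures rather than by file extension; the "conectix" VHD footer cookie and the "vhdxfile" VHDX header come from the public format specifications, and the sample files below are constructed:

```python
import os

VHDX_SIGNATURE = b"vhdxfile"   # first 8 bytes of a VHDX file
VHD_COOKIE = b"conectix"       # starts the 512-byte VHD footer (and the header copy in dynamic VHDs)
VHD_FOOTER_SIZE = 512


def disk_image_type(data: bytes):
    """Classify file bytes as 'vhdx', 'vhd' or None by signature, ignoring the name."""
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    # Dynamic and differencing VHDs carry a copy of the footer at offset 0;
    # fixed VHDs only have the footer at the very end of the file.
    if data[:8] == VHD_COOKIE:
        return "vhd"
    if len(data) >= VHD_FOOTER_SIZE and data[-VHD_FOOTER_SIZE:][:8] == VHD_COOKIE:
        return "vhd"
    return None


def flag_attachment(filename: str, data: bytes):
    """Return a finding string if the bytes are a disk image, else None."""
    kind = disk_image_type(data)
    if kind is None:
        return None
    ext = os.path.splitext(filename)[1].lower()
    mismatch = ext not in (".vhd", ".vhdx")
    return f"{filename}: {kind} image" + (" with non-matching extension" if mismatch else "")


# Constructed samples: a fixed VHD (footer only), a VHDX carrying a misleading name, and a PDF.
SAMPLE_FIXED_VHD = b"\x00" * 4096 + VHD_COOKIE + b"\x00" * (VHD_FOOTER_SIZE - 8)
SAMPLE_VHDX_RENAMED = VHDX_SIGNATURE + b"\x00" * 1024
SAMPLE_PDF = b"%PDF-1.7\n" + b"\x00" * 100

if __name__ == "__main__":
    for name, blob in [("disk.vhd", SAMPLE_FIXED_VHD),
                       ("invoice.pdf", SAMPLE_VHDX_RENAMED),
                       ("report.pdf", SAMPLE_PDF)]:
        print(flag_attachment(name, blob))
```

At a mail gateway this check belongs alongside, not instead of, a policy that blocks or quarantines disk-image attachments outright.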

As is typically the case, it is currently not known how the remaining vulnerabilities are being exploited, in what context, and at what scale. The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add them to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by April 1, 2025.
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —