Full Report
Microsoft has fixed seven zero-days this Patch Tuesday, including one not currently being actively exploited
Analysis Summary
# Vulnerability: Microsoft March Patch Tuesday Zero-Day Fixes
## CVE Details
- CVE IDs with CVSS scores (paired in the order given):
  - CVE-2025-26633: 7.0 (Moderate/High)
  - CVE-2025-24993: 7.8 (High)
  - CVE-2025-24991: 5.5 (Medium)
  - CVE-2025-24985: 7.8 (High)
  - CVE-2025-24984: 4.6 (Low/Medium)
  - CVE-2025-24983: 7.0 (Moderate/High)
  - CVE-2025-26630: 7.8 (High)
- CWE: Not explicitly detailed in the summary, but implied weakness types include Security Feature Bypass, Remote Code Execution, Information Disclosure, and Elevation of Privilege.
## Affected Systems
- Products: Microsoft Management Console, Windows NTFS, Windows Fast FAT File System Driver, Windows Win32 Kernel Subsystem, Microsoft Access.
- Versions: Not specified, but covered by the March Patch Tuesday release.
- Configurations: Varies by specific vulnerability.
## Vulnerability Description
Microsoft patched over 50 vulnerabilities in its March Patch Tuesday update, including seven zero-days. Six of these zero-days are confirmed to be actively exploited in the wild. The vulnerabilities span multiple components including the Windows kernel subsystems, file systems (NTFS, Fast FAT), management components (MMC), and Microsoft Access.
Specific zero-days include:
* **CVE-2025-26633 (MMC):** Security Feature Bypass.
* **CVE-2025-24993 (NTFS):** Remote Code Execution (RCE).
* **CVE-2025-24985 (Fast FAT Driver):** Remote Code Execution (RCE).
* **CVE-2025-24983 (Win32 Kernel Subsystem):** Elevation of Privilege (EoP).
An additional zero-day, **CVE-2025-26630 (MS Access)**, is an RCE rated 'Important'; it was publicly disclosed but has not been reported as exploited yet.
## Exploitation
- Status: Six of the seven zero-days are **Exploited in the wild**. One is publicly disclosed but not yet exploited.
- Complexity: Varies. For the RCE vulnerabilities, complexity is likely Low to Medium given active exploitation; exploitation of the MS Access vulnerability is noted as potentially harder because no functional code samples are publicly available to attackers.
- Attack Vector: Likely a mix of Local (for EoP and some RCEs) and Network (especially for RCEs if triggered remotely).
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2025-24993 (RCE) | Potential High | Potential High | Potential High |
| CVE-2025-24985 (RCE) | Potential High | Potential High | Potential High |
| CVE-2025-26630 (RCE) | Potential High | Potential High | Potential High |
| CVE-2025-24983 (EoP) | Potential High | Potential High | Potential High |
| CVE-2025-26633 (Security Feature Bypass) | Low/Medium | Low/Medium | Low/Medium |
| CVE-2025-24991 (Info Discl.) | Potential Medium | None | None |
| CVE-2025-24984 (Info Discl.) | Potential Low | None | None |
## Remediation
### Patches
- All seven zero-day vulnerabilities, along with other fixes released in the March Patch Tuesday, are addressed via cumulative updates provided by Microsoft for the affected products (Windows, Microsoft Access). System administrators must apply the relevant March 2025 security updates.
### Workarounds
- No specific technical workarounds were detailed in the summary for these vulnerabilities. Patching is the primary recommended action due to active exploitation.
## Detection
- Indicators of compromise (IOCs) published by the vendor (Microsoft) should be used for threat hunting; none are detailed in the summary.
- Detection should focus on verifying that the patches have been deployed and on identifying attempts to exploit the known RCE/EoP conditions on systems not yet patched. Monitoring for suspicious activity related to file system driver manipulation, or for unusual execution within kernel or system management contexts, is advised.
## References
- Vendor advisories: Microsoft Security Update Guide for March 2025 (Specific CVE references required from the full Microsoft advisory).
- Relevant links - defanged: hxxps://www.infosecurity-magazine.com/news/microsoft-patches-seven-zerodays/