Microsoft’s latest Patch Tuesday bundle has addressed a whopping 57 security flaws, including six zero-day vulnerabilities already being exploited by criminals. The first three impacted Windows NTFS, with two of them requiring local action to exploit.
CVE-2025-24993 is a critical heap-based buffer overflow in NTFS that allows remote code execution when a victim mounts a malicious virtual hard disk image. CVE-2025-24991 and CVE-2025-24984 are also NTFS flaws; the latter allows sensitive information to be written into log files, but requires physical access to exploit.
The sixth zero-day vulnerability, CVE-2025-26633, is a security feature bypass flaw in Microsoft Management Console (MMC) that has already been exploited in attacks affecting over 600 organizations. Trend Micro researcher Aliakbar Zahravi discovered this issue being abused by threat actors.
In addition to the NTFS flaws, Windows Remote Desktop Services (RDS) and Office also have critical vulnerabilities. A sensitive data storage issue in RDS (CVE-2025-24035) and a heap-based buffer overflow in Office (CVE-2025-24057) are rated 8.1 on the CVSS scale.
Other critical flaws include Windows DNS Server, Remote Desktop Client, and a use-after-free bug in Microsoft Access. Apple has also patched a serious issue allowing attackers to bypass its Web Content sandbox and execute arbitrary code.
Adobe fixed six critical and three important flaws in its software, including Illustrator and InDesign. Google released 40-plus patches for Android, with two under limited, targeted exploitation by miscreants.
Source: https://www.theregister.com/2025/03/12/patch_tuesday