Microsoft addressed a half-dozen zero-day security vulnerabilities in its latest monthly security update.

The March edition of Patch Tuesday remedies a total of 67 vulnerabilities across the software giant's various offerings, including Windows and Office. Of those, six are considered to be critical security risks while another six are being actively targeted in the wild.

None of the six zero-day flaws are considered to be of critical severity, with the most severe receiving a CVSS score of 7.8. Possible exploits could allow for remote code execution in some scenarios.

Of the six exploited vulnerabilities, three (CVE-2025-24984, CVE-2025-24991, CVE-2025-24993) were found in the Windows NTFS component. Should a user mount a specially crafted virtual hard drive (VHD), a threat actor could view potentially sensitive memory contents or, in the case of CVE-2025-24993, execute code.

Another flaw under active exploitation addresses a similar issue in the FAT file system. Like the NTFS bugs, CVE-2025-24985 targets a vulnerability in the FAT file system in Windows to execute malicious code by way of a malformed VHD image.

Dustin Childs, head researcher with the Trend Micro Zero Day Initiative, noted that the two vulnerabilities appear to share a common cause.

“It’s interesting to see the root cause of these bugs is an overflow; heap-based for the NTFS and an integer overflow for Fast FAT,” Childs explained. “Once exploited, the attacker can execute code on an affected system. If paired with a privilege escalation, they could completely take over a system.”

Other in-the-wild attacks include a security bypass in the Microsoft Management Console (CVE-2025-26633) and an elevation of privilege flaw in the Win32 Kernel Subsystem (CVE-2025-24983).

While it has been publicly disclosed, CVE-2025-26630 has yet to see active exploitation but could allow for remote code execution via Microsoft Access.

The six critical flaws each allow for remote code execution if exploited; they include bugs in Office (CVE-2025-24057), Remote Desktop Client (CVE-2025-26645), Remote Desktop Services (CVE-2025-24035, CVE-2025-24045), Windows DNS (CVE-2025-24064) and Windows Subsystem for Linux (CVE-2025-24084).

None of the critical flaws have been reported to be under active attack as of this writing, though with the flaws being made public and the release of working exploit scripts, it will only be a matter of time.

Overall, experts believe that the March updates carry more weight and importance for users and administrators than some of the previous months. Tyler Reguly, associate director of security research and development at Fortra, said in an email to SC Media that the prevalence of in-the-wild attacks means this latest Patch Tuesday release should be prioritized.

“This is a Patch Tuesday where the casual observer needs to pay a bit more attention. If you were to review the release notes, you might notice that the CVE count is low, that the software being updated is completely standard and there are no CVSS scores that fall within the realm of 'Critical,'” Reguly noted. “You might even be inclined to call this a 'nothingburger' of a Patch Tuesday. You would, however, be wrong.”
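The bug class Childs points to, an integer overflow in a size calculation that turns a malformed image header into an undersized heap buffer, is easiest to see in a small parser. The C program below is an added illustration, not code from Microsoft, the article or the researchers quoted; it uses a constructed toy header layout (`toy_dir_header`, an 8-byte little-endian count/size pair) rather than the real NTFS or FAT on-disk structures, and the 16 MiB table cap is a made-up policy value. It contrasts the unchecked multiply, which wraps to 0 for a crafted header, with the overflow-checked version a defender should expect to find in any image-parsing code path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy on-disk header for a hypothetical file-system image. This layout is
 * constructed for illustration only; it is not the NTFS or FAT format. */
struct toy_dir_header {
    uint32_t entry_count;  /* number of directory entries in the table */
    uint32_t entry_size;   /* size in bytes of each entry */
};

/* Read the 8-byte little-endian header from the start of an image. */
bool toy_parse_header(const uint8_t *img, size_t len, struct toy_dir_header *h)
{
    if (img == NULL || h == NULL || len < 8)
        return false;
    h->entry_count = (uint32_t)img[0] | ((uint32_t)img[1] << 8) |
                     ((uint32_t)img[2] << 16) | ((uint32_t)img[3] << 24);
    h->entry_size  = (uint32_t)img[4] | ((uint32_t)img[5] << 8) |
                     ((uint32_t)img[6] << 16) | ((uint32_t)img[7] << 24);
    return true;
}

/* Unchecked size computation: the 32-bit product wraps modulo 2^32, so a
 * header whose true product is >= 2^32 yields a small (even zero) size that
 * the rest of a parser would then treat as a full-sized table. */
uint32_t toy_table_bytes_unchecked(const struct toy_dir_header *h)
{
    return h->entry_count * h->entry_size;
}

/* Constructed policy cap for the entry table; a real parser would derive
 * this from the format's documented limits. */
#define TOY_MAX_TABLE_BYTES (16u * 1024u * 1024u)

/* Checked size computation: reject zero fields and any product that would
 * overflow or exceed the cap, using division so the check itself cannot wrap. */
bool toy_table_bytes_checked(const struct toy_dir_header *h, size_t *out)
{
    if (h == NULL || out == NULL)
        return false;
    if (h->entry_count == 0 || h->entry_size == 0)
        return false;
    /* entry_count * entry_size <= MAX  <=>  entry_count <= MAX / entry_size */
    if (h->entry_count > TOY_MAX_TABLE_BYTES / h->entry_size)
        return false;
    *out = (size_t)h->entry_count * (size_t)h->entry_size;
    return true;
}

/* "Mount" an image: parse the header and copy out the entry table only if
 * the size validates and the table really is present in the image. */
uint8_t *toy_load_table(const uint8_t *img, size_t len, size_t *table_len)
{
    struct toy_dir_header h;
    size_t bytes;
    if (!toy_parse_header(img, len, &h))
        return NULL;
    if (!toy_table_bytes_checked(&h, &bytes))
        return NULL;
    if (len - 8 < bytes)          /* header claims more data than exists */
        return NULL;
    uint8_t *table = malloc(bytes);
    if (table == NULL)
        return NULL;
    memcpy(table, img + 8, bytes);
    *table_len = bytes;
    return table;
}

int main(void)
{
    /* Constructed malformed header: 0x10000 entries of 0x10000 bytes each.
     * The true product is 2^32, which wraps to 0 in 32-bit arithmetic. */
    const uint8_t bad_img[8] = { 0x00, 0x00, 0x01, 0x00,  0x00, 0x00, 0x01, 0x00 };
    struct toy_dir_header h;
    size_t n = 0;

    toy_parse_header(bad_img, sizeof bad_img, &h);
    printf("unchecked size: %u bytes\n", toy_table_bytes_unchecked(&h));
    printf("checked parser accepts: %s\n",
           toy_table_bytes_checked(&h, &n) ? "yes" : "no");

    /* Constructed well-formed image: 4 entries of 16 bytes, then 64 data bytes. */
    uint8_t good_img[8 + 64] = { 0x04, 0x00, 0x00, 0x00,  0x10, 0x00, 0x00, 0x00 };
    uint8_t *table = toy_load_table(good_img, sizeof good_img, &n);
    printf("well-formed image loads %zu-byte table: %s\n", n, table ? "yes" : "no");
    free(table);
    return 0;
}
```

The division-based check is the idiom worth keeping: it rejects the overflowing header without ever computing the wrapped product, and `toy_load_table` additionally refuses a header that claims more table bytes than the image actually carries, which is the other common way a crafted image drives a parser past its buffer.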
Microsoft’s March Patch Tuesday fixes 67 flaws, including 6 zero-days