URGENT: Microsoft Patches 57 Security Flaws, Including 6 Actively Exploited Zero-Days

Mar 12, 2025Ravie LakshmananPatch Tuesday / Risk

Microsoft on Tuesday released security updates to address 57 security vulnerabilities in its software, including a staggering six zero-days that it said have been actively exploited in the wild.

Of the 56 flaws, six are rated Critical, 50 are rated Important, and one is rated Low in severity. Twenty-three of the addressed vulnerabilities are remote code execution bugs and 22 relate to privilege escalation.

The updates are in addition to the vulnerabilities Microsoft has addressed in its Chromium-based Edge browser since the release of the previous Patch Tuesday update, one of which is a spoofing flaw specific to the browser (CVSS score: 5.4).

The six vulnerabilities that have come under active exploitation are listed below -

  • CVE-2025-24983 (CVSS score: 7.0) - A Windows Win32 Kernel Subsystem use-after-free (UAF) vulnerability that allows an authorized attacker to elevate privileges locally
  • (CVSS score: 4.6) - A Windows NTFS information disclosure vulnerability that allows an attacker with physical access to a target device and the ability to plug in a malicious USB drive to potentially read portions of heap memory
  • (CVSS score: 7.8) - An integer overflow vulnerability in the Windows Fast FAT File System Driver that allows an unauthorized attacker to execute code locally
  • (CVSS score: 5.5) - An out-of-bounds read vulnerability in Windows NTFS that allows an authorized attacker to disclose information locally
  • (CVSS score: 7.8) - A heap-based buffer overflow vulnerability in Windows NTFS that allows an unauthorized attacker to execute code locally
  • (CVSS score: 7.0) - An improper neutralization vulnerability in Microsoft Management Console that allows an unauthorized attacker to bypass a security feature locally

ESET, which is credited with discovering and reporting CVE-2025-24983, said it first detected the zero-day exploit in the wild in March 2023, delivered via a backdoor named PipeMagic on compromised hosts.

"The vulnerability is a use-after-free in the Win32k driver," the Slovak company said. "In a certain scenario achieved using the WaitForInputIdle API, the W32PROCESS structure gets dereferenced one more time than it should, causing a UAF. To reach the vulnerability, a race condition must be won."

PipeMagic, first discovered in 2022, is a plugin-based trojan that has targeted entities in Asia and Saudi Arabia, with the malware distributed in the form of a fake OpenAI ChatGPT app in late 2024 attacks.

"One of the unique features of PipeMagic is that it generates a 16-byte random array to create a named pipe in the format \\.\pipe\1.<hex string>," Kaspersky said in October 2024. "It spawns a thread that continuously creates this pipe, reads data from it, and then destroys it."

"This pipe is used for receiving encoded payloads and stop signals via the default local interface. PipeMagic usually works with multiple plugins downloaded from a command-and-control (C2) server, which, in this case, was hosted on Microsoft Azure."
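The pipe behaviour described above gives defenders two things to look for in endpoint telemetry: the distinctive pipe name format and the create/read/destroy loop, which shows up as the same process creating the same pipe over and over. The following is an added detection example, not code from the article or from any vendor; it assumes Sysmon-style pipe events (Event ID 17 = pipe created, 18 = pipe connected) flattened into a pipe-delimited layout of its own invention, constructed sample log lines, and that the 16-byte random array is rendered as 32 hex characters.

```python
import re
from collections import Counter

# Assumption (not stated in the article): 16 random bytes as hex = 32 hex chars.
# Matches pipe names of the form \\.\pipe\1.<hex string>.
PIPEMAGIC_PIPE_RE = re.compile(r"^\\\\\.\\pipe\\1\.[0-9a-fA-F]{32}$")

# Constructed sample records: "<timestamp>|<event id>|<pid>|<image>|<pipe name>".
# Event IDs follow Sysmon (17 = PipeEvent created, 18 = PipeEvent connected);
# the field layout itself is an assumption made for this example.
SAMPLE_LOG = r"""
2025-03-11T09:00:01Z|17|4120|C:\Users\user\AppData\Local\Temp\chatgpt.exe|\\.\pipe\1.3f9a2c7e8b1d4f60a5c2e9d7b8f01234
2025-03-11T09:00:02Z|18|4120|C:\Users\user\AppData\Local\Temp\chatgpt.exe|\\.\pipe\1.3f9a2c7e8b1d4f60a5c2e9d7b8f01234
2025-03-11T09:00:02Z|17|4120|C:\Users\user\AppData\Local\Temp\chatgpt.exe|\\.\pipe\1.3f9a2c7e8b1d4f60a5c2e9d7b8f01234
2025-03-11T09:00:03Z|17|4120|C:\Users\user\AppData\Local\Temp\chatgpt.exe|\\.\pipe\1.3f9a2c7e8b1d4f60a5c2e9d7b8f01234
2025-03-11T09:00:05Z|17|812|C:\Windows\System32\svchost.exe|\\.\pipe\lsass
2025-03-11T09:00:06Z|17|2300|C:\Program Files\App\app.exe|\\.\pipe\1.notrandom
"""


def parse_pipe_events(log_text):
    """Parse the constructed pipe-delimited records into dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, event_id, pid, image, pipe = line.split("|", 4)
        events.append({"ts": ts, "event_id": int(event_id), "pid": int(pid),
                       "image": image, "pipe": pipe})
    return events


def pipemagic_indicators(events, churn_threshold=3):
    """Return (name_matches, churn).

    name_matches: events whose pipe name fits the \\.\pipe\1.<hex> format.
    churn: {(pid, pipe): count} for processes that created the same pipe at
    least churn_threshold times, mirroring the create/read/destroy loop.
    """
    name_matches = [e for e in events if PIPEMAGIC_PIPE_RE.match(e["pipe"])]
    creates = Counter((e["pid"], e["pipe"]) for e in events if e["event_id"] == 17)
    churn = {key: n for key, n in creates.items() if n >= churn_threshold}
    return name_matches, churn


if __name__ == "__main__":
    matches, churn = pipemagic_indicators(parse_pipe_events(SAMPLE_LOG))
    for e in matches:
        print(f"name match: pid={e['pid']} image={e['image']} pipe={e['pipe']}")
    for (pid, pipe), n in churn.items():
        print(f"pipe churn: pid={pid} created {pipe} {n} times")
```

The name pattern alone would also flag a legitimate application that happens to use a `\\.\pipe\1.<hex>` name, so in practice both signals together, plus the image path, are what justify an alert.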

The Zero Day Initiative noted that CVE-2025-26633 stems from how MSC files are handled, allowing an attacker to evade file reputation protections and execute code in the context of the current user. The activity has been attributed to a threat actor that is also tracked as LARVA-208.

Action1 noted that threat actors could chain the four vulnerabilities affecting core Windows file system components to achieve remote code execution (CVE-2025-24985 and CVE-2025-24993) and information disclosure (CVE-2025-24984 and CVE-2025-24991). All four bugs were reported anonymously.

"Specifically, the exploit relies on the attacker crafting a malicious VHD file and convincing a user to open or mount a VHD file," Kev Breen, senior director of threat research at Immersive, said. "VHDs are Virtual Hard Disks and are typically associated with storing the operating system for virtual machines."

"Whilst they are more typically associated with Virtual Machines, we have seen examples over the years where threat actors use VHD or VHDX files as part of phishing campaigns to smuggle malware payloads past AV solutions. Depending on the configuration of Windows systems, simply double-clicking on a VHD file could be enough to mount the container and, therefore, execute any payloads contained within the malicious file."

According to Satnam Narang, senior staff research engineer at Tenable, CVE-2025-26633 is the second flaw in MMC to be exploited in the wild as a zero-day after CVE-2024-43572, and CVE-2025-24985 is the first vulnerability in the Windows Fast FAT File System Driver since March 2022. It's also the first to be exploited in the wild as a zero-day.

As is customary, it's currently not known how the remaining vulnerabilities are being exploited, in what context, and the exact scale of the attacks. The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add them to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by April 1, 2025.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —
