Microsoft’s Latest Update Fixes 57 Security Vulnerabilities
Microsoft has released its monthly Patch Tuesday update for March 2025, fixing 57 bugs in Windows, Office, Azure and other Microsoft systems. Seven patches address zero-day vulnerabilities, six of which are actively exploited.
According to Bleeping Computer, this month’s update fixes 23 privilege escalation bugs, three security feature bypass bugs, 23 remote code execution bugs, four information disclosure bugs, one denial of service bug, and three spoofing bugs. This month, Microsoft also released patches for numerous vulnerabilities in Mariner and Microsoft Edge.
Patch Tuesday fixes for March
Seven of the bugs fixed are zero-day vulnerabilities, which allow attackers to exploit systems before developers release an official patch. In this case, six of the seven zero-day vulnerabilities were actively exploited, and one was publicly disclosed, so it is only a matter of time before attackers exploit the seventh vulnerability.
Two of the six actively exploited vulnerabilities (CVE-2025-24985 and CVE-2025-24993) are remote code execution bugs in which attackers trick users into mounting a malicious VHD file in order to execute code. One of them affects the Windows Fast FAT file system driver, and the other is a flaw in Windows NTFS.
Two of the active exploits are information disclosure vulnerabilities, both on Windows NTFS. CVE-2025-24984 allows attackers with physical access to the device to read memory and steal data when a malicious USB drive is attached, and CVE-2025-24991 is exploited when a user mounts a malicious VHD file.
Finally, there is CVE-2025-24983, a vulnerability in the Windows Win32 kernel subsystem that allows local attackers to gain system privileges on a device, and CVE-2025-26633, a security feature bypass vulnerability in Microsoft Management Console.
Microsoft says the majority of exploited zero-day vulnerabilities were disclosed anonymously, although CVE-2025-24983 was discovered by ESET and CVE-2025-26633 by Trend Micro.
The publicly disclosed zero-day vulnerability, designated CVE-2025-26630 and discovered by Unpatched.ai, allows remote code execution in Microsoft Office Access if a user opens a file sent through a phishing or social engineering attack. Microsoft also released patches for six other “critical” vulnerabilities affecting Microsoft Office, the Remote Desktop Client, Windows Domain Name Service, Windows Remote Desktop Services and the Windows Subsystem for Linux kernel.
How to install the latest Microsoft security updates
Microsoft releases Patch Tuesday fixes on the second Tuesday of every month at 10 a.m. Pacific Time and sends notifications and security updates to users as needed. Windows and Microsoft security updates are usually downloaded and installed on your computer automatically. To make sure your PC is up to date, go to Start > Settings > Windows Update and select Check for Windows Updates.