On March 11, 2025, Microsoft released its March 2025 security update, addressing 57 newly disclosed vulnerabilities. Arctic Wolf has highlighted six vulnerabilities affecting Microsoft Windows in this security bulletin, including five that have been reported as exploited in the wild and one categorized as critical.
Vulnerabilities
| Vulnerability | CVSS | Description | Exploited? |
| CVE-2025-24983 | 7.0 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability – A local threat actor can exploit this vulnerability to gain SYSTEM privileges by successfully winning a race condition. | Yes |
| CVE-2025-24985 | 7.8 | Windows Fast FAT File System Driver Remote Code Execution Vulnerability – A remote threat actor can exploit this vulnerability by tricking a local user into mounting a specially crafted VHD (Virtual Hard Disk), which then triggers the vulnerability. The attack itself is carried out locally, as it requires interaction with the local vulnerable system. | Yes |
| CVE-2025-24991 | 5.5 | Windows NTFS Information Disclosure Vulnerability – A local threat actor can exploit this vulnerability by tricking a local user into mounting a specially crafted VHD (Virtual Hard Disk). If successful, the attacker could potentially read small portions of heap memory. | Yes |
| CVE-2025-24993 | 7.8 | Windows NTFS Remote Code Execution Vulnerability – A remote threat actor can exploit this vulnerability by tricking a local user into mounting a specially crafted VHD (Virtual Hard Disk), which then triggers the vulnerability. The attack itself is carried out locally, as it requires interaction with the local vulnerable system. | Yes |
| CVE-2025-26633 | 7.0 | Microsoft Management Console Security Feature Bypass Vulnerability – A threat actor can exploit this vulnerability by convincing a victim to open a specially crafted file, either sent via email or hosted on a malicious website. The attack requires user interaction, as the user must open the file, either by clicking a link or directly opening an attachment, which then triggers the vulnerability. | Yes |
| CVE-2025-24084 | 8.4 | Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability – A remote threat actor can exploit this critical vulnerability by convincing a victim to click on a link. In a worst-case scenario, an attacker could execute remote code on the victim’s machine without requiring the victim to open or click the link. The attack itself is carried out locally, as it requires execution from the local machine, but the attacker can initiate it remotely. | No |
Recommendation
Upgrade to Latest Fixed Versions
Arctic Wolf strongly recommends that customers upgrade to the latest fixed versions.
| Product | Vulnerability | Update Article |
| Windows 10 for 32-bit, and x64-based Systems | CVE-2025-24983, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053618 |
| Windows 10 Version 1607 for 32-bit, and x64-based Systems | CVE-2025-24983, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053594 |
| Windows 10 Version 1809 for 32-bit, and x64-based Systems | CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053596 |
| Windows 10 Version 21H2 for 32-bit, x64-based, and ARM64-based Systems | CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053606 |
| Windows 10 Version 22H2 for 32-bit, x64-based, and ARM64-based Systems | CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053606 |
| Windows 11 Version 22H2 for x64-based, and ARM64-based Systems | CVE-2025-24084, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053602 |
| Windows 11 Version 23H2 for x64-based, and ARM64-based Systems | CVE-2025-24084, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053602 |
| Windows 11 Version 24H2 for x64-based, and ARM64-based Systems | CVE-2025-24084, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053598, 5053636 |
| Windows Server 2008 for 32-bit, and x64-based Systems Service Pack 2 | CVE-2025-24983, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053888, 5053995 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | CVE-2025-24983, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053620, 5053627 |
| Windows Server 2012 | CVE-2025-24983, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053886 |
| Windows Server 2012 R2 | CVE-2025-24983, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053887 |
| Windows Server 2016 | CVE-2025-24983, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053594 |
| Windows Server 2019 | CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053596 |
| Windows Server 2022 | CVE-2025-24084, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053603, 5053638 |
| Windows Server 2022, 23H2 Edition | CVE-2025-24084, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053599 |
| Windows Server 2025 | CVE-2025-24084, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 | 5053598, 5053636 |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
References
Microsoft March 2025 Patch Tuesday
Resources
