Microsoft Patchday: 5 critical Windows flaws, 6 others already exploited

Microsoft is releasing fixes for a total of 57 CVE entries on Patchday March 2025. They affect Windows, Office, Visual Studio, Azure and more.

Microsoft has published corrections for a total of 57 CVE vulnerability entries for the March Patchday. Five of these relate to vulnerabilities in Windows systems classified as critical; of a further 33 Windows vulnerabilities with high severity, six are already being exploited. Other affected products include Office, Edge, Visual Studio and some Azure components.

As usual, Microsoft offers a list that can be filtered by product and severity in its Security Response Center; Microsoft also lists all 57 CVEs in the release notes for the March Patchday.

The five critical Windows vulnerabilities have not yet been exploited. CVE-2025-24035 and CVE-2025-24045 concern remote code execution via the Windows Remote Desktop Service; Microsoft estimates the risk of exploitation here as probable.

Exploitation of the vulnerabilities CVE-2025-26645 (vulnerability in the Remote Desktop Client), CVE-2025-24084 (risk of remote code execution via the Windows Subsystem for Linux 2) and CVE-2025-24064 (vulnerability in the Domain Name Service) is considered less likely. After all

Microsoft also lists a total of 33 CVEs with high severity (also called "important" by Microsoft) for Windows systems alone. Six of these are already being exploited. Vulnerabilities in the file system drivers for FAT and NTFS allow remote code execution (CVE-2025-24985, CVE-2025-24993) and the disclosure of confidential information (CVE-2025-24991, CVE-2025-24984).

A privilege elevation vulnerability is located in the Win32 kernel subsystem and affects older systems (LTSC and server versions up to 2016, CVE-2025-24983). A vulnerability in the Microsoft Management Console (MMC) allows security functions to be bypassed (CVE-2025-26633).

(jss)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.