Microsoft at present issued greater than 50 safety updates for its numerous Home windows working methods, together with fixes for a whopping six zero-day vulnerabilities which can be already seeing lively exploitation.
Two of the zero-day flaws embody CVE-2025-24991 and CVE-2025-24993, each vulnerabilities in NTFS, the default file system for Home windows and Home windows Server. Each require the attacker to trick a goal into mounting a malicious digital onerous disk. CVE-2025-24993 would result in the opportunity of native code execution, whereas CVE-2025-24991 might trigger NTFS to reveal parts of reminiscence.
Microsoft credit researchers at ESET with reporting the zero-day bug labeled CVE-2025-24983, an elevation of privilege vulnerability in older variations of Home windows. ESET mentioned the exploit was deployed through the PipeMagic backdoor, able to exfiltrating knowledge and enabling distant entry to the machine.
ESET’s Filip Jurčacko mentioned the exploit within the wild targets solely older variations of Home windows OS: Home windows 8.1 and Server 2012 R2. Though nonetheless utilized by tens of millions, safety assist for these merchandise ended greater than a 12 months in the past, and mainstream assist ended years in the past. Nonetheless, ESET notes the vulnerability itself is also current in newer Home windows OS variations, together with Home windows 10 construct 1809 and the still-supported Home windows Server 2016.
Rapid7’s lead software program engineer Adam Barnett mentioned Home windows 11 and Server 2019 onwards usually are not listed as receiving patches, so are presumably not susceptible.
“It’s not clear why newer Home windows merchandise dodged this specific bullet,” Barnett wrote. “The Home windows 32 subsystem remains to be presumably alive and properly, since there isn’t a obvious point out of its demise on the Home windows consumer OS deprecated options checklist.”
The zero-day flaw CVE-2025-24984 is one other NTFS weak point that may be exploited by inserting a malicious USB drive right into a Home windows laptop. Barnett mentioned Microsoft’s advisory for this bug doesn’t fairly be a part of the dots, however profitable exploitation seems to imply that parts of heap reminiscence may very well be improperly dumped right into a log file, which might then be combed by way of by an attacker hungry for privileged data.
“A comparatively low CVSSv3 base rating of 4.6 displays the sensible difficulties of real-world exploitation, however a motivated attacker can typically obtain extraordinary outcomes ranging from the smallest of toeholds, and Microsoft does price this vulnerability as essential by itself proprietary severity rating scale,” Barnett mentioned.
One other zero-day fastened this month — CVE-2025-24985 — might enable attackers to put in malicious code. As with the NTFS bugs, this one requires that the person mount a malicious digital onerous drive.
The ultimate zero-day this month is CVE-2025-26633, a weak point within the Microsoft Administration Console, a element of Home windows that offers system directors a method to configure and monitor the system. Exploiting this flaw requires the goal to open a malicious file.
This month’s bundle of patch love from Redmond additionally addresses six different vulnerabilities Microsoft has rated “vital,” which means that malware or malcontents might exploit them to grab management over susceptible PCs with no assist from customers.
Barnett noticed that that is now the sixth consecutive month the place Microsoft has revealed zero-day vulnerabilities on Patch Tuesday with out evaluating any of them as vital severity at time of publication.
The SANS Web Storm Heart has a helpful checklist of all of the Microsoft patches launched at present, listed by severity. Home windows enterprise directors would do properly to regulate askwoody.com, which regularly has the news on any patches inflicting issues. Please take into account backing up your knowledge earlier than updating, and depart a remark under in case you expertise any points making use of this month’s updates.
