Microsoft has released a total of 57 updates across 10 product families this Tuesday. Among these fixes, Microsoft has deemed six issues to be Critical in severity, while nine have a CVSS base score of 8.0 or above. Six vulnerabilities, all affecting Windows, are currently being exploited in real-world scenarios. One issue has been publicly disclosed but not yet exploited.
During the patch release, Microsoft predicts that 11 additional CVEs are more likely to face exploitation in the next 30 days. Out of this month’s issues, four are detectable by Sophos products directly, and relevant information on these is provided in the table below.
Aside from these updates, the release also includes advisory information on Servicing Stack Updates and details on the 12 Edge patches for the month, which were issued a few days prior. Additionally, nine Adobe Reader vulnerabilities are addressed.
At the conclusion of this post, you will find additional appendices categorizing all Microsoft patches by severity, predicted exploitability timeline and CVSS Base score, and product family; an appendix outlining advisory-style updates; and a breakdown of the patches impacting the various Windows Server platforms that are still supported.
Statistical Summary
- Total number of CVEs: 57
- Public disclosures: 1
- Exploits detected: 6
- Severity
- Critical: 6
- Important: 51
- Impacts
- Remote code execution: 23
- Elevation of privilege: 23
- Information disclosure: 4
- Security feature bypass: 3
- Spoofing: 3
- Denial of service: 1
- CVSS base score 9.0 or higher: 0
- CVSS base score 8.0 or higher: 9
Figure 1: The prevalence of remote code execution issues and elevation of privilege bugs is equal this month, with all critical-severity problems falling under RCE.
- Windows: 37
- 365: 11
- Office: 11
- Azure: 4
- Visual Studio: 4
- Excel: 3
- Word: 2
- .NET: 1
- ASP.NET: 1
- Access: 1
Traditionally, CVEs that impact multiple product families are counted once for each affected family.
Figure 2: Windows continues to be the primary contributor of patches, including a less common issue specific to clients only (CVE-2025-24994). The tallies for 365 and Office pertain to the same 11 CVEs.
Highlighted March Updates
Alongside the aforementioned issues, there are several notable updates worth mentioning.
CVE-2025-24057 — Microsoft Office Remote Code Execution Vulnerability
This heap-based buffer overflow issue impacts both 365 and Office, allowing unauthorized entities to locally execute code, particularly in the Preview Pane.
CVE-2025-26645 — Remote Desktop Client Remote Code Execution Vulnerability
Rated with a CVSS Base score of 8.8 and marked with Critical severity by Microsoft, this vulnerability involves a relative path traversal flaw in RDC. All supported client and server versions, as well as Remote Desktop Client for Windows, are susceptible. Exploiting this flaw, an attacker controlling a Remote Desktop server could initiate RCE on a vulnerable client upon connection.
CVE-2025-21180 – Windows exFAT File System Remote Code Execution Vulnerability
CVE-2025-24985 — Windows Fast FAT File System Driver Remote Code Execution Vulnerability
CVE-2025-24984 — Windows NTFS Information Disclosure Vulnerability
CVE-2025-24991 – Windows NTFS Information Disclosure Vulnerability
CVE-2025-24992 — Windows NTFS Information Disclosure Vulnerability
CVE-2025-24993 — Windows NTFS Remote Code Execution Vulnerability
This month brings challenges for file systems. Fast FAT bears similarities to the dated FAT system and chiefly operates on memory devices such as USB keys, SD cards, and even floppies (!) in current scenarios. exFAT, a more contemporary iteration of FAT, was introduced almost two decades ago, lifting the previous 4GB file-size restriction with its “ex” for “extended.” For both of these bugs, an attacker would need to mislead a user on a vulnerable system into mounting a maliciously crafted VHD. Among the four NTFS issues, CVE-2025-24984 necessitates physical access to the target machine (for USB connection). The remaining three appear analogous to the VHD-related vulnerabilities described earlier. Three NTFS issues alongside the Fast FAT problem are currently exploited, while the other two are more likely to face exploitation within the next 30 days.
CVE-2024-9157 — Synaptics: CVE-2024-9157 Synaptics Service Binaries DLL Loading Vulnerability
Information regarding this Synaptics-associated CVE is scarce, but the available details suggest a potentially concerning scenario: Present in Synaptics’ Audio Effects audio-enhancement component, this elevation-of-privilege issue involves a DLL-loading vulnerability marked by Microsoft as having a higher likelihood of exploitation within the next month. Fortunately, Microsoft declares that the latest Windows builds are no longer affected.
Figure 3: With the completion of the first quarter of 2025, the count of RCE issues has exceeded the 100-CVE milestone.
Sophos Protection Overview
| CVE | Sophos Intercept X/Endpoint IPS | Sophos XGS Firewall |
| Vulnerability-2025-24066 | Exploit/2524066-A | Exploit/2524066-A |
| Vulnerability-2025-24067 | Exploit/2524067-A | Exploit/2524067-A |
| Vulnerability-2025-24983 | Exploit/2524983-A | Exploit/2524983-A |
If every month, you wish to avoid waiting for your system to automatically retrieve Microsoft’s updates, you can opt to manually download them from the Windows Update Catalog website. Utilize the winver.exe tool to identify the build of Windows 10 or 11 you are using, following which download the Cumulative Update package applicable to your system’s architecture and build number.
Appendix A: Vulnerability Impact and Severity
This compilation illustrates the March patches categorized by impact, subsequently sorted by severity. Each list is then organized based on CVE.
Remote Code Execution (23 CVEs)
| Critical severity | |
| Vulnerability-2025-24035 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
| Vulnerability-2025-24045 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
| Vulnerability-2025-24057 | Microsoft Office Remote Code Execution Vulnerability |
| Vulnerability-2025-24064 | Windows Domain Name Service Remote Code Execution Vulnerability |
| Vulnerability-2025-24084 | Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability |
| Vulnerability-2025-26645 | Remote Desktop Client Remote Code Execution Vulnerability |
| Important severity | |
| Vulnerability-2025-21180 | Windows exFAT File System Remote Code Execution Vulnerability |
| Vulnerability-2025-24043 | WinDbg Remote Code Execution Vulnerability |
| Vulnerability-2025-24051 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| Vulnerability-2025-24056 | Windows Telephony Service Remote Code Execution Vulnerability |
| Vulnerability-2025-24075 | Microsoft Excel Remote Code Execution Vulnerability |
| Vulnerability-2025-24077 | Microsoft Word Remote Code Execution Vulnerability |
| Vulnerability-2025-24078 | Microsoft Word Remote Code Execution Vulnerability |
| Vulnerability-2025-24079 | Microsoft Word Remote Code Execution Vulnerability |
| Vulnerability-2025-24080 | Microsoft Office Remote Code Execution Vulnerability |
| Vulnerability-2025-24081 | Microsoft Excel Remote Code Execution Vulnerability |
| Vulnerability-2025-24082 | Microsoft Excel Remote Code Execution Vulnerability |
| Vulnerability-2025-24083 | Microsoft Office Remote Code Execution Vulnerability |
| Vulnerability-2025-24985 | Windows Fast FAT File System Driver Remote Code Execution Vulnerability |
| Vulnerability-2025-24986 | Azure Promptflow Remote Code Execution Vulnerability |
| Vulnerability-2025-24993 | Windows NTFS Remote Code Execution Vulnerability |
| Vulnerability-2025-26629 | Microsoft Office Remote Code Execution Vulnerability |
| Vulnerability-2025-26630 | Microsoft Access Remote Code Execution Vulnerability |
Elevation of Privilege (23 CVEs)
| Important severity | |
| Vulnerability-2024-9157 | Synaptics: CVE-2024-9157 Synaptics Service Binaries DLL Loading Vulnerability |
| Vulnerability-2025-21199 | Azure Agent Installer for Backup and Site Recovery Elevation of Privilege Vulnerability |
| Vulnerability-2025-24044 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| Vulnerability-2025-24046 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| Vulnerability-2025-24048 | Windows Hyper-V Elevation of Privilege Vulnerability |
| Vulnerability-2025-24049 | Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability |
| Vulnerability-2025-24050 | Windows Hyper-V Elevation of Privilege Vulnerability |
| Vulnerability-2025-24059 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Vulnerability-2025-24066 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| Vulnerability-2025-24067 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| Vulnerability-2025-24070 | ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability |
| Vulnerability-2025-24072 | Microsoft Local Security Authority (LSA) Server Elevation of Privilege Vulnerability |
| Vulnerability-2025-24076 | Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability |
| Vulnerability-2025-24983 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| Vulnerability-2025-24987 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability |
| Vulnerability-2025-24988 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability |
| Vulnerability-2025-24994 | Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability |
| Vulnerability-2025-24995 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability |
| Vulnerability-2025-24998 | Visual Studio Installer Elevation of Privilege Vulnerability |
| Vulnerability-2025-25003 | Visual Studio Elevation of Privilege Vulnerability |
| Vulnerability-2025-25008 | Windows Server Elevation of Privilege Vulnerability |
| Vulnerability-2025-26627 | Azure Arc Installer Elevation of Privilege Vulnerability |
| Vulnerability-2025-26631 | Visual Studio Code Elevation of Privilege Vulnerability |
Information Disclosure (4 CVEs)
| Important severity | |
| Vulnerability-2025-24055 | Windows USB Video Class System Driver Information Disclosure Vulnerability |
| Vulnerability-2025-24984 | Windows NTFS Information Disclosure Vulnerability |
| Vulnerability-2025-24991 | Windows NTFS Information Disclosure Vulnerability |
| Windows NTFS Information Viewing Vulnerability | |
Bypass of Security Feature (3 CVEs)
| Significant severity | |
| CVE-2025-21247 | MapUrlToZone Security Feature Bypass Vulnerability |
| CVE-2025-24061 | Windows Mark of the Web Security Feature Bypass Vulnerability |
| CVE-2025-26633 | Microsoft Management Console Security Feature Bypass Vulnerability |
Deception (3 CVEs)
| Significant severity | |
| CVE-2025-24054 | NTLM Hash Disclosure Deception Vulnerability |
| CVE-2025-24071 | Microsoft Windows File Explorer Deception Vulnerability |
| CVE-2025-24996 | NTLM Hash Disclosure Deception Vulnerability |
Service Unavailability (1 CVE)
| Significant severity | |
| CVE-2025-24997 | DirectX Graphics Kernel File Service Unavailability Vulnerability |
Appendix B: Use and Common Vulnerability Scoring System (CVSS)
Below is a compilation of the March CVEs rated by Microsoft to either be actively exploited in the field or more prone to exploitation in the field during the first 30 days post-launch. The compilation is then categorized by CVE.
| Exploitation Identified | |
| CVE-2025-24983 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| CVE-2025-24984 | Windows NTFS Information Disclosure Vulnerability |
| CVE-2025-24985 | Windows Fast FAT File System Driver Remote Code Execution Vulnerability |
| CVE-2025-24991 | Windows NTFS Information Disclosure Vulnerability |
| CVE-2025-24993 | Windows NTFS Remote Code Execution Vulnerability |
| CVE-2025-26633 | Microsoft Management Console Security Feature Bypass Vulnerability |
| Expected Exploitation in the Next 30 Days | |
| CVE-2024-9157 | Synaptics: CVE-2024-9157 Synaptics Service Binaries DLL Loading Vulnerability |
| CVE-2025-21180 | Windows exFAT File System Remote Code Execution Vulnerability |
| CVE-2025-21247 | MapUrlToZone Security Feature Bypass Vulnerability |
| CVE-2025-24035 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
| CVE-2025-24044 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| CVE-2025-24045 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
| CVE-2025-24061 | Windows Mark of the Web Security Feature Bypass Vulnerability |
| CVE-2025-24066 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2025-24067 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2025-24992 | Windows NTFS Information Disclosure Vulnerability |
| CVE-2025-24995 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability |
This section lists March’s CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are sorted by score and then by CVE. For additional details on the functionality of CVSS, please refer to our guide on patch prioritization schema.
| CVSS Base | CVSS Temporal | CVE | Title |
| 8.8 | 7.7 | CVE-2025-24051 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2025-24056 | Windows Telephony Service Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2025-26645 | Remote Desktop Client Remote Code Execution Vulnerability |
| 8.4 | 7.3 | CVE-2025-24049 | Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability |
| 8.4 | 7.3 | CVE-2025-24066 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| 8.4 | 7.3 | CVE-2025-24084 | Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability |
| 8.1 | 7.1 | CVE-2025-24035 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
| 8.1 | 7.1 | CVE-2025-24045 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
| 8.1 | 7.1 | CVE-2025-24064 | Windows Domain Name Service Remote Code Execution Vulnerability |
Appendix C: Affected Offerings
The following is a summary of March’s updates listed by product category, then sorted by severity level. Each list is additionally ordered by CVE. Updates that impact multiple product categories are presented multiple times, once per product family. Concerns related to Windows Server are further classified in Appendix E.
Windows (37 CVEs)
| Critical severity | |||
| CVE-2025-24035 | Windows Remote Desktop Services Remote Code Execution Vulnerability | ||
| CVE-2025-24045 | Windows Remote Desktop Services Remote Code Execution Vulnerability | ||
| CVE-2025-24064 | Windows Domain Name Service Remote Code Execution Vulnerability | ||
| CVE-2025-24084 | Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability | ||
| CVE-2025-26645 | Remote Desktop Client Remote Code Execution Vulnerability | ||
| Important severity | |||
| CVE-2024-9157 | Synaptics: CVE-2024-9157 Synaptics Service Binaries DLL Loading Vulnerability | ||
| CVE-2025-21180 | Windows exFAT File | CVE-2025-21126 | Visual Studio IDE Remote Code Execution Vulnerability |
| Medium severity | |||
| CVE-2025-21128 | Visual Studio Debugger Information Disclosure Vulnerability | ||
| CVE-2025-24960 | Visual Studio Source Control Remote Code Execution Vulnerability | ||
| CVE-2025-26621 | Visual Studio Extension Manager Elevation of Privilege Vulnerability | ||
Excel (3 Vulnerabilities)
| Severity Level: Important | |
| Vulnerability ID: CVE-2025-24075 | Remote Code Execution Vulnerability in Microsoft Excel |
| Vulnerability ID: CVE-2025-24081 | Remote Code Execution Vulnerability in Microsoft Excel |
| Vulnerability ID: CVE-2025-24082 | Remote Code Execution Vulnerability in Microsoft Excel |
Word (2 Vulnerabilities)
| Severity Level: Important | |
| Vulnerability ID: CVE-2025-24078 | Remote Code Execution Vulnerability in Microsoft Word |
| Vulnerability ID: CVE-2025-24079 | Remote Code Execution Vulnerability in Microsoft Word |
ASP.NET (1 Vulnerability)
| Severity Level: Important | |
| Vulnerability ID: CVE-2025-24070 | Elevation of Privilege Vulnerability in ASP.NET Core and Visual Studio |
.NET (1 Vulnerability)
| Severity Level: Important | |
| Vulnerability ID: CVE-2025-24043 | Remote Code Execution Vulnerability in WinDbg |
Access (1 Vulnerability)
| Severity Level: Important | |
| Vulnerability ID: CVE-2025-26630 | Remote Code Execution Vulnerability in Microsoft Access |
Appendix D: Advisories and Other Products
This contains advisories and information on other relevant vulnerabilities in the recent Microsoft release. The vulnerabilities mentioned have been addressed by Chrome, but are shared here for transparency. Please note that CVE-2025-21353 specifically relates to Android.
Microsoft Information:
| CVE / Identifier | Product | Title |
| ADV990001 | Latest Servicing Stack Updates | |
| CVE-2025-1914 | Edge | Chromium: Out of Bounds Read in V8 (CVE-2025-1914) |
| CVE-2025-1915 | Edge | Chromium: Improper Limitation of Pathname to Restricted Directory in DevTools (CVE-2025-1915) |
| CVE-2025-1916 | Edge | Chromium: Use after Free in Profiles (CVE-2025-1916) |
| CVE-2025-1917 | Edge | Chromium: Inappropriate Browser UI Implementation (CVE-2025-1917) |
| CVE-2025-1918 | Edge | Chromium: Out of Bounds Read in PDFium (CVE-2025-1918) |
| CVE-2025-1919 | Edge | Chromium: Out of Bounds Read in Media (CVE-2025-1919) |
| CVE-2025-1921 | Edge | Chromium: Inappropriate Media Stream Implementation (CVE-2025-1921) |
| CVE-2025-1922 | Edge | Chromium: Inappropriate Selection Implementation (CVE-2025-1922) |
| CVE-2025-1923 | Edge | Chromium: Inappropriate Permission Prompts Implementation (CVE-2025-1923) |
| CVE-2025-26643 | Edge | Spoofing Vulnerability in Microsoft Edge (Chromium-based) |
| CVE-2025-25001 | Edge | Spoofing Vulnerability in Microsoft Edge for iOS |
| CVE-2025-21353 | Edge | Spoofing Vulnerability in Microsoft Edge (Chromium-based) for Android |
There are 9 Adobe advisories in this month’s release.
| CVE-2025-27158 | APSB25-14 | Uninitialized Pointer Access (CWE-824) |
| CVE-2025-27159 | APSB25-14 | Use After Free (CWE-416) |
| CVE-2025-27160 | APSB25-14 | Use After Free (CWE-416) |
| CVE-2025-27161 | APSB25-14 | Out-of-Bounds Read (CWE-125) |
| CVE-2025-27162 | APSB25-14 | Uninitialized Pointer Access (CWE-824) |
| CVE-2025-27174 | APSB25-14 | Use After Free (CWE-416) |
| CVE-2025-24431 | APSB25-14 | Out-of-Bounds Read (CWE-125) |
| CVE-2025-27163 | APSB25-14 | Out-of-Bounds Read (CWE-125) |
| CVE-2025-27164 | APSB25-14 | Out-of-Bounds Read (CWE-125) |
Appendix E: Impacted Windows Server Releases
This table lists vulnerabilities in the March release that affect various Windows Server versions from 2008 to 2025. The table distinguishes among major versions of the platform and highlights critical-severity issues in red; an “x” indicates the CVE is not applicable to that version. Administrators should use this as a reference to determine their exposure levels. Note that the situation may vary, especially with products out of mainstream support. For specific Knowledge Base numbers, please refer to Microsoft resources.
| 2008 | 2008-R2 | 2012 | 2012-R2 | 2016 | 2019 | 2022 | 2022 23H2 | 2025 | |
| CVE-2024-9157 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-21180 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-21247 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-24035 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | |
| ID-2025-24044 | × | × | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24045 | × | × | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24046 | × | × | × | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24048 | × | × | × | × | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24050 | × | × | × | × | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24051 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24054 | × | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24055 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24056 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24059 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24061 | × | × | × | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24064 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24066 | × | × | × | × | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24067 | × | × | × | × | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24071 | × | × | × | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24072 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24076 | × | × | × | × | × | × | × | ■ | ■ |
| ID-2025-24084 | × | × | × | × | × | × | ■ | ■ | ■ |
| ID-2025-24983 | ■ | ■ | ■ | ■ | ■ | × | × | × | × |
| ID-2025-24984 | × | × | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24985 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24987 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24988 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24991 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24992 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24993 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24994 | × | × | × | × | × | × | × | × | × |
| ID-2025-24995 | × | × | × | × | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24996 | × | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-24997 | × | × | × | × | × | × | ■ | ■ | ■ |
| ID-2025-25008 | × | × | × | × | ■ | ■ | ■ | ■ | ■ |
| ID-2025-26633 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| ID-2025-26645 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
About Author
