Microsoft: 6 Zero-Days in March 2025 Patch Tuesday

Microsoft today released more than 50 security patches for its various Windows operating systems, including fixes for a staggering six zero-day vulnerabilities that are already being actively exploited.

Microsoft Unveils Six Critical Zero-Day Vulnerabilities in March 2025 Patch Tuesday Release

Among the zero-days are CVE-2025-24991 and CVE-2025-24993, both flaws in NTFS, the standard file system for Windows and Windows Server. Both require the attacker to trick a victim into mounting a malicious virtual hard disk. CVE-2025-24993 may enable local code execution, whereas CVE-2025-24991 could cause NTFS to disclose portions of memory.

Microsoft credits researchers from ESET with identifying the zero-day labeled CVE-2025-24983, an elevation of privilege vulnerability in older versions of Windows. ESET said the exploit was deployed through the PipeMagic backdoor, which is capable of exfiltrating data and allowing remote access to the device.

ESET’s Filip Jurčacko noted that this exploit specifically targets older versions of Windows: Windows 8.1 and Server 2012 R2. Although still used by millions, these products have been out of security support for more than a year, and mainstream support ended several years before that. Nonetheless, ESET notes that the vulnerability is also present in more recent Windows versions, such as Windows 10 build 1809 and the still-supported Windows Server 2016.

According to Rapid7’s lead software engineer Adam Barnett, Windows 11 and Server 2019 and later versions are not listed as receiving patches, indicating they are likely not susceptible.

“It remains unclear why newer Windows products have evaded this particular issue,” Barnett mentioned. “The Windows 32 subsystem is still presumably operational, as there is no evident indication of its discontinuation on the deprecated features list for the Windows client OS.”

The zero-day CVE-2025-24984 is another NTFS flaw, one that can be exploited by inserting a malicious USB drive into a Windows machine. Barnett noted that Microsoft’s advisory on this issue does not fully connect the dots, but successful exploitation seemingly means that portions of heap memory could be improperly dumped into a log file, which could then be combed through by an attacker seeking privileged information.

“A comparatively low CVSSv3 base score of 4.6 indicates the real-world challenges of exploitation; however, a determined attacker can occasionally attain remarkable outcomes starting from the slightest advantages, and Microsoft rates this vulnerability as significant on its proprietary severity ranking system,” Barnett explained.

Another zero-day addressed this month, CVE-2025-24985, could allow attackers to introduce malicious code. Like the NTFS bugs, it requires the user to mount a malicious virtual hard drive.
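Because CVE-2025-24991, CVE-2025-24993 and CVE-2025-24985 all depend on a user mounting a malicious virtual hard disk, one defensive check is to flag VHD/VHDX files in download or attachment folders by content rather than by extension. The following is an added example, not code from Microsoft or the researchers cited; the function names and sample files are constructed for illustration, and it relies on the standard VHD footer cookie `conectix` and the VHDX file signature `vhdxfile`.

```python
import tempfile
from pathlib import Path

VHD_COOKIE = b"conectix"      # starts the 512-byte VHD footer
VHDX_SIGNATURE = b"vhdxfile"  # starts every VHDX file
DISK_EXTENSIONS = {".vhd", ".vhdx"}

def identify_disk_image(path):
    """Return 'vhd', 'vhdx' or None from file content, ignoring the name."""
    size = Path(path).stat().st_size
    with open(path, "rb") as fh:
        head = fh.read(8)
        if head == VHDX_SIGNATURE:
            return "vhdx"
        if head == VHD_COOKIE:   # dynamic VHDs keep a footer copy at offset 0
            return "vhd"
        if size >= 512:          # fixed VHDs carry only the trailing footer
            fh.seek(size - 512)
            if fh.read(8) == VHD_COOKIE:
                return "vhd"
    return None

def scan_tree(root):
    """Return (name, type, disguised) for each virtual disk found under root."""
    findings = []
    for p in sorted(q for q in Path(root).rglob("*") if q.is_file()):
        try:
            kind = identify_disk_image(p)
        except OSError:
            continue             # unreadable file: skip it, keep scanning
        if kind:                 # disguised = extension hides the disk image
            findings.append((p.name, kind, p.suffix.lower() not in DISK_EXTENSIONS))
    return findings

def build_demo_tree():
    """Write constructed sample files (not real disk images) to a temp dir."""
    root = tempfile.mkdtemp(prefix="vhdscan_")
    samples = {
        "invoice.vhdx": VHDX_SIGNATURE + b"\0" * 1024,
        "report.pdf": b"\0" * 2048 + VHD_COOKIE + b"\0" * 504,  # renamed fixed VHD
        "notes.txt": b"plain text, mentions conectix mid-file only\n" * 20,
    }
    for name, data in samples.items():
        Path(root, name).write_bytes(data)
    return root

if __name__ == "__main__":
    print(scan_tree(build_demo_tree()))
```

A hit with the third field set to `True` is a disk image carrying a non-disk extension, which is the case most worth a closer look.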

The final zero-day this month is CVE-2025-26633, a vulnerability in the Microsoft Management Console, a Windows component that gives system administrators a way to configure and monitor the system. To exploit this flaw, the target must open a malicious file.

This month’s patch package from Redmond also resolves six additional vulnerabilities that Microsoft has classified as “critical,” indicating that malware or malicious actors could leverage them to take control of susceptible PCs without user intervention.

Barnett remarked that this marks the sixth consecutive month where Microsoft has revealed zero-day vulnerabilities on Patch Tuesday without classifying any of them as critically severe at the time of release.

The SANS Internet Storm Center maintains a helpful list of all Microsoft patches released today, categorized by severity. Windows enterprise administrators are advised to monitor askwoody.com, which frequently provides insight on any updates that might cause issues. Before updating, please consider backing up your data, and feel free to leave a comment below if you encounter any problems while applying this month’s updates.

