Today’s VERT Alert addresses Microsoft’s March 2025 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1147 as soon as coverage is completed.
In-The-Wild & Disclosed CVEs
According to Microsoft, improper neutralization in Microsoft Management Console could allow an unauthorized attacker to bypass a security feature locally. For those unfamiliar with “Improper Neutralization”, it is based on CWE-707, which Microsoft has associated with this vulnerability even though MITRE discourages mapping against it. Readers may better know this as Improper Input Validation or Improper Output Encoding, both of which are children of CWE-707. Microsoft has reported this vulnerability as Exploitation Detected.
This vulnerability allows for local privilege escalation to SYSTEM for an authenticated user via the Windows Win32 Kernel Subsystem, however it does require winning a race condition. Microsoft has reported this vulnerability as Exploitation Detected.
An interesting vulnerability, this CVE requires that the attacker has physical access to a system to plug in a malicious USB drive. With that access, inserting data into an NTFS log file could lead to information disclosure, allowing the attacker to read portions of heap memory. Microsoft has reported this vulnerability as Exploitation Detected.
An integer overflow in the Windows Fast FAT Driver could lead to code execution if an attacker can convince a local user to mount a malicious VHD (Virtual Hard Disk). Microsoft has reported this vulnerability as Exploitation Detected.
This CVE almost feels like a combination of CVE-2025-24984 and CVE-2025-24985. An attacker must convince a local user to mount a malicious VHD, which would trigger an out-of-bounds read in NTFS, disclosing portions of heap memory. Microsoft has reported this vulnerability as Exploitation Detected.
A heap-based buffer overflow in NTFS could allow for code execution if an attacker is able to successfully convince a local user to mount a malicious VHD. Microsoft has reported this vulnerability as Exploitation Detected.
A code execution vulnerability exists within Microsoft Access that requires an attacker to convince a local user to open a malicious Access document. Microsoft has reported this vulnerability as Exploitation Less Likely.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also color coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be highlighted.
| Tag | CVE Count | CVEs |
| Windows Remote Desktop Services | 2 | CVE-2025-24035, CVE-2025-24045 |
| Microsoft Windows | 2 | CVE-2024-9157, CVE-2025-25008 |
| Windows Win32 Kernel Subsystem | 2 | CVE-2025-24044, CVE-2025-24983 |
| .NET | 1 | CVE-2025-24043 |
| Microsoft Office | 4 | CVE-2025-24057, CVE-2025-24080, CVE-2025-24083, CVE-2025-26629 |
| ASP.NET Core & Visual Studio | 1 | CVE-2025-24070 |
| Microsoft Office Word | 3 | CVE-2025-24077, CVE-2025-24078, CVE-2025-24079 |
| Microsoft Office Excel | 3 | CVE-2025-24081, CVE-2025-24082, CVE-2025-24075 |
| Azure PromptFlow | 1 | CVE-2025-24986 |
| Windows USB Video Driver | 3 | CVE-2025-24987, CVE-2025-24988, CVE-2025-24055 |
| Windows exFAT File System | 1 | CVE-2025-21180 |
| Kernel Streaming WOW Thunk Service Driver | 1 | CVE-2025-24995 |
| Windows NTLM | 2 | CVE-2025-24996, CVE-2025-24054 |
| Windows Kernel Memory | 1 | CVE-2025-24997 |
| Visual Studio | 2 | CVE-2025-24998, CVE-2025-25003 |
| Microsoft Edge (Chromium-based) | 10 | CVE-2025-1919, CVE-2025-1916, CVE-2025-1918, CVE-2025-1917, CVE-2025-1921, CVE-2025-1915, CVE-2025-1923, CVE-2025-1922, CVE-2025-1914, CVE-2025-26643 |
| Windows MapUrlToZone | 1 | CVE-2025-21247 |
| Azure Agent Installer | 1 | CVE-2025-21199 |
| Microsoft Streaming Service | 2 | CVE-2025-24046, CVE-2025-24067 |
| Role: Windows Hyper-V | 2 | CVE-2025-24048, CVE-2025-24050 |
| Windows Routing and Remote Access Service (RRAS) | 1 | CVE-2025-24051 |
| Windows Telephony Server | 1 | CVE-2025-24056 |
| Windows Common Log File System Driver | 1 | CVE-2025-24059 |
| Windows Mark of the Web (MOTW) | 1 | CVE-2025-24061 |
| Role: DNS Server | 1 | CVE-2025-24064 |
| Windows Kernel-Mode Drivers | 1 | CVE-2025-24066 |
| Windows File Explorer | 1 | CVE-2025-24071 |
| Microsoft Local Security Authority Server (lsasrv) | 1 | CVE-2025-24072 |
| Windows Cross Device Service | 2 | CVE-2025-24076, CVE-2025-24994 |
| Windows Subsystem for Linux | 1 | CVE-2025-24084 |
| Windows NTFS | 4 | CVE-2025-24984, CVE-2025-24991, CVE-2025-24992, CVE-2025-24993 |
| Windows Fast FAT Driver | 1 | CVE-2025-24985 |
| Azure CLI | 1 | CVE-2025-24049 |
| Azure Arc | 1 | CVE-2025-26627 |
| Microsoft Office Access | 1 | CVE-2025-26630 |
| Visual Studio Code | 1 | CVE-2025-26631 |
| Microsoft Management Console | 1 | CVE-2025-26633 |
| Remote Desktop Client | 1 | CVE-2025-26645 |
Other Information
At the time of publication, there were no new advisories included with the March Security Guidance.
