Microsoft today issued more than 50 security updates for its various Windows operating systems, including fixes for a whopping six zero-day vulnerabilities that are already seeing active exploitation.
Two of the zero-day flaws include CVE-2025-24991 and CVE-2025-24993, both vulnerabilities in NTFS, the default file system for Windows and Windows Server. Both require the attacker to trick a target into mounting a malicious virtual hard disk. CVE-2025-24993 would lead to the possibility of local code execution, while CVE-2025-24991 could cause NTFS to disclose portions of memory.
Microsoft credits researchers at ESET with reporting the zero-day bug labeled CVE-2025-24983, an elevation of privilege vulnerability in older versions of Windows. ESET said the exploit was deployed via the PipeMagic backdoor, capable of exfiltrating data and enabling remote access to the machine.
ESET’s Filip Jurčacko said the exploit in the wild targets only older versions of Windows OS: Windows 8.1 and Server 2012 R2. Although still used by millions, security support for these products ended more than a year ago, and mainstream support ended years ago. However, ESET notes the vulnerability itself also is present in newer Windows OS versions, including Windows 10 build 1809 and the still-supported Windows Server 2016.
Rapid7’s lead software engineer Adam Barnett said Windows 11 and Server 2019 onwards are not listed as receiving patches, so are presumably not vulnerable.
“It’s not clear why newer Windows products dodged this particular bullet,” Barnett wrote. “The Windows 32 subsystem is still presumably alive and well, since there is no apparent mention of its demise on the Windows client OS deprecated features list.”
The zero-day flaw CVE-2025-24984 is another NTFS weakness that can be exploited by inserting a malicious USB drive into a Windows computer. Barnett said Microsoft’s advisory for this bug doesn’t quite join the dots, but successful exploitation appears to mean that portions of heap memory could be improperly dumped into a log file, which could then be combed through by an attacker hungry for privileged information.
“A relatively low CVSSv3 base score of 4.6 reflects the practical difficulties of real-world exploitation, but a motivated attacker can sometimes achieve extraordinary results starting from the smallest of toeholds, and Microsoft does rate this vulnerability as important on its own proprietary severity ranking scale,” Barnett said.
Another zero-day fixed this month — CVE-2025-24985 — could allow attackers to install malicious code. As with the NTFS bugs, this one requires that the user mount a malicious virtual hard drive.
The final zero-day this month is CVE-2025-26633, a weakness in the Microsoft Management Console, a component of Windows that gives system administrators a way to configure and monitor the system. Exploiting this flaw requires the target to open a malicious file.
This month’s bundle of patch love from Redmond also addresses six other vulnerabilities Microsoft has rated “critical,” meaning that malware or malcontents could exploit them to seize control over vulnerable PCs with no help from users.
Barnett observed that this is now the sixth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication.
The SANS Internet Storm Center has a useful list of all the Microsoft patches released today, indexed by severity. Windows enterprise administrators would do well to keep an eye on askwoody.com, which often has the scoop on any patches causing problems. Please consider backing up your data before updating, and leave a comment below if you experience any issues applying this month’s updates.
Microsoft still hasn’t released a fix for the racism and sexism of MAGA cult members currently being exploited by President Musk.
Ok Mr. Trump
“flaw requires the target to open a malicious file.”
“Both require the attacker to trick a target into mounting a malicious virtual hard disk.”
“exploited by inserting a malicious USB drive into a Windows computer.”
If there were some way to block malice we’d be set.
STFU, make your own blog for your political tears to drip into
“…unless we do something about [busing to desegregate schools], my children are going to grow up in a jungle, the jungle being a racial jungle” –Joe Biden, 1977
“You cannot go to a 7-Eleven or a Dunkin’ Donuts unless you have a slight Indian accent.” –Joe Biden 2006
Tara Reade, Juanita Broaddrick, Paula Jones, Monica Lewinski, Kathleen Willey, Mary Jo Kopechne, Mimi Alford….
Hi, RK: How’s the weather in Moscow?
The updates worked ok on a win 11 24h2 system on a fast intel i7 processor machine.
One weird thing was the system asked if I wanted to reboot now and I selected to reboot now.
It started the shutdown.
The one time I looked at the screen it was starting the reboot.
The next time I looked at the screen a bit later the screen was dark so I thought it was maybe doing some update work.
After waiting a while I was concerned it had crashed. I depressed the power on button and the machine booted up fine..
So it was as though the update finished and the machine powered off.
After it came up I looked at the windows update history and it appeared that the updates got put on.
A bit scary that possibly a crash had occurred during the update process.
A comment the day after running this patch tuesday update.
Windows now struggles to bring to the forefront a pre-existing window (or make a pre-existing window the active window).
That is, if I have 3 firefox windows open and I select the firefox icon on the taskbar, it will show the 3 windows available to bring to the forefront.
The issue is if I select the second one for instance, windows seems to ignore my request.
I have to select the icon and then the second window a second time or maybe even a third time to bring the window to the forefront.
The good news is that eventually the window will come to the forefront.
Big flaws
I was never very good at readin’ or ‘ritin’ or ‘rithmetic, only gym, but don’t these two paragraphs contradict each other?
“This month’s bundle of patch love from Redmond also addresses six other vulnerabilities Microsoft has rated “critical,” meaning that malware or malcontents could exploit them to seize control over vulnerable PCs with no help from users.”
“Barnett observed that this is now the sixth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication.”
Yes, reading comprehension can be challenging.
The issue is that none of the zero-days Microsoft has warned about so far this year have earned the company’s most-dire “critical” rating, not that Microsoft hasn’t fixed any critical vulnerabilities.
This month’s bundle of patch love from Redmond also addresses six other vulnerabilities Microsoft has rated “critical,” meaning that malware or malcontents could exploit them to seize control over vulnerable PCs with no help from users.
Is there a list of programs for pcs that are the best for consumers to use at home? I have ESET, which I bought with the CPU.