Mar 12, 2025 | Ravie Lakshmanan | Patch Tuesday / Vulnerability

On Tuesday, Microsoft issued security patches to fix 57 security vulnerabilities in its software, including six zero-day vulnerabilities that the company claims have been actively exploited in the wild.

Of the 57 vulnerabilities, six are categorized as Critical, 50 are labeled as Important, and one is classified as Low in severity. Twenty-three of the vulnerabilities addressed are remote code execution bugs, while 22 pertain to privilege escalation.

In addition to these updates, Microsoft also addressed 17 vulnerabilities in its Chromium-based Edge browser since the last Patch Tuesday update, one of which is a spoofing flaw specific to the browser (CVE-2025-26643, CVSS score: 5.4).

The six vulnerabilities that are being actively exploited are listed below –

  • CVE-2025-24983 (CVSS score: 7.0) – A Windows Win32 Kernel Subsystem use-after-free (UAF) vulnerability that enables an authorized attacker to elevate privileges locally.
  • CVE-2025-24984 (CVSS score: 4.6) – A Windows NTFS information disclosure vulnerability that allows an attacker with physical access to a target device and the ability to plug in a malicious USB drive to potentially read portions of heap memory.
  • CVE-2025-24985 (CVSS score: 7.8) – An integer overflow vulnerability in the Windows Fast FAT File System Driver that allows an unauthorized attacker to execute code locally.
  • CVE-2025-24991 (CVSS score: 5.5) – An out-of-bounds read vulnerability in Windows NTFS that allows an authorized attacker to disclose information locally.
  • CVE-2025-24993 (CVSS score: 7.8) – A heap-based buffer overflow vulnerability in Windows NTFS that allows an unauthorized attacker to execute code locally.
  • CVE-2025-26633 (CVSS score: 7.0) – An improper neutralization vulnerability in Microsoft Management Console that allows an unauthorized attacker to bypass a security feature locally.

ESET, the company credited with discovering and reporting CVE-2025-24983, stated that it first discovered the zero-day exploit in the wild in March 2023, which was delivered via a backdoor named PipeMagic on compromised hosts.

“The vulnerability is a use-after-free in the Win32k driver,” the Slovakian company noted. “In a certain scenario achieved using the WaitForInputIdle API, the W32PROCESS structure gets dereferenced one more time than it should, causing UAF. To reach the vulnerability, a race condition must be won.”

PipeMagic, first discovered in 2022, is a plugin-based trojan that has targeted entities in Asia and Saudi Arabia, with the malware distributed in the form of a fake OpenAI ChatGPT application in late 2024 campaigns.

“One of the unique features of PipeMagic is that it generates a 16-byte random array to create a named pipe in the format \\.\pipe\1.,” Kaspersky revealed in October 2024. “It spawns a thread that continuously creates this pipe, reads data from it, and then destroys it.”

“This pipe is used for receiving encoded payloads, stop signals via the default local interface. PipeMagic usually works with multiple plugins downloaded from a command-and-control (C2) server, which, in this case, was hosted on Microsoft Azure.”
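The named-pipe behaviour Kaspersky describes above (a random-suffixed pipe under the \1. prefix, created and torn down over and over by one thread) is something a defender can hunt for in pipe-creation telemetry. The following detector is an added example, not code from the article, ESET or Kaspersky; it assumes the 16 random bytes appear hex-encoded (32 characters) after the \1. prefix, and runs over constructed Sysmon-style Event ID 17 (Pipe Created) lines written as one key=value record per line.

```python
import re
from collections import Counter

# Pipe name as Sysmon records it (without the "\\.\pipe" prefix): "\1." followed
# by the 16 random bytes, assumed here to be hex-encoded (32 characters).
PIPEMAGIC_NAME = re.compile(r"^\\1\.[0-9a-fA-F]{32}$")

# Constructed sample telemetry: Event ID 17 = pipe created, 18 = pipe connected.
# The same random pipe name being created repeatedly by one process is the
# "continuously creates this pipe ... then destroys it" pattern.
SAMPLE_LOG = """\
EventID=17 PipeName=\\1.9f2c3b6a1d4e5f70aabbccdd00112233 Image=C:\\Users\\u\\AppData\\Local\\Temp\\chatgpt.exe ProcessId=4120
EventID=17 PipeName=\\1.9f2c3b6a1d4e5f70aabbccdd00112233 Image=C:\\Users\\u\\AppData\\Local\\Temp\\chatgpt.exe ProcessId=4120
EventID=17 PipeName=\\srvsvc Image=C:\\Windows\\System32\\svchost.exe ProcessId=900
EventID=18 PipeName=\\1.9f2c3b6a1d4e5f70aabbccdd00112233 Image=C:\\Users\\u\\AppData\\Local\\Temp\\chatgpt.exe ProcessId=4120
EventID=17 PipeName=\\1.9f2c3b6a1d4e5f70aabbccdd00112233 Image=C:\\Users\\u\\AppData\\Local\\Temp\\chatgpt.exe ProcessId=4120
EventID=17 PipeName=\\1.deadbeef Image=C:\\Windows\\System32\\notepad.exe ProcessId=77
"""


def is_pipemagic_name(pipe_name):
    """True if the pipe name matches the assumed PipeMagic \\1.<32 hex> format."""
    return PIPEMAGIC_NAME.match(pipe_name) is not None


def parse_line(line):
    """Split one constructed 'key=value' record into a dict (no spaces in values)."""
    return dict(field.split("=", 1) for field in line.split())


def find_pipemagic_churn(log_text, threshold=3):
    """Return {(image, pid, pipe): count} for every process that created a
    PipeMagic-style pipe name at least `threshold` times (Event ID 17 only).
    Repeated creation of the same random name is the churn signal; a single
    creation alone is not flagged, to avoid noise from one-off matches."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event.get("EventID") != "17":
            continue  # only pipe-creation events count toward churn
        if not is_pipemagic_name(event.get("PipeName", "")):
            continue
        counts[(event["Image"], event["ProcessId"], event["PipeName"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (image, pid, pipe), n in find_pipemagic_churn(SAMPLE_LOG).items():
        print(f"suspect: {image} (pid {pid}) created {pipe} {n} times")
```

Because the suffix is random per infection, the detection keys on the fixed \1. prefix, the length of the suffix and the create/destroy churn rather than on any specific pipe name.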

The Zero Day Initiative noted that CVE-2025-26633 stems from how MSC files are handled, allowing an attacker to evade file reputation protections and execute code in the context of the current user. The activity has been linked to a threat actor tracked as EncryptHub (aka LARVA-208).

Action1 pointed out that threat actors could chain the four vulnerabilities affecting core Windows file system components