Little fires all over the place for March Patch Tuesday – Sophos Information

Microsoft on Tuesday launched 57 patches affecting 10 product households. Six of the addressed points are thought of by Microsoft to be of Essential severity, and 9 have a CVSS base rating of 8.0 or greater. Six, all affecting Home windows, are below lively exploit within the wild. One problem has been publicly disclosed however not but publicly exploited.

At patch time, 11 further CVEs usually tend to be exploited within the subsequent 30 days by the corporate’s estimation. 4 of this month’s points are amenable to direct detection by Sophos merchandise, and we embody data on these within the regular desk under.

Along with these patches, the discharge consists of advisory data on Servicing Stack Updates, in addition to on the month’s 12 Edge patches, which have been launched a number of days earlier. 9 Adobe Reader points are additionally coated.

We’re as all the time together with on the finish of this submit further appendices itemizing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base rating, and by product household; an appendix masking the advisory-style updates; and a breakout of the patches affecting the assorted Home windows Server platforms nonetheless in help.

By the numbers

• Complete CVEs: 57
• Publicly disclosed: 1
• Exploit detected: 6
• Severity
  • Essential: 6
  • Vital: 51
• Impression
  • Distant code execution: 23
  • Elevation of privilege: 23
  • Info disclosure: 4
  • Safety characteristic bypass: 3
  • Spoofing: 3
  • Denial of service: 1
• CVSS base rating 9.0 or higher: 0
• CVSS base rating 8.0 or higher: 9

Determine 1: Distant code execution points and elevation of privilege bugs are equally prevalent this month, however all of the critical-severity issues are RCE

• Home windows: 37
• 365: 11
• Workplace: 11
• Azure: 4
• Visible Studio: 4
• Excel: 3
• Phrase: 2
• .NET: 1
• ASP.NET: 1
• Entry: 1

As is our customized for this listing, CVEs that apply to a couple of product household are counted as soon as for every household they have an effect on.

Determine 2: Home windows as ever accounts for the lion’s share of patches, together with a less-common client-only problem (CVE-2025-24994). Observe that the 365 and Workplace tallies are for a similar 11 CVEs

Notable March updates

Along with the problems mentioned above, quite a lot of particular gadgets benefit consideration.

CVE-2025-24057 — Microsoft Workplace Distant Code Execution Vulnerability

A heap-based buffer overflow problem affecting each 365 and Workplace may permit an unauthorized get together to execute code domestically – and it really works in Preview Pane.

CVE-2025-26645 — Distant Desktop Shopper Distant Code Execution Vulnerability

Ranking each a CVSS Base rating of 8.8 and a Microsoft designation of Essential severity, this can be a relative path traversal problem in RDC. All supported variations of the consumer and server in addition to in Distant Desktop Shopper for Home windows are susceptible. An attacker controlling a Distant Desktop server may use this to set off RCE on a susceptible consumer when it connects.

CVE-2025-21180 – Home windows exFAT File System Distant Code Execution Vulnerability
CVE-2025-24985 — Home windows Quick FAT File System Driver Distant Code Execution Vulnerability
CVE-2025-24984 — Home windows NTFS Info Disclosure Vulnerability
CVE-2025-24991 – Home windows NTFS Info Disclosure Vulnerability
CVE-2025-24992 — Home windows NTFS Info Disclosure Vulnerability
CVE-2025-24993 — Home windows NTFS Distant Code Execution Vulnerability

A tricky month for file methods. Quick FAT is carefully associated to the traditional FAT (File Allocation Desk) system and primarily sees responsibility today for reminiscence gadgets, together with USB keys, SD playing cards, and floppies (!). exFAT, the “extra fashionable” model of FAT, was launched virtually twenty years in the past and freed customers from the outdated 4GB file-size restrict; the “ex” means “prolonged.” For each of these bugs, the attacker must trick a person on a susceptible system into mounting a specifically crafted and malicious VHD. Of the 4 NTFS points, CVE-2025-24984 requires bodily entry to the goal machine (to plug in a USB). The opposite three look like much like the VHD points described above. Three of the NTFS points and the Quick FAT problem are already below exploit within the wild; the opposite two usually tend to be so throughout the subsequent 30 days.

CVE-2024-9157 — Synaptics: CVE-2024-9157 Synaptics Service Binaries DLL Loading Vulnerability

Not a lot is certainly identified but about this Synaptics-issued CVE, however what we do know signifies it’s doubtlessly disagreeable: The elevation-of-privilege drawback exists in Synaptics’ Audio Results audio-enhancement part, it’s a DLL-loading bug, and Microsoft considers it to be amongst these extra prone to be exploited within the subsequent month. The excellent news is that the most recent builds of Window are, Microsoft assures the world, not susceptible.

Determine 3: With the primary quarter of 2025 accounted for, RCE points have simply crossed the 100-CVE mark

Sophos direct protections

As you’ll be able to each month, in case you don’t wish to wait in your system to tug down Microsoft’s updates itself, you’ll be able to obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe instrument to find out which construct of Home windows 10 or 11 you’re working, then obtain the Cumulative Replace bundle in your particular system’s structure and construct quantity.

Appendix A: Vulnerability Impression and Severity

It is a listing of March patches sorted by influence, then sub-sorted by severity. Every listing is additional organized by CVE.

Distant Code Execution (23 CVEs)

Elevation of Privilege (23 CVEs)

Info Disclosure (4 CVEs)

Safety Characteristic Bypass (3 CVEs)

Spoofing (3 CVEs)

Denial of Service (1 CVE)

Appendix B: Exploitability and CVSS

It is a listing of the March CVEs judged by Microsoft to be both below exploitation within the wild or extra prone to be exploited within the wild throughout the first 30 days post-release. The listing is additional organized by CVE.

It is a listing of March CVEs with a Microsoft-assessed CVSS Base rating of 8.0 or greater. They’re organized by rating and additional sorted by CVE. For extra data on how CVSS works, please see our collection on patch prioritization schema.

Appendix C: Merchandise Affected

It is a listing of March’s patches sorted by product household, then sub-sorted by severity. Every listing is additional organized by CVE. Patches which might be shared amongst a number of product households are listed a number of instances, as soon as for every product household. Points affecting Home windows Server are additional sorted in Appendix E.

Home windows (37 CVEs)

365 (11 CVEs)

Workplace (11 CVEs)

Azure (4 CVEs)

Visible Studio (4 CVEs)

Excel (3 CVEs)

Phrase (2 CVEs)

ASP.NET (1 CVE)

.NET (1 CVE)

Entry (1 CVE)

Appendix D: Advisories and Different Merchandise

It is a listing of advisories and data on different related CVEs within the March Microsoft launch. The problems addressed in these CVEs have already been mitigated by Chrome, however have been listed within the launch within the pursuits of transparency. Observe that CVE-2025-21353 applies specifically to Android.

Microsoft data:

There are 9 Adobe advisories on this month’s launch.

Appendix E: Affected Home windows Server variations

It is a desk of CVEs within the March launch affecting 9 Home windows Server variations, 2008 via 2025. The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). Essential-severity points are marked in purple; an “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to determine their particular publicity, as every reader’s state of affairs, particularly because it issues merchandise out of mainstream help, will differ. For particular Data Base numbers, please seek the advice of Microsoft.