U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds six Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
- CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
- CVE-2025-24984 Microsoft Windows NTFS Information Disclosure Vulnerability
- CVE-2025-24985 Microsoft Windows Fast FAT File System Driver Integer Overflow Vulnerability
- CVE-2025-24991 Microsoft Windows NTFS Out-Of-Bounds Read Vulnerability
- CVE-2025-24993 Microsoft Windows NTFS Heap-Based Buffer Overflow Vulnerability
- CVE-2025-26633 Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability
Below are the descriptions of these flaws, which Microsoft addressed with the Patch Tuesday security updates for March 2025:
- CVE-2025-24983 (CVSS 7.0): A use-after-free vulnerability in the Windows Win32 Kernel Subsystem that enables authorized attackers to escalate privileges locally.
- CVE-2025-24984 (CVSS 4.6): An NTFS information disclosure flaw that lets attackers with physical access and a malicious USB device read portions of heap memory.
- CVE-2025-24985 (CVSS 7.8): An integer overflow in the Windows Fast FAT File System Driver allowing unauthorized local code execution.
- CVE-2025-24991 (CVSS 5.5): An out-of-bounds read vulnerability in NTFS that permits authorized attackers to access sensitive information.
- CVE-2025-24993 (CVSS 7.8): A heap-based buffer overflow in NTFS that allows unauthorized local code execution.
- CVE-2025-26633 (CVSS 7.0): An improper neutralization flaw in Microsoft Management Console that lets unauthorized attackers bypass security features locally.
ESET researchers, who discovered CVE-2025-24983, reported that the zero-day has been exploited since March 2023. The flaw enables attackers with low privileges to escalate to SYSTEM privileges, but exploitation requires winning a race condition. The exploit, linked to the PipeMagic backdoor, has targeted unsupported Windows versions such as Server 2012 R2 and 8.1, but the flaw also affects Windows 10 (build 1809 and earlier) and Server 2016.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix these vulnerabilities by April 1st, 2025.
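The KEV catalog is published as a JSON feed, so the due-date check BOD 22-01 imposes can be automated. The following added example (not code from CISA or the article) triages a list of still-unremediated CVEs against a constructed feed sample that mirrors the feed's field names; the Windows entries use this page's CVE IDs and due date, and the two `CVE-0000-…` IDs are placeholders.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's known_exploited_vulnerabilities.json
# feed (same field names). The Windows entries use this page's CVE IDs and the
# 1 April 2025 due date; the CVE-0000-00000 entry is a placeholder added only to
# show an overdue item.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-24983", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Win32k Use-After-Free Vulnerability",
         "dueDate": "2025-04-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-26633", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability",
         "dueDate": "2025-04-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00000", "vendorProject": "PlaceholderVendor", "product": "PlaceholderProduct",
         "vulnerabilityName": "Placeholder entry (constructed)",
         "dueDate": "2025-03-20", "knownRansomwareCampaignUse": "Known"},
    ],
})

def load_kev(feed_text):
    """Index the KEV feed by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}

def triage(kev, open_cves, today_iso, soon_days=14):
    """Return the open CVEs that appear in KEV with their due-date status.

    open_cves: CVE IDs your patch tooling still reports as unremediated.
    CVEs absent from KEV are dropped; results are sorted by due date.
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for cve in open_cves:
        entry = kev.get(cve)
        if entry is None:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        status = "overdue" if days_left < 0 else "due_soon" if days_left <= soon_days else "scheduled"
        rows.append({"cve": cve, "name": entry["vulnerabilityName"], "due": entry["dueDate"],
                     "days_left": days_left, "status": status,
                     "ransomware": entry["knownRansomwareCampaignUse"]})
    rows.sort(key=lambda r: r["due"])  # ISO dates sort correctly as strings
    return rows

if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    # CVE-0000-00001 is a placeholder for an open CVE that is not in KEV.
    for r in triage(kev, ["CVE-2025-24983", "CVE-0000-00000", "CVE-0000-00001"], "2025-03-25"):
        print(f'{r["status"]:9} {r["cve"]} due {r["due"]} ({r["days_left"]:+d} days) {r["name"]}')
```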
A few days ago, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog.