For the second month in a row, Microsoft’s Patch Tuesday updates landed with warnings that a half-dozen Windows security defects have already been exploited in the wild.
Redmond’s security response team slapped “exploitation detected” tags on six of the 57 security vulnerabilities patched this month and pushed Windows admins to prioritize another large batch of code execution flaws.
The latest exploited zero-days were addressed in the Microsoft Management Console, Windows NTFS, the Fast FAT File System Driver, and the Win32 Kernel Subsystem.
According to Microsoft documentation, the exploited bugs allow security features bypass, remote code execution, privilege escalate via memory corruption issues.
Here’s a list of the exploited zero-days:
CVE-2025-26633 — Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally. In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file or website that is designed to exploit the vulnerability. User interaction is required. Important, CVSS 7.8/10.
CVE-2025-24993 — Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally. According to Microsoft, “remote” refers to the location of the attacker. “The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.” CVSS 7.8.
CVE-2025-24991 — Out-of-bounds read in Windows NTFS allows an authorized attacker to disclose information locally. An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. An attacker can trick a local user on a vulnerable system into mounting a specially crafted VHD that would then trigger the vulnerability. CVSS 5.5.
CVE-2025-24985 — Integer overflow or wraparound in Windows Fast FAT Driver allows an unauthorized attacker to execute code locally. An attacker can trick a local user on a vulnerable system into mounting a specially crafted VHD that would then trigger the vulnerability. CVSS 7.8.
CVE-2025-24984 — Insertion of sensitive information into log file in Windows NTFS allows an unauthorized attacker to disclose information with a physical attack. An attacker needs physical access to the target computer to plug in a malicious USB drive to potentially read portions of heap memory. CVSS 4.6.
CVE-2025-24983 — Use after free in Windows Win32 Kernel Subsystem allows an authorized attacker to elevate privileges locally. Successful exploitation of this vulnerability requires an attacker to win a race condition to gain SYSTEM privileges. CVSS 7.0.
As is customary, the company did not publicly release IOCs to help defenders hunt for signs of infections.
In addition to the exploited bugs, Microsoft called immediate attention to multiple critical-severity bugs that, in some cases, allow remote code execution over the network.
These include CVE-2025-26645, documented as a relative path traversal in Remote Desktop Client that allows an unauthorized attacker to execute code over a network. “In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client,” Microsoft warned.
Redmond also urged Windows sysadmins to prioritize critical, code execution bugs in the Windows Subsystem for Linux, the Windows DNS Server, Windows Remote Desktop Service and Microsoft Office.
Related: Patch Tuesday: Microsoft Warns of Exploited Windows Zero-Days
Related: Remote Code Execution Flaw in Microsoft Message Queuing
Related: Microsoft Warns of Under-Attack Windows Kernel Flaw
Related: Microsoft Flags Major Bugs in HyperV, Exchange Server
Related: Microsoft Patches ‘Wormable’ Windows Flaw and File-Deleting Zero-Day
