Microsoft<\/strong> today issued more than 50 security updates for its various Windows<\/strong> operating systems, including fixes for a whopping six zero-day vulnerabilities<\/em> that are already seeing active exploitation.<\/p>\n Two of the zero-day flaws include CVE-2025-24991<\/a> and CVE-2025-24993<\/a>, both vulnerabilities in NTFS<\/strong>, the default file system for Windows and Windows Server. Both require the attacker to trick a target into mounting a malicious virtual hard disk. CVE-2025-24993 would lead to the possibility of local code execution, while CVE-2025-24991 could cause NTFS to disclose portions of memory.<\/p>\n Microsoft credits researchers at ESET<\/strong> with reporting the zero-day bug labeled CVE-2025-24983<\/a>, an elevation of privilege vulnerability in older versions of Windows. ESET said the exploit was deployed via the PipeMagic backdoor<\/a>, capable of exfiltrating data and enabling remote access to the machine.<\/p>\n ESET\u2019s Filip<\/strong> Jur\u010dacko <\/b>said the exploit in the wild targets only older versions of Windows OS: Windows 8.1 and Server 2012 R2. Although still used by millions, security support for these products ended more than a year ago, and mainstream support ended years ago. However, ESET notes the vulnerability itself also is present in newer Windows OS versions, including Windows 10 build 1809<\/strong> and the still-supported Windows Server 2016<\/strong>.<\/p>\n Rapid7\u2019s lead software engineer Adam Barnett<\/strong> said Windows 11<\/strong> and Server 2019<\/strong> onwards are not listed as receiving patches, so are presumably not vulnerable.<\/p>\n \u201cIt\u2019s not clear why newer Windows products dodged this particular bullet,\u201d Barnett wrote. \u201cThe Windows 32 subsystem is still presumably alive and well, since there is no apparent mention of its demise on the Windows client OS deprecated features list.\u201d<\/span><\/p>\n The zero-day flaw CVE-2025-24984<\/a> is another NTFS weakness that can be exploited by inserting a malicious USB drive into a Windows computer. Barnett said Microsoft\u2019s advisory for this bug doesn\u2019t quite join the dots, but successful exploitation appears to mean that portions of heap memory could be improperly dumped into a log file, which could then be combed through by an attacker hungry for privileged information.<\/p>\n \u201cA relatively low CVSSv3 base score of 4.6 reflects the practical difficulties of real-world exploitation, but a motivated attacker can sometimes achieve extraordinary results starting from the smallest of toeholds, and Microsoft does rate this vulnerability as important on its own proprietary severity ranking scale,\u201d Barnett said.<\/p>\n Another zero-day fixed this month \u2014 CVE-2025-24985<\/a> \u2014 could allow attackers to install malicious code. As with the NTFS bugs, this one requires that the user mount a malicious virtual hard drive.<\/p>\n The final zero-day this month is CVE-2025-26633<\/a>, a weakness in the Microsoft Management Console<\/strong>, a component of Windows that gives system administrators a way to configure and monitor the system. Exploiting this flaw requires the target to open a malicious file.<\/p>\n This month\u2019s bundle of patch love from Redmond also addresses six other vulnerabilities Microsoft has rated \u201ccritical,\u201d meaning that malware or malcontents could exploit them to seize control over vulnerable PCs with no help from users.<\/p>\n Barnett observed that this is now the sixth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication.<\/p>\n The\u00a0SANS Internet Storm Center<\/a> has a useful list of all the Microsoft patches released today, indexed by severity. Windows enterprise administrators would do well to keep an eye on askwoody.com<\/a>, which often has the scoop on any patches causing problems. Please consider backing up your data before updating, and leave a comment below if you experience any issues applying this month\u2019s updates.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2022\/07\/winupdatedate.png?resize=749%2C496&ssl=1\")
<\/p>\n