Actively Exploited Zero-Day Vulnerability in Microsoft Management Console

Microsoft Management Console received a patch for CVE-2025-26633, which has a severity of Important and a CVSS score of 7.0. This RCE vulnerability could allow a remote attacker to run arbitrary code on a victim's machine after tricking the victim into either opening a malicious file from an email or message or navigating to an adversary-owned website.

Table 1. Zero-day in Microsoft Management Console
Severity | CVSS Score | CVE | Description
Important | 7.0 | CVE-2025-26633 | Microsoft Management Console Security Feature Bypass Vulnerability

Actively Exploited Zero-Day Vulnerability in Windows Kernel

All supported Windows servers and workstations received a patch for CVE-2025-24983, a vulnerability in the Win32 kernel subsystem. This CVE has a severity of Important and a CVSS score of 7.0. This elevation of privilege vulnerability allows an authenticated attacker to gain local SYSTEM privileges. This vulnerability is present in a core component of all Windows installations.

Table 2. Zero-day in Windows Win32 kernel
Severity | CVSS Score | CVE | Description
Important | 7.0 | CVE-2025-24983 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability

Four Actively Exploited Zero-Day Vulnerabilities in Windows File System Implementations

The Windows Fast FAT (File Allocation Table) driver received a patch for CVE-2025-24985, which has a severity of Important and a CVSS score of 7.8. This RCE vulnerability allows an attacker to run arbitrary code on a system locally after tricking a victim into mounting a malicious drive. Organizations are advised to disallow users from mounting arbitrary drives in order to partially mitigate the risk of this vulnerability.

Table 3. Zero-day in Windows Fast FAT driver
Severity | CVSS Score | CVE | Description
Important | 7.8 | CVE-2025-24985 | Windows Fast FAT File System Driver Remote Code Execution Vulnerability

The Windows New Technology File System (NTFS) implementation received a patch for CVE-2025-24993, which has a severity of Important and a CVSS score of 7.8. This RCE vulnerability allows an attacker to run arbitrary code on a system locally after tricking a victim into mounting a malicious drive. Organizations are advised to disallow users from mounting arbitrary drives in order to partially mitigate the risk of this vulnerability.

The Windows NTFS implementation also received a patch for CVE-2025-24991, which has a severity of Important and a CVSS score of 5.5. This information disclosure vulnerability allows a local attacker to potentially gain information from the victim computer’s heap memory by tricking the victim into mounting a malicious drive. As with CVE-2025-24993 discussed above, organizations are advised to disallow users from mounting arbitrary drives in order to partially mitigate the risk of this vulnerability.

The Windows NTFS implementation also received a patch for CVE-2025-24984, which has a severity of Important and a CVSS score of 4.6. This information disclosure vulnerability allows a physically present attacker to potentially gain information from the victim computer’s heap memory by plugging in a malicious USB device. Organizations are strongly advised to follow USB storage best practices in order to limit their exposure to this and similar vulnerabilities.

Table 4. Zero-days in Windows NTFS Driver
Severity | CVSS Score | CVE | Description
Important | 7.8 | CVE-2025-24993 | Windows NTFS Remote Code Execution Vulnerability
Important | 5.5 | CVE-2025-24991 | Windows NTFS Information Disclosure Vulnerability
Important | 4.6 | CVE-2025-24984 | Windows NTFS Information Disclosure Vulnerability
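
To check where a host stands against the removable-drive recommendations for the Fast FAT and NTFS CVEs above, the following read-only audit is an added example (not CrowdStrike or Microsoft code). It assumes restrictions are applied through the standard Windows Removable Storage Access policy key or by disabling the USBSTOR driver; the function names are hypothetical.

```powershell
# Added example: read-only audit of removable-storage restrictions on the local host.
# Assumption: restrictions are enforced via the Removable Storage Access policy
# and/or by disabling the USB mass-storage driver (USBSTOR).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-RemovableStorageAudit {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    # Device class GUID used by the "Removable Disks" policy settings.
    $diskClass  = Join-Path $policyRoot '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $usbStor    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    $denyAll   = Get-RegValue $policyRoot 'Deny_All'
    $denyRead  = Get-RegValue $diskClass  'Deny_Read'
    $denyWrite = Get-RegValue $diskClass  'Deny_Write'
    $denyExec  = Get-RegValue $diskClass  'Deny_Execute'
    $start     = Get-RegValue $usbStor    'Start'   # 3 = load on demand, 4 = disabled

    # Flag the host as restricted when policy denies all removable storage,
    # denies reads on removable disks, or the USB storage driver is disabled.
    $restricted = ($denyAll -eq 1) -or ($denyRead -eq 1) -or ($start -eq 4)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PolicyDenyAll   = $denyAll
        DiskDenyRead    = $denyRead
        DiskDenyWrite   = $denyWrite
        DiskDenyExecute = $denyExec
        UsbStorStart    = $start
        Restricted      = $restricted
    }
}

# Empty fields mean the setting is not configured on this host.
Get-RemovableStorageAudit | Format-List
```

The audit covers physical removable media settings only; it does not inspect controls on mounting disk image files, and a restricted result does not replace installing the patches.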

Publicly Disclosed Zero-Day Vulnerability in Microsoft Access

Microsoft Office Access received patches for CVE-2025-26630, which has a severity of Important and a CVSS score of 7.8. This RCE vulnerability is exploited by opening specially crafted Microsoft Access documents. Microsoft addressed similar vulnerabilities in January 2025.

Table 5. Zero-day in Microsoft Office Access
Severity | CVSS Score | CVE | Description
Important | 7.8 | CVE-2025-26630 | Microsoft Access Remote Code Execution Vulnerability

Critical Vulnerabilities in Windows Remote Desktop Services

CVE-2025-26645, CVE-2025-24045, and CVE-2025-24035 are Critical RCE vulnerabilities affecting Microsoft Windows Remote Desktop Services. CVE-2025-26645 has a CVSS score of 8.8: an attacker with control of a Remote Desktop Server could trigger remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client. CVE-2025-24035 and CVE-2025-24045, both with a CVSS score of 8.1, require the attacker to win a race condition, but CVE-2025-24035 requires the attacker to attack a system with the Remote Desktop Gateway role.

Table 6. Critical vulnerabilities in Windows Remote Desktop Services
Severity | CVSS Score | CVE | Description
Critical | 8.8 | CVE-2025-26645 | Windows Remote Desktop Services Remote Code Execution Vulnerability
Critical | 8.1 | CVE-2025-24035 | Windows Remote Desktop Services Remote Code Execution Vulnerability
Critical | 8.1 | CVE-2025-24045 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Critical Vulnerability in Windows Subsystem for Linux (WSL2) Kernel

CVE-2025-24084 is a Critical RCE vulnerability with a CVSS score of 8.4 affecting WSL2. Microsoft notes that in order to exploit this vulnerability, the attacker must either send a malicious instant message or email or entice a victim to click a link to an attacker-controlled website. As this vulnerability has multiple vectors, the risk of successful exploitation is increased.

Table 7. Critical vulnerability in Windows Subsystem for Linux
Severity | CVSS Score | CVE | Description
Critical | 8.4 | CVE-2025-24084 | Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability

Critical Vulnerability in Microsoft Windows Domain Name Service

CVE-2025-24064 is a Critical RCE vulnerability with a CVSS score of 8.1 affecting the Windows Domain Name Service (DNS). An attacker must win a race condition with the target DNS server’s dynamic DNS update message in order to exploit this vulnerability. The relative importance of DNS servers to an organization’s infrastructure necessitates that this vulnerability be patched quickly, as information held on the DNS server can be used by an adversary to gain critical information about the layout of an organization’s internal infrastructure.

Table 8. Critical vulnerability in Microsoft Windows Domain Name Service
Severity | CVSS Score | CVE | Description
Critical | 8.1 | CVE-2025-24064 | Windows Domain Name Service Remote Code Execution Vulnerability

Critical Vulnerability in Microsoft Office

CVE-2025-24057 is a Critical RCE vulnerability with a CVSS score of 7.8 affecting Microsoft Office. This vulnerability requires an attacker to trick the victim into opening a specially crafted file. Organizations are advised to remind their employees of best practices regarding phishing attacks and not to open unusual files.

Table 9. Critical vulnerability in Microsoft Office
Severity | CVSS Score | CVE | Description
Critical | 7.8 | CVE-2025-24057 | Microsoft Office Remote Code Execution Vulnerability

Patch Tuesday Dashboard in the Falcon Platform

For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our newly available Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

  • For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
  • See how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments. 
  • Learn how CrowdStrike’s external attack surface module, CrowdStrike® Falcon Surface™, can discover unknown, exposed and vulnerable internet-facing assets, enabling security teams to stop adversaries in their tracks.
  • Learn how CrowdStrike Falcon® Identity Protection products can stop workforce identity threats faster. 
  • Make prioritization painless and efficient. Watch how CrowdStrike Falcon® Spotlight enables IT staff to improve visibility with custom filters and team dashboards. 

