Microsoft's March 2025 Patch Tuesday: 57 Vulnerabilities and a Side of Zero-Day Chaos
March 2025 Patch Tuesday has arrived, and as usual, Microsoft didn't disappoint. Well, unless you're an IT admin who actually likes getting some sleep at night, in which case you're screwed. This month, the good folks in Redmond have dished up 57 new vulnerabilities, 6 of which were already being exploited in the wild before the fix shipped (a seventh was publicly disclosed ahead of the patch). Lovely.
So what's on the menu this time?
First up, there's CVE-2025-24983, a use-after-free in the Win32k kernel subsystem that lets an attacker who already has a foothold on the machine elevate to SYSTEM. Think of it as giving a burglar who is already standing in your hallway the keys to every room, a map of your valuables, and your car keys. You know, just in case they get tired of stealing data and fancy a joyride.
Then there's CVE-2025-24985, a delightful remote code execution bug in the Windows Fast FAT File System Driver. "Remote" is doing some heavy lifting in that name: all it takes is convincing some poor unsuspecting user (we all know one) to mount a maliciously crafted Virtual Hard Disk (VHD) file, and boom, the driver parses the image and the attacker's code runs on the box.
And Microsoft Access lovers aren't off the hook either. CVE-2025-26630 kindly offers attackers another way to run arbitrary code by, you guessed it, getting someone to open a dodgy Access file. This one was publicly disclosed before the patch rather than caught being exploited, which is small comfort. Who knew Access could be dangerous? Actually, scratch that; anyone who's ever tried using it knew all along.
But the pièce de résistance is surely the NTFS side of things: a pair of NTFS information disclosure zero-days (CVE-2025-24984 and CVE-2025-24991, not to be confused with the Win32k bug above) that hand chunks of memory to anyone who can get a crafted drive or VHD image mounted, letting attackers casually stroll in and snatch sensitive information like it's going out of fashion.
Overall, here's how it breaks down:
Remote Code Execution: 23 vulnerabilities. Why attack from your chair when you can do it from the sofa?
Information Disclosure: 4 vulnerabilities. Data privacy is overrated anyway.
Security Feature Bypass: 3 vulnerabilities. So much for all those expensive security products you've proudly installed.
Elevation of Privilege: 23 vulnerabilities. Basically, it's like giving burglars the keys to the safe. Might as well leave milk and cookies out for them too.
Denial of Service: 1 vulnerability. Because sometimes, it's just fun to crash things.
Spoofing: 3 vulnerabilities. Why break in when you can simply pretend to be someone who's allowed in?
As always, Microsoft advises patching immediately; presumably to keep the hackers entertained and ensure they don't move on to Apple users (yet).
On a serious note (momentarily), patching these vulnerabilities isn't optional.
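A quick compliance check, added here as an example and not taken from the original post or any of the sources it lists: the script reads the hotfixes Windows reports as installed, compares them with the KB numbers you expect for this month's cumulative update, and flags a pending reboot, because an update that has been downloaded but not rebooted into is not a patched machine. The KB number shown is a placeholder and an assumption; replace it with the article number Microsoft Support lists for your Windows build.

```powershell
# Added example, not from the original post or any source it cites.
# Checks whether the expected cumulative update KB(s) are installed on the
# local machine and whether a reboot is still pending.
#
# $RequiredKB is an ASSUMPTION: replace it with the KB article number(s)
# Microsoft Support lists for the March 2025 cumulative update on your build.
param(
    [string[]]$RequiredKB = @('KB5053598')
)

function Test-PendingReboot {
    # Windows Update and Component Based Servicing create these keys when a
    # restart is required to finish servicing; either one present means
    # "reboot pending".
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($p in $paths) {
        if (Test-Path -Path $p) { return $true }
    }
    return $false
}

function Get-PatchStatus {
    param([string[]]$KB)

    # Get-HotFix returns the updates Windows servicing has recorded
    # (Win32_QuickFixEngineering); HotFixID is the "KBnnnnnnn" string.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = @($KB | Where-Object { $installed -notcontains $_ })

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $rebootPending = Test-PendingReboot

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Build         = $os.BuildNumber
        LastBoot      = $os.LastBootUpTime
        MissingKB     = ($missing -join ', ')
        RebootPending = $rebootPending
        Compliant     = (($missing.Count -eq 0) -and -not $rebootPending)
    }
}

$status = Get-PatchStatus -KB $RequiredKB
$status | Format-List

# Non-zero exit code so an RMM or monitoring job can alert on it.
if (-not $status.Compliant) { exit 1 }
```

Run it from an elevated prompt. Get-HotFix only sees updates recorded by Windows servicing, so it tells you nothing about the Access fix, which ships through Office; check the Click-to-Run build separately. It also cannot tell you whether the bug is exploitable on a given host, only whether the fix is present and live.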
Your MSP, assuming they're not some bottom-of-the-barrel, £5-a-month cowboy outfit, should be all over this already.
If your MSP is still faffing about, it's time to reconsider your choices. A friendly reminder: Cyber Essentials Plus certification is the bare minimum you should accept. Anything less, and you might as well be hosting your systems on a Commodore 64.
Patch early, patch often, and good luck. You'll probably need it.
| Source Name | URL |
|---|---|
| BleepingComputer | https://www.bleepingcomputer.com |
| Krebs on Security | https://krebsonsecurity.com |
| Tenable | https://www.tenable.com |
| Microsoft Support | https://support.microsoft.com |