Welcome to the Softcat Patch Tuesday roundup for March 2025, where we offer insight into the major patches released this month. In this edition, we will focus on the patches by Microsoft, Adobe, Broadcom, Cisco, Citrix, Fortinet, Ivanti, Oracle, and SAP.
Many of the vulnerabilities addressed in today’s blog are known to have been actively exploited in the wild and should be patched as soon as feasibly possible.
Microsoft
In their March Patch Tuesday release, Microsoft has addressed 57 vulnerabilities, with 5 of those rated as Critical and 6 known to have been exploited in the wild. The patches cover a broad array of applications and services, including Windows RDP, NTFS, the FAT driver, subsystems, Visual Studio Code, the Office suite, and more. Additionally, 10 Edge/Chromium-based vulnerabilities have been identified, although no advisory notes have been issued.
This month's vulnerabilities chiefly revolve around Remote Code Execution (RCE), Elevation of Privilege (EoP), and Information Disclosure. Outlined below are the six known-exploited vulnerabilities detailed in this month’s Patch Tuesday:
Actively exploited
1. CVE-2025-24985 – This is a Remote Code Execution vulnerability in the Windows Fast FAT File System Driver that can allow an attacker to execute arbitrary code locally. It is rated as Important, with a CVSS score of 7.8. The vulnerability arises from an Integer Overflow (CWE-190) and Heap-based Buffer Overflow (CWE-122), where an attacker can trick a user into mounting a specially crafted Virtual Hard Disk (VHD), triggering the exploit and leading to arbitrary code execution.
2. CVE-2025-24993 – This is a Remote Code Execution vulnerability in Windows NTFS that can allow an attacker to execute arbitrary code locally. It is rated as Important, with a CVSS score of 7.8. The vulnerability is caused by a Heap-based Buffer Overflow (CWE-122), where an attacker can trick a user into mounting a specially crafted Virtual Hard Disk, leading to memory corruption and arbitrary code execution.
3. CVE-2025-24983 – This is an Elevation of Privilege vulnerability in the Windows Win32 Kernel Subsystem that can allow an attacker to gain SYSTEM privileges. It is rated as Important, with a CVSS score of 7.0. The vulnerability stems from a Use After Free (CWE-416) issue, requiring an attacker to win a race condition to successfully exploit it.
4. CVE-2025-26633 – This is a Security Feature Bypass vulnerability in Microsoft Management Console that can allow an attacker to bypass security protections locally. It is rated as Important, with a CVSS score of 7.0. The vulnerability arises from Improper Neutralisation (CWE-707), where an attacker can exploit it by convincing a user to open a specially crafted file, either through an email attachment or a malicious website, allowing the security bypass to occur.
5. CVE-2025-24991, CVE-2025-24984 – These are both Information Disclosure vulnerabilities in Windows NTFS that can allow an attacker to read portions of heap memory. They are both rated as Important, with CVSS scores of 5.5 and 4.6 respectively. The first vulnerability is caused by an Out-of-bounds Read (CWE-125), where an attacker can trick a user into mounting a specially crafted Virtual Hard Disk, leading to unintended memory disclosure. The second arises from the insertion of sensitive information into log files (CWE-532), allowing an attacker with physical access to extract sensitive data by plugging in a malicious USB drive.
Since all of these are known to have been exploited in the wild, users should look to patch these vulnerabilities as soon as possible to prevent potential exploitation.
Adobe
Adobe has released seven patches this month, addressing 39 vulnerabilities. The applications in question are:
· InDesign
All of these vulnerabilities are rated as a priority 3 by Adobe, meaning they relate to a product that has historically not been a target for attackers.
Broadcom (VMware)
Broadcom has released a Critical security update for multiple vulnerabilities affecting VMware ESXi, Workstation, and Fusion. The three CVEs related to this have also been added to CISA’s list of known exploited vulnerabilities, so Softcat strongly recommends implementing these updates where relevant.
Cisco
Cisco has released 10 advisories for 14 vulnerabilities since last month’s Patch Tuesday blog, with the impact ratings ranging from Informational to Critical. There has been only one Critical advisory this month; however, it addresses three vulnerabilities (with CVSS scores of up to 9.0). The Critical advisory relates to a number of Cisco Small Business routers.
Citrix
Citrix has released three security bulletins and one update since last month’s Patch Tuesday blog; only one of these is rated as Critical, but two are rated as High severity. The products affected are:
· NetScaler ADC and NetScaler Gateway
· Citrix Application Delivery Controller and Citrix Gateway Edition (update)
· Citrix Secure Access Client for Mac
· NetScaler Console and NetScaler Agent
Fortinet
Fortinet has addressed nine vulnerabilities in March, four rated as High severity and five as Medium. The products affected by the critical vulnerabilities are:
· FortiSandbox (CVE-2024-54027, CVE-2024-52961, CVE-2024-45328)
· FortiOS, FortiPAM, FortiProxy, FortiSRA, FortiWeb (CVE-2024-45324)
FortiSandbox has had a significant number of critical vulnerabilities addressed, from improper access control to escalation of privilege and even execution of unauthorised code or commands.
Ivanti
Ivanti has addressed two products in their March security update: Ivanti Neurons for MDM and Ivanti Secure Access Client (ISAC). Neither of these is known to be exploited in the wild, and only the vulnerability affecting ISAC is rated as High.
It is also worth noting that CISA has added three vulnerabilities affecting Ivanti Endpoint Manager to their list of known exploited vulnerabilities. These were addressed by Ivanti in January; if users have not yet implemented these patches, Softcat strongly recommends doing so now.
Oracle
Oracle has updated two of the CVEs listed in their January update. Due to Oracle’s extended patch update schedule (the third Tuesday of January, April, July, and October), that January update addressed 318 security patches, many of which were rated as Critical. Softcat strongly recommends reviewing these if users have not done so already.
Additionally, CISA has added one of the vulnerabilities, affecting Oracle’s Agile Product Lifecycle Management framework, to their list of known exploited vulnerabilities.
SAP
SAP has released 21 new security notes and 3 updates to previous security notes. Five of these are rated as High, with none rated as Critical this month. The products affected by the High to Very High rated CVEs are:
· SAP Commerce
· SAP NetWeaver
· SAP Commerce Cloud
· SAP Approuter
· SAP PDCE
Industrial Control Systems
Any customers utilising industrial control systems (ICS) should be aware of the following 13 security advisories regarding multiple products:
· ICSA-25-070-01 Schneider Electric Uni-Telway Driver
· ICSA-25-070-02 Optigo Networks Visual BACnet Capture Tool/Optigo Visual Networks Capture Tool
· ICSA-25-065-01 Hitachi Energy PCU400
· ICSA-25-065-02 Hitachi Energy Relion 670/650/SAM600-IO
· ICSA-25-037-02 Schneider Electric EcoStruxure (Update A)
· ICSA-25-063-01 Carrier Block Load
· ICSA-25-063-02 Keysight Ixia Vision Product Family
· ICSA-25-063-03 Hitachi Energy MACH PS700
· ICSA-25-063-04 Hitachi Energy XMC20
· ICSA-25-063-05 Hitachi Energy UNEM/ECST
· ICSA-25-063-06 Delta Electronics CNCSoft-G2
· ICSA-25-063-07 GMOD Apollo
· ICSA-25-063-08 Edimax IC-7100 IP Camera
As always, users are recommended to install the latest security updates as soon as possible to protect their systems from potential threats.
