Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive Labs' Cyber Threat Research Team reviews these patch notes for the standout vulnerabilities you need to know about.
Windows NTFS / FAT Remote Code Execution Vulnerability
Top of the list for patching in this monthly release is a set of four CVEs actively being exploited by threat actors. All four relate to a remote code execution vulnerability associated with mounting Virtual Hard Disk files. They are tracked separately as CVE-2025-24984, CVE-2025-24985, CVE-2025-24991 and CVE-2025-24993, so when it comes to patch management ensure all four are covered.
It is important to note that whilst the title classifies this as Remote Code Execution, it is not actually exploitable over the network and requires a local action to be taken by the user.
Specifically, the exploit relies on the attacker crafting a malicious VHD file and convincing a user to open or mount it. VHDs are Virtual Hard Disks and are typically associated with storing the operating system for virtual machines.
Whilst they are more typically associated with Virtual Machines, we have seen examples over the years where threat actors use VHD or VHDX files as part of phishing campaigns to smuggle malware payloads past AV solutions. Depending on the configuration of Windows systems, simply double-clicking on a VHD file could be enough to mount the container and, therefore, execute any payloads contained within the malicious file.
Organizations should check their security tools for any VHD files being sent via email or downloaded from the internet, and consider adding security rules or blocks for these file types where they are not required.
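The check above is easy to defeat if a rule looks only at the file extension, because a VHD renamed to .pdf still mounts once the user double-clicks it after renaming. The following is an added example (not Immersive Labs' or Microsoft's code) of an attachment scanner that recognises VHD and VHDX containers by their on-disk signatures as well as by extension. The VHD footer cookie "conectix" and the VHDX file-type identifier "vhdxfile" are the published format markers; the sample message, addresses and attachment contents are constructed for the demonstration.

```python
"""Flag VHD / VHDX disk images in mail attachments by content signature, not
just by extension. Added example, not Immersive Labs' or Microsoft's code."""
import email
from email import policy
from email.message import EmailMessage
from pathlib import Path
from typing import Dict, List, Optional

# VHDX files begin with the 8-byte file type identifier "vhdxfile".
VHDX_SIGNATURE = b"vhdxfile"
# VHD files end with a 512-byte hard disk footer whose cookie is "conectix";
# dynamic and differencing VHDs also carry a copy of that footer at offset 0.
VHD_COOKIE = b"conectix"
VHD_FOOTER_SIZE = 512
# Extensions the article recommends blocking where they are not required.
BLOCKED_EXTENSIONS = {".vhd", ".vhdx"}


def detect_disk_image(data: bytes) -> Optional[str]:
    """Return 'vhdx', 'vhd', or None, judged purely from the bytes."""
    if data.startswith(VHDX_SIGNATURE):
        return "vhdx"
    if data.startswith(VHD_COOKIE):
        return "vhd"
    if len(data) >= VHD_FOOTER_SIZE and data[-VHD_FOOTER_SIZE:].startswith(VHD_COOKIE):
        return "vhd"
    return None


def classify_attachment(filename: str, data: bytes) -> Dict:
    """Decide whether one attachment should be held, and record why."""
    ext = Path(filename).suffix.lower()
    image_type = detect_disk_image(data)
    reasons: List[str] = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if image_type and ext not in BLOCKED_EXTENSIONS:
        # A disk image under a harmless-looking extension is exactly the
        # case an extension-only rule misses.
        reasons.append(f"{image_type} signature under extension {ext or '(none)'}")
    elif image_type:
        reasons.append(f"{image_type} signature confirmed")
    return {"filename": filename, "image_type": image_type,
            "block": bool(reasons), "reasons": reasons}


def scan_eml(raw: bytes) -> List[Dict]:
    """Classify every attachment of an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        results.append(classify_attachment(name, payload))
    return results


# Constructed sample data: a minimal fixed VHD (data + footer) and a VHDX header.
SAMPLE_VHD = b"\x00" * 1024 + VHD_COOKIE + b"\x00" * (VHD_FOOTER_SIZE - len(VHD_COOKIE))
SAMPLE_VHDX = VHDX_SIGNATURE + b"\x00" * 1016
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample, not a real document\n"


def build_sample_eml() -> bytes:
    """Construct a test message: a VHD renamed to .pdf, a PDF, and a plain .vhdx."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(SAMPLE_VHD, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf")
    msg.add_attachment(SAMPLE_PDF, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    msg.add_attachment(SAMPLE_VHDX, maintype="application", subtype="octet-stream",
                       filename="backup.vhdx")
    return bytes(msg)


if __name__ == "__main__":
    for result in scan_eml(build_sample_eml()):
        print(result)
```

Running the block prints one verdict per attachment: the renamed VHD is held because of its footer cookie even though its extension is .pdf, the PDF passes, and the .vhdx is held on both extension and signature. A mail gateway would apply the same two tests to archive members as well, since VHDs often arrive inside a ZIP.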
CVE-2025-26633 - 7.0 - Microsoft Management Console Security Feature
Another vulnerability at the top of the list for patching this cycle is a CVE in the Microsoft Management Console, tracked as CVE-2025-26633, which is being actively exploited by threat actors in the wild.
Very little information is given by Microsoft on what an attack looks like, other than to say it can be used to bypass a security feature locally and that “an attacker needs to take additional actions prior to exploitation”.
The vulnerability report goes on to say that social engineering is required to convince a user to open a malicious file, which can be sent via email or downloaded from a compromised website.
Microsoft Management Console files sent over email or via downloads will typically have a .msc extension, so threat hunters or security teams looking for signs of exploitation, or looking to proactively defend against this threat, should start by looking for .msc files being executed from untrusted locations.
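As an added example of that hunt (not Immersive Labs' or Microsoft's code), the script below runs over process-creation events, isolates launches of mmc.exe, pulls the .msc path out of the command line, and rates it by where it was opened from. The JSON event shape (Image, CommandLine, ParentImage, User) and the list of untrusted locations are assumptions for the demonstration, and every sample event is constructed; in a real hunt the lines would come from Sysmon Event ID 1 or Windows Security event 4688 exports.

```python
"""Hunt process-creation events for Microsoft Management Console (mmc.exe)
loading .msc files from locations a user or attacker controls. Added example,
not Immersive Labs' code; event shape and sample lines are constructed."""
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Locations an .msc should not normally be launched from (assumed hunting list).
UNTRUSTED_LOCATIONS = [
    (re.compile(r"\\Users\\[^\\]+\\Downloads\\", re.I), "user Downloads folder"),
    (re.compile(r"\\AppData\\Local\\Temp\\", re.I), "user Temp folder"),
    (re.compile(r"\\Windows\\Temp\\", re.I), "Windows Temp folder"),
    (re.compile(r"\\Users\\Public\\", re.I), "Public profile"),
    (re.compile(r"^\\\\"), "UNC network path"),
]
# Built-in consoles (compmgmt.msc, services.msc, ...) live under the Windows directory.
WINDOWS_DIR = re.compile(r"^[A-Z]:\\Windows\\", re.I)
# A quoted or bare command-line argument ending in .msc
MSC_ARG = re.compile(r'"([^"]+?\.msc)"|(\S+?\.msc)(?=\s|$)', re.I)


def msc_paths(command_line: str) -> List[str]:
    """Extract every .msc argument from a command line, quoted or not."""
    return [quoted or bare for quoted, bare in MSC_ARG.findall(command_line)]


def rate_location(path: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious .msc location, else None."""
    for pattern, label in UNTRUSTED_LOCATIONS:
        if pattern.search(path):
            return ("high", f".msc launched from {label}")
    if not WINDOWS_DIR.match(path):
        return ("medium", ".msc outside the Windows directory")
    return None


def hunt(lines: Iterable[str]) -> List[Dict]:
    """Run the detection over JSON-lines process-creation events."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        image = event.get("Image", "")
        if not image.lower().endswith("\\mmc.exe"):
            continue
        for path in msc_paths(event.get("CommandLine", "")):
            rating = rate_location(path)
            if rating:
                severity, reason = rating
                alerts.append({"severity": severity, "reason": reason, "msc": path,
                               "user": event.get("User"),
                               "parent": event.get("ParentImage")})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Invoice_March.msc"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"C:\Windows\System32\mmc.exe C:\Windows\System32\compmgmt.msc /s",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\bob"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\carol\AppData\Local\Temp\7zO1\report.msc"',
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe", "User": r"CORP\carol"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"C:\Windows\System32\mmc.exe \\fileshare\public\update.msc",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\dave"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Tools\custom_admin.msc"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\erin"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Downloads\notes.msc",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
]]


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The medium tier exists because a console launched from, say, C:\Tools is not evidence of compromise on its own; administrators do build custom consoles, so that tier is for review rather than an automatic response, while the high tier (Downloads, Temp, Public, UNC shares) is the pattern a phishing delivery produces.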
CVE-2025-24035 - 8.1 - Windows Remote Desktop Services Remote Code
Windows Remote Desktop is a feature that allows users to connect to their computer remotely, where they can access their desktop and all of their apps, files, and network resources. CVE-2025-24035 is a critical-severity vulnerability in Windows Remote Desktop Services that allows an attacker to remotely connect to a system holding the Remote Desktop Gateway role and trigger a race condition that creates a use-after-free condition, which can then be leveraged to execute arbitrary code.
An attacker with arbitrary code execution on a vulnerable machine is a very dangerous prospect: they can deploy malware onto compromised machines, enumerate the network, pursue broader objectives such as propagating malware and malicious tooling across the network, and potentially disable security tooling to evade detection.
CVE-2025-24061 - Windows Mark of the Web Security Feature Bypass Vulnerability
The Mark of the Web (MoTW) feature was introduced in Windows 7 for all files downloaded through Internet Explorer and was later extended to all browsers. MoTW is a Windows security feature that tags files downloaded from the internet with a Zone.Identifier alternate data stream (ADS) so that Windows can enforce security restrictions and warn users before execution.
This particular vulnerability (CVE-2025-24061) has a high chance of exploitation, as the conditions that need to be met to exploit it are far less demanding than for the other vulnerabilities reported. Using either a malicious website or an email, attackers would aim to trick users into viewing their content. Attackers can also use a specially crafted .url file to trick users into accessing their content.
MoTW bypass vulnerabilities have become increasingly popular since 2015, and similar recent vulnerabilities such as CVE-2025-0411 have gained the attention of threat actors. MoTW remains an attractive target because threat actors want to drop malware onto victim machines from the internet, and MoTW alongside SmartScreen is designed to prevent exactly that. Attackers aiming to bypass MoTW want their files to arrive on the victim machine without a Zone.Identifier stream so that the file is not flagged as a threat by SmartScreen. In some instances, bypassing MoTW prevents the large red malicious-file warning box from being displayed to the user, telling them not to run the file. Instead, an older grey box is displayed, so it is not as obvious to the user that the file they are attempting to run is malware.
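Because the whole class of bypass comes down to whether a downloaded file carries a Zone.Identifier stream with an Internet zone, a useful defender check is to audit a downloads folder for files that lack one. The following is an added example (not Immersive Labs' or Microsoft's code) that reads the stream through the NTFS "file:Zone.Identifier" path syntax, parses the INI-style [ZoneTransfer] block, and summarises each file. The zone numbering (0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted) is the standard URL security zone table; the sample stream text is constructed, and audit_directory() only finds streams when run against an NTFS volume on Windows.

```python
"""Audit downloaded files for the Mark of the Web: read the Zone.Identifier
alternate data stream, parse it, and report files that arrived without one.
Added example, not Immersive Labs' or Microsoft's code."""
import os
from typing import Dict, List, Optional

# Standard URL security zone numbers used in ZoneId.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# NTFS exposes the stream as <file>:Zone.Identifier to ordinary file APIs.
STREAM_SUFFIX = ":Zone.Identifier"


def parse_zone_identifier(text: str) -> Dict[str, Optional[object]]:
    """Parse the INI-style [ZoneTransfer] block; ZoneId becomes an int or None."""
    fields: Dict[str, Optional[object]] = {"ZoneId": None, "ReferrerUrl": None, "HostUrl": None}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_block = line.lower() == "[zonetransfer]"
            continue
        if in_block and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key == "ZoneId":
                try:
                    fields["ZoneId"] = int(value)
                except ValueError:
                    fields["ZoneId"] = None  # malformed ZoneId: treat as absent
            elif key in fields:
                fields[key] = value
    return fields


def read_zone_identifier(path: str) -> Optional[str]:
    """Return the raw stream text, or None when the file has no Zone.Identifier
    (or the filesystem has no alternate data streams at all)."""
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def assess(filename: str, stream_text: Optional[str]) -> Dict:
    """Summarise whether MoTW-based checks will treat this file as internet-sourced."""
    if stream_text is None:
        return {"file": filename, "has_motw": False, "zone": None, "zone_name": None,
                "finding": "no Zone.Identifier stream: MoTW restrictions will not apply"}
    fields = parse_zone_identifier(stream_text)
    zone = fields["ZoneId"]
    if zone is None:
        finding = "Zone.Identifier present but ZoneId missing or malformed"
    elif zone >= 3:
        finding = "marked as Internet or Restricted sites zone: MoTW protections apply"
    else:
        finding = "marked as a local or intranet zone: treated as trusted"
    return {"file": filename, "has_motw": True, "zone": zone,
            "zone_name": ZONE_NAMES.get(zone, "unknown"), "finding": finding,
            "host_url": fields["HostUrl"], "referrer_url": fields["ReferrerUrl"]}


def audit_directory(directory: str) -> List[Dict]:
    """Assess every regular file in a folder (meaningful on NTFS only)."""
    results = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results.append(assess(name, read_zone_identifier(path)))
    return results


# Constructed sample stream, in the CRLF form browsers write it.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/downloads/\r\n"
                 "HostUrl=https://example.invalid/downloads/setup.exe\r\n")


if __name__ == "__main__":
    print(assess("setup.exe", SAMPLE_STREAM))
    print(assess("setup.exe", None))
    for entry in audit_directory(os.path.expanduser("~/Downloads")):
        if not entry["has_motw"]:
            print("no MoTW:", entry["file"])
```

Files that show up as "no Zone.Identifier stream" are worth a second look when they came from a browser or mail client, because a missing stream is the outcome every bypass in this class is trying to produce; the HostUrl and ReferrerUrl fields, when present, also give incident responders the download origin without needing browser history.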
CVE-2025-24983 - 7.0 - Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
This vulnerability in the Windows Win32 Kernel Subsystem (CVE-2025-24983) allows an attacker to exploit a use-after-free condition, leading to an elevation of privileges on affected systems. Exploitation requires a local attacker with low privileges to win a race condition, and Microsoft rates the attack complexity as high. However, successful exploitation could grant the attacker SYSTEM-level privileges – in other words, control of the machine at the highest level of privilege. Microsoft has confirmed that exploitation of this vulnerability has been detected. With a CVSS score of 7.0, users are advised to patch to mitigate the risk. Privilege escalation vulnerabilities feature in almost every attack path and could allow an attacker to disable security tooling, bypass security mechanisms, or steal sensitive credentials with tools like Mimikatz.