
The Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) Catalog to include six newly identified vulnerabilities in Microsoft products. This action underscores the urgency of addressing these actively exploited vulnerabilities, which pose significant risks to organizational and individual security.
Overview of the Microsoft Vulnerabilities
1. CVE-2024-49035: Microsoft Partner Center Privilege Escalation
- Type: Privilege Escalation.
- Component: Microsoft Partner Center.
- Description: This vulnerability arises due to improper access controls in Microsoft Partner Center, a platform widely used by enterprises and managed service providers for managing cloud services, licenses, and customer accounts.
- Impact: Exploitation enables unauthenticated attackers to escalate privileges, thereby gaining unauthorized access to sensitive organizational data, executing commands with elevated rights, and potentially deploying malware or initiating lateral movement within networks.
- Severity: CVSS Score of 9.8 (critical).
- Exploitation Evidence: Actively exploited in real-world attacks, particularly targeting cloud environments managed via Partner Center.
- Mitigation: Microsoft has implemented automatic patch deployment to the cloud-based Power Apps that underpin Partner Center functionality. Organizations must validate that these patches have been applied and monitor associated cloud operations for unusual activity.
2. CVE-2025-24057: Microsoft Office Remote Code Execution (RCE)
- Type: Remote Code Execution.
- Component: Microsoft Office.
- Description: This vulnerability allows attackers to execute arbitrary code remotely by tricking users into opening maliciously crafted Office files. The exploitation typically occurs through phishing emails containing compromised documents.
- Impact: Attackers gain the ability to compromise user systems, exfiltrate sensitive data, and potentially deploy ransomware or other malware.
- Severity: High, given its potential for widespread use in phishing campaigns.
- Exploitation Evidence: Heavily exploited in recent targeted attacks aimed at enterprises, especially through spear-phishing campaigns targeting financial, healthcare, and public sector organizations.
- Mitigation: Apply the latest Microsoft Office updates. Train users to recognize and avoid suspicious email attachments or links, and implement email filtering mechanisms to block phishing attempts.
3. CVE-2025-24985: Windows Fast FAT File System Driver RCE
- Type: Remote Code Execution.
- Component: Windows Fast FAT File System Driver.
- Description: An integer overflow vulnerability in the FAT File System driver allows attackers to execute arbitrary code by using specially crafted Virtual Hard Disk (VHD) files.
- Impact: Successful exploitation can lead to full system compromise, allowing attackers to manipulate data, deploy malicious software, or escalate privileges.
- Exploitation Evidence: Actively used in targeted attacks, particularly in scenarios involving untrusted VHD files distributed through phishing campaigns or malicious file-sharing platforms.
- Mitigation: Organizations must ensure all affected systems are updated with the latest patches and restrict access to VHD files from untrusted or unknown sources.
4. CVE-2025-24993: Windows NTFS Remote Code Execution (RCE)
- Type: Remote Code Execution.
- Component: Windows NTFS.
- Description: A heap-based buffer overflow vulnerability in the NTFS file system, triggered by malicious VHD files, can be exploited to execute arbitrary code on target systems.
- Impact: High-risk vulnerability enabling attackers to gain full control over affected machines remotely. This poses a significant threat to environments using shared or distributed storage.
- Exploitation Evidence: Widely exploited by attackers to infiltrate enterprise systems.
- Mitigation: Apply the latest Windows updates. Monitor network activity for any attempts to mount or access suspicious VHD files, and restrict usage where possible.
5. CVE-2025-26633: Microsoft Management Console (MMC) Security Feature Bypass
- Type: Security Feature Bypass.
- Component: Microsoft Management Console (MMC).
- Description: Attackers can bypass security restrictions by crafting malicious files or URLs that, when opened in MMC, allow execution of unauthorized commands or scripts.
- Impact: Affects IT administrators who use MMC to manage system resources. Once the restriction is bypassed, attackers can gain control over sensitive configurations and administrative tools.
- Exploitation Evidence: Actively leveraged in attacks targeting IT environments, particularly in enterprise-level organizations.
- Mitigation: Implement user training to avoid opening suspicious files or links. Apply the latest security updates and review security feature configurations in MMC.
6. CVE-2025-26630: Windows Kernel Elevation of Privilege
- Type: Elevation of Privilege (EoP).
- Component: Windows Kernel.
- Description: This vulnerability allows attackers to escalate privileges by exploiting improperly secured kernel processes. Public details about this flaw were disclosed before a patch was released, increasing its attractiveness for exploitation.
- Impact: Attackers can gain unauthorized access to system-level resources, enabling activities such as disabling security tools, modifying critical settings, or executing malicious commands with administrative privileges.
- Exploitation Evidence: Public disclosure led to rapid exploitation in the wild, targeting both individual and enterprise systems.
- Mitigation: Apply the latest updates to Windows systems. Restrict administrative privileges to essential personnel only and monitor kernel activity for unusual behavior.
Implications of Inclusion in CISA's KEV Catalog
- Active Exploitation Confirmation: The inclusion of these vulnerabilities in the KEV Catalog confirms they are being actively exploited in real-world attacks, increasing their urgency for remediation.
- Mandatory Remediation for Federal Agencies: Under Binding Operational Directive (BOD) 22-01, federal agencies are required to remediate these vulnerabilities by March 18, 2025. This directive reflects their severity and the need for immediate action.
- Broader Industry Impact: While CISA’s directive applies to Federal Civilian Executive Branch (FCEB) agencies, organizations across all industries are strongly advised to prioritize remediation to mitigate risks effectively.
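The practical way to act on a KEV addition is to consume the catalog feed rather than read the announcement: each entry carries a dueDate, and the gap between that date and today is the remediation clock described above. The following Python script is an added example, not code from the article or from CISA. It parses a constructed excerpt in the KEV JSON schema (the CVE IDs, products and the March 18, 2025 due date are taken from the article; the KEV_FEED_URL constant, the placeholder non-Microsoft entry and all other field values are assumptions), filters to Microsoft entries, and classifies each as open, due soon, or overdue relative to a chosen date.

```python
"""Triage a CISA KEV feed excerpt against BOD 22-01 due dates.

Added example for this article; not the article's or CISA's own code.
"""
import json
from datetime import date

# Published location of the live KEV feed (assumed standard CISA URL; not fetched
# here so the example runs offline). Replace SAMPLE_KEV_JSON with its contents
# to triage the real catalog.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the KEV JSON schema. CVE IDs, products and the
# 2025-03-18 due date come from the article; the ExampleCorp entry is a
# placeholder included only to show vendor filtering.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-49035", "vendorProject": "Microsoft",
         "product": "Partner Center", "dueDate": "2025-03-18"},
        {"cveID": "CVE-2025-24057", "vendorProject": "Microsoft",
         "product": "Office", "dueDate": "2025-03-18"},
        {"cveID": "CVE-2025-24985", "vendorProject": "Microsoft",
         "product": "Windows Fast FAT File System Driver", "dueDate": "2025-03-18"},
        {"cveID": "CVE-2025-24993", "vendorProject": "Microsoft",
         "product": "Windows NTFS", "dueDate": "2025-03-18"},
        {"cveID": "CVE-2025-26633", "vendorProject": "Microsoft",
         "product": "Management Console", "dueDate": "2025-03-18"},
        {"cveID": "CVE-2025-26630", "vendorProject": "Microsoft",
         "product": "Windows Kernel", "dueDate": "2025-03-18"},
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleCorp",
         "product": "Placeholder Product", "dueDate": "2025-04-01"},
    ],
})


def load_kev(raw_json):
    """Return the list of vulnerability records from a KEV feed document."""
    return json.loads(raw_json)["vulnerabilities"]


def triage(entries, today, vendor="Microsoft", warn_days=7):
    """Classify each entry for `vendor` by days remaining until its dueDate.

    `today` may be a datetime.date or an ISO date string. Rows are sorted so the
    most urgent items come first.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for entry in entries:
        if entry.get("vendorProject") != vendor:
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        if days_left < 0:
            status = "overdue"
        elif days_left <= warn_days:
            status = "due-soon"
        else:
            status = "open"
        rows.append({
            "cve": entry["cveID"],
            "product": entry.get("product", ""),
            "due": entry["dueDate"],
            "days_left": days_left,
            "status": status,
        })
    rows.sort(key=lambda r: (r["days_left"], r["cve"]))
    return rows


def status_counts(rows):
    """Summarise triage rows into counts per status bucket."""
    counts = {"overdue": 0, "due-soon": 0, "open": 0}
    for row in rows:
        counts[row["status"]] += 1
    return counts


if __name__ == "__main__":
    rows = triage(load_kev(SAMPLE_KEV_JSON), "2025-03-14")
    for r in rows:
        print(f"{r['cve']:<16} {r['product']:<36} due {r['due']} "
              f"({r['days_left']:+d}d) {r['status']}")
    print(status_counts(rows))
```

Run as-is it reports all six Microsoft entries as due-soon with four days left; pointing it at the live feed (read KEV_FEED_URL with urllib and pass the body to load_kev) turns it into a daily check that flags anything past its BOD 22-01 deadline. Non-federal organizations can keep the same script and simply treat the dueDate as a target rather than a mandate.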
Recommended Mitigation Strategies
1. Patch Management
- Apply all relevant patches immediately for affected systems, including Microsoft Office, Windows, and MMC.
- Use automated patch management tools to ensure consistent deployment across enterprise environments.
2. Endpoint Protection
- Deploy advanced Endpoint Detection and Response (EDR) solutions to monitor for exploitation attempts targeting these vulnerabilities.
- Regularly audit system logs and configurations to identify indicators of compromise (IoCs).
3. Network Security Enhancements
- Restrict access to administrative tools like MMC to internal or trusted networks only.
- Implement network segmentation to isolate sensitive resources and minimize the impact of potential exploits.
4. User Awareness Training
- Educate users about phishing risks, including avoiding untrusted email attachments, links, and VHD files.
- Promote the use of secure communication channels for file sharing and collaboration.
5. Privileged Access Management (PAM)
- Limit administrative privileges to essential personnel and enforce multi-factor authentication (MFA) for all administrative accounts.
Final Thoughts
The addition of these six vulnerabilities to the CISA KEV Catalog underscores their criticality and the active threats they pose to systems. Organizations must act swiftly by applying patches, enhancing monitoring capabilities, and implementing robust access controls. Proactive measures, combined with user education, will significantly reduce exposure and improve resilience against these exploitation attempts.