
This month’s Microsoft Patch Tuesday is here and it’s a big one. Last month’s update fixed 63 vulnerabilities. This month’s update includes patches for another 57 security vulnerabilities, six of which are already being actively exploited by hackers, while cybersecurity experts describe another six as critical. These vulnerabilities require swift action, and Microsoft has advised users to update their devices to get patched ASAP.
Microsoft addressed a vulnerability registered on the CVE program as CVE-2025-24993, one of the six reported active exploits. For a successful attack, hackers need to trick users into mounting a Virtual Hard Disk (VHD); otherwise, the attack will fail. Because it is a Remote Code Execution (RCE) vulnerability, malicious actors can trick users into taking actions that trigger payloads or malware without having physical access to the computer. With a successful attack, bad actors can steal sensitive information, corrupt systems with viruses, or control the victim’s computer remotely.
Microsoft also reported that hackers are already exploiting CVE-2025-24983. Successful exploitation allows hackers to assume administrator roles and enjoy full privileges on a system. However, unlike CVE-2025-24993, this vulnerability cannot be exploited without physical access to the computer, making it less critical. Local attackers can install a backdoor, trojan, or malware, which could lead to all sorts of problems.

The other four exploited vulnerabilities are CVE-2025-26633, CVE-2025-24991, CVE-2025-24984, and CVE-2025-24985. CVE-2025-26633 allows attackers to bypass a core security feature on Windows, while CVE-2025-24984 and CVE-2025-24991 enable local attackers to read the heap memory. The last exploited zero-day, CVE-2025-24985, requires attackers to trick users into mounting a VHD, as CVE-2025-24993 does.
The update fixes 23 remote code execution security flaws, 22 vulnerabilities allowing attackers to gain special privileges, and 12 vulnerabilities that can cause security bypass, spoofing, denial of service (DoS), and information disclosure.
As expected, to give users a reasonable timeframe for updating their OS, Microsoft did not reveal details of how criminals exploit the flaws. However, users are encouraged to update their Windows PCs as soon as possible so that they are patched against all 57 vulnerabilities.
This is all we have until next month’s edition of Patch Tuesday. We urge you to keep your Windows installs safe from the relentless fingers of hackers.