March 2025 Vulnerability Report: Critical CVEs and Exploits in the Wild

This article provides a detailed breakdown of the most critical vulnerabilities disclosed in March 2025, with a special focus on exploited zero-days, high-risk infrastructure flaws, and urgent patch advisories.

Operating Systems & Infrastructure

Microsoft Patch Tuesday (March 2025)

Microsoft patched 57 vulnerabilities in March, including six zero-days exploited in the wild and one (CVE-2025-26630, Microsoft Access) that was publicly disclosed before the fix shipped:

  • CVE-2025-24983 (use-after-free in the Win32 Kernel Subsystem): local privilege escalation to SYSTEM.

  • CVE-2025-24993 (heap-based buffer overflow in the NTFS driver): local code execution when a user is tricked into mounting a crafted VHD.

  • Three further exploited zero-days sit in the same file-system drivers and are reached through attacker-supplied storage (a crafted VHD, or for CVE-2025-24984 a malicious USB drive): CVE-2025-24984 and CVE-2025-24991 (information disclosure in NTFS) and CVE-2025-24985 (integer overflow in the Fast FAT driver, code execution). The sixth, CVE-2025-26633, is a security-feature bypass in Microsoft Management Console triggered by malicious .msc console files. All of them are local, which makes them post-access escalation and leakage primitives rather than initial-access bugs.

Network-reachable CVEs:

  • CVE-2025-24035 and CVE-2025-24045: unauthenticated RCE in Windows Remote Desktop Services (CVSS 8.1).

  • CVE-2025-24064: RCE in Windows DNS Server, labelled "Exploitation More Likely".

Advisory: apply the updates immediately. Several of these CVEs already have public exploit code or are in active attack campaigns, and the exposed RDP and DNS roles should be prioritised on internet-facing hosts.


VMware ESXi & Workstation Zero-Days (VMSA-2025-0004)

On March 4, Broadcom (VMware) patched three zero-days across ESXi, Workstation and Fusion, all exploited in the wild:

  • CVE-2025-22224 (TOCTOU race in VMCI leading to an out-of-bounds heap write, CVSS 9.3): code execution in the VMX process on the host.

  • CVE-2025-22225 (arbitrary kernel write from the VMX process, CVSS 8.2): escape from the VMX sandbox into the hypervisor kernel.

  • CVE-2025-22226 (out-of-bounds read in HGFS, CVSS 7.1): leaks VMX process memory, useful for defeating mitigations in the chain.

⚠️ Chained, these let an attacker who already holds administrator rights inside a guest escape to the hypervisor, putting every other VM on the host in reach. Microsoft Threat Intelligence Center reported the exploitation, and CISA added all three to the KEV catalog the same day.


Apple Zero-Day in WebKit (CVE-2025-24201)

Apple released emergency updates (iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2 and Safari 18.3.1) for a WebKit out-of-bounds write exploited in targeted attacks:

  • CVE-2025-24201 (CVSS 8.8): maliciously crafted web content can break out of the Web Content sandbox. Apple called it a supplementary fix for an attack first blocked in iOS 17.2 and said it was used in an "extremely sophisticated attack" against specific targeted individuals.

  • This was Apple's third exploited zero-day of 2025; the earlier two were fixed before March:

    • CVE-2025-24085 (use-after-free in CoreMedia, patched in January)

    • CVE-2025-24200 (Accessibility flaw allowing USB Restricted Mode to be disabled on a locked device, patched in February)


Linux Kernel (CVE-2025-0927 – HFS+ Heap Overflow)

  • Affects Ubuntu 22.04 and upstream kernels up to and including 6.12.

  • Heap overflow while parsing B-tree node keys in the HFS+ driver (fs/hfsplus).

  • A proof-of-concept exploit was released on March 25.

  • Triggered by mounting a crafted HFS+ image, so the practical risk is local privilege escalation wherever an unprivileged user can get an image mounted (removable-media automount on desktops, for example). Blacklisting the hfsplus module is a reasonable mitigation on systems that never need the filesystem.

Severity: High (CVSS 7.8)


Windows Subsystem for Linux 2 (WSL2) – CVE-2025-24084

  • RCE via a malicious WSL image processed by the WSL2 Linux kernel.

  • CVSS 8.4. The flaw sits in the Linux kernel Microsoft ships inside WSL2, so Windows hosts are exposed through that component rather than through Windows itself.


Application Layer Vulnerabilities

Google Chrome Zero-Day (CVE-2025-2783)

  • Incorrect handle passed across the Mojo IPC boundary on Windows: a logic flaw at the boundary between the Chrome sandbox and the Windows OS, not a memory-corruption bug.

  • CVSS 8.3. Allows escape from the renderer sandbox; in the observed attacks it was paired with a second exploit for code execution inside the renderer.

  • First Chrome zero-day exploited in 2025; fixed in Chrome 134.0.6998.177/.178 for Windows.

  • Exploited in "Operation ForumTroll", a targeted espionage campaign reported by Kaspersky that delivered the exploit through personalised phishing links.


Firefox Vulnerability (CVE-2025-2857)

  • Firefox does not use Mojo, but after reviewing the Chrome fix Mozilla found the same incorrect-handle pattern in its own IPC code on Windows.

  • No exploitation in the wild reported.

  • Patched in Firefox 136.0.4, Firefox ESR 128.8.1 and Firefox ESR 115.21.1. Windows only; other platforms are unaffected.


Microsoft Office and Excel RCEs

  • CVE-2025-24057: RCE via a malicious Office document.

  • CVE-2025-24080, CVE-2025-24081 and CVE-2025-24082: RCEs in Excel via crafted workbooks.

  • CVE-2025-26630: use-after-free RCE in Microsoft Access, publicly disclosed before the patch, so treat it as a higher priority than its rating alone suggests.


Adobe Products – 37 CVEs Patched

  • Acrobat and Acrobat Reader, Illustrator, InDesign and the Substance 3D applications.

  • Multiple critical RCEs in Acrobat Reader, the Adobe product most exposed to untrusted input through e-mail attachments and downloads.

  • No active exploitation reported, but prompt patching is recommended.


Web Apps, Libraries, and CMS

Next.js Critical Access Control Bypass (CVE-2025-29927)

  • The framework used an internal request header, x-middleware-subrequest, to stop recursive middleware invocations. Because the value was trusted from any client, an external request carrying the right header value skipped middleware entirely, and with it any authentication, authorization or redirect logic implemented there.

  • Affects self-hosted deployments of Next.js 11.1.4 through 15.2.2 that use middleware. Vercel-hosted deployments were not vulnerable.

  • Patched in 15.2.3, 14.2.25, 13.5.9 and 12.3.5. If you cannot upgrade, strip the x-middleware-subrequest header at the reverse proxy or CDN before it reaches the application.
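
As an added example (not Next.js source and not code from the advisory), the block below is a simplified reconstruction of the gate that CVE-2025-29927 bypassed, with a detection check and the edge-side mitigation beside it. The header name and the depth limit of 5 follow the public advisory; the module name "middleware" and the request objects are constructed for illustration.

```javascript
// Added example: simplified reconstruction of the middleware gate behind
// CVE-2025-29927, plus detection and an edge-side mitigation. Not Next.js code.
const SUBREQUEST_HEADER = 'x-middleware-subrequest';
const MAX_RECURSION_DEPTH = 5; // limit used by the affected 15.x releases

// Vulnerable logic, modelled on pre-15.2.3 behaviour: the framework trusted a
// request header it set for itself to stop middleware recursion. The depth was
// derived by counting the middleware's own name in the header, so a client that
// supplies MAX_RECURSION_DEPTH copies makes the framework skip middleware.
// (Older releases only checked whether the name appeared at all, so a single
// copy of e.g. "pages/_middleware" was enough there.)
function middlewareAllowedByHeader(headers, middlewareName) {
  const raw = headers[SUBREQUEST_HEADER];
  const subrequests = typeof raw === 'string' ? raw.split(':') : [];
  const depth = subrequests.filter((name) => name === middlewareName).length;
  return depth < MAX_RECURSION_DEPTH;
}

// Mitigation for deployments that cannot upgrade: remove the internal header at
// the reverse proxy / CDN so no external client can influence the gate.
// Header names are compared case-insensitively, as HTTP requires.
function stripInternalHeaders(headers) {
  const cleaned = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== SUBREQUEST_HEADER) cleaned[name] = value;
  }
  return cleaned;
}

// Detection for logs/WAF: legitimate external traffic never carries this header,
// so its presence on an inbound request is a strong bypass indicator.
function looksLikeBypassAttempt(headers) {
  return Object.keys(headers).some((name) => name.toLowerCase() === SUBREQUEST_HEADER);
}

// Does the (hypothetical) auth middleware run for this request?
// hardened=true models the header being stripped at the edge first.
function authMiddlewareRuns(headers, middlewareName, hardened) {
  const effective = hardened ? stripInternalHeaders(headers) : headers;
  return middlewareAllowedByHeader(effective, middlewareName);
}

// Constructed requests: the payload that targeted a root-level middleware.ts in
// 15.x, and an ordinary request.
const BYPASS_REQUEST_HEADERS = {
  host: 'app.example',
  [SUBREQUEST_HEADER]: Array(MAX_RECURSION_DEPTH).fill('middleware').join(':'),
};
const NORMAL_REQUEST_HEADERS = { host: 'app.example' };

console.log('unpatched, bypass payload :', authMiddlewareRuns(BYPASS_REQUEST_HEADERS, 'middleware', false)); // false
console.log('header stripped at edge   :', authMiddlewareRuns(BYPASS_REQUEST_HEADERS, 'middleware', true));  // true
console.log('bypass attempt detected   :', looksLikeBypassAttempt(BYPASS_REQUEST_HEADERS));                  // true
```

The payload has to name the actual middleware module (for example "src/middleware" when the file lives under src/), which is why exploit tooling for this bug tried several variants; the detection check does not care about the value and flags the header's presence alone.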


Axios SSRF (CVE-2025-27152)

  • When a request is given an absolute URL while baseURL is configured, axios sends it to that absolute URL instead of under baseURL. Before the fix, the Node http adapter ignored allowAbsoluteUrls: false, so an application that built request paths from user input could be steered to any host.

  • Affects 0.x releases before 0.30.0 and 1.x releases from 1.0.0 through 1.8.1; fixed in 0.30.0 and 1.8.2.

  • Consequence: SSRF against internal services (cloud metadata endpoints, admin APIs) and leakage of any credentials the client attaches by default, since headers or cookies configured for baseURL travel to the attacker-chosen host.
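
The following added example (not axios code and not from the advisory) shows the failure mode in plain JavaScript using only the WHATWG URL API, so it runs without the library: a resolver that behaves like the vulnerable adapter, and a guard that rejects absolute and scheme-relative paths and confines the result to baseURL's origin and path prefix. The base URL, the metadata address and the function names are illustrative.

```javascript
// Added example: the CVE-2025-27152 failure mode and a guard for it. Not axios
// code; it uses only the standard URL API. BASE_URL and the paths are constructed.

// What the vulnerable adapter effectively did: hand the path to a standard URL
// resolver. A path carrying its own scheme ("http://...") or a leading "//" is a
// complete URL to the resolver, so baseURL is silently discarded.
function naiveResolve(baseURL, userPath) {
  return new URL(userPath, baseURL).href;
}

// Guard: accept only plain relative paths and prove the result is still under
// baseURL's origin and path prefix. Throws on anything else.
function resolveAgainstBase(baseURL, userPath) {
  if (typeof userPath !== 'string' || userPath.length === 0) {
    throw new Error('path must be a non-empty string');
  }
  // Reject "scheme:" and "//host" (and "\\host", which some parsers treat as
  // "//host") before resolution rather than trying to parse them "safely".
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(userPath) || /^[\\\/]{2}/.test(userPath)) {
    throw new Error(`absolute or scheme-relative path rejected: ${userPath}`);
  }
  const base = new URL(baseURL);
  const resolved = new URL(userPath, base);
  // "../" traversal stays on the same origin but can walk out of the API prefix
  // (e.g. from /v1/ to /admin); require the prefix to survive resolution.
  if (resolved.origin !== base.origin || !resolved.pathname.startsWith(base.pathname)) {
    throw new Error(`resolved URL escapes base: ${resolved.href}`);
  }
  return resolved.href;
}

// Boolean wrapper for call sites that prefer to log-and-skip over throwing.
function isSafePath(baseURL, userPath) {
  try {
    resolveAgainstBase(baseURL, userPath);
    return true;
  } catch (_err) {
    return false;
  }
}

// Constructed inputs: an internal API base and the kind of path an attacker
// supplies to reach a cloud metadata service.
const BASE_URL = 'https://api.internal.example/v1/';
const METADATA = 'http://169.254.169.254/latest/meta-data/';

console.log(naiveResolve(BASE_URL, METADATA));             // the request leaves for the metadata host
console.log(resolveAgainstBase(BASE_URL, 'users/42'));     // https://api.internal.example/v1/users/42
console.log(isSafePath(BASE_URL, METADATA));               // false
console.log(isSafePath(BASE_URL, '//attacker.example/x')); // false
console.log(isSafePath(BASE_URL, '../admin'));             // false
```

Pass the returned href to the HTTP client with no baseURL of its own. On axios 1.8.2 or later, also set allowAbsoluteUrls: false on the instance; the guard above is independent of the client and keeps working if the library is swapped.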


WordPress Plugin LFI (WP Ghost – CVE-2025-26909)

  • Unauthenticated local file inclusion: the plugin's file-serving path did not validate the requested file. It can be escalated to RCE with techniques such as php:// filter chains where the server configuration permits.

  • CVSS: 9.6.

  • Affects WP Ghost versions before 5.4.02.


Joomla Sourcerer RCE (CVE-2025-22204)

  • Unauthenticated remote PHP code injection in the Sourcerer extension before 11.0.0. Sourcerer exists to embed PHP and scripts in articles, so a filter bypass there is code execution by design.

  • CVSS 9.8.

  • Fix released March 11; update Sourcerer and review recently edited articles for injected code.


GitHub Actions Supply Chain Attack (CVE-2025-30066)

  • On March 14 an attacker with access to the tj-actions/changed-files repository retroactively pointed nearly all of its version tags at a malicious commit, so every workflow referencing the action by tag pulled the backdoor on its next run.

  • The injected step ran a Python script that dumped the memory of the Runner.Worker process and printed the secrets it found, double-base64 encoded, into the job log; for public repositories that made the secrets readable by anyone.

  • GitHub temporarily removed the repository and it was restored in a cleaned state. The durable fix is to reference third-party actions by full commit SHA rather than by tag, and to rotate any secret that appeared in logs of jobs that ran during the compromise window.
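
As an added example (not GitHub or tj-actions code), here is a small checker that scans workflow YAML for `uses:` references that are not pinned to a full 40-hex commit SHA, which is the control that would have kept the moved tags from taking effect. The workflow text is constructed, and the all-zero SHA in it is a placeholder rather than a real commit.

```javascript
// Added example: a checker for unpinned `uses:` references in GitHub Actions
// workflow YAML. Not GitHub or tj-actions code; the workflow text is constructed
// and the 40-hex SHA in it is a placeholder, not a real commit.

const FULL_SHA = /^[0-9a-f]{40}$/i;

// "uses: owner/repo[/path]@ref" with an optional list dash and quotes. Local
// references ("./.github/actions/x") and "docker://" images have no "@ref" in
// this form and are deliberately not matched.
const USES_LINE = /^\s*-?\s*uses:\s*["']?([^\s"'@]+)@([^\s"'#]+)["']?/;

function parseUses(workflowText) {
  const refs = [];
  workflowText.split('\n').forEach((line, index) => {
    const match = USES_LINE.exec(line);
    if (match) refs.push({ line: index + 1, action: match[1], ref: match[2] });
  });
  return refs;
}

// A reference is pinned only when it is a full commit SHA. Tags (v45, v4.2.2)
// and branches (main) are mutable: whoever controls the repository can move
// them, which is exactly what happened to tj-actions/changed-files.
function findUnpinned(workflowText, { allowOwners = [] } = {}) {
  return parseUses(workflowText).filter(({ action, ref }) => {
    const owner = action.split('/')[0];
    if (allowOwners.includes(owner)) return false; // owners you choose to trust by tag
    return !FULL_SHA.test(ref);
  });
}

// Constructed workflow: two tag-pinned steps, one SHA-pinned step with the
// human-readable version kept in a comment, one local action, one run step.
const SAMPLE_WORKFLOW = `
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0000000000000000000000000000000000000000 # v45.0.7 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - run: echo "build"
`;

for (const { line, action, ref } of findUnpinned(SAMPLE_WORKFLOW)) {
  console.log(`line ${line}: ${action}@${ref} is not pinned to a commit SHA`);
}
```

Keep the version in a trailing comment next to the SHA so dependency-update tooling can still propose upgrades, and run the check in CI against .github/workflows so a new unpinned reference fails the build instead of quietly widening the trust boundary.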


Network Equipment & Services

Fortinet RCE + Auth Bypass (CVE-2025-24472)

  • FortiOS and FortiProxy: an unauthenticated attacker can obtain super-admin privileges via crafted CSF proxy requests.

  • Exploited by the "Mora_001" operator behind SuperBlack ransomware (reported by Forescout), who created rogue admin accounts and VPN access before deploying the ransomware.

  • Related: CVE-2024-55591, the websocket-based authentication bypass patched in January, was used in the same campaign. Fortinet folded CVE-2025-24472 into the same advisory (FG-IR-24-535), so devices upgraded for the January fix are already protected against both.

  • CISA added CVE-2025-24472 to the KEV catalog in March, making remediation mandatory for federal agencies under BOD 22-01.


CrushFTP Critical Auth Bypass (CVE-2025-2825)

  • Authentication bypass in the S3-compatible API: a crafted Authorization header in the AWS4-HMAC-SHA256 format lets a remote attacker be treated as a known user, including the built-in crushadmin account, without a password.

  • CVSS: 9.8. CrushFTP tracked the issue as CVE-2025-31161; CVE-2025-2825 was assigned separately, so scanners may report either identifier for the same flaw.

  • Versions affected: 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.

  • Patched in 10.8.4 and 11.3.1; the DMZ proxy feature blocks the attack for deployments that cannot patch immediately. Exploitation in the wild was reported within days of disclosure.