This is a Patch Tuesday where the casual observer needs to pay a bit more attention. If you were to review the release notes, you might notice that the CVE count is low, that the software being updated is completely standard, and that there are no CVSS scores that fall within the realm of “Critical.” You might even be inclined to call this a nothingburger of a Patch Tuesday. You would, however, be wrong. There are 6 vulnerabilities that are listed as exploit detected, 1 that has been publicly disclosed, and 6 vulnerabilities where Microsoft has labeled the severity as “Critical”. In other words, buckle up because admins may be in for a ride.
Let’s talk about the good news this month… all 6 of the vulnerabilities that Microsoft has labeled as exploit detected are resolved with the monthly cumulative update. This means there is a single update to roll out to fix all of these at once. Thankfully, none of them require post-patch configuration steps. The same is true for 5 of the 6 critical severity vulnerabilities. A lot of our important fixes come from the same patch.
The remaining critical vulnerability (CVE-2025-24057) and the publicly disclosed vulnerability (CVE-2025-26630) both require Office updates. For those running click-to-run, there’s not a lot to do, but for those running Office 2016, there are two patches to install, one for Office and one for Access.
Fortunately, this greatly limits the amount of patching to be done to resolve the big-ticket items. However, they are big-ticket items, and with headlines likely to state “Microsoft Patches Six 0-Day Vulnerabilities”, admins will likely have a lot of questions to answer about the state of their patching.
The bad news, of course, is the sheer number of big-ticket items. 22% of the items this month are either publicly disclosed, exploited, or have a severity of critical. That number is high because of the lower number of CVEs, but it still means more work for the defenders. I feel like a lot of that work will be answering questions for higher-ups. So, if you are one of those people reading this who want to reach out to your team to see what they’re doing about Patch Tuesday… don’t. Trust that they have their process and let them run with it. There’s not a huge amount of per-machine effort involved in fixing the major issues this month, but distractions and context shifting will still slow things down. Give your team room to deploy these fixes and let them fill you in afterward.
While the already exploited vulnerabilities will be at the top of everyone’s list this month, there are two items that stood out to me. A remote code execution in DNS (CVE-2025-24064) is definitely the one that stood out the most. Microsoft has rated this critical, but thankfully said exploitation is less likely. This is likely because of Microsoft’s FAQ, which states that the attacker must send a message with “perfect timing”, and we all know how hard perfection is. Still, I’m always cautious when I see vulnerabilities in core services.
The other one is the Mark of the Web (MotW) vulnerability (CVE-2025-24061). While it is neither a 0-day nor marked critical, we have seen numerous MotW vulnerabilities make waves in the past. I would keep an eye on this one, but thankfully, due to cumulative updates, this will be patched alongside everything else.
One final note regarding cumulative updates. This month, they are a saving grace, providing a fix to most of the major issues with a single update. When this works, it is fantastic. However, the flip side is that when there is a patch issue, all of these critical vulnerabilities go unpatched. Keep an eye on the deployment of your cumulative updates and ensure that they deploy without error; otherwise, this month’s updates could end up worse than they need to be.