Choose your own Patch Tuesday adventure: Start with six zero-day fixes, or six critical flaws
theregister.co.uk
Patch Tuesday: Microsoft’s Patch Tuesday bundle has appeared, with a dirty dozen flaws competing for your urgent attention – six of them rated critical and another six already being exploited by criminals.
Let’s start with the six already exploited vulnerabilities, three of which impact Windows NTFS.
The first is CVE-2025-24993 - a heap-based buffer overflow in NTFS used by Windows Server 2008 and later systems, as well as Windows 10 and 11. The flaw makes remote code execution (RCE) a possibility and is fairly simple to exploit, Redmond warns.
Though it's technically an RCE, it requires some local action, such as getting a user to mount a malicious virtual hard disk (VHD) image, as Redmond explains: "This type of exploit is sometimes referred to as arbitrary code execution. The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine ...
Copyright of this story solely belongs to theregister.co.uk.