For March’s Patch Tuesday, 57 fixes — and 7 zero-days

Friday, March 14, 2025, 19:52, by ComputerWorld
For so few patches from Microsoft this month (57), we have seven zero-days to manage (with a “Patch Now” recommendation for Windows) and standard release schedules for Microsoft Office, Microsoft browsers (Edge) and Visual Studio. 

Adobe is back with a critical update for Reader, but it’s not been paired (at least for now) with a Microsoft patch.

To navigate what’s changed, the team from Readiness has crafted this useful infographic detailing the risks of deploying these updates to each platform. (And here’s a look at the last six months of Patch Tuesday releases.)

Known issues 

Microsoft is still dealing with reported gaming issues (Roblox) and has two new known issues for this release cycle, including:

Windows 11: After installing the March update, USB-connected dual-mode printers supporting both USB Print and IPP Over USB may print random text, network commands, and unusual characters, often starting with “POST /ipp/print HTTP/1.1.” This issue can be mitigated using Known Issue Rollback (KIR).

Windows 10: After installing Windows updates from Jan. 14, 2025 or later, the Windows Event Viewer might log an error related to SgrmBroker.exe as Event 7023, though this does not trigger any visible notifications. This error occurs because the System Guard Runtime Monitor Broker Service, originally part of Microsoft Defender and no longer in use, conflicts with the update during initialization. According to Microsoft, this reported issue does not impact system performance, functionality, or security, as the service is already disabled in other supported Windows versions.

Following previous reports of Citrix-related update issues, devices with Citrix Session Recording Agent (SRA) version 2411 could (still) be unable to complete the installation of the January 2025 Windows security update, causing the system to revert to previous updates after a restart. Affected devices might initially download and apply the update, but an error message stating “Something didn’t go as planned” appears during installation. This issue is expected to affect only a limited number of organizations, as version 2411 of SRA is newly released, and home users are not affected. Don’t count on this issue being fixed soon, folks.
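
The Windows 10 Event 7023 issue above lends itself to a log triage check that separates the known SgrmBroker noise from other service failures logged under the same event ID. The following PowerShell is an added example, not code from the article or from Microsoft; the function name `Split-Event7023`, the category labels and the sample records are constructed for illustration, and the match strings are the service names the article gives.

```powershell
# Added example: triage Service Control Manager Event 7023 on Windows 10.
# Tags the SgrmBroker entries described in the known issue and leaves every
# other 7023 marked for investigation, so tuning out the noise does not hide
# real service failures.
function Split-Event7023 {
    param(
        [Parameter(ValueFromPipeline)] $Record,
        # Service names as given in the article; matched against the message text.
        [string[]] $BenignPattern = @('SgrmBroker', 'System Guard Runtime Monitor Broker')
    )
    begin {
        $regex = ($BenignPattern | ForEach-Object { [regex]::Escape($_) }) -join '|'
    }
    process {
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Category    = if ($Record.Message -match $regex) { 'KnownIssue-SgrmBroker' } else { 'Investigate' }
            Message     = $Record.Message
        }
    }
}

# Constructed sample records (not real log output) so the function runs anywhere.
# 'Example Backup Agent' is a hypothetical service; '<code>' stands in for the error value.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2025-03-12T08:01:00'
                       Message = 'The System Guard Runtime Monitor Broker service terminated with the following error: <code>' }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-03-12T08:02:00'
                       Message = 'The Example Backup Agent service terminated with the following error: <code>' }
)
$sample | Split-Event7023 | Format-Table TimeCreated, Category

# On a Windows 10 host, feed it the live System log instead.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7023
    StartTime    = [datetime]'2025-01-14'   # earliest update date named in the article
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Split-Event7023 |
    Group-Object Category |
    Select-Object Name, Count
```

Any record that lands in `Investigate` is a different service failing and falls outside the known issue.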

Major revisions and mitigations

Microsoft has not released or documented any mitigations or workarounds for the current set of updates. As of now, the following Chromium patches have been revised and re-released:

CVE-2025-1920: Type Confusion in V8 (Chromium)

CVE-2025-2135: Type Confusion in V8 (Chromium)

CVE-2025-2136: Use After Free in Inspector (Chromium)

CVE-2025-2137: Out of Bounds Read in V8 (Chromium)

CVE-2025-24201: Out of Bounds Write in GPU on Mac (Chromium)

Windows lifecycle and enforcement updates

Microsoft is retiring several products this month:

Microsoft SQL Server 2019, which ended mainstream support on Feb. 28. 

Microsoft Skype, which will be terminated (with prejudice) in May.

Windows Remote Desktop, which will be replaced next month with the Windows App. (Note: there are still some missing features and several known issues reported in this release.)

Over the next few weeks, several Microsoft products are scheduled to reach their end-of-life (EOL), and will no longer receive security updates, non-security updates, or technical support including:

April 2, 2025: Dynamics 365 Business Central on-premises (2023 release wave 2, version 23.x).

April 8, 2025: Dynamics GP 2015/Dynamics GP 2015 R2.

April 9, 2025: Microsoft Configuration Manager, Version 2309.

Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance based on a large application portfolio and a comprehensive analysis of the patches and their potential impact on Windows and application deployments.

For this release cycle, there are no reported functional changes. However, feature level testing will still be required, especially for system drivers and core libraries. Due to these low-level system (kernel) changes, a full reboot/restart test will be required for all Windows UI elements including Explorer, desktop shell and Internet Explorer.

We have grouped the critical updates and required testing efforts into different functional areas, including:

File System components

Common Log File System: Test by creating a BLF and multiple container files, appending logs using `ReserveAndAppendLog`, and then deleting the containers.

Core System drivers (ntfs.sys, exfat.sys & fastfat.sys): Test mounting, dismounting, and performing file operations on ExFAT volumes.

Networking and remote services

If using a Routing and Remote Access Service (RRAS) server, test `netsh` scenarios to confirm commands work as expected.

FAX: Validate TAPI initialization, shutdown, and key functions like `lineInitialize` and `lineMakeCall`. Stress test for stability and error handling.

Storage and device interaction

Focus on storage subsystem tests, including operations on virtual/physical disks and storage enclosures.

Test how Search Connector files interact with various network paths (UNC, SMB, and file system paths).

Validate all camera-related scenarios.

Audio, video and UI components

Verify audio/video recording with internal and external devices.

Test apps like Teams and Camera that use virtual features (for example, Phone Link, Windows Studio Effects).

Affected Versions for this update cycle include the following Windows desktop and server builds:

Windows 11 24H2, 23H2, 22H2, Windows 10 1607, Windows 10 RTM.

Windows Server 23H2, Azure Stack OS 22H2, Windows Server 2022 

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

Browsers (Microsoft IE and Edge) 

Microsoft Windows (both desktop and server) 

Microsoft Office

Microsoft Exchange and SQL Server 

Microsoft Developer Tools (Visual Studio and .NET)

Adobe (if you get this far) 

Browsers

Microsoft released 10 low-profile (no rating) updates to its Chromium-based Edge browser. These changes can be added to your standard release calendar.

Microsoft Windows

The following Windows product areas have been updated with five critical patches and 32 others rated important for this month’s cycle:

CVE-2025-24035: Windows Remote Desktop Services Remote Code Execution Vulnerability

CVE-2025-24064: Windows Domain Name Service Remote Code Execution Vulnerability

CVE-2025-24084: Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability

CVE-2025-26645: Remote Desktop Client Remote Code Execution Vulnerability

Unfortunately, three of these updates (CVE-2025-24984, CVE-2025-24984 and CVE-2025-24984) have been reported as exploited. Add these Windows updates to your “Patch Now” schedule.

Microsoft Office

Microsoft released a single critical update (CVE-2025-24057) and 10 patches rated important for the Office platform. All of the important updates affect Microsoft Word, Excel and Access with no reports of disclosures or exploitation. Add these Microsoft Office updates to your standard release calendar.

Microsoft Exchange and SQL Server

There were no updates for either Microsoft Exchange or SQL Server this March update cycle.

Developer tools

Microsoft released five patches, all rated important, that affect Microsoft Visual Studio and ASP.NET. Add these updates to your standard developer release schedule.

Adobe (and third-party updates)

This month, Adobe released a security update (APSB25-14) for Acrobat and Reader for Windows and macOS that addresses six critical and three important vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak. Adobe is not aware of any exploits in the wild for any of the issues. For some reason this update was not included in this Microsoft patch cycle. Maybe that’s as it should be.
https://www.computerworld.com/article/3846112/for-marchs-patch-tuesday-57-fixes-and-7-zero-days.html
