Since 2022 Microsoft has patched a number of NTFS file system vulnerabilities in Windows, Tenable’s Narang said, with the majority of these flaws resulting in information disclosure or privilege escalation. However, this month Microsoft patched its second remote code execution vulnerability in NTFS in 2025. The first, CVE-2025-24993, was patched in March and was exploited in the wild as a zero-day. While this one does not appear to have been exploited, it is still certainly worth keeping an eye on, since NTFS is the primary file system used by Windows, Narang said.
Vulnerability in HPC Pack
Fortra’s Reguly flagged a critical vulnerability in the Microsoft High Performance Compute (HPC) Pack (CVE-2025-55232 ) that could allow unauthorized attackers to execute code over the network. “That makes this a CVSS 9.8 vulnerability and one that people need to pay attention to,” he said. Microsoft has provided mitigation steps for those who cannot update immediately. This is important, Reguly said, as the update for HPC Pack 2016 is to migrate to HPC Pack 2019; there is no fix for HPC Pack 2016. “Thankfully, Microsoft has labelled this as exploitation less likely, with a severity of important,” he said, “but it is still something that you’ll want to pay attention to if you have the High Performance Compute Pack deployed in your environment.”
Kevin Breen, senior director of threat research at Immersive, noted that while no Microsoft vulnerabilities this month are marked as being actively exploited in the wild, “that doesn’t mean securityteams can sit back and rest on their laurels. There are still a number of potentially high-impact vulnerabilities that should be patched quickly. Threat actors are known to try to quickly reverse engineer security patches to create working exploits before organizations have a chance to fully roll out patches; these are commonly referred to as n-day vulnerabilities.”