Microsoft’s February safety replace accommodates considerably fewer vulnerabilities for admins to deal with in comparison with a month in the past, however there’s nonetheless loads in it that requires quick consideration.
Topping the checklist are two zero-day vulnerabilities that attackers are actively exploiting within the wild, two extra which are publicly identified however not exploited but, a patch for a zero-day that Microsoft disclosed in December 2024, and an assortment of different widespread vulnerabilities and exposures (CVEs) with probably extreme penalties for affected organizations.
63 CVEs, 2 Zero-Days
In whole, Microsoft launched patches for 63 distinctive CVEs, a far cry from the large 159 CVEs — together with a startling eight zero-days — that the corporate disclosed in January. Microsoft assessed 4 of the bugs it disclosed at present as being of essential severity. It rated the overwhelming majority of the remaining bugs as essential to deal with however of lesser severity for quite a lot of elements, together with assault complexity and privileges required to take advantage of the vulnerability.
The 2 actively exploited zero-day bugs on this month’s replace are CVE-2025-21418 (CVSS rating 7.8), an elevation of privilege vulnerability in Home windows Ancillary Perform Driver for WinSock, and CVE-2025-21391 (CVSS 7.1), one other elevation of privilege situation, this time affecting Home windows Storage. Per its normal follow, Microsoft’s advisories for each bugs supplied no particulars on the exploitation exercise. However safety researchers had their very own tackle why organizations want to deal with the problems ASAP.
CVE-2025-21418, as an example, solely permits a neighborhood exploit. Meaning an attacker or malicious insider should have already got entry to a goal machine, by way of a phishing assault, malicious doc, or different vector, stated Kev Breen, senior director, cyber menace analysis, at Immersive Labs. Even so, such flaws are “useful to attackers as they permit them to disable safety tooling, dump credentials, or transfer laterally throughout the community to take advantage of the elevated entry,” Breen stated in an emailed remark. An attacker who efficiently exploits the flaw can acquire SYSTEM stage privileges on the affected system, he stated, whereas recommending that organizations make the vulnerability a prime precedence to repair.
With CVE-2025-21391, the Home windows Storage zero-day, the priority will not be concerning the flaw enabling unauthorized information entry; quite, the priority is about how attackers may exploit it to have an effect on information integrity and availability. “Microsoft has outlined that if the attacker efficiently exploited this vulnerability, they might solely be capable to delete focused recordsdata on a system,” stated Natalie Silva, lead cyber safety engineer at Immersive Labs, in an emailed remark. “Microsoft has launched patches to mitigate this vulnerability. It is really useful for directors to use these instantly.”
In a weblog, researchers at Action1 described the flaw as ensuing from a weak spot in how Home windows Storage resolves file paths and follows hyperlinks. Attackers can leverage the weak spot to “redirect file operations to essential system recordsdata or consumer information, resulting in unauthorized deletion,” the safety vendor stated.
Breen really useful that organizations additionally deal with CVE-2025-21377, an NTLM hash disclosure spoofing vulnerability, as a excessive precedence bug that wants quick consideration. When Microsoft initially disclosed the bug in December 2024, it didn’t have a patch accessible for it, making the flaw a zero-day menace. “The vulnerability permits a menace actor to steal the NTLM credentials for a sufferer by sending them a malicious file,” Breen stated. “The consumer would not must open or run the executable however merely viewing the file in Explorer may very well be sufficient to set off the vulnerability.” Microsoft itself has assessed the vulnerability as one thing that menace actors usually tend to exploit
The opposite beforehand disclosed vulnerability within the February patch replace is CVE-2025-21194, a safety characteristic bypass vulnerability in Microsoft Floor.
Essential Flaws
The failings that Microsoft rated as being of essential severity on this newest replace are CVE-2025-21379 (CVSS Rating 7.1), an RCE within the DHCP shopper service; CVE-2025-21177 (CVSS Rating 8.7), a privilege elevation vulnerability in Microsoft Dynamics 365 Gross sales; CVE-2025-21381 (CVSS 7.8), a Microsoft Excel RCE; and CVE-2025-21376 (CVSS 8.1), an RCE in Home windows LDAP and the one one within the set that Microsoft recognized as extra susceptible to exploitation.
Apparently, one of many flaws that Microsoft rated as essential (CVE-2025-21177) required affected prospects to do nothing, however it is a matter that Microsoft has already addressed on its finish. This vulnerability makes use of the newer CAR (buyer motion required) attribute to establish that there isn’t any buyer actions required, says Tyler Reguly, affiliate director safety R&D at Fortra. “Whereas these info updates are good, they will bloat the variety of updates that admins could also be nervous about coping with on a Patch Tuesday,” Reguly stated in an emailed remark. “One can not help however surprise if these updates must be issued exterior of Patch Tuesday since they don’t require buyer motion.”
In the meantime, the one CVE to earn a severity rating of 9.0 on this month’s replace — (CVE-2025-21198) — is an RCE affecting Microsoft Excessive Efficiency Compute (HPC) Pack. An attacker can not exploit the flaw until they’ve entry to the community used to hook up with the high-performance cluster, Reguly stated. “This networking requirement ought to restrict the influence of what would in any other case be a extra severe vulnerability.”
