Microsoft’s February safety replace comprises considerably fewer vulnerabilities for admins to deal with in comparison with a month in the past, however there’s nonetheless loads in it that requires instant consideration.
Topping the listing are two zero-day vulnerabilities that attackers are actively exploiting within the wild, two extra which are publicly identified however not exploited but, a patch for a zero-day that Microsoft disclosed in December 2024, and an assortment of different widespread vulnerabilities and exposures (CVEs) with doubtlessly extreme penalties for affected organizations.
63 CVEs, 2 Zero-Days
In whole, Microsoft launched patches for 63 distinctive CVEs, a far cry from the large 159 CVEs — together with a startling eight zero-days — that the corporate disclosed in January. Microsoft assessed 4 of the bugs it disclosed as we speak as being of important severity. It rated the overwhelming majority of the remaining bugs as essential to deal with however of lesser severity for a wide range of elements, together with assault complexity and privileges required to take advantage of the vulnerability.
The 2 actively exploited zero-day bugs on this month’s replace are CVE-2025-21418 (CVSS rating 7.8), an elevation of privilege vulnerability in Home windows Ancillary Perform Driver for WinSock, and CVE-2025-21391 (CVSS 7.1), one other elevation of privilege subject, this time affecting Home windows Storage. Per its ordinary follow, Microsoft’s advisories for each bugs supplied no particulars on the exploitation exercise. However safety researchers had their very own tackle why organizations want to deal with the problems ASAP.
CVE-2025-21418, for example, solely allows an area exploit. Meaning an attacker or malicious insider should have already got entry to a goal machine, by way of a phishing assault, malicious doc, or different vector, stated Kev Breen, senior director, cyber risk analysis, at Immersive Labs. Even so, such flaws are “useful to attackers as they permit them to disable safety tooling, dump credentials, or transfer laterally throughout the community to take advantage of the elevated entry,” Breen stated in an emailed remark. An attacker who efficiently exploits the flaw can acquire SYSTEM stage privileges on the affected system, he stated, whereas recommending that organizations make the vulnerability a prime precedence to repair.
With CVE-2025-21391, the Home windows Storage zero-day, the priority shouldn’t be concerning the flaw enabling unauthorized information entry; moderately, the priority is about how attackers may exploit it to have an effect on information integrity and availability. “Microsoft has outlined that if the attacker efficiently exploited this vulnerability, they might solely be capable to delete focused recordsdata on a system,” stated Natalie Silva, lead cyber safety engineer at Immersive Labs, in an emailed remark. “Microsoft has launched patches to mitigate this vulnerability. It is really useful for directors to use these instantly.”
In a weblog, researchers at Action1 described the flaw as ensuing from a weak point in how Home windows Storage resolves file paths and follows hyperlinks. Attackers can leverage the weak point to “redirect file operations to important system recordsdata or consumer information, resulting in unauthorized deletion,” the safety vendor stated.
Breen really useful that organizations additionally deal with CVE-2025-21377, an NTLM hash disclosure spoofing vulnerability, as a excessive precedence bug that wants instant consideration. When Microsoft initially disclosed the bug in December 2024, it didn’t have a patch out there for it, making the flaw a zero-day risk. “The vulnerability permits a risk actor to steal the NTLM credentials for a sufferer by sending them a malicious file,” Breen stated. “The consumer does not must open or run the executable however merely viewing the file in Explorer could possibly be sufficient to set off the vulnerability.” Microsoft itself has assessed the vulnerability as one thing that risk actors usually tend to exploit
The opposite beforehand disclosed vulnerability within the February patch replace is CVE-2025-21194, a safety function bypass vulnerability in Microsoft Floor.
Crucial Flaws
The issues that Microsoft rated as being of important severity on this newest replace are CVE-2025-21379 (CVSS Rating 7.1), an RCE within the DHCP shopper service; CVE-2025-21177 (CVSS Rating 8.7), a privilege elevation vulnerability in Microsoft Dynamics 365 Gross sales; CVE-2025-21381 (CVSS 7.8), a Microsoft Excel RCE; and CVE-2025-21376 (CVSS 8.1), an RCE in Home windows LDAP and the one one within the set that Microsoft recognized as extra susceptible to exploitation.
Curiously, one of many flaws that Microsoft rated as important (CVE-2025-21177) required affected prospects to do nothing, nevertheless it is a matter that Microsoft has already addressed on its finish. This vulnerability makes use of the newer CAR (buyer motion required) attribute to determine that there isn’t any buyer actions required, says Tyler Reguly, affiliate director safety R&D at Fortra. “Whereas these info updates are good, they will bloat the variety of updates that admins could also be fearful about coping with on a Patch Tuesday,” Reguly stated in an emailed remark. “One can not help however surprise if these updates must be issued outdoors of Patch Tuesday since they don’t require buyer motion.”
In the meantime, the one CVE to earn a severity rating of 9.0 on this month’s replace — (CVE-2025-21198) — is an RCE affecting Microsoft Excessive Efficiency Compute (HPC) Pack. An attacker can’t exploit the flaw except they’ve entry to the community used to hook up with the high-performance cluster, Reguly stated. “This networking requirement ought to restrict the affect of what would in any other case be a extra severe vulnerability.”
