Microsoft’s February safety replace accommodates considerably fewer vulnerabilities for admins to deal with in comparison with a month in the past, however there’s nonetheless a lot in it that requires instant consideration.
Topping the checklist are two zero-day vulnerabilities that attackers are actively exploiting within the wild, two extra which are publicly recognized however not exploited but, a patch for a zero-day that Microsoft disclosed in December 2024, and an assortment of different widespread vulnerabilities and exposures (CVEs) with probably extreme penalties for affected organizations.
63 CVEs, 2 Zero-Days
In complete, Microsoft launched patches for 63 distinctive CVEs, a far cry from the huge 159 CVEs — together with a startling eight zero-days — that the corporate disclosed in January. Microsoft assessed 4 of the bugs it disclosed at this time as being of crucial severity. It rated the overwhelming majority of the remaining bugs as essential to deal with however of lesser severity for quite a lot of elements, together with assault complexity and privileges required to take advantage of the vulnerability.
The 2 actively exploited zero-day bugs on this month’s replace are CVE-2025-21418 (CVSS rating 7.8), an elevation of privilege vulnerability in Home windows Ancillary Perform Driver for WinSock, and CVE-2025-21391 (CVSS 7.1), one other elevation of privilege situation, this time affecting Home windows Storage. Per its ordinary apply, Microsoft’s advisories for each bugs provided no particulars on the exploitation exercise. However safety researchers had their very own tackle why organizations want to deal with the problems ASAP.
CVE-2025-21418, as an example, solely permits an area exploit. Which means an attacker or malicious insider should have already got entry to a goal machine, by way of a phishing assault, malicious doc, or different vector, mentioned Kev Breen, senior director, cyber risk analysis, at Immersive Labs. Even so, such flaws are “precious to attackers as they permit them to disable safety tooling, dump credentials, or transfer laterally throughout the community to take advantage of the elevated entry,” Breen mentioned in an emailed remark. An attacker who efficiently exploits the flaw can acquire SYSTEM stage privileges on the affected system, he mentioned, whereas recommending that organizations make the vulnerability a high precedence to repair.
With CVE-2025-21391, the Home windows Storage zero-day, the priority is just not in regards to the flaw enabling unauthorized information entry; somewhat, the priority is about how attackers may exploit it to have an effect on information integrity and availability. “Microsoft has outlined that if the attacker efficiently exploited this vulnerability, they might solely be capable to delete focused information on a system,” mentioned Natalie Silva, lead cyber safety engineer at Immersive Labs, in an emailed remark. “Microsoft has launched patches to mitigate this vulnerability. It is advisable for directors to use these instantly.”
In a weblog, researchers at Action1 described the flaw as ensuing from a weak point in how Home windows Storage resolves file paths and follows hyperlinks. Attackers can leverage the weak point to “redirect file operations to crucial system information or person information, resulting in unauthorized deletion,” the safety vendor mentioned.
Breen advisable that organizations additionally deal with CVE-2025-21377, an NTLM hash disclosure spoofing vulnerability, as a excessive precedence bug that wants instant consideration. When Microsoft initially disclosed the bug in December 2024, it didn’t have a patch out there for it, making the flaw a zero-day risk. “The vulnerability permits a risk actor to steal the NTLM credentials for a sufferer by sending them a malicious file,” Breen mentioned. “The person does not must open or run the executable however merely viewing the file in Explorer may very well be sufficient to set off the vulnerability.” Microsoft itself has assessed the vulnerability as one thing that risk actors usually tend to exploit
The opposite beforehand disclosed vulnerability within the February patch replace is CVE-2025-21194, a safety function bypass vulnerability in Microsoft Floor.
Vital Flaws
The issues that Microsoft rated as being of crucial severity on this newest replace are CVE-2025-21379 (CVSS Rating 7.1), an RCE within the DHCP shopper service; CVE-2025-21177 (CVSS Rating 8.7), a privilege elevation vulnerability in Microsoft Dynamics 365 Gross sales; CVE-2025-21381 (CVSS 7.8), a Microsoft Excel RCE; and CVE-2025-21376 (CVSS 8.1), an RCE in Home windows LDAP and the one one within the set that Microsoft recognized as extra weak to exploitation.
Apparently, one of many flaws that Microsoft rated as crucial (CVE-2025-21177) required affected clients to do nothing, nevertheless it is a matter that Microsoft has already addressed on its finish. This vulnerability makes use of the newer CAR (buyer motion required) attribute to determine that there isn’t any buyer actions required, says Tyler Reguly, affiliate director safety R&D at Fortra. “Whereas these info updates are good, they will bloat the variety of updates that admins could also be frightened about coping with on a Patch Tuesday,” Reguly mentioned in an emailed remark. “One can not help however marvel if these updates needs to be issued exterior of Patch Tuesday since they don’t require buyer motion.”
In the meantime, the one CVE to earn a severity rating of 9.0 on this month’s replace — (CVE-2025-21198) — is an RCE affecting Microsoft Excessive Efficiency Compute (HPC) Pack. An attacker can’t exploit the flaw until they’ve entry to the community used to connect with the high-performance cluster, Reguly mentioned. “This networking requirement ought to restrict the affect of what would in any other case be a extra severe vulnerability.”