Microsoft on Tuesday launched fixes for 63 safety flaws impacting its software program merchandise, together with two vulnerabilities that it mentioned has come beneath energetic exploitation within the wild.
Of the 63 vulnerabilities, three are rated Essential, 57 are rated Essential, one is rated Average, and two are rated Low in severity. That is except for the 23 flaws Microsoft addressed in its Chromium-based Edge browser because the launch of final month’s Patch Tuesday replace.
The replace is notable for fixing two actively exploited flaws –
- CVE-2025-21391 (CVSS rating: 7.1) – Home windows Storage Elevation of Privilege Vulnerability
- CVE-2025-21418 (CVSS rating: 7.8) – Home windows Ancillary Perform Driver for WinSock Elevation of Privilege Vulnerability
“An attacker would solely be capable to delete focused information on a system,” Microsoft mentioned in an alert for CVE-2025-21391. “This vulnerability doesn’t enable disclosure of any confidential info, however may enable an attacker to delete information that would embody information that ends in the service being unavailable.”
Mike Walters, president and co-founder of Action1, famous that the vulnerability could possibly be chained with different flaws to escalate privileges and carry out follow-on actions that may complicate restoration efforts and permit risk actors to cowl up their tracks by deleting essential forensic artifacts.
CVE-2025-21418, alternatively, issues a case of privilege escalation in AFD.sys that could possibly be exploited to attain SYSTEM privileges.
It is value noting {that a} related flaw in the identical element (CVE-2024-38193) was disclosed by Gen Digital final August as being weaponized by the North Korea-linked Lazarus Group. In February 2024, the tech large additionally plugged a Home windows kernel privilege escalation flaw (CVE-2024-21338) affecting the AppLocker driver (appid.sys) that was additionally exploited by the hacking crew.
These assault chains stand out as a result of they transcend a conventional Convey Your Personal Weak Driver (BYOVD) assault by making the most of a safety flaw in a local Home windows driver, thereby obviating the necessity for introducing different drivers into goal environments.
It is at the moment not identified if the abuse of CVE-2025-21418 is linked to the Lazarus Group as effectively. The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added each the issues to its Identified Exploited Vulnerabilities (KEV) catalog, requiring federal companies to use the patches by March 4, 2025.
Essentially the most extreme of the issues addressed by Microsoft on this month’s replace is CVE-2025-21198 (CVSS rating: 9.0), a distant code execution (RCE) vulnerability within the Excessive Efficiency Compute (HPC) Pack.
“An attacker may exploit this vulnerability by sending a specifically crafted HTTPS request to the focused head node or Linux compute node granting them the power to carry out RCE on different clusters or nodes linked to the focused head node,” Microsoft mentioned.
Additionally value mentioning is one other RCE vulnerability (CVE-2025-21376, CVSS rating: 8.1) impacting Home windows Light-weight Listing Entry Protocol (LDAP) that allows an attacker to ship a specifically crafted request and execute arbitrary code. Nonetheless, profitable exploitation of the flaw requires the risk actor to win a race situation.
“Provided that LDAP is integral to Lively Listing, which underpins authentication and entry management in enterprise environments, a compromise may result in lateral motion, privilege escalation, and widespread community breaches,” Ben McCarthy, lead cybersecurity engineer at Immersive Labs, mentioned.
Elsewhere, the replace additionally resolves a NTLMv2 hash disclosure vulnerability (CVE-2025-21377, CVSS rating: 6.5) that, if efficiently exploited, may allow an attacker to authenticate because the focused person.
Software program Patches from Different Distributors
Along with Microsoft, safety updates have additionally been launched by different distributors over the previous couple of weeks to rectify a number of vulnerabilities, together with —