Microsoft's February Patch a Lighter Lift Than January's
But there’s plenty in it — including two zero-days — that needs immediate attention.
Microsoft’s February security update contains substantially fewer vulnerabilities for admins to address compared to a month ago, but there’s still plenty in it that requires immediate attention.
Topping the list are two zero-day vulnerabilities that attackers are actively exploiting in the wild, two more that are publicly known but not exploited yet, a patch for a zero-day that Microsoft disclosed in December 2024, and an assortment of other common vulnerabilities and exposures (CVEs) with potentially severe consequences for affected organizations.
63 CVEs, 2 Zero-Days
In total, Microsoft released patches for 63 unique CVEs, a far cry from the massive 159 CVEs — including a startling eight zero-days — that the company disclosed in January. Microsoft assessed four of the bugs it disclosed today as being of critical severity. It rated the vast majority of the remaining bugs as important to address but of lesser severity, owing to factors such as attack complexity and the privileges required to exploit the vulnerability.
The two actively exploited zero-day bugs in this month’s update are CVE-2025-21418 (CVSS score 7.8), an elevation of privilege vulnerability in Windows Ancillary Function Driver for WinSock, and CVE-2025-21391 (CVSS 7.1), another elevation of privilege issue, this time affecting Windows Storage. Per its usual practice, Microsoft’s advisories for both bugs offered no details on the exploitation activity. But security researchers had their own take on why organizations need to address the issues ASAP.
CVE-2025-21418, for instance, only enables a local exploit. That means an attacker or malicious insider must already have access to a target machine, via a phishing attack, malicious document, or other vector, said Kev Breen, senior director, cyber threat research, at Immersive Labs. Even so, such flaws are “valuable to attackers as they allow them to disable security tooling, dump credentials, or move laterally across the network to exploit the increased access,” Breen said in an emailed comment. An attacker who successfully exploits the flaw can gain SYSTEM level privileges on the affected system, he said, while recommending that organizations make the vulnerability a top priority to fix.
With CVE-2025-21391, the Windows Storage zero-day, the concern is not about the flaw enabling unauthorized data access; rather, the concern is about how attackers could exploit it to affect data integrity and availability. “Microsoft has outlined that if the attacker successfully exploited this vulnerability, they would only be able to delete targeted files on a system,” said Natalie Silva, lead cyber security engineer at Immersive Labs, in an emailed comment. “Microsoft has released patches to mitigate this vulnerability. It’s recommended for administrators to apply these immediately.”
In a blog, researchers at Action1 described the flaw as resulting from a weakness in how Windows Storage resolves file paths and follows links. Attackers can leverage the weakness to “redirect file operations to critical system files or user data, leading to unauthorized deletion,” the security vendor said.
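As an added illustration of the weakness class Action1 describes above (a file operation that follows a planted link and ends up deleting something outside the directory it was meant to touch), here is a constructed Python analogue. It is not the Windows Storage code and makes no claim about CVE-2025-21391's actual internals; it simply places a naive delete that resolves links beside a hardened one that refuses them and checks the resolved path stays inside the permitted tree.

```python
import os
import stat
import tempfile


class UnsafeDeleteError(Exception):
    """Delete request would follow a link or leave the permitted tree."""


def naive_delete(path):
    # Vulnerable pattern: resolve the path, then remove whatever it points at;
    # a link planted inside the directory redirects the delete elsewhere.
    os.remove(os.path.realpath(path))


def safe_delete(path, allowed_root):
    root = os.path.realpath(allowed_root)
    # lstat() inspects the final component itself instead of following it.
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise UnsafeDeleteError("refusing to follow link: " + path)
    # A link in a parent component would make the resolved path leave the
    # permitted tree; commonpath() catches that case.
    if os.path.commonpath([os.path.realpath(path), root]) != root:
        raise UnsafeDeleteError(path + " resolves outside " + root)
    # A small TOCTOU window between check and unlink remains; on POSIX,
    # unlinkat() relative to a directory fd narrows it further.
    os.remove(path)


def demo():
    # Constructed scenario: a protected file outside the permitted tree and a
    # symlink inside it pointing at that file; returns what each routine did.
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "allowed")
        os.mkdir(allowed)
        protected = os.path.join(tmp, "protected.txt")
        open(protected, "w").close()
        link = os.path.join(allowed, "innocent.tmp")
        os.symlink(protected, link)
        try:
            safe_delete(link, allowed)
            out["safe_refused_link"] = False
        except UnsafeDeleteError:
            out["safe_refused_link"] = True
        out["protected_intact"] = os.path.exists(protected)
        regular = os.path.join(allowed, "scratch.tmp")
        open(regular, "w").close()
        safe_delete(regular, allowed)
        out["safe_removed_regular"] = not os.path.exists(regular)
        naive_delete(link)  # follows the link: the protected file is gone
        out["naive_removed_protected"] = not os.path.exists(protected)
    return out
```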
Breen recommended that organizations also treat CVE-2025-21377, an NTLM hash disclosure spoofing vulnerability, as a high-priority bug that needs immediate attention. When Microsoft originally disclosed the bug in December 2024, it did not have a patch available for it, making the flaw a zero-day threat. “The vulnerability allows a threat actor to steal the NTLM credentials for a victim by sending them a malicious file,” Breen said. “The user doesn’t have to open or run the executable but simply viewing the file in Explorer could be enough to trigger the vulnerability.” Microsoft itself has assessed the vulnerability as something that threat actors are more likely to exploit.
The other previously disclosed vulnerability in the February patch update is CVE-2025-21194, a security feature bypass vulnerability in Microsoft Surface.
Critical Flaws
The flaws that Microsoft rated as being of critical severity in this latest update are CVE-2025-21379 (CVSS score 7.1), an RCE in the DHCP client service; CVE-2025-21177 (CVSS score 8.7), a privilege elevation vulnerability in Microsoft Dynamics 365 Sales; CVE-2025-21381 (CVSS 7.8), a Microsoft Excel RCE; and CVE-2025-21376 (CVSS 8.1), an RCE in Windows LDAP and the only one in the set that Microsoft labeled “exploitation more likely.”
Interestingly, one of the flaws that Microsoft rated as critical (CVE-2025-21177) requires no action from affected customers, because Microsoft has already addressed it on its end. The advisory uses the newer CAR (customer action required) attribute to indicate that no customer action is required, says Tyler Reguly, associate director, security R&D, at Fortra. “While these information updates are nice, they can bloat the number of updates that admins may be worried about dealing with on a Patch Tuesday,” Reguly said in an emailed comment. “One can’t help but wonder if these updates should be issued outside of Patch Tuesday since they do not require customer action.”
Meanwhile, the only CVE to earn a severity score of 9.0 in this month’s update, CVE-2025-21198, is an RCE affecting Microsoft High Performance Compute (HPC) Pack. An attacker cannot exploit the flaw unless they have access to the network used to connect to the high-performance cluster, Reguly said. “This networking requirement should limit the impact of what would otherwise be a more serious vulnerability.”
About the Author
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.
Related news
Microsoft has released its monthly security update for January of 2025 which includes 58 vulnerabilities, including 3 that Microsoft marked as “critical” and one marked as "moderate". The remaining vulnerabilities listed are classified as “important.”