
Patch Tuesday - February 2025

Last updated on Feb 22, 2025

Microsoft is addressing 56 vulnerabilities this February 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation for two of the vulnerabilities published today, which is reflected in CISA KEV. Microsoft is aware of public disclosure for two other vulnerabilities. This is now the fifth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also sees the publication of just three critical remote code execution (RCE) vulnerabilities. Eleven browser vulnerabilities have already been published separately this month, and are not included in the total.

Ancillary Function Driver: zero-day EoP

All versions of Windows receive patches today for CVE-2025-21418, a heap-based buffer overflow in the Windows Ancillary Function Driver (AFD). Successful exploitation leads to SYSTEM privileges. The AFD has been around for decades; it handles foundational networking functionality, so it is necessarily a kernel driver which interacts with a great deal of user-supplied input. It is perhaps not very shocking that AFD has been the site of a significant number of problems over the years: specifically, elevation of privilege (EoP) vulnerabilities. Microsoft is aware of existing exploitation in the wild, and with low attack complexity, low privilege requirements, and no requirement for user interaction, CVE-2025-21418 is one to prioritize for patching. The relatively low CVSSv3 base score of 7.8 and severity rating of Important may appear relatively mild; however, broad similarities exist between this vuln and CVE-2024-38193, which Rapid7 flagged as ripe for malware abuse on the day it was published, and which has subsequently been linked to exploitation by the North Korean state-associated threat actor tracked as Lazarus.

Windows Storage: zero-day EoP

Ever wanted to delete a file on a Windows box, but pesky permissions prevented you from achieving your goal? CVE-2025-21391 might be just what you need: an elevation of privilege (EoP) vulnerability in the Windows Storage service for which Microsoft is aware of exploitation in the wild. No user interaction is required, attack complexity is low, and the weakness is given as “CWE-59: Improper Link Resolution Before File Access”; but what are attackers hoping to achieve here? Although the advisory provides scant detail, and even offers some vague reassurance that “an attacker would only be able to delete targeted files on a system”, it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service. As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links.

NTLMv2 disclosure: zero-day spoofing

It’s almost surprising when any particular Patch Tuesday doesn’t involve plugging one or two holes through which NTLM hashes can leak. CVE-2025-21377 describes an NTLMv2 hash disclosure vulnerability where exploitation ultimately results in the attacker gaining the ability to authenticate as the targeted user. Minimal user interaction with a malicious file is required, including selecting, inspecting, or “performing an action other than opening or executing the file.” This trademark linguistic ducking and weaving may be Microsoft’s way of saying “if we told you any more, we’d give the game away.” Accordingly, Microsoft assesses exploitation as more likely. The advisory acknowledges researchers from 0patch by ACROS Security — who also reported last month’s NTLM hash disclosure zero-day vuln CVE-2025-21308 — as well as others from Securify and Cathay Pacific; this might be the first instance of an airline receiving credit for reporting a Microsoft zero-day vulnerability.

Surface: zero-day container escape

A wide array of Microsoft Surface machines are vulnerable to CVE-2025-21194 until patched, although the most recent Surface Pro 10 and 11 series are not listed as vulnerable. The vulnerability is described as a security feature bypass, and exploitation could lead to container escape from a UEFI host machine and compromise of the hypervisor. Surface devices receive updates via Windows Update, although the advisory also gives brief instructions for users who wish to apply the updates manually. Microsoft describes the vulnerability as publicly disclosed.

LDAP server: critical RCE

Any security advisory which lists multiple weakness types typically describes a complex vulnerability, and Windows LDAP critical remote code execution (RCE) CVE-2025-21376 is no exception. Successful exploitation requires an attacker to navigate multiple challenges, including winning a race condition. The prize: code execution on the Windows LDAP server. Although Microsoft seldom specifies the privilege level of code execution on LDAP server vulnerabilities, Rapid7 has noted previously that the LDAP service runs in a SYSTEM context, and that is the only safe assumption. All versions of Windows receive a patch.

DHCP client: critical RCE

Today sees the publication of a slightly mysterious critical RCE in the Windows DHCP Client Service. Exploitation of CVE-2025-21379 requires an attacker to intercept and potentially modify communications between the Windows DHCP client and the requested resource, which implies either that an attacker can break encryption, or that no encryption is present in the DHCP communication; this risk is highlighted in Microsoft’s own spec for DHCP implementation.

Excel: critical RCE

As if spreadsheets weren’t dangerous enough by themselves, today sees publication of CVE-2025-21381, a critical RCE in Excel. As usual for this class of attack, the advisory clarifies that “remote” in this case refers to the location of the attacker, since user interaction is required, and the code execution will be in the context of the user on their local machine. The Preview Pane is an attack vector, so simply glancing at a file or email containing a specially crafted malicious spreadsheet is enough for the attack to succeed, although an attacker could also convince a user to download and open a file from a website, or perhaps simply scatter a few USB sticks in the parking lot.

Microsoft lifecycle update

In Microsoft product lifecycle news, SQL Server 2019 moves from mainstream support to extended support on 2025-02-28.

Summary charts

[Figures: a bar chart showing the distribution of vulnerabilities by affected component, and a heatmap showing the distribution of vulnerabilities by impact and affected component, for Microsoft Patch Tuesday February 2025.]

Summary tables

Apps vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21322 | Microsoft PC Manager Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21259 | Microsoft Outlook Spoofing Vulnerability | No | No | 5.3 |

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21198 | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability | No | No | 9 |
| CVE-2025-21188 | Azure Network Watcher VM Extension Elevation of Privilege Vulnerability | No | No | 6 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21342 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21408 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21279 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 6.5 |
| CVE-2025-21283 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 6.5 |
| CVE-2025-21253 | Microsoft Edge for IOS and Android Spoofing Vulnerability | No | No | 5.3 |
| CVE-2025-21267 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 4.4 |
| CVE-2025-21404 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 4.3 |
| CVE-2025-0451 | Chromium: CVE-2025-0451 Inappropriate implementation in Extensions API | No | No | N/A |
| CVE-2025-0445 | Chromium: CVE-2025-0445 Use after free in V8 | No | No | N/A |
| CVE-2025-0444 | Chromium: CVE-2025-0444 Use after free in Skia | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21206 | Visual Studio Installer Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-24042 | Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-24039 | Visual Studio Code Elevation of Privilege Vulnerability | No | No | 7.3 |

Developer Tools Mariner vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-32002 | HackerOne: CVE-2023-32002 Node.js Module._load() policy Remote Code Execution Vulnerability | No | No | N/A |

Device vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability | No | Yes | 7.1 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21406 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21407 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21190 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21200 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21371 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21201 | Windows Telephony Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21208 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21410 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21368 | Microsoft Digest Authentication Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21369 | Microsoft Digest Authentication Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2025-21359 | Windows Kernel Security Feature Bypass Vulnerability | No | No | 7.8 |
| CVE-2025-21373 | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21420 | Windows Disk Cleanup Tool Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| CVE-2025-21375 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21181 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2025-21419 | Windows Setup Files Cleanup Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability | No | Yes | 6.5 |
| CVE-2025-21352 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2025-21347 | Windows Deployment Services Denial of Service Vulnerability | No | No | 6 |
| CVE-2025-21350 | Windows Kerberos Denial of Service Vulnerability | No | No | 5.9 |
| CVE-2025-21337 | Windows NTFS Elevation of Privilege Vulnerability | No | No | 3.3 |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21177 | Microsoft Dynamics 365 Sales Elevation of Privilege Vulnerability | No | No | 8.7 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21400 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8 |
| CVE-2025-21392 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21397 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21381 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21386 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21387 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21390 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21394 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21383 | Microsoft Excel Information Disclosure Vulnerability | No | No | 7.8 |
| CVE-2025-24036 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | No | No | 7 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21367 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21358 | Windows Core Messaging Elevation of Privileges Vulnerability | No | No | 7.8 |
| CVE-2025-21351 | Windows Active Directory Domain Services API Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2025-21182 | Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability | No | No | 7.4 |
| CVE-2025-21183 | Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability | No | No | 7.4 |
| CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability | Yes | No | 7.1 |
| CVE-2025-21379 | DHCP Client Service Remote Code Execution Vulnerability | No | No | 7.1 |
| CVE-2025-21184 | Windows Core Messaging Elevation of Privileges Vulnerability | No | No | 7 |
| CVE-2025-21414 | Windows Core Messaging Elevation of Privileges Vulnerability | No | No | 7 |
| CVE-2025-21349 | Windows Remote Desktop Configuration Service Tampering Vulnerability | No | No | 6.8 |
| CVE-2025-21212 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2025-21216 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2025-21254 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2025-21179 | DHCP Client Service Denial of Service Vulnerability | No | No | 4.8 |
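As an added example (not part of the original post), the following Python parses rows in the run-together form the summary tables above take once extracted, and orders them the way the commentary argues: evidence of exploitation first, public disclosure next, and CVSSv3 base score only within those groups. The sample rows are constructed from this post's own tables; the regex, the `Advisory` record and the P1/P2/P3 tier labels are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample rows constructed from this post's summary tables, in the extracted
# run-together form: CVE, title, Exploited?, Publicly disclosed?, CVSSv3 score.
SAMPLE_ROWS = [
    "CVE-2025-21418Windows Ancillary Function Driver for WinSock Elevation of Privilege VulnerabilityYesNo7.8",
    "CVE-2025-21391Windows Storage Elevation of Privilege VulnerabilityYesNo7.1",
    "CVE-2025-21377NTLM Hash Disclosure Spoofing VulnerabilityNoYes6.5",
    "CVE-2025-21194Microsoft Surface Security Feature Bypass VulnerabilityNoYes7.1",
    "CVE-2025-21376Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution VulnerabilityNoNo8.1",
    "CVE-2025-21337Windows NTFS Elevation of Privilege VulnerabilityNoNo3.3",
    "CVE-2025-0445Chromium: CVE-2025-0445 Use after free in V8NoNoN/A",
]

# The title is matched lazily and the two Yes/No flags plus the score are anchored
# to the end of the line, so a "No" inside a title cannot be taken for a flag.
ROW_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(.+?)(Yes|No)(Yes|No)(N/A|\d+(?:\.\d+)?)$")

@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    exploited: bool
    disclosed: bool
    score: Optional[float]  # None when the table shows N/A (the Chromium rows)

def parse_row(row: str) -> Advisory:
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    cve, title, exploited, disclosed, score = m.groups()
    return Advisory(cve, title.strip(), exploited == "Yes", disclosed == "Yes",
                    None if score == "N/A" else float(score))

def tier(a: Advisory) -> str:
    # Evidence of exploitation outranks public disclosure, which outranks base score.
    return "P1" if a.exploited else "P2" if a.disclosed else "P3"

def prioritize(rows) -> list:
    # Within a tier, higher CVSS first; rows with no score sort last.
    key = lambda a: (not a.exploited, not a.disclosed, -(a.score if a.score is not None else -1.0))
    return sorted((parse_row(r) for r in rows), key=key)

if __name__ == "__main__":
    for a in prioritize(SAMPLE_ROWS):
        score = "N/A" if a.score is None else f"{a.score:.1f}"
        print(f"{tier(a)} {a.cve:<15} {score:>4} {a.title}")
```

Run against the sample rows, the 7.8-scored AFD zero-day lands above the 8.1-scored LDAP RCE, which is the ordering the AFD section above argues for.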
