SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Microsoft's February 2025 patch fixes 56 vulnerabilities

Microsoft has addressed 56 vulnerabilities in its February 2025 Patch Tuesday release, including two that are currently being exploited in the wild. Only three of the patched flaws are critical remote code execution vulnerabilities, and none of the zero-days had been rated critical at the time of publication. This marks the fifth consecutive month in which Microsoft has disclosed zero-day vulnerabilities on Patch Tuesday without any of them being classified as critical on release.

Included in this month's patches is CVE-2025-21418, a heap-based buffer overflow in the Windows Ancillary Function Driver (AFD). This vulnerability affects all versions of Windows and, if exploited successfully, grants SYSTEM privileges. The AFD, being a kernel driver that processes user-supplied input, has historically been prone to elevation of privilege vulnerabilities. "Microsoft is aware of existing exploitation in the wild, and with low attack complexity, low privilege requirements, and no requirement for user interaction, CVE-2025-21418 is one to prioritise for patching," stated Adam Barnett, Lead Software Engineer at Rapid7. This vulnerability shares characteristics with CVE-2024-38193, previously highlighted by Rapid7 as susceptible to malware exploitation.

CVE-2025-21391 is another elevation of privilege vulnerability targeted by attackers in the wild. It affects the Windows Storage service and allows attackers to delete targeted files on a system without user interaction. The weakness is identified as "CWE-59: Improper Link Resolution Before File Access." This vulnerability enables attackers to escalate privileges by creatively misusing symbolic links. Rapid7's Barnett warns that "it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service."
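To make the CWE-59 class behind CVE-2025-21391 concrete, here is an added example (not code from the article, Microsoft or Rapid7, and not the Windows Storage service's logic): a privileged cleanup routine that follows a planted directory link and so deletes a file outside its scratch directory, next to a hardened version that never traverses links. It generalises the article's case to any privileged file-deletion path; the directories, file names and the link are all constructed in temporary directories, and it needs a POSIX filesystem.

```python
import os
import stat
import tempfile

def naive_cleanup(scratch_dir):
    """Vulnerable (CWE-59): isdir() follows links, so the recursion walks out of scratch."""
    deleted = []
    for name in os.listdir(scratch_dir):
        path = os.path.join(scratch_dir, name)
        if os.path.isdir(path):        # True for a symlink to a directory too
            deleted += naive_cleanup(path)
        else:
            os.remove(path)            # through the link, this hits the real file
            deleted.append(path)
    return deleted

def safe_cleanup(scratch_dir, dir_fd=None):
    """Hardened: O_NOFOLLOW dirs, lstat each entry, unlink via the dir fd; links are never traversed."""
    deleted = []
    dfd = os.open(scratch_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
    try:
        for name in os.listdir(dfd):
            st = os.stat(name, dir_fd=dfd, follow_symlinks=False)
            if stat.S_ISDIR(st.st_mode):
                deleted += safe_cleanup(name, dir_fd=dfd)
            elif stat.S_ISREG(st.st_mode):
                os.unlink(name, dir_fd=dfd)
                deleted.append(name)
            # symlinks (and anything else) fall through: skipped, not followed
    finally:
        os.close(dfd)
    return deleted

def _setup():
    """Constructed layout: victim/important.cfg outside scratch; planted link scratch/tmpdata -> victim."""
    victim_dir = tempfile.mkdtemp(prefix="victim-")     # outside the cleanup's remit
    scratch = tempfile.mkdtemp(prefix="scratch-")       # user-writable scratch dir
    victim = os.path.join(victim_dir, "important.cfg")
    open(victim, "w").close()
    open(os.path.join(scratch, "junk.tmp"), "w").close()   # legitimate cleanup target
    os.symlink(victim_dir, os.path.join(scratch, "tmpdata"))
    return scratch, victim

def demo():
    scratch, victim = _setup()
    naive_cleanup(scratch)
    survived_naive = os.path.exists(victim)     # False: deleted through the link
    scratch, victim = _setup()
    removed = safe_cleanup(scratch)
    return survived_naive, os.path.exists(victim), removed   # (False, True, ['junk.tmp'])
```

The hardened routine still removes the legitimate junk file, which is the check a defender wants: the fix restricts traversal, not functionality.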

CVE-2025-21377 addresses a vulnerability that results in the disclosure of NTLMv2 hashes, enabling attackers to authenticate as a targeted user. Exploitation requires minimal user interaction with a malicious file. "This trademark linguistic ducking and weaving may be Microsoft's way of saying 'if we told you any more, we'd give the game away,'" added Barnett. Companies like 0patch by ACROS Security, Securify, and Cathay Pacific have also been credited in the advisory.

A security feature bypass affecting certain Microsoft Surface devices is described in CVE-2025-21194. This vulnerability can lead to container escape from a UEFI host machine and compromise of the hypervisor. The Surface Pro 10 and 11 series are not affected. Microsoft users can receive updates via Windows Update or apply them manually.

Exploiting CVE-2025-21376, a critical remote code execution vulnerability in the Windows LDAP server, is complex: an attacker must overcome several obstacles, including winning a race condition. "Rapid7 has noted previously that the LDAP service runs in a SYSTEM context, which is the only safe assumption," said Barnett.

CVE-2025-21379, another critical remote code execution vulnerability, affects the Windows DHCP Client Service. Exploitation requires intercepting and potentially modifying traffic between the Windows DHCP client and the resource it requests, which suggests that the communication is weakly encrypted or not encrypted at all. This is consistent with Microsoft's DHCP implementation specification.

CVE-2025-21381 is a critical remote code execution vulnerability in Excel, with the Outlook Preview Pane serving as an attack vector. Exploitation occurs simply by viewing an email with a malicious spreadsheet, although attackers may use various methods to trick users into accessing the malicious file.

In related product lifecycle developments, SQL Server 2019 will transition from mainstream support to extended support on 28 February 2025.
