Microsoft Releases February Patch Tuesday Update, Addressing Critical Zero-Day Vulnerabilities

Microsoft Patch Tuesday has rolled out its February security update, addressing 56 Common Vulnerabilities and Exposures (CVEs), including two actively exploited zero-day vulnerabilities. This Microsoft Patch Tuesday update also includes fixes for three critical vulnerabilities and several previously identified issues. Among the vulnerabilities addressed is a Secure Boot security feature bypass, which was initially mitigated last year but has now been revised to cover additional affected systems.

One of the two actively exploited zero-day vulnerabilities, CVE-2025-21418, is an elevation-of-privilege flaw in the Windows Ancillary Function Driver for WinSock. This vulnerability, which has been assigned a CVSS score of 7.8, impacts all supported versions of Windows for both desktop and server environments. It requires local access, either through physical access to the machine or remote access via Secure Shell (SSH), and does not require user interaction. If successfully exploited, an attacker gains system-level privileges, effectively taking full control of the device. Security experts have emphasized the severity of this flaw, with warnings that the availability of exploit code could lead to widespread attacks if the patch is not applied promptly.

The second actively exploited zero-day vulnerability, CVE-2025-21391, is an elevation-of-privilege flaw within Windows Storage. This vulnerability, rated 7.1 on the CVSS scale, affects Windows Server versions from 2016 onward, as well as desktop editions including Windows 10 and newer. It requires local network access and can be exploited to delete critical system files, leading to service disruptions and potential privilege escalation. Although Microsoft has not disclosed specific details regarding how this vulnerability has been exploited in the wild, security analysts urge immediate patching to prevent further incidents.

Additionally, Microsoft has revised the Secure Boot vulnerability (CVE-2023-24932), which was initially addressed in May 2023. The latest update extends coverage to Windows 11 versions 22H2, 23H2, and 24H2, as well as Windows Server 2025. Secure Boot is a crucial security feature that ensures a device starts only with trusted software from the original equipment manufacturer. If bypassed, an attacker could load unauthorized software at startup, compromising the system at a fundamental level.

Microsoft’s latest security update also includes fixes for two publicly disclosed vulnerabilities. CVE-2025-21377, an NTLM Hash Disclosure spoofing vulnerability, has been assigned a CVSS score of 6.5 and affects a wide range of Windows versions. The flaw is considered more likely to be exploited, as it can be triggered remotely with minimal user interaction, such as a simple right-click on a malicious file. While this vulnerability has not yet been used in active attacks, security experts caution that publicly available exploit code significantly lowers the barrier for attackers, making it a high-priority issue.

In June 2024, Microsoft placed the NTLM authentication protocol on its deprecated features list, signaling its eventual phase-out. While NTLM is still functional, it is no longer actively developed, and Microsoft recommends that organizations transition to Kerberos or other modern authentication mechanisms to improve security and reduce exposure to potential attacks.

Among the three critical vulnerabilities addressed in the update, CVE-2025-21381, a Microsoft Excel remote-code execution flaw, stands out due to its potential for exploitation. This vulnerability, which affects Microsoft 365 Apps, Office 2019, and Office for Mac, carries a CVSS score of 7.8. It can be triggered by simply opening an Excel document in the preview pane of Microsoft Outlook, allowing an attacker to execute arbitrary code. If successfully exploited, an attacker could install malware, elevate privileges, or gain a foothold within an organization’s network. Security analysts have warned that users should exercise caution when opening Excel attachments and ensure that Office applications are fully updated.

Another significant vulnerability addressed in this month’s update is CVE-2025-21376, a remote-code execution flaw in the Windows Lightweight Directory Access Protocol (LDAP). This vulnerability has been assigned a CVSS score of 8.1 and affects most supported versions of Windows. It allows an attacker to send specially crafted requests to a vulnerable LDAP server, potentially leading to a buffer overflow and remote code execution. Given that this vulnerability does not require authentication and has been categorized as more likely to be exploited, security experts recommend immediate patching.

Security analysts emphasize that administrators should prioritize the deployment of these updates, especially given the active exploitation of the two zero-day vulnerabilities. Organizations are also encouraged to review their authentication configurations and begin phasing out deprecated protocols such as NTLM in favor of more secure alternatives like Kerberos. Regularly updating systems and security measures remains a critical defense against emerging threats, and experts urge IT teams to stay vigilant against potential attacks leveraging these vulnerabilities.