- Microsoft releases February 2025 Patch Tuesday cumulative update
- It fixes 55 security flaws, including four zero-days
- Of the four zero-days, two are being actively exploited
Microsoft has fixed a total of 55 Windows security vulnerabilities, including four zero-day bugs, including two that are being actively exploited in the wild.
Since some of the bugs addressed in the cumulative update are being actively exploited in the wild, users are advised to apply the fix immediately. The two flaws in question are CVE-2025-21391 (Windows Storage Elevation of Privilege vulnerability) and CVE_2025-21418 (Windows Ancillary Function Driver for WinSock Elevation of Privilege vulnerability).
Threat actors could use the first one to delete files from a target system, and the second one to gain SYSTEM privileges in Windows. Microsoft did not want to discuss who was abusing these flaws, how, or against whom.
Notable mentions
In total, Microsoft addressed 19 Elevation of Privilege bugs, 2 Security Feature Bypass bugs, 22 Remote Code Execution flaws, one Information Disclosure bug, nine Denial of Service vulnerabilities, and three Spoofing flaws in its Patch Tuesday cumulative update.
Other two notable mentions are CVE-2025-21194 and CVE-2025-21377. These two are also zero-day vulnerabilities, but there is no evidence of cybercriminals abusing them just yet. That being said, the first one could be used to bypass the UEFI and lead to compromise of the hypervisor and the secure kernel, while the second one is an NTLM Hash Disclosure Spoofing flaw that allows cybercriminals to potentially log in as the target user.
“Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file could trigger this vulnerability.” Microsoft said in the advisory.
Aside from Patch Tuesday, Microsoft also addressed Edge browser flaws in a separate patch, fixing 10 vulnerabilities in the process. Furthermore, there was a critical Microsoft Dynamics 365 Sales elevation of privilege bug that was separately addressed.
Leave a comment